Formal Modeling and Analysis of BitTorrent using Coloured Petri Nets
Jing LIU, Xinming YE, Tao SUN
ICT-CAS & IMU, China
2009-10-20

Outline
Motivation
Background
Modeling Architecture
Detailed Models
Model Validation and Analysis
Conclusion
Motivation: ICT-CAS
Jing LIU, a PhD candidate
Project: National Key Technologies R&D Program of China
integrating P2P and CDN technologies to distribute large-scale media content fast and efficiently over the Internet
BitTorrent is utilized and improved to support the scenario in which storage servers in the CDN behave as always-online seeds of the P2P network
lasted 2 years, more than 15 members
need an effective formal specification for easy communication and better implementation
Motivation: IMU
Xinming YE (Leader) and Tao SUN, Inner Mongolia University
Research Group: 3 Professors & 8 students
Research Topics
model checking based protocol verification
FSM and Petri Nets based protocol testing, including conformance testing and interoperability testing
This paper
A combination of Project Engineering and Theoretical Research
from the engineering perspective: a uniform specification; simulating protocol execution visually; testing new algorithms before implementation
from the research perspective: a general modeling methodology; validating and analyzing the protocol models
Modeling BitTorrent using CPN
Background
Related works
Most adopt various mathematical models to evaluate the performance of BitTorrent, focusing on aggregate properties such as average downloading or uploading rates, network utilization and cost, etc.
Few focus on functional behavior modeling at the peer level, which aims to construct a formal functional model of BitTorrent and validate its soundness.
Our contribution
A modeling architecture of BitTorrent: guidance about model hierarchy, data abstraction and model refinement
A coloured Petri Nets based hierarchical model of BitTorrent: an unambiguous and visual formal specification for different implementations; facilitates behavior simulation and verification of system properties
An effective model validation and analysis method: combining simulation, state space analysis and model checking; validates the model and checks whether the models satisfy the key requirement properties of the BitTorrent system
BitTorrent overview
[Figure: a tracker, seeds and leechers. Tracker protocol: peer list request / peer list, report download status cyclically. Peer protocol: handshake, send bitmap, piece request, piece sharing and sending, control packets (choke/interested). Algorithms: peer list maintenance, peer selection, choking.]
3 Entities: Tracker, Seed, Leecher
2 Protocols: Tracker Protocol, Peer Protocol
2 Algorithms: Piece selection, Choking
Modeling assumptions
Only single-file sharing is considered: it covers all functionalities and is more feasible for analysis
The file piece is the basic sharing unit: slice sharing has similar processing behavior
Some indispensable parts are omitted or simplified:
web server related processing
bencoding and hash checking: the hash value of the torrent file is used to identify each shared file instead of using the whole torrent file
endgame mode: does not affect the main functionalities, and omitting it avoids introducing a huge concurrent state space
basic choking algorithm: without optimistic unchoking and anti-snubbing
Modeling Architecture
Two hurdles
Some sections in the specification do not need to be modeled, such as the system deployment procedure or data collection behaviors for user-layer display. Modeling these behaviors contributes little to system functional analysis and, to make matters worse, introduces an unnecessary state space explosion.
Some detailed algorithms or message interactions are not explained clearly, or not mentioned at all. Take the choke and interested messages for example: the trigger time and order of these message interactions are not stated clearly. They need further consideration and completion from the perspective of the design or implementation phases.
Model Architecture (1/5)
[Figure: six layers, top to bottom: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]
from the bottom, extract the upper levels; from the top, abstract the lower levels
Model Architecture (2/5): network topology
focuses on the entire network environment, including the participating entities and their relationships from the network topology point of view
in particular, the number of entities of each type and their positions in the network environment should be considered carefully
Model Architecture (3/5): node behaviors
focuses on the execution states and their transfer relations within a specific entity, such as a peer node
for network protocols, packet requests and responses, together with some connectivity control actions, are usually modeled in this layer
Model Architecture (4/5): communication interactions
focuses on message interactions
for network protocols, collecting property data, generating requests, parsing responses and switching to subsequent processing are the major modeling issues in this layer
Model Architecture (5/5): functional transactions and algorithms
focuses on the most detailed functionalities: maintenance of key data structures, sampling the required data, and the core algorithms, etc.
iteratively refine the models and avoid redundant or inaccurate modeling to relieve state space explosion
Architecture summary
It organizes system functionalities into several abstract layers, and expresses behavior details accurately and flexibly.
It is quite suitable and feasible for guiding complex system modeling. According to different modeling and analysis purposes, we can adjust the modeling scale between layers and within a layer, and perform efficient analysis in the suitable layers.
CPN is considered an effective realization of the above modeling architecture, and the following sections demonstrate the validity of that realization.
Detailed Models
Overview
[Figure: hierarchy of the CPN model. Top page; network layer; node layer with the Tracker (updaterec, generate), Seed (recving, sending, handleBM, checkREQ, updates) and Leecher (recving, sending, choking, updates) pages; interaction layer; transaction layer (handleBM, checkREQ, checkBM, updateRS, updateBM, updatePIC, updateHS, sendHM); algorithm layer (rarest selection).]
44 page instances (24 if replicated page instances are not counted)
assumes: the communication infrastructure is reliable; no vulnerabilities during protocol execution
Data modeling
It is well known that complex colour sets can make analysis more difficult.
We hold to the following principle:
capture the indispensable data elements
organize them using suitable colour sets to achieve both clear representation and easy operation
Network layer
[Figure: top-level page with substitution transitions Index (the tracker), Seed, Leecher1 and Leecher2; packet places net31, net32, net41, net42, net51, net52 of colour set PACKET; tracker places TR1, TR2 (PEERSET) and TS (TS_REQ).]
Leecher1 acts as a newly joining peer, and Leecher2 acts as an existing leecher holding part of the file.
These four entities compose a minimal topology that covers the whole desired functionality of BitTorrent, and the various protocol executions among these entities are already very complicated for feasible and effective model analysis.
Node layer
[Figure: Leecher1 node page. Transitions Tracker_req, recv_peers, init_shake [(length peerset)>0], send_shake, send_msg and forward; substitution transitions recving, sending and choking; places recvpk (PACKET), recv (PEERSET), shake (INDEXES), send (PACKET), pid (INDEXES) and STATS; port places net52 In, net31 In, TR1 In, TS Out, net51 Out, net32 Out.]
outlines the protocol execution flows as a whole
four kinds of leecher behaviors: peer list request, peer list parsing, packet generation and sending for the peer protocol, packet receiving and parsing for the peer protocol
these behaviors interact causally and cooperatively
Interaction layer
[Figure: recving page. The parse transition splits each PACKET by its MSG constructor: HDSKMSG goes to hashverify with guard [(#1 hmsg)=infohash]; COMMMSG (choke/interested) goes to updates; TRANSMSG goes to extract1..extract4 with guards [#1 tmsg="bitmap"], [#1 tmsg="request"], [#1 tmsg="piece"] and [#1 tmsg="have"], which feed the substitution transitions handleBM, checkREQ, updatePIC and updateBM; outgoing packets leave through forward.]
focuses on the processing of protocol packets
generating requests from data fields, parsing responses and switching to subsequent processing are the major modeling issues
adjusting the model scale between layers and within a layer is quite helpful for obtaining a modest model size for feasible analysis
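The interaction layer above dispatches on the constructor of each abstract packet and checks the infohash in the handshake, while the modeling assumptions leave hash checking and the wire format out of scope and the model assumes "no vulnerabilities during protocol execution". As an added example, not code from the slides or from the authors' model, the following Python frames and parses the real BEP 3 peer wire messages that the model abstracts as MSG values, and performs the length and index checks a real client needs because the model assumes them away. Message ids and the handshake layout follow BEP 3; the byte stream built in run_demo() is constructed for the example.

```python
"""Peer wire framing (BEP 3) with the input checks the CPN model assumes away.

Added example, not code from the slides: the model carries packets as
(msg, peer, channel) tuples, omits hash checking and assumes "no
vulnerabilities during protocol execution". This shows the actual bytes and
the bounds checks a real parser needs. Traffic in run_demo() is constructed.
"""
import struct
from typing import Optional

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20           # 68 bytes
MSG_NAMES = {0: "choke", 1: "unchoke", 2: "interested", 3: "not_interested",
             4: "have", 5: "bitfield", 6: "request", 7: "piece", 8: "cancel"}
MAX_BLOCK = 16 * 1024                                 # conventional request block size
MAX_MSG_LEN = 9 + MAX_BLOCK                           # piece header (id, index, begin) + block

class ProtocolError(ValueError):
    """Anything a peer sends that a conforming client must reject."""

def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id are 20 bytes each")
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id

def parse_handshake(data: bytes, expected_info_hash: bytes) -> bytes:
    """Return the remote peer_id; wire-level counterpart of the guard [(#1 hmsg) = infohash]."""
    if len(data) < HANDSHAKE_LEN:
        raise ProtocolError("truncated handshake")
    pstrlen = data[0]
    if pstrlen != len(PSTR) or data[1:1 + pstrlen] != PSTR:
        raise ProtocolError("unknown protocol string")
    off = 1 + pstrlen + 8                              # skip pstr and the reserved bytes
    if data[off:off + 20] != expected_info_hash:
        raise ProtocolError("info_hash mismatch: peer is in a different swarm")
    return data[off + 20:off + 40]

def build_message(msg_id: Optional[int], payload: bytes = b"") -> bytes:
    if msg_id is None:                                 # keep-alive: length 0, no id
        return struct.pack(">I", 0)
    return struct.pack(">IB", 1 + len(payload), msg_id) + payload

def parse_messages(stream: bytes, num_pieces: int):
    """Yield (name, fields) per complete message; a trailing partial one is left buffered."""
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if length > MAX_MSG_LEN:                       # reject before slicing or buffering
            raise ProtocolError(f"oversized message length {length}")
        if off + 4 + length > len(stream):
            break
        body, off = stream[off + 4:off + 4 + length], off + 4 + length
        if length == 0:
            yield "keep_alive", {}
            continue
        name, payload = MSG_NAMES.get(body[0]), body[1:]
        if name is None:
            raise ProtocolError(f"unknown message id {body[0]}")
        if name == "have":
            if len(payload) != 4 or struct.unpack(">I", payload)[0] >= num_pieces:
                raise ProtocolError("have: bad length or piece index")
            yield name, {"index": struct.unpack(">I", payload)[0]}
        elif name == "bitfield":
            if len(payload) != (num_pieces + 7) // 8:
                raise ProtocolError("bitfield length does not match piece count")
            yield name, {"pieces": [i for i in range(num_pieces)
                                    if (payload[i // 8] >> (7 - i % 8)) & 1]}
        elif name in ("request", "cancel"):
            if len(payload) != 12:
                raise ProtocolError(f"{name}: bad payload length")
            index, begin, blen = struct.unpack(">III", payload)
            if index >= num_pieces or not 0 < blen <= MAX_BLOCK:
                raise ProtocolError(f"{name}: bad index or block length")
            yield name, {"index": index, "begin": begin, "length": blen}
        elif name == "piece":
            if len(payload) < 8 or struct.unpack(">I", payload[:4])[0] >= num_pieces:
                raise ProtocolError("piece: bad length or piece index")
            index, begin = struct.unpack(">II", payload[:8])
            yield name, {"index": index, "begin": begin, "block": payload[8:]}
        else:                                          # choke/unchoke/(not_)interested
            if payload:
                raise ProtocolError(f"{name} must not carry a payload")
            yield name, {}

def run_demo() -> dict:
    """Constructed Seed -> Leecher1 stream for a 3-piece file."""
    info_hash, seed_id = bytes(range(20)), b"-EX0001-" + b"s" * 12
    stream = (build_handshake(info_hash, seed_id)
              + build_message(5, bytes([0b10100000]))      # bitfield: pieces 0 and 2
              + build_message(1)                            # unchoke
              + build_message(7, struct.pack(">II", 0, 0) + b"block-data")
              + build_message(None)                         # keep-alive
              + struct.pack(">I", 5))                       # partial message, stays buffered
    peer_id = parse_handshake(stream, info_hash)
    msgs = list(parse_messages(stream[HANDSHAKE_LEN:], num_pieces=3))
    try:
        parse_handshake(stream, bytes(20))                  # wrong swarm must be refused
        rejected = False
    except ProtocolError:
        rejected = True
    return {"peer_id": peer_id, "messages": [n for n, _ in msgs],
            "bitfield": msgs[0][1]["pieces"], "wrong_swarm_rejected": rejected}
```

The length prefix is validated before any slice is taken, piece and request indices are compared against the piece count from the torrent, and a bitfield whose length disagrees with that count is refused; these are the checks that the model's "no vulnerabilities" assumption stands in for. The hash check on downloaded pieces, also omitted by the model, would sit on top of this once a full piece has been assembled.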
Transaction layer (1/2)
[Figure: handleBM page. Transitions storebm, storerq, check, genpk [not (List.null bitmap)], add, del, delhave and delnull [List.null reqset] maintain the REQSET and UPDATEREC data structures and a BITMAP of wanted pieces; genpk emits (TRANSMSG("request", #1 uprec, (hd bitmap)::[], 0), #2 uprec, pch) or (TRANSMSG("noreq",1,[],0), pch, pch).]
fundamental page instances to model specific functionalities
requires many tradeoffs to find the golden mean of a modest model size, so iterative model refinement is significant
Transaction layer (2/2)
[Figure: the handleBM page again, highlighting the actions whose execution order is fixed.]
There often exist seemingly concurrent actions which can be modeled sequentially without any harm to protocol functionality.
These behaviors are independent, and could execute concurrently or sequentially. If we model them as concurrent executions, many unnecessary concurrent states are introduced, so we force an execution order on these actions.
Algorithm layer
[Figure: choking page. Transitions sort, resort [m=100], store, bak and send operate on places partset, resultset and tempset (BMSET), start, ctl1 and num (INT) and timectl (STATS); sort inserts each entry of bmset into bmsetrult ordered by #uprates; send emits (COMMMSG("unchoke", #file (hd bmset)), #peer (hd bmset), pch) if m<5, and a COMMMSG("choke", ...) packet otherwise.]
the basic choking algorithm
the main behavior is to order the entries in BMSET according to the download rates; the first four are considered unchoked peers and the corresponding unchoke packets are sent
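As an added example, not the authors' CPN pages, here are plain-Python versions of the two algorithms the model covers: the rarest-first piece selection exercised in function unit 4 and the basic choking algorithm of the page above. Like the model, the choker has no optimistic unchoking and no anti-snubbing; unlike the page, which ranks every BMSET entry, it gives the four slots only to interested peers, as BEP 3 specifies. The peer names, bitmaps and rates in run_demo() are constructed.

```python
"""Rarest-first piece selection and the basic choking algorithm.

Added example, not the authors' CPN pages: plain-Python versions of the two
algorithms the slides model (the rarest-first selection of function unit 4 and
the choking page). Like the model it has no optimistic unchoking and no
anti-snubbing. Peer names, bitmaps and rates in run_demo() are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

UNCHOKE_SLOTS = 4      # "the first four are considered as unchoking peers"


def rarest_first(my_pieces: Set[int], peer_bitmaps: Dict[str, Set[int]],
                 num_pieces: int) -> Optional[int]:
    """Choose the missing piece that the fewest connected peers hold.

    Ties break toward the lowest index so the choice is deterministic. A piece
    nobody advertises has availability 0 and cannot be requested from anyone,
    so it is skipped instead of being reported as the rarest.
    """
    availability: Counter = Counter()
    for pieces in peer_bitmaps.values():
        availability.update(pieces)
    wanted = [p for p in range(num_pieces) if p not in my_pieces and availability[p] > 0]
    return min(wanted, key=lambda p: (availability[p], p)) if wanted else None


def basic_choke(rates: Dict[str, float], interested: Set[str]) -> Dict[str, str]:
    """Unchoke the UNCHOKE_SLOTS interested peers with the best rates, choke everyone else.

    The CPN page orders every BMSET entry by download rate; BEP 3 additionally
    restricts the slots to peers that are interested, since an unchoked peer
    that wants nothing from us wastes the slot. Ties break by peer name.
    """
    ranked = sorted(interested, key=lambda peer: (-rates.get(peer, 0.0), peer))
    unchoked = set(ranked[:UNCHOKE_SLOTS])
    return {peer: ("unchoke" if peer in unchoked else "choke") for peer in rates}


def choke_messages(previous: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (peer, message) pairs only where the decision changed.

    The page sends a choke or unchoke packet to every entry each round; a real
    client sends one only on a state change, and every connection starts choked.
    """
    return [(peer, state) for peer, state in sorted(current.items())
            if previous.get(peer, "choke") != state]


def run_demo() -> dict:
    # Constructed swarm: Leecher1 holds piece 0 of a 5-piece file.
    bitmaps = {"Seed": {0, 1, 2, 3, 4}, "Leecher2": {0, 1, 2}, "Leecher3": {0, 1, 3}}
    pick = rarest_first({0}, bitmaps, num_pieces=5)
    # Constructed download rates from six peers; p6 is fast but not interested in us.
    rates = {"p1": 40.0, "p2": 95.0, "p3": 10.0, "p4": 60.0, "p5": 75.0, "p6": 120.0}
    interested = {"p1", "p2", "p3", "p4", "p5"}
    round1 = basic_choke(rates, interested)
    msgs1 = choke_messages({}, round1)
    rates["p3"] = 70.0                          # p3 speeds up before the next 10-second round
    round2 = basic_choke(rates, interested)
    msgs2 = choke_messages(round1, round2)
    return {"rarest": pick, "round1": round1, "messages1": msgs1, "messages2": msgs2}
```

In the constructed swarm the rarest missing piece is the one only the Seed holds, which is exactly the piece a rarest-first leecher should fetch before the seed leaves. In the second choking round only two messages go out, a choke to the peer that lost its slot and an unchoke to the one that gained it, which is the behavior a monitor for protocol ordering would expect.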
Model Validation and Analysis
Overview (1/2)
Objective
validate the BitTorrent CPN models
verify whether the above models satisfy the key requirement properties of the BitTorrent system, such as no out-of-order executions
Difficulties
concurrency and intricate communication are essential characteristics of BitTorrent systems
the constructed models are so large that direct state space analysis becomes infeasible because of state space explosion
Overview (2/2)
[Figure: function units are examined by simulation and state space analysis; system properties are checked by model checking.]
a function unit is a basic functional flow of the protocol execution; different specific initial markings form different function units
several function units can execute sequentially or concurrently to form a more complex functionality
higher system properties are usually described in temporal logic and verified using model checking
Analysis of function unit (1/3)
Simulation
immediate visual feedback
performed frequently to find modeling errors
Findings
most of the concurrent behaviors in the model could be serialized by assigning an execution order manually
there are still some true concurrent behaviors
[Figure: fragment of a generated state space, nodes 1 to 46 with their in/out arc counts.]
these traces are meaningless for analysis because of too finely interleaved executions
Analysis of function unit (2/3)
a function unit represents a relatively independent functional flow of protocol executions with no, or controllable, true concurrent behaviors
the function units cover all paths of the model, and their sequential or concurrent executions form all feasible functionalities of the original specification
perform both simulation and state space based analysis to validate the reliable execution of each function unit
Analysis of function unit (3/3)
Four Function Units:
1. Leecher1 asks the Tracker for the peer list of the shared file, and the Tracker replies with a list containing Leecher2 and Seed
2. Leecher1 connects to Leecher2, and downloads one piece without further piece requests
3. Leecher1 connects to Seed, downloads two pieces, and announces to Leecher2 that it has the entire file using the have packet
4. Leecher1 executes the rarest-first piece selection, and Seed executes the choking algorithm when receiving a piece request from Leecher1
Properties verification (1/5)
the state space generated for a function unit only contains the states reachable from a specific initial marking, and its size is usually not large
checking higher system properties needs the full state space to enumerate every possible execution of the protocol system
introduce a finite abstraction of the hierarchical CPN models
Properties verification (2/5)
According to the modeling architecture, the abstract models only cover the network, node and interaction layers.
Interaction layers in the abstract models are modeled as leaf page instances without substitution transitions, that is, the substitution transitions are replaced with ordinary transitions.
Besides, the abstract models contain some new places representing key data structures, the same as those that appear in the original models.
[Figure: abstract receives1 page. hashverify [(#1 hmsg)=infohash], extract1..3 with guards [#1 tmsg="bitmap"], [#1 tmsg="request"], [#1 tmsg="piece"], extrc1 [#1 cmsg="interested"] and extrc2 [#1 cmsg="unchoke"]; ordinary transitions sendt1..sendt4, sendc1 and sendc2 emit request, piece, have, interested and unchoke packets directly; the BITMAP place is shared through fusion set Fusion 1.]
Properties verification (3/5)
Such an abstraction is sound because:
the functionalities of the original transaction layer and algorithm layer models have already been validated, so the ordinary transitions can represent functionalities equal to and as valid as the original substitution transitions
the original transaction layer models are functionally independent of each other except for accessing the common data structures, so we keep these data structures in the new abstract models to preserve the interaction relationship between the corresponding behaviors
Properties verification (4/5)
a kind of over-approximation: if a property passes verification on the abstract models, it also holds in the original detailed models
the abstract model has 10 page instances in total
consider the concurrent execution of function units (2) and (3) for analysis
the full state space contains 9180 states and 22546 arcs
no home markings, no live transitions
16 dead markings, exactly corresponding to the different concurrent execution results
Properties verification (5/5)
consider a situation in which a peer receives a piece without having received an unchoke message before
specify BTFormula to check that such a situation never happens

(* load the ASK-CTL library before defining or evaluating formulas *)
use (ogpath^"/ASKCTL/ASKCTLloader.sml");
(* arc predicates: does this arc fire the sendc2 (unchoke) or sendt3 (piece) binding element of page receives1 for peer p2? *)
fun IsUnchoke a = (Bind.receives1'sendc2 (1, {peerid=p2, cmsg=("unchoke",1), bitmap=[1,2]}) = ArcToBE a);
fun IsRecvPiece a = (Bind.receives1'sendt3 (1, {peerid=p2, tmsg=("piece", 1, [1], 0), bitmap=[]}) = ArcToBE a);
(* INV: in every reachable marking, either the Unchoke binding element is enabled (MODAL(AF ...)) or the ReceivePiece one is not *)
val BTFormula = INV(OR(MODAL(AF("Unchoke", IsUnchoke)), NOT(MODAL(AF("ReceivePiece", IsRecvPiece)))));
eval_node BTFormula InitNode;
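BTFormula asks the state space whether a piece can ever be received from a peer that has not sent unchoke. The same ordering property can be checked at run time over an observed message trace, which is how a client-side test or an intrusion detection rule for a swarm would phrase it. The following Python is an added example, not part of the slides: a per-peer monitor that flags a piece received while choked, and, as two neighbouring ordering rules from the peer protocol that the slides do not model, a request sent while choked and any message before the handshake. The two traces in run_demo() are constructed; the first mirrors function unit 2.

```python
"""Trace monitor for the ordering property the slides check with ASK-CTL.

Added example, not part of the slides: BTFormula asks the state space whether
a piece can ever be received from a peer that has not sent unchoke. The same
property, plus two neighbours from the peer protocol (no message before the
handshake, no request while choked), is checked here over a message trace.
The two traces in run_demo() are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

Event = Tuple[str, str, str]          # (direction "in" or "out", peer, message name)


@dataclass
class PeerState:
    handshaken: bool = False
    peer_choking_us: bool = True      # BEP 3: every connection starts choked


@dataclass
class OrderMonitor:
    peers: Dict[str, PeerState] = field(default_factory=dict)
    violations: List[str] = field(default_factory=list)

    def feed(self, event: Event) -> None:
        direction, peer, msg = event
        st = self.peers.setdefault(peer, PeerState())
        if msg == "handshake":
            st.handshaken = True
            return
        if not st.handshaken:
            self.violations.append(f"{peer}: {msg} before handshake")
        if direction == "in":
            if msg == "unchoke":
                st.peer_choking_us = False
            elif msg == "choke":
                st.peer_choking_us = True
            elif msg == "piece" and st.peer_choking_us:
                self.violations.append(f"{peer}: piece received while choked")
        elif msg == "request" and st.peer_choking_us:
            self.violations.append(f"{peer}: request sent while choked")


def check_trace(events: Iterable[Event]) -> List[str]:
    """Run the monitor over a whole trace and return the violations in order."""
    monitor = OrderMonitor()
    for event in events:
        monitor.feed(event)
    return monitor.violations


def run_demo() -> dict:
    # Constructed trace of function unit 2: Leecher1 downloads one piece from Leecher2.
    good = [("out", "Leecher2", "handshake"), ("in", "Leecher2", "bitmap"),
            ("out", "Leecher2", "interested"), ("in", "Leecher2", "unchoke"),
            ("out", "Leecher2", "request"), ("in", "Leecher2", "piece")]
    # Constructed misbehaving trace: Leecher1 requests before the unchoke arrives,
    # Seed answers while still choking us, and Leecher2 talks before any handshake.
    bad = [("out", "Seed", "handshake"), ("in", "Seed", "bitmap"),
           ("out", "Seed", "request"), ("in", "Seed", "piece"),
           ("in", "Leecher2", "have")]
    return {"good": check_trace(good), "bad": check_trace(bad)}
```

The monitor keeps exactly the state the ASK-CTL predicates refer to, namely whether the unchoke from a given peer has been seen, so a violation it reports on a real trace is a counterexample to the property that the abstract state space was shown to satisfy.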
Analysis summary
From the point of view of model validation, simulation and analysis of function units help validate the effectiveness of the protocol's detailed behaviors, and checking higher properties helps verify that the protocol requirements are satisfied.
This abstraction-guided checking method not only takes full advantage of the thorough validation of function units, but also makes checking higher properties practical and effective.
Conclusion
Conclusion
BitTorrent has complex communications and concurrent behaviors, which are major hurdles for formal functional modeling and validation
we use CPN as an effective realization of the hierarchical modeling architecture to construct the BitTorrent CPN models
simulation, state space analysis and model checking are used together at both the function unit level and the system requirement level, to validate the models and check whether they satisfy the requirement properties of BitTorrent
Future Research
from the model perspective: add time factors to the algorithms; improve model completeness and soundness
from the methodology perspective: optimize the validation process; test case generation from CPN models
Thank you
Q & A