Non-deterministic transducer models of retransmission protocols over noisy channels
Introduction
Retransmission protocols use cyclic redundancy checks for error detection and sliding window protocols for error control [14]. The TinyOS serial communication protocol, the Philips bounded retransmission protocol (BRP), high-level data link control (HDLC) and the transmission control protocol (TCP) are examples of widely used retransmission protocols that provide reliable communication over noisy channels, i.e., channels that can corrupt messages.
In a recent work, Thakkar et al. [15] present a transducer-based approach to modeling retransmission protocols over noisy channels. They show that the usual approach of abstracting message contents by symbolic constants (e.g. [11]) is inadequate in this setting. In particular, they illustrate that unless the message contents are modeled as bit strings, the noisy channel can give rise to a sequence of message corruptions that induces the receiver to deliver an incorrect sequence of messages to its client (see [15], Section 2). Thus, we need an expressive framework to precisely model retransmission protocols. Modeling them as finite-state machines communicating asynchronously over unbounded FIFO channels, however, does not yield a decidable framework [6].
They show that deterministic streaming string transducers, or DSSTs [2], [3], provide an intuitive and expressive modeling framework for retransmission protocols. DSSTs can model different classes of retransmission protocols, such as those based on stop-and-wait, go-back-n and selective-repeat sliding window protocols [14]. In these models, the length of a message string and the number of retransmission rounds can be unbounded. Even in the presence of these sources of unboundedness, the protocol verification problem — formalized as an equivalence checking problem over DSSTs — is decidable.
We first review the approach in [15]. In this approach, the protocol components — sender and receiver — and the specification are modeled using deterministic string transducers. As shown in Fig. 1, the input to a sender transducer f is a sequence of strings representing messages to be transmitted as well as acknowledgements sent by the receiver where both messages and acknowledgements are bit strings. The sender's output is the sequence of encoded or corrupt messages that arrive at the receiver over the noisy channel across all rounds of transmission. That is, the noisy behavior of the channel and the protocol's retransmission logic are modeled in the output of the sender. The receiver transducer g (1) recognizes and discards corrupt messages, and (2) extracts and outputs decoded values of correctly received messages. The protocol transducer is obtained by sequential composition of the sender and receiver transducers where .
The specification transducer h captures the desired end-to-end behavior of the protocol. It requires that (1) the messages be delivered by the receiver to its client in the same order in which they were received by the sender from its client and (2) the protocol delivers exactly those messages that are positively acknowledged (not corrupted by the channel). The verification problem is posed as functional equivalence between the transducers h and p, that is, whether and for all , . Here, the output of the transducer g is the input to the client of the receiver. Another transducer can be constructed, in a similar manner, to model the acknowledgements that the receiver would generate for the sender component and verified separately.
The deterministic models presented in [15] use a fixed string ERR in the sender's output to capture the noisy behavior of the channel. As an example, suppose the input to the sender transducer is , where ♯ is the end-marker of the message string M and a is an acknowledgement. If then it is a negative acknowledgement indicating that the previously transmitted message was received incorrectly. Otherwise, it indicates correct reception. Following the approach of [15], let the sender transducer f be: and . The specification transducer is and where ϵ is the empty string. A receiver transducer and when is verified to be correct as h is equivalent to .
Now, consider a non-deterministic sender transducer such that and where is an arbitrary corrupt form of M. With this, the protocol model would deliver a corrupt message to the receiver's client. In other words, with the deterministic sender f, we cannot ascertain (1) whether the receiver g handles all forms of corrupt messages and (2) whether the protocol delivers the messages correctly in the presence of arbitrary corruption. To establish these properties, we need a non-deterministic model of the sender transducer (similar to ) that emits arbitrarily corrupt messages instead of a fixed error string.
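The following added example (not code from the paper) makes the argument above concrete for the stop-and-wait setting: a deterministic sender that emits the fixed string ERR on a negative acknowledgement passes equivalence checking against the specification with a receiver that merely filters out ERR, while a non-deterministic sender that emits an arbitrary corrupt form of M exposes that receiver. Corruption is restricted to bit strings of the same length as M (a constructed finite choice, in the spirit of bounded non-determinism in message corruption), and inputs are represented as lists of (message, ack) pairs rather than with the ♯ end-marker.

```python
from itertools import product

ERR = "ERR"  # fixed error string of the deterministic sender model (constructed stand-in)

def all_inputs(max_msgs, max_len):
    """Every sender input up to the bounds: a sequence of (bit-string message, ack) pairs."""
    msgs = ["".join(b) for n in range(1, max_len + 1) for b in product("01", repeat=n)]
    items = [(M, a) for M in msgs for a in "01"]
    for k in range(max_msgs + 1):
        for seq in product(items, repeat=k):
            yield list(seq)

def sender_det(items):
    """Deterministic sender f: a negatively acknowledged message reaches the receiver as ERR.
    Returns the single run of the transducer, as a list of channel frames."""
    return [[M if a == "1" else ERR for M, a in items]]

def sender_nondet(items):
    """Non-deterministic sender f': a negatively acknowledged message reaches the receiver as
    any corrupt form M' != M of the same length. Returns every possible run."""
    choices = []
    for M, a in items:
        if a == "1":
            choices.append([M])
        else:
            choices.append(["".join(b) for b in product("01", repeat=len(M))
                            if "".join(b) != M])
    return [list(run) for run in product(*choices)]

def receiver_err(frames):
    """Receiver g that recognises and discards only the fixed string ERR."""
    return [fr for fr in frames if fr != ERR]

def spec(items):
    """Specification h: exactly the positively acknowledged messages, in their input order."""
    return [M for M, a in items if a == "1"]

def find_violation(sender, receiver, max_msgs=2, max_len=2):
    """Check p = g o f against h on all bounded inputs. Returns None if equivalent on this
    bounded domain, else (input, channel frames, delivered, expected) for the first mismatch."""
    for items in all_inputs(max_msgs, max_len):
        expected = spec(items)
        for frames in sender(items):  # one run per non-deterministic choice of the sender
            delivered = receiver(frames)
            if delivered != expected:
                return items, frames, delivered, expected
    return None
```

With `sender_det`, `find_violation` returns `None`; with `sender_nondet` it returns a run in which a corrupted bit string is delivered to the receiver's client, which is exactly the property the fixed-ERR model cannot detect.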
In this work, we propose to use non-deterministic streaming string transducers, or NSSTs [4], for modeling the sender. NSSTs are closed under sequential composition (required to compute the protocol transducer), but equivalence checking for NSSTs is undecidable. For a sub-class of NSSTs, called functional NSSTs [4], equivalence checking is PSPACE-complete. We observe that the receiver transducer is deterministic due to the protocol semantics. Unfortunately, the sequential composition of an NSST and a DSST does not necessarily yield a functional NSST (see Section 4 for an example).
Nevertheless, we show that for the following two interesting classes of protocols, the senders and receivers have a form such that their composition is a functional NSST:
1. Bounded retransmission rounds per message: Here, the messages can be corrupted arbitrarily but each message can be retransmitted up to a certain fixed number of rounds. This class is motivated by the Philips bounded retransmission protocol (BRP) [10].
2. Bounded non-determinism in message corruption: The messages can be corrupted non-deterministically but only in finitely many ways, whereas the messages can be retransmitted an unbounded number of times.
In practice, implementations of a protocol may differ in the choice of the number of retransmission rounds or the error detection mechanism. The protocol models we construct in this paper are generic; different concrete models can be obtained by instantiating them, and each can be verified individually.
The expressive power of functional NSSTs is the same as that of DSSTs [4]. As a consequence, our results also imply that the above classes of protocols can be modeled directly as DSSTs. However, our modular approach of modeling the (non-deterministic) sender and the (deterministic) receiver separately is much simpler than modeling the end-to-end protocol directly.
Background
A non-deterministic streaming string transducer (NSST) is described by a tuple , where Q is a finite set of states, and are finite input and output alphabets respectively, X is a finite set of string variables, E is a set of transitions which is a finite subset of where A is a set of copyless assignments from X to such that for each and , x appears at most once in , F is a partial output function from Q to such that for each
Non-deterministic protocol models
We first informally describe the retransmission protocols. In a retransmission protocol, the sender receives messages to be transmitted from its client and message acknowledgements from the receiver. The sender prepends a unique sequence number (from a finite interval) to a message and maintains pending messages in a set of buffers. Pending messages are those which are transmitted by the sender but have not been positively acknowledged by the receiver so far. The set of sequence numbers
Algorithmic verification
The protocol verification problem is formalized as equivalence checking between the protocol and specification transducers. In order to obtain the protocol transducer, we sequentially compose the sender NSST and the receiver DSST. The specification transducer is a DSST. For algorithmic verification, we require the protocol transducer to be a functional NSST. In general, the sequential composition of an NSST and a DSST is not necessarily a functional NSST. For example, let and
Related work
The sender transduction f (as well as transducers p and h) performs regular look-ahead at the acknowledgements. Therefore, single-pass rational transducers cannot define f. The transduction f however is MSO-definable [8], [9]. DSSTs are finite-state descriptions of MSO-definable string (MSOS) transductions. NSSTs are equivalent to non-deterministic MSOS transductions [4].
Our models handle unbounded message bit strings. The verification problem for finite-state machines communicating
Acknowledgement
This work is funded partially by the Robert Bosch Center for Cyber Physical Systems at the Indian Institute of Science.
References (15)
- et al., Verifying programs with unreliable channels, Inf. Comput. (1996)
- et al., Value-passing CCS with noisy channels, Theor. Comput. Sci. (2012)
- Sur les relations rationnelles entre monoides libres, Theor. Comput. Sci. (1976)
- et al., Expressiveness of streaming string transducers
- et al., Streaming transducers for algorithmic verification of single-pass list-processing programs
- et al., Nondeterministic streaming string transducers
- et al., Formal methods for specification and analysis of communication protocols, IEEE Commun. Surv. Tutor. (2002)