Formal Automated Transformation of Lotos Specifications to SDL Specifications

Hazem El-Gendy, Ph. D., P. Eng.
Faculty of Computer & Information Sciences, Misr International University, Cairo, Egypt
Tel.: +20 2 3354158, Fax: +20 2 3369686, e-mail: [email protected]

Keywords: Computer/Telecommunications protocol, Lotos, SDL, Formal Description Technique (FDT), Formal Method, Transformation, Software, Verification, Testing.

Abstract: In this paper, a formal method for automated transformation of a Lotos specification to an SDL specification is presented. The method is applicable to various Lotos specifications and to various communications protocols for various ISO OSI layers. This formal automated transformation makes future formal methods for deriving test sequences from SDL specifications immediately applicable, indirectly, to Lotos specifications: first, the transformation method is applied to generate an SDL version; then, the SDL-based derivation method is applied. This gives the best coverage of test sequences for Lotos specifications, since the formal test derivation method with the best coverage can be applied, and it also allows different test derivation methods to be compared in terms of coverage. It further facilitates alignment of ISO/IEC computer/telecommunications protocols and TSS/ITU protocols.

I. INTRODUCTION

Computer/telecommunications protocols play an important role in today's developments. The complexity of computer/telecommunications protocols and standards necessitates the use of formal methods throughout their development [1-21]. The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) have jointly developed Lotos [1] for the specification of computer/telecommunications protocols. Lotos is a high-level algebraic Formal Description Technique (FDT) that is very design oriented; therefore, it is supported by powerful methods and tools for verification.
The Telecommunications Standardization Section of the International Telecommunication Union (TSS/ITU; formerly, CCITT) has developed the Specification and Description Language (SDL) [21] for formal specification of computer/communications protocols. SDL is a Formal Description Technique (FDT) based on the Extended Finite State Machine and is therefore very implementation oriented.

To arrive at single International Standards for computer/telecommunications protocols, and to coordinate/align the computer/telecommunications protocols developed by TSS/ITU on one side and by ISO & IEC on the other, there is an urgent need to develop a common semantic model for SDL and Lotos [2,3,4,20]. This common semantic model must include a sound theory of what constitutes semantic equivalence of behavior process specifications. It must also include sound methods and tools for automated transformation of Lotos specifications to SDL specifications and the other way round. Formal transformation means transformation that is not error prone, is more cost effective and is faster [2,3,4,20].

El-Gendy has developed a theory for semantic equivalence of behavior process specifications in [2,3,4]. He has also developed a base for mapping Lotos constructs/specifications to transitional specifications in [5,19] and used it to develop formal testing methods that support full automation.

In this paper, we develop a formal method for transformation of Lotos specifications into corresponding SDL specifications. The method is supported by algorithms that facilitate full automation. This formal transformation also makes it possible to develop computer/telecommunications protocols and standards in Lotos, where verification of the designs is possible, and then to transform these designs into corresponding SDL versions, where derivation of an implementation is easier.

In the remainder of this paper, we provide an overview of the method in Section II. Then, in Section III, we develop the formal method for the construction of the SDL specification. In Section IV, we illustrate the method by an example of an ISO/IEC Transport Layer Protocol. We conclude the paper in Section V.

II. OVERVIEW OF THE METHOD & CONCEPTS

Our method is applicable to specifications that use sets of the following Lotos operators:

  a; A
  i; A
  A1 [] A2
  A1 [> A2
  A1 |[g1, .., gn]| A2
  A1 ||| A2
  A1 >> A2
  A1 || A2

The syntax and semantics of these operators are given in [1]. Our method is based on constructing a ‘data oriented’-restricted behavior tree T [19] from the given Lotos specification. After T is constructed, we construct the SDL specification from T by using an algorithm that we develop. In the subsequent sections, we describe our method in detail.

II.1. ‘Data Oriented’-Restricted Behavior Tree T & Its Characterization

El-Gendy [19] introduced the ‘Data Oriented’-Restricted Behavior Tree T. T is a tree that represents both the control flow aspects of the given Lotos specification and the corresponding data flow aspects [8,20]. It is always a tree of finite size. Each node of T stands for a Lotos behavior expression. In T, if two or more nodes stand for identical or CT Equivalent expressions, then at most one of them is not a leaf. To limit and/or reduce the size of T, we detect loops and as many CT Equivalent Lotos behavior expressions as possible. Given a Lotos specification, the corresponding ‘data oriented’-restricted behavior tree T is constructed by applying the algorithm given in [19].

II.2. Structure of T

T is constructed in a breadth-first manner, by employing a number of expansion rules. The root of T stands for the normalized form of the given Lotos behavior specification. To extend T below a node n, we explore all possible events that can be executed starting from node n. This is done by finding the rule that is applicable to the expression represented by node n and then applying this rule. The application of the selected rule generates a number of sub-expressions (not necessarily different), each identified together with the first event that precedes it. Each of the resulting sub-expressions is represented by a node that is added to the tree as a child of node n. Then, we check the identicality or CT Equivalence [2,3,4] of the expressions of these newly generated nodes against the expression of every other node currently in T. If the expression of any of the newly generated nodes is CT Equivalent to the expression of any one of the other nodes, we re-label the new node with the same label as the other node and do not extend the tree below the newly generated node, so that the newly generated node becomes a leaf in T. This limits the size of T. If the expressions of two or more of the newly generated nodes are identical or CT Equivalent, we relabel all of them with the same label and extend the tree below only one of them. Then, in a breadth-first manner, we choose the next node for further extension [8].
Each node n of T has the following:
- a label (nl),
- an expression label (el) which identifies the expression the node stands for,
- an edge label which identifies the incoming edge of node n,
- a number of pointers pointing to its children (if any), and
- a set of execution conditions for the node's children, one condition for each child.

The label of an edge (nlj, nlk) is the identifier of an event such that elj –event→ elk, where elj and elk are the expressions represented by the nodes nlj and nlk, respectively.

III. CONSTRUCTION OF SDL SPECIFICATION

After T has been constructed, the corresponding SDL Specification is constructed by using Algorithm 1 below.

ALGORITHM_1: Construct SDL Specification
i) Generate, for every distinct node in T, a corresponding SDL state;
ii) Generate, for every edge (nlj, nlk) in T from node nlj to node nlk, an SDL transition as follows:
   1. If the edge is ?a (the receiving of an interaction a), generate an SDL receive input a;
   2. If the edge is !a (the sending of an interaction a), generate an SDL send output a;
iii) For every conditional edge, generate an SDL condition checking box.
iv) End

It is important to note that Algorithm_1 covers different cases, including the representation of a Lotos internal (unobservable) event i. In such cases, the SDL transition contains neither a sending output nor a receiving input, but contains an SDL function statement.

IV. EXAMPLE FOR DERIVATION OF SDL SPECIFICATIONS

Consider the Lotos specification for the Class 0 transport protocol restricted to the case where the protocol entity is the initiator.

  process TPC0[tcreq,tdind,cr,cc,tccon,dr,ndind,tdreq,dt,tdatr,ndreq] : noexit :=
      ( [NoResources] -> ?tcreq; !tdind;
            TPC0[tcreq,tdind,cr,cc,tccon,dr,ndind,tdreq,dt,tdatr,ndreq] )
    []
      ( [Resources] -> ?tcreq; !cr;
            ( ( ?dr; !tdind; TPC0[tcreq,tdind,cr,cc,tccon,dr,ndind,tdreq,dt,tdatr,ndreq] )
            []
              ( ?cc; !tccon; exit ) )
            >> ( Data_phase[tdatr,dt] [> Disconnection_phase[tdreq,ndreq,ndind,tdind] ) )
  where
    process Data_phase[tdatr,dt] : exit :=
        ?tdatr; i; Data_phase[tdatr,dt]
      []
        ?dt; i; Data_phase[tdatr,dt]
    endproc
    process Disconnection_phase[tdreq,ndreq,ndind,tdind] : noexit :=
        ?tdreq; !ndreq; TPC0[tcreq,tdind,cr,cc,tccon,dr,ndind,tdreq,dt,tdatr,ndreq]
      []
        ?ndind; !tdind; TPC0[tcreq,tdind,cr,cc,tccon,dr,ndind,tdreq,dt,tdatr,ndreq]
    endproc
  endproc

By applying the tree construction algorithm (Algorithm_1 in [19]), we get the behavior tree shown in Figure 1.

The Lotos expressions represented by the nodes are:

  el0  := TPC0
  el1  := !tdind; TPC0
  el2  := ( !cr; ( ( ?dr; !tdind; TPC0 ) [] ( ?cc; !tccon; exit ) ) )
          >> ( Data_phase[tdatr,dt] [> Disconnection_phase[tdreq,ndreq,ndind,tdind] )
  el4  := ( ( ?dr; !tdind; TPC0 ) [] ( ?cc; !tccon; exit ) )
          >> ( Data_phase[tdatr,dt] [> Disconnection_phase[tdreq,ndreq,ndind,tdind] )
  el6  := ( !tccon; exit ) >> ( Data_phase[tdatr,dt] [> Disconnection_phase[tdreq,ndreq,ndind,tdind] )
  el7  := Data_phase[tdatr,dt] [> Disconnection_phase[tdreq,ndreq,ndind,tdind]
       := ( ?tdatr; Data_phase[tdatr,dt] [] ?dt; Data_phase[tdatr,dt] )
          [> ( ?tdreq; !ndreq; TPC0 [] ?ndind; !tdind; TPC0 )
  el10 := !ndreq; TPC0

[Figure 1 drawing not reproduced: nodes labelled el0, el1, el2, el4, el6, el7 and el10, with edges labelled NoResources->?tcreq, Resources->?tcreq, !tdind, !cr, ?cc, ?dr, !tccon, ?tdatr, ?dt, ?ndind, ?tdreq and !ndreq.]

Figure 1. The Restricted Behavior Tree for the Transport Protocol
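The following is an added example, not the paper's own code: Algorithm_1 applied to the tree T of Figure 1. The edge list is reconstructed from the node expressions el0..el10 and the figure labels (an assumption, since the drawing itself is not reproduced), and the textual rendering is an SDL/PR-like layout chosen here for readability, not a validated SDL/PR document.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Edge:
    """One edge (nlj, nlk) of T, labelled with the event in elj -event-> elk."""
    src: str                      # label of node nlj
    event: str                    # "?a" receive a, "!a" send a, "i" internal event
    dst: str                      # label of node nlk
    guard: Optional[str] = None   # Lotos guard [cond]; makes this a conditional edge


# Constructed input: the edges of Figure 1, read off the node expressions
# (assumption: Data_phase loops back to el7 on ?tdatr and ?dt).
TREE_EDGES: List[Edge] = [
    Edge("el0", "?tcreq", "el1", guard="NoResources"),
    Edge("el0", "?tcreq", "el2", guard="Resources"),
    Edge("el1", "!tdind", "el0"),
    Edge("el2", "!cr", "el4"),
    Edge("el4", "?dr", "el1"),
    Edge("el4", "?cc", "el6"),
    Edge("el6", "!tccon", "el7"),
    Edge("el7", "?tdatr", "el7"),
    Edge("el7", "?dt", "el7"),
    Edge("el7", "?tdreq", "el10"),
    Edge("el7", "?ndind", "el1"),
    Edge("el10", "!ndreq", "el0"),
]


def algorithm_1(edges: List[Edge]) -> Dict[str, List[dict]]:
    """Algorithm_1: one SDL state per distinct node, one transition per edge."""
    states = {n for e in edges for n in (e.src, e.dst)}
    sdl: Dict[str, List[dict]] = {s: [] for s in sorted(states)}   # step i)
    for e in edges:                                                 # step ii)
        t: dict = {"next": e.dst}
        if e.guard:                      # conditional edge -> condition checking box
            t["decision"] = e.guard
        if e.event.startswith("?"):      # ?a -> SDL receive input a
            t["input"] = e.event[1:]
        elif e.event.startswith("!"):    # !a -> SDL send output a
            t["output"] = e.event[1:]
        elif e.event == "i":             # internal event: no I/O, only a task statement
            t["task"] = "i"
        else:
            raise ValueError(f"unsupported edge label {e.event!r}")
        sdl[e.src].append(t)
    return sdl


def render_sdl_pr(sdl: Dict[str, List[dict]]) -> str:
    """SDL/PR-like text; a transition with no receive input becomes INPUT NONE."""
    out = []
    for state, transitions in sdl.items():
        out.append(f"STATE {state};")
        for t in transitions:
            out.append(f"  INPUT {t.get('input', 'NONE')};")
            if "decision" in t:
                out.append(f"  DECISION {t['decision']}; (true):")
            if "output" in t:
                out.append(f"  OUTPUT {t['output']};")
            if "task" in t:
                out.append(f"  TASK 'internal event {t['task']}';")
            out.append(f"  NEXTSTATE {t['next']};")
        out.append("ENDSTATE;")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_sdl_pr(algorithm_1(TREE_EDGES)))
```

Algorithm_1 as stated yields one state per tree node (el0, el1, el2, ...), which is more states than the hand-drawn Figure 2 uses; merging output-only nodes into their predecessors is a separate minimisation step that the paper does not describe.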

Applying ALGORITHM_1 of this paper to this tree generates the SDL Specification shown in Figure 2.

V. CONCLUSIONS

A formal method for automated transformation of a Lotos specification to a corresponding SDL specification has been presented. The method first derives a ‘Data Oriented’-Restricted Behavior Tree T from the given specification. Then, an algorithm is used to construct the SDL specification from the ‘Data Oriented’-Restricted Behavior Tree. A complete illustration of our technique was given on an example of a transport layer protocol.

Lotos and SDL currently use different formal methods for specifying data types. Our method focuses only on the specification of the dynamic behavior rather than the transformation of the data types. However, both the ISO Technical Groups in charge of the development/evolution of Lotos and TSS/ITU are considering adopting the ISO Abstract Syntax Notation One (ASN.1) standard for data types. ASN.1 is a very well recognized standard for data types that has been used extensively in industry. The adoption of ASN.1 will harmonize Lotos and SDL as far as data types are concerned, and will remove the need to develop an automated method to transform data types.

[Figure 2 drawing not reproduced: an SDL process diagram with states Idle, S2 and Data Trans, a decision Resources (Yes/No), and the signals TCReq, CR, TDInd, CConf, TCConf, TDatR, Dt, TDReq, NDInd and NDReq.]
Figure 2: SDL Specification of the Protocol

References

1. ISO/IEC 8807, “Information Processing Systems - Open Systems Interconnection - LOTOS - A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour”, 1992.
2. Hazem El-Gendy, H. El-Sayed, and A. Fayez, “Equivalence of Behaviour Specifications of Processes”, Proceedings of the International Conference on Telecommunications sponsored by IEEE, IEE, and URSI, Chalkidiki, Greece, 22-25 June 1998, pp. 171-175.
3. Hazem El-Gendy, Hani El-Sayed, and Abdel-Wahab Fayez, “Comparative Analysis of the Notions of Equivalence of Process Specifications”, Proceedings of the International Symposium for Computers and Communications sponsored by both IEEE Computer Society and IEEE Communications Society, Athens, Greece, June 30 - July 2, 1998, pp. 711-716.
4. Hazem El-Gendy, “A New Theory for Equivalence between Process Specifications”, Proceedings of the IEEE International Conference on Electronics, Circuits, and Systems, Rodous, Greece, October 16-18, 1996, pp. 1186-1189. Also accepted for publication in the Proceedings of the International Conference on Networks sponsored by the International Association of Science and Technology for Development (IASTED), Orlando, Florida, USA, Jan. 8-10, 1996.
5. Hazem El-Gendy, “A New Method for Deriving Test Sequences For Protocols Specified in Lotos”, Proceedings of the International Conference on Networks sponsored by the International Association of Science and Technology for Development (IASTED), Orlando, Florida, USA, January 8-10, 1996, pp. 205-208.
6. Hazem El-Gendy and Osman Abou-Rabia, “Derivation of Test Sequences for Protocols Specified in Lotos”, Proceedings of the IEEE International Conference on Electronics, Circuits, and Systems, Amman, Jordan, December 1995, pp. 220-225.
7. Hossein Saiedian, “An Invitation to Formal Methods”, IEEE Computer, April 1996, pp. 16-30.
8. Hazem El-Gendy and Hoda Baraka, “Transformation of Lotos Specifications to Estelle-Based Specifications”, Proceedings of the International Symposium on Computers & Communications sponsored by both IEEE Communications Society and IEEE Computer Society, Alexandria, Egypt, July 1-3, 1997, pp. 215-220.
9. Tommaso Bolognesi, Ferdinando Lucidi, and Sebastiano Trigila, “Converging Towards a Timed Lotos Standard”, Journal of Computer Standards & Interfaces, Vol. 16, 1994, pp. 87-118.
10. Caglan M. Aras, James F. Kurose, Douglas S. Reeves, and Henning Schulzrinne, “Real-Time Communication in Packet Switched Networks”, Proceedings of the IEEE, Vol. 82, No. 1, January 1994, Special Issue on Real-Time Systems, pp. 122-139.
11. Mihaela Sigireanu and Radu Mateescu, “Validation of the Link Layer Protocol of the IEEE-1394 Serial Bus (“FireWire”): an Experiment with E-Lotos”, INRIA Technical Report No. 3172, 1997. A short version of this report is also available in Ignac Lovrek, editor, Proceedings of the COST 247 2nd International Workshop on Applied Formal Methods in System Design, Zagreb, Croatia, June 1997.
12. Anton Dahbura and Krishan Sabnani, “Formal Methods for Generating Protocol Conformance Test Sequences”, Proceedings of the IEEE, Vol. 78, No. 8, Aug. 1990, pp. 1317-1326.
13. D. Sidhu and T. Leung, “Formal Methods for Protocol Testing: A Detailed Study”, IEEE Transactions on Software Engineering, Vol. 15, No. 4, April 1989, pp. 413-426.
14. M. Susan Bloor and Jon Owen, “Learning Lessons from Conformance Testing”, Journal of Computer Standards & Interfaces, Vol. 17, 1995, pp. 231-251.
15. Chih-Yung Chang and Shin-Chih Tu, “Active Route Maintenance Protocol for Signal-Based Communication Path in Ad Hoc Networks”, Journal of Network and Computer Applications, Vol. 25, Issue 3, July 2002, Academic Press, pp. 161-177.
16. S. Farahvash, K. Akhavan, and M. Kavehrad, “Packet Transmission Over a Fixed Wireless Loop Using Adaptive Rate Techniques”, International Journal of Wireless Information Networks, Vol. 9, No. 3, July 2002, pp. 165-178.
17. J. Q. Bao and L. Tong, “Protocol-Aided Channel Equalization in Wireless ATM”, IEEE Journal on Selected Areas in Communications, Vol. 18, No. 3, March 2000, pp. 418-435.
18. D. P. A. Greenwood and R. A. Carrasco, “Neural Networks for the Adaptive Control of Disruptive Non-Linear Network Traffic”, IEE Proceedings Communications, Vol. 147, No. 5, October 2000, pp. 285-291.
19. Hazem El-Gendy, “Testing Data Flow Aspects of Communications Protocols, Software, and Systems Specified in Lotos”, Proceedings of the International Conference on Computer Science, Software, Information Technology, e-Business, and Applications sponsored by the International Society for Computers and Their Applications, Rio de Janeiro, Brazil, June 5-7, 2003.
20. Hazem El-Gendy, “Using Formal Methods: Importance and Experience”, accepted for publication in the Proceedings of the International Conference on Computer Science, Software, Information Technology, e-Business, and Applications sponsored by the International Society for Computers & Their Applications, June 5-7, 2003.
21. TSS/ITU (CCITT) Recommendation Z.100, “Specification and Description Language SDL”, 1992.
