Formal Modeling and Analysis of BitTorrent using Coloured Petri Nets
Jing LIU, Xinming YE, Tao SUN
ICT-CAS & IMU, China
2009-10-20

Post on 15-Jan-2016

TRANSCRIPT

Page 1: Formal Modeling and Analysis of BitTorrent using Coloured Petri Nets Jing LIU, Xinming YE, Tao SUN ICT-CAS & IMU, China 2009-10-20


Page 2: Outline
Motivation
Background
Modeling Architecture
Detailed Models
Model Validation and Analysis
Conclusion

Page 3: ICT-CAS
Jing LIU, a PhD candidate
Project
  National Key Technologies R&D Program of China
  integrating P2P and CDN technologies to distribute large-scale media contents fast and efficiently over Internet
  BitTorrent is utilized and improved to support the scenario that storage servers in CDN behaved as always-on-line seeds of P2P
  lasted 2 years, more than 15 members
  need an effective formal specification for easy communication and better implementation

Page 4: IMU
Xinming YE (Leader) and Tao SUN
Inner Mongolia University
Research Group: 3 Professors & 8 students
Research Topics
  Model checking based protocol verification
  FSM and Petri Nets based protocol testing, including conformance testing and interoperability testing

Page 5: This paper
A combination of Project Engineering and Theoretical Research
from Engineering perspective
  a uniform specification
  simulating protocol execution visually
  testing new algorithms before implementation
from Research perspective
  a general modeling methodology
  validate and analyze the protocol models
Modeling BitTorrent using CPN


Page 7: Related works
Most
  adopt various mathematical models to evaluate the performance of BitTorrent
  focus on the aggregate properties, such as average downloading or uploading rates, network utilization and cost, etc
Few
  focus on the functional behavior modeling in peer level, which aims to construct a formal function model of BitTorrent and validate its soundness

Page 8: Our contribution
A modeling architecture of BitTorrent
  guidance about model hierarchy, data abstraction and model refinement
A coloured Petri Nets based hierarchical model of BitTorrent
  an unambiguous and visual formal specification for different implementations
  facilitate the behaviors simulation and system properties verification
An effective model validation and analysis method
  combining simulation, state space analysis and model checking technologies
  validate the model and check whether models satisfy the key requirement properties of BitTorrent system

Page 9: BitTorrent overview
[Figure: message exchange between tracker, seeds and leechers. Labels: peer list request, peerlist, handshake, send bitmap, piece request, piece sending, piece sharing, control packet (choke/interested), report download status cyclically, peer list maintenance algorithm, peer selection algorithm, choking algorithm]
3 Entities
  Tracker
  Seed
  Leecher
2 Protocols
  Tracker Protocol
  Peer Protocol
2 Algorithms
  Piece selection
  Choking

Page 10: Modeling assumption
Only single file sharing is considered
  covers all functionalities and is more feasible for analysis
File piece is the basic sharing unit
  the similar processing behaviors as slice sharing
Some indispensable parts are omitted or simplified
  web server related processing
  Bencoding and Hash checking
  the hash value of the torrent file is used to identify each shared file instead of using the whole torrent file
  Endgame mode: does not affect the main functionalities, and avoids introducing a huge concurrent state space
  basic choking algorithm: without optimistic unchoking and anti-snubbing


Page 12: Two Hurdles
some sections in the specification do not need to be modeled
  such as the system deployment procedure or some data collection behaviors for user layer displaying. Modeling these behaviors contributes little to system functional analysis and, to make matters worse, introduces incogitable but unnecessary state space explosion.
some detailed algorithms or message interactions are not explained clearly or mentioned
  Take the choking and interesting messages for example: the trigger time and order of such message interactions are not mentioned clearly. It needs further consideration and complementarities from the perspective of design or implementation phases.

Page 13: Model Architecture (1/5)
from bottom to extract upper levels
from top to abstract lower levels
[Figure: layer stack: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]

Page 14: Model Architecture (2/5)
[Figure: layer stack: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]
focus on entire network environments, including the participating entities and their relationship from the network topology point of view
Especially, the number of different types of entities and their position in the network environments should be considered carefully.

Page 15: Model Architecture (3/5)
focuses on the execution states and their transfer relation in a specific entity, such as a peer node
As for network protocols, packet requests and responses, together with some connectivity control actions are usually modeled in this layer
[Figure: layer stack: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]

Page 16: Model Architecture (4/5)
focuses on messages interactions
As for network protocols, collecting property data, generating requests, parsing response and switching to subsequent processing are major modeling issues in this layer
[Figure: layer stack: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]

Page 17: Model Architecture (5/5)
focuses on the most detailed functionalities: maintenance of key data structures, sampling the required data, and core algorithms, etc
iteratively refine the models and avoid redundant or inaccurate modeling to relieve state space explosion
[Figure: layer stack: network topology, node behaviors, communication interactions, functional transactions, data declaration, algorithms]

Page 18: Architecture summary
It facilitates modeling system functionalities into several abstract layers, and expressing behavior details accurately and flexibly.
It is quite suitable and feasible for guiding complex system modeling. According to different modeling and analysis purposes, we could adjust the modeling scale inter-layer and inner-layer, and perform efficient analysis in suitable layers.
CPN is considered to be an effective actualization of the above modeling architecture, and the following sections demonstrate the validity of such actualization.


Page 20: Overview
[Figure: page hierarchy of the CPN model, from top through network layer, node layer, interaction layer and transaction layer to algorithm layer. Labels under Tracker: updaterec, generate. Labels under Seed: recving, sending, handleBM, checkREQ, updates. Labels under Leecher: recving, sending, choking, updates, handleBM, checkREQ, checkBM, updateRS, updateBM, updatePIC, updateHS, sendHM, rarest selection]
44 page instances (24 if replicated page instances are not counted)
assumes:
  communication infrastructure is reliable
  no vulnerabilities during protocol execution

Page 21: Data modeling
It is well-known that complex color sets will possibly result in more difficult analysis
hold the following principle
  capture the indispensable data elements
  organize them using suitable color sets to achieve both clear representation and easy operation

Page 22: Network layer
Leecher1 acts as a newly joining peer, and Leecher2 acts as an existing leecher with part of the file
These four entities compose a least topology set which could cover the whole desired functionalities of BitTorrent, and various protocol executions among these entities are already very complicated for feasible and effective model analysis.
[Figure: top-level CPN page with the four entities Leecher1, Leecher2, Seed and Index, connected through the places net31, net32, net41, net42, net51, net52 (colour set PACKET), TR1, TR2 (colour set PEERSET) and TS (colour set TS_REQ)]

Page 23: Node layer
[Figure: CPN page of the node layer. Labels recovered from the diagram:
  node names: choking (choking1), send_shake, rvm1, rvm2, recving (recving1), sending (sending1), init_shake, send_msg, recv_peers, Tracker_req
  names with colour sets: forward (PACKET), recvpk (PACKET), net52 In (PACKET), net31 In (PACKET), recv (PEERSET), shake (INDEXES), send (PACKET), pid (INDEXES), TR1 In (PEERSET), TS Out (TS_REQ), net51 Out (PACKET), net32 Out (PACKET), STATS
  guard on init_shake: [(length peerset)>0]
  inscriptions:
    (HDSKMSG(indexes2), #2 indexes, pch)
    (#1 indexes, #2 indexes, started)
    if (#2 packet)<>p3 then 1`packet else empty
    if (#2 packet)=p3 then 1`packet else empty
    hd peerset
    rmall (hd peerset) peerset
    success, indexes, indexes2, packet, peerset, m]
outline the protocol execution flows as a whole
four kinds of leecher behaviors: peer list request, peer list parsing, packets generation and sending of the peer protocol, packets receiving and parsing of the peer protocol
these behaviors interact causally and cooperatively

Page 24: Interaction layer
[Figure: CPN page of the interaction layer. Labels recovered from the diagram:
  node names: update_BM (updateBM1), update_PIC (updatePIC1), check_REQ (checkREQ1), updates (updates1), handle_BM (handleBM1), verify, parse
  guarded nodes: extract1 [#1 tmsg="bitmap"], extract2 [#1 tmsg="request"], extract3 [#1 tmsg="piece"], extract4 [#1 tmsg="have"], hashverify [(#1 hmsg)=infohash]
  names with colour sets: b1, b2, b3, b4 (TRANS_MSG), b0 (COMM_MSG), pid (PEERID), pid2 (PEERID), cmsg (MSG), tmsg (MSG), hdsk (MSG), recvpk In (PACKET), forward Out, st, PID, INDEXES, STATS
  inscriptions:
    (infohash, peerid)
    TRANSMSG(tmsg)
    COMMMSG(cmsg)
    HDSKMSG(hmsg)
    (HDSKMSG(hmsg), peerid, #2 hmsg)
    if MSG.of_COMMMSG(#1 packet) then 1`(#3 packet) else empty
    if MSG.of_COMMMSG(#1 packet) then 1`(#1 packet) else empty
    if MSG.of_TRANSMSG(#1 packet) then 1`(#1 packet) else empty
    if MSG.of_TRANSMSG(#1 packet) then 1`(#3 packet) else empty
    if MSG.of_HDSKMSG(#1 packet) then 1`(#1 packet) else empty]
focuses on the processing of protocol packets
generating requests from data fields, parsing responses and switching to subsequent processing respectively are major modeling issues
adjusting the model scale inter-layer and inner-layer is quite helpful to obtain the modest model size for feasible analysis

Page 25: Transaction layer (1/2)
[Figure: CPN page of the transaction layer. Labels recovered from the diagram:
  node names: delhave, delnull, add, del, genpk, check, storerq, storebm
  names with colour sets: n1 (STATS), n (STATS), flag (STATS), oldentry (PEERENTRY), newentry (BITMAP), temprqset (REQSET), tmpbm (UPDATEREC), REQ_SET (REQSET), forward Out (PACKET), bm In, m
  guards:
    [List.null reqset]
    [not (List.null bitmap)]
    [not (List.null reqset) andalso not (contains (#bitmaps (hd reqset)) (#3 uprec))]
    [not (List.null reqset) andalso contains (#bitmaps (hd reqset)) (#3 uprec)]
  inscriptions:
    rm pentry reqset
    if (#1 uprec) = (#file (hd reqset)) then 1`(hd reqset) else empty
    if (#1 uprec)=(#file (hd reqset)) then 1`(listsub (#3 uprec) (intersect (#3 uprec) (#bitmaps (hd reqset)))) else empty
    ins_new reqset {file=(#file pentry), bitmaps=(ins_new (#bitmaps pentry) (hd bitmap))}
    if (#1 uprec)=(#file (hd reqset)) then nil else rmall (hd reqset) reqset
    (TRANSMSG("noreq",1,[],0), pch, pch)
    (TRANSMSG("request", #1 uprec, (hd bitmap)::[], 0), #2 uprec, pch)
    uprec, reqset, pentry, bitmap, success]
fundamental page instances to model specific functionalities
requires many tradeoffs to pursue the golden section of modest model size, so iterative model refinement is significant

Page 26: Transaction layer (2/2)
[Figure: the same CPN page as on Page 25, Transaction layer (1/2)]
There often exist some seemingly concurrent actions, which could be modeled sequentially without any harm to protocol functionalities.
These behaviors are independent, and could execute concurrently or sequentially. If they are modeled as concurrent executions, many unnecessary concurrent states will be introduced, so we coercively arrange the execution order of these actions.

Page 27: Algorithm layer
[Figure: CPN page of the algorithm layer (choking). Labels recovered from the diagram:
  node names: go, send, resort, sort, store, bak
  names with colour sets: partset (BMSET), start (INT), ctl1 (INT), resultset (BMSET), num (INT), tempset, timectl (STATS), m (STATS), BM_SET (BMSETS), forward Out (PACKET)
  guards:
    [m=100]
    [not (List.null bmset) andalso (m=0 orelse m=99)]
    [not (List.null bmset) andalso m>0]
  inscriptions:
    nil, 0, m, m+1, n, bmset, bmsettmp, bmsetrult
    bmsettmp^^bmset
    rm (hd bmset) bmset
    if List.null bmset then 1`1 else empty
    if (#uprates (hd bmset))>(#uprates (hd bmsetrult)) andalso (#uprates (hd bmset))<(#uprates (hd (rev bmsetrult))) andalso m=0 then 99 else if (#uprates (hd bmset))<(#uprates (hd bmsetrult)) andalso m=99 then 100 else m
    if n=0 orelse n-1=(length bmset) orelse (#uprates (hd bmset)) >= (#uprates (hd (rev bmsetrult))) then ins bmsetrult (hd bmset) else if (#uprates (hd bmset))<= (#uprates (hd bmsetrult)) then (hd bmset)::bmsetrult else List.drop(bmsetrult, 1)
    if (#uprates (hd bmset)) > (#uprates (hd bmsetrult)) andalso n<(length bmset)+1 andalso (#uprates (hd bmset)) < (#uprates (hd (rev bmsetrult))) then n+1 else if List.null bmset then 0 else 1
    if (#uprates (hd bmset)) > (#uprates (hd bmsetrult)) andalso n<(length bmset)+1 andalso (#uprates (hd bmset)) < (#uprates (hd (rev bmsetrult))) then bmset else rm (hd bmset) bmset
    if (#uprates (hd bmset))>(#uprates (hd bmsetrult)) andalso (#uprates (hd bmset))<(#uprates (hd (rev bmsetrult))) then ins bmsettmp (hd bmset) else empty
    if m<5 then (COMMMSG("unchoke", #file (hd bmset)), #peer (hd bmset), pch) else (COMMMSG("choke", #file (hd bmset)), #peer (hd bmset), pch)]
the basic choking algorithm
the main behavior is to order the entries in BMSET according to the download rates. The first four are considered as unchoking peers and corresponding unchoke packets are sent


Page 29: Overview (1/2)
Objective
  validate the BitTorrent CPN models
  verify whether the above models satisfy the key requirement properties of the BitTorrent system, such as no out-of-order executions
Difficulties
  concurrence and intricate communication are essential characteristics of BitTorrent systems
  constructed models are so large that direct state space analysis becomes infeasible because of state space explosion

Page 30: Overview (2/2)
[Figure: analysis workflow. Labels: function units, system properties, simulation, state space analysis, model checking]
a function unit is a basic functional flow of the protocol execution; different specific initial markings can form different function units
several function units could execute sequentially or concurrently to form a more complex functionality
higher system properties are usually described in temporal logic and verified using model checking

Page 31: Analysis of function unit (1/3)
Simulation
  immediate visual feedbacks
  performed frequently to find modeling errors
Findings
  most of the concurrent behaviors existing in the model could be serialized by assigning an execution order manually
  there are still some true concurrent behaviors
[Figure: state space graph with nodes numbered 1 to 46. Caption: these traces are meaningless for analysis because of too detailed interleaving executions]
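The effect described on the Transaction layer (2/2) and Analysis of function unit (1/3) slides, as an added example that is not part of the original slides or the authors' CPN model: a small reachability explorer compares k independent actions modeled concurrently with the same actions forced into a fixed order. It uses a plain place/transition net rather than a coloured one, and the place and transition names (todo_i, done_i, ctl_i, update_i) are hypothetical.

```python
from collections import deque


def freeze(tokens):
    """Canonical, hashable form of a marking (places without tokens are dropped)."""
    return frozenset((place, n) for place, n in tokens.items() if n > 0)


def explore(initial, transitions):
    """Breadth-first state space generation for a place/transition net.

    transitions maps a name to (consume, produce), each a {place: count} dict.
    Returns (reachable markings, number of arcs, dead markings).
    """
    start = freeze(initial)
    seen, queue = {start}, deque([start])
    arcs, dead = 0, set()
    while queue:
        marking = queue.popleft()
        tokens = dict(marking)
        fired = False
        for consume, produce in transitions.values():
            if any(tokens.get(p, 0) < n for p, n in consume.items()):
                continue  # transition is not enabled in this marking
            fired = True
            arcs += 1
            successor = dict(tokens)
            for p, n in consume.items():
                successor[p] -= n
            for p, n in produce.items():
                successor[p] = successor.get(p, 0) + n
            successor = freeze(successor)
            if successor not in seen:
                seen.add(successor)
                queue.append(successor)
        if not fired:
            dead.add(marking)  # no transition enabled: a terminal state
    return seen, arcs, dead


def concurrent_net(k):
    """k independent actions, each free to fire at any time (hypothetical names)."""
    initial = {f"todo_{i}": 1 for i in range(k)}
    transitions = {
        f"update_{i}": ({f"todo_{i}": 1}, {f"done_{i}": 1}) for i in range(k)
    }
    return initial, transitions


def serialized_net(k):
    """Same actions, but a control token ctl_i forces the order 0, 1, ..., k-1."""
    initial = {f"todo_{i}": 1 for i in range(k)}
    initial["ctl_0"] = 1
    transitions = {
        f"update_{i}": (
            {f"todo_{i}": 1, f"ctl_{i}": 1},
            {f"done_{i}": 1, f"ctl_{i + 1}": 1},
        )
        for i in range(k)
    }
    return initial, transitions


def outcomes(dead):
    """Project dead markings onto the done_* places, i.e. the functional result."""
    return {frozenset(p for p, _ in m if p.startswith("done_")) for m in dead}


def compare(k):
    """State space size of both nets and whether they end in the same result."""
    c_states, c_arcs, c_dead = explore(*concurrent_net(k))
    s_states, s_arcs, s_dead = explore(*serialized_net(k))
    return {
        "concurrent": (len(c_states), c_arcs),
        "serialized": (len(s_states), s_arcs),
        "same_outcome": outcomes(c_dead) == outcomes(s_dead),
    }


if __name__ == "__main__":
    for k in (2, 4, 8):
        print(k, compare(k))
```

The concurrent net grows as 2^k markings while the serialized one needs only k+1, and both terminate with every action done, which is why the interleavings add states without adding behavior worth analysing.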

Page 32: Analysis of function unit (2/3)
function unit represents a relatively independent functional flow of protocol executions with no or controllable true concurrent behaviors
cover all paths of the model, and their sequentially or concurrently executions form all feasible functionalities of original specification
perform both simulation and state spaces based analysis to validate the reliable execution of such function unit

Page 33: Analysis of function unit (3/3)
Four Function Units:
1. Leecher1 asks Tracker for the peer list of the sharing file, and Tracker replies with a list containing Leecher2 and Seed
2. Leecher1 connects to Leecher2, and downloads one piece without further piece requests
3. Leecher1 connects to Seed, downloads two pieces, and announces to Leecher2 that it has the entire file using the piece having packet
4. Leecher1 executes the rarest first piece selection, and Seed executes the choking algorithm when receiving a piece request from Leecher1


Properties verification (1/5)

the state space generated for a function unit only contains the states that could be reached from a specific initial marking, and the size of the state space is usually not large

checking higher system properties needs the full state space to enumerate every possible execution of protocol systems

introduce a finite abstraction towards hierarchical CPN models


Properties verification (2/5)

According to modeling architecture, abstract models only cover network, node and interaction layers

interaction layers in abstract models are modeled as leaf page instances without substitution transitions, that is, replacing them with ordinary transitions

besides, abstract models will contain some new places representing key data structures, the same as that appeared in original models

[Figure: abstract CPN model page with ordinary transitions parse, hashverify, extract1 to extract3, extrc1, extrc2, sendc1, sendc2 and sendt1 to sendt4, and BITMAP fusion places]


Properties verification (3/5)

Such abstraction takes effect:

the functionalities of the original transaction layer or algorithm layer models have been validated, so the ordinary transitions could represent equal and valid functionalities as the original substitution transitions

original transaction layer models are always independent of each other in functionality except for accessing the common data structures, so we reserve these data structures in the new abstract models to keep the interaction relationship between corresponding behaviors


Properties verification (4/5)

a kind of over-approximation

if the property passes verification on the abstract models, it also holds in original detailed models

abstract model has 10 page instances in total

consider the concurrent execution of function units (2) and (3) for analysis

The full state space contains 9180 states and 22546 arcs

no home markings, no live transitions

16 dead markings: exactly correspond to different concurrent execution results.


Properties verification (5/5)

consider a situation in which a peer receives a piece without having received an unchoke message before

specify BTFormula to check that such a situation never happens

(* load the ASK-CTL library before the formula is defined *)
use (ogpath^"/ASKCTL/ASKCTLloader.sml");

(* arc predicate: binding element of transition sendc2 carrying an "unchoke" message *)
fun IsUnchoke a = (Bind.receives1'sendc2 (1, {peerid=p2, cmsg=("unchoke",1), bitmap=[1,2]}) = ArcToBE a);

(* arc predicate: binding element of transition sendt3 carrying a "piece" message *)
fun IsRecvPiece a = (Bind.receives1'sendt3 (1, {peerid=p2, tmsg=("piece", 1, [1], 0), bitmap=[]}) = ArcToBE a);

val BTFormula = INV(OR(MODAL(AF("Unchoke", IsUnchoke)), NOT(MODAL(AF("ReceivePiece", IsRecvPiece)))));

(* evaluate the formula from the initial node of the state space *)
eval_node BTFormula InitNode;
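The same kind of check can be run by explicit state-space exploration. The following is an added example, not code from the slides or from CPN Tools: a constructed two-peer toy model (the state layout, the message names and the `seed_enforces_choke` switch are assumptions) that reports states, arcs and dead markings, and returns a counterexample trace when a piece is received before any unchoke.

```python
from collections import deque
# Constructed toy model, not the CPN model from the slides. State layout:
# (leecher_phase, seed_unchoked, got_unchoke, to_seed, to_leecher); channels are FIFO tuples.
INIT = ("idle", False, False, (), ())

def successors(state, seed_enforces_choke):
    phase, seed_unchoked, got_unchoke, to_seed, to_leecher = state
    arcs = []
    if phase == "idle":                      # leecher announces interest
        arcs.append(("send_interested", ("waiting", seed_unchoked, got_unchoke, to_seed + ("interested",), to_leecher)))
    if phase == "waiting":                   # eager leecher: does not wait for unchoke
        arcs.append(("send_request", ("requested", seed_unchoked, got_unchoke, to_seed + ("request",), to_leecher)))
    if to_seed:                              # seed consumes the head of its channel
        msg, rest = to_seed[0], to_seed[1:]
        if msg == "interested":              # choking algorithm: either outcome is possible
            arcs.append(("seed_unchoke", (phase, True, got_unchoke, rest, to_leecher + ("unchoke",))))
            arcs.append(("seed_keep_choked", (phase, False, got_unchoke, rest, to_leecher)))
        elif seed_unchoked or not seed_enforces_choke:
            arcs.append(("seed_send_piece", (phase, seed_unchoked, got_unchoke, rest, to_leecher + ("piece",))))
        else:                                # request from a choked peer is discarded
            arcs.append(("seed_drop_request", (phase, seed_unchoked, got_unchoke, rest, to_leecher)))
    if to_leecher:                           # leecher consumes the head of its channel
        msg, rest = to_leecher[0], to_leecher[1:]
        if msg == "unchoke":
            arcs.append(("recv_unchoke", (phase, seed_unchoked, True, to_seed, rest)))
        else:
            arcs.append(("recv_piece", (phase, seed_unchoked, got_unchoke, to_seed, rest)))
    return arcs

def check(seed_enforces_choke):
    """Explore the full state space: (states, arcs, dead markings, violating trace or None)."""
    parent, queue = {INIT: None}, deque([INIT])
    n_arcs, dead, bad = 0, 0, None
    while queue:
        s = queue.popleft()
        out = successors(s, seed_enforces_choke)
        n_arcs += len(out)
        dead += not out                      # no enabled transition: dead marking
        for label, t in out:
            if label == "recv_piece" and not s[2] and bad is None:
                bad, node = [label], s       # s[2] is got_unchoke; rebuild the path to INIT
                while parent[node]:
                    step, node = parent[node]
                    bad.append(step)
                bad.reverse()
            if t not in parent:
                parent[t] = (label, s)
                queue.append(t)
    return len(parent), n_arcs, dead, bad
```

With the choke check in place the property holds on every path; with it removed, the returned trace shows the seed keeping the peer choked and still serving its request.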


Analysis summary

From the point of view of model validation, function unit simulation and analysis help validate the effectiveness of the protocol's detailed behaviors, and higher properties checking helps verify the satisfiability of protocol requirements

this abstraction guided checking method not only takes full advantage of sufficient validation of function units, but also makes higher properties checking practical and effective


Conclusion

BitTorrent has complex communications and concurrent behaviors, which are major hurdles for formal functional modeling and validation

utilize CPN as an effective actualization of the hierarchical modeling architecture to construct BitTorrent CPN models

simulation, state space analysis and model checking are used together at both the function unit level and the system requirement level, to validate the models, and check whether these models satisfy the requirement properties of BitTorrent


Future Research

from model perspective:

add time factors towards algorithms

improve models completeness and soundness

from methodology perspective:

optimize validation process

test case generation from CPN models


Thank you

Q & A