Towards a Model Checker for NesC and Wireless Sensor Networks Manchun Zheng 1, Jun Sun 2, Yang Liu 1, Jin Song Dong 1, and Yu Gu 2 1 National University.

Presentation transcript:

Towards a Model Checker for NesC and Wireless Sensor Networks Manchun Zheng 1, Jun Sun 2, Yang Liu 1, Jin Song Dong 1, and Yu Gu 2 1 National University of Singapore 2 Singapore University of Technology and Design

NUS Presentation Title 2006 Towards a Model Checker for NesC and Wireless Sensor Networks

Background: Wireless Sensor Network (WSN)
 Sensor code: TinyOS applications (NesC programs).
 Wireless communication: unicast, broadcast, dissemination, etc.
 Sensor device: light, temperature, movement, etc.
 Applications: real-time transportation, medical devices, military and security supervision, fire detection, etc.

Background: TinyOS [1]
 Widely used in the WSN community
 Designed to run on small, wireless sensors
 Lightweight operating system
 Concurrent, interrupt-driven execution model
 Component libraries for device-related operations
[1] D. Gay, P. Levis, D. E. Culler: Software design patterns for TinyOS. ACM Trans. Embedded Comput. Syst. 6(4), 2007.

Background: TinyOS interrupt-driven execution model (figure)

Background: NesC (Nested C) [2]
 An extension of C
 Component-based programming model
 Concepts of commands, events, tasks, etc.
 Operations are split-phase
Are NesC implementations reliable?
[2] D. Gay, P. Levis, J. R. von Behren, M. Welsh, E. A. Brewer, D. E. Culler: The nesC language: A holistic approach to networked embedded systems. PLDI 2003: 1-11.

Motivation: Traditional approaches
 Simulation: TOSSIM [3]
   Good for analysing an execution, but unable to find an error/bug automatically.
 Testing/Debugging
   Able to find bugs, but highly restricted by the test cases.
 Limitations
   Unable to find all errors/bugs in all possible scenarios, e.g., the code shown on the example slides.
[3] P. Levis, N. Lee, M. Welsh, and D. E. Culler. TOSSIM: Accurate and Scalable Simulation of Entire TinyOS Applications. In SenSys. ACM, 2003.

A motivating example: Tricky code

    result_t tryNextSend() {
        atomic {
            if (!sendTaskBusy) {
                post sendTask();
                sendTaskBusy = TRUE;
            }
        }
        ...
    }

    task void sendTask() {
        ...
        sendTaskBusy = FALSE;
        ...
    }

1. The task sendTask() will be scheduled to execute at a later time.
2. sendTaskBusy is reset to FALSE in the task sendTask().
Is there any bug in this method?

A motivating example: Tricky code

    result_t tryNextSend() {
        atomic {
            if (!sendTaskBusy) {
                post sendTask();
                sendTaskBusy = TRUE;
            }
        }
        ...
    }

    task void sendTask() {
        ...
        sendTaskBusy = FALSE;
        ...
    }

YES! If post sendTask() fails, the task will never be executed, and thus sendTaskBusy remains TRUE forever.

A motivating example: Tricky code

Testing, simulation and debugging can hardly reach the scenario in which post sendTask() fails. This requires a technique that automatically explores all possible system states.

Original (buggy) version:

    result_t tryNextSend() {
        atomic {
            if (!sendTaskBusy) {
                post sendTask();
                sendTaskBusy = TRUE;
            }
        }
        ...
    }

Corrected version, setting the flag only when the post actually succeeded:

    result_t tryNextSend() {
        atomic {
            if (!sendTaskBusy) {
                if (SUCCESS != post sendTask())
                    sendTaskBusy = FALSE;
                else
                    sendTaskBusy = TRUE;
            }
        }
        ...
    }

Motivation: Model Checking
 Determining whether a model satisfies a property by exhaustive search.
 Model Checker: Model + Property, output: Violation!
 E.g., []( sendTaskBusy -> <>!sendTaskBusy ): whenever sendTaskBusy is true, it will eventually be reset to false.
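An added example, not code from the slides or from PAT: a small C model of the two tryNextSend() variants above. The TinyOS scheduler is abstracted to a single "task pending" flag (a constructed simplification), post is allowed to fail nondeterministically, and a bounded exhaustive search over every interleaving reports whether a state is reachable in which sendTaskBusy can never be reset, i.e. whether []( sendTaskBusy -> <>!sendTaskBusy ) is violated.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed abstraction of one sensor: the sendTaskBusy flag and
   whether a sendTask() is currently queued in the scheduler. */
typedef struct { bool busy; bool pending; } State;

/* Buggy variant from the slides: the flag is set whether or not the post succeeded. */
static State try_send_buggy(State s, bool post_ok) {
    if (!s.busy) {
        if (post_ok) s.pending = true;   /* post sendTask() */
        s.busy = true;                   /* sendTaskBusy = TRUE; */
    }
    return s;
}

/* Corrected variant: the flag mirrors the outcome of the post. */
static State try_send_fixed(State s, bool post_ok) {
    if (!s.busy) {
        if (post_ok) { s.pending = true; s.busy = true; }
        else s.busy = false;             /* SUCCESS != post sendTask() */
    }
    return s;
}

/* The scheduler runs a queued sendTask(), which resets sendTaskBusy. */
static State run_task(State s) {
    if (s.pending) { s.pending = false; s.busy = false; }
    return s;
}

/* Bounded exhaustive search over every interleaving of the three actions
   {tryNextSend with post succeeding, tryNextSend with post failing, run
   scheduler}. A state with busy set and nothing pending can never reset
   busy again, so reaching it violates []( busy -> <> !busy ). */
static bool stuck_reachable(State (*try_send)(State, bool), State s, int depth) {
    if (s.busy && !s.pending) return true;
    if (depth == 0) return false;
    return stuck_reachable(try_send, try_send(s, true), depth - 1)
        || stuck_reachable(try_send, try_send(s, false), depth - 1)
        || stuck_reachable(try_send, run_task(s), depth - 1);
}

int main(void) {
    State init = { false, false };
    printf("buggy: %s\n", stuck_reachable(try_send_buggy, init, 6) ? "liveness violated" : "ok");
    printf("fixed: %s\n", stuck_reachable(try_send_fixed, init, 6) ? "liveness violated" : "ok");
    return 0;
}
```

The state space here has only four states, so a depth bound of 6 already covers every reachable state; a real model checker would track a visited set instead of a bound.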

Our Approach: A systematic, self-contained model checker for WSNs
 Generates an LTS from NesC source code directly
 Supports both safety and liveness properties
 Conducts a complete search
 Built as the NesC module in PAT
PAT [4]
 A self-contained framework for developing model checkers
 Supports concurrent, real-time and probabilistic systems
 Simulation, verification
[4] Y. Liu, J. Sun, and J. S. Dong. Developing Model Checkers Using PAT. In ATVA, Singapore. Springer.

PAT Architecture Design (figure)

Challenges
 Complex syntax and semantics of NesC: no existing formal semantics of the NesC language
 Hardware services of TinyOS, e.g., messaging, sensing, etc.
 The interrupt-driven execution model of TinyOS introduces local concurrency between tasks and interrupts

Features
 Fully automatic and domain-specific for NesC and WSNs
 Two levels of concurrency: network and sensor levels
 Safety & liveness (temporal) properties, e.g., a buffer is released infinitely often
 Low-level safety properties, e.g., access to a null pointer, array index overflow, etc.
Contributions
 Define formal operational semantics for WSNs and NesC
 Fully automated, dealing with NesC code directly
 Verification of a large range of properties

Overview (figure)

Formalization of WSNs
 Semantic model of a WSN: sensor model, WSN model
 Operational semantics: NesC/C language constructs; interrupt-driven feature; networked feature (concurrency, communication)

Case study: Trickle [5]
 An algorithm for propagating and maintaining code updates in a WSN
 Each node
   periodically broadcasts its version to its neighbours;
   stays quiet if it has received an identical version;
   broadcasts its code if it has heard an older version.
Figure: three nodes A, B, C. "My code version is 5." "I received an older version, so I send my code." "I received the same version, so I do nothing."
[5] P. Levis, N. Patel, D. E. Culler, S. Shenker: Trickle: A Self-Regulating Algorithm for Code Propagation and Maintenance in Wireless Sensor Networks. NSDI 2004.

Trickle: Desirable property
 If a node is reachable in the network, then it should always eventually be updated with the latest code.
Code structure of the NesC implementation
 Top-level configuration: TrickleAppC.nc
 Implementation of Trickle: TrickleC.nc

Verifying Trickle: three sensors, each running the application TrickleAppC (Sensor1, Sensor2, Sensor3).

Deploying WSNs: three topologies: single-track ring, ring, star.

Verification Goals
 Definition of states

    #define FalseUpdate Sensor1.App.data == 0; //0 is the newest data.
    #define UpdateA Sensor1.App.data == 1; //1 is the newest data.
    #define UpdateB Sensor2.App.data == 1;
    #define UpdateC Sensor3.App.data == 1;
    #define AllUpdate UpdateA && UpdateB && UpdateC;

 Properties
   Safety properties

    #assert SensorNetwork deadlockfree; //default property
    #assert SensorNetwork never FalseUpdate;

   Temporal properties (liveness)

    #assert SensorNetwork |= []<> (UpdateA && UpdateB && UpdateC);

   Always eventually all three nodes get updated.

Experimental Results (table)

Experimental Results: the liveness property is violated by the SRing WSN!

Buggy scenario: single-tracked ring (figure: nodes A, B, C; version channel, code channel, data link; one node is never updated)

Real execution on Iris motes
 Comparison with real execution on motes: Trickle has been executed on Iris motes
 Three nodes, with the three topologies: single-tracked ring, ring, star
 Videos

Discussion & Future Work
 Scalability
   Reasons: two-level concurrency, complex behaviours
   Reduction techniques: partial order reduction, symmetry reduction, etc.
   Symbolic model checking: BDD encoding
 Timed feature
   Currently, timing information is abstracted away
   Introduce a system timer without increasing the state space too much
 Large case study
   Collection Tree Protocol implementation (hundreds of components)

Thank you