Formal Automated Transformation of SDL Specifications to Lotos Specifications

Hazem El-Gendy, Ph. D., P. Eng.
Ministry of Endowments of Egypt, Cairo, Egypt
Voice Tel. & Fax: +20 2 23936088
e-mail: [email protected]

Dr. Nabil El Kadhi
Prof. Comp. Science, EpiTech
14/16 Rue Voltaire 94270 Kremelin Bicetre, France
email: [email protected]

Keywords: Formal Description Techniques, SDL, Lotos, Computer/Communications Protocols, Specification, Distributed Real Time Systems, Formal Methods, Common Semantic Model, Verification, Testing.

Abstract: In this paper, a formal method for automated transformation of an SDL specification into a corresponding Lotos specification is presented. The method is applicable to various SDL specifications and to various communications protocols for various ISO (International Standards Organization) OSI (Open Systems Interconnections) layers. This formal automated transformation facilitates immediate indirect applicability of future formal methods for derivation of testing sequences for Lotos specifications to SDL specifications. Firstly, the formal automated transformation method is applied to generate a Lotos version. Then, the Lotos-based derivation method is applied. This facilitates the best coverage of the testing sequences for SDL specifications as the formal test derivation method with the best coverage can be applied. This also facilitates comparison of various test derivation methods in terms of coverage. We develop an algorithm for constructing the Lotos specifications.

I. Introduction

The role of distributed systems, such as computer and telecommunications protocols and systems, is fast increasing. The diverse range of their applications is associated with a surge in their numbers and diversity [1-20]. Furthermore, there is increasing demand to significantly reduce the time to go from the idea of a protocol to its design and specification and then to its implementation. This in turn has increased the need for rigorous methods for the development life cycle. The development life cycle includes the specification, the design, the verification of the designs, the implementation of the designs, and the testing of the implementations. This motivated the development of formal methods for all of these phases [14].

A formal method has the following advantages over intuitive methods:

1) Less error prone.
2) Less time consuming.
3) Less costly because it is less time consuming and can be applied by less qualified experts (sometimes can be applied by a software program).
4) Facilitates analysis of the method for correctness, coverage, applicability, and efficiency. This facilitates extensibility of the method.

ISO (International Standardization Organization) and IEC (International Electromechanical Committee) have jointly developed the Lotos [1] Formal Description Technique (FDT) for formal specification of computer/telecommunications protocols and distributed systems in general. Lotos is a relatively high level FDT that is design oriented due to its support of parallel composition constructs and different abstraction levels. Also, verification of the designs developed in Lotos is relatively easy due to the previous point and the support of tools for verification. However, implementing Lotos specifications is relatively less easy [8,19,20].

On the other hand, the Telecommunications Standardization Section of the International Telecommunications Union (TSS/ITU; formerly, CCITT) has developed SDL (Specification and Description Language) [21]. SDL is a relatively low level FDT where the concept of a state is explicitly specified. Consequently, implementing SDL specifications is relatively easier and testing these implementations is also relatively easier [14, 17, 19].

Furthermore, there is an increasing demand to arrive at truly universal standards. Consequently, there is a requirement that every computer/telecommunications protocol standard developed be formally specified in both Lotos and SDL. Member countries can develop their own computer/telecommunications products and national standards based on either Lotos or SDL. This raises the major concern that one has to ensure the consistency between these two versions of the computer/telecommunications standard: the Lotos-based version and the SDL-based version.

Nevertheless, with the large number of ISO/IEC computer/telecommunications standards developed and expected to be developed, using intuitive methods to transform an SDL-based standard into its corresponding Lotos-based standard is too time consuming and too expensive [14, 16]. Such needed transformations used to be done intuitively [16]. Wu et al [16] developed a formalization of Lotos and Estelle specifications to Extended Transition Systems. The formalization does not apply to specifications that involve recursion or different parallel composition operators. Also, it is based on the work on canonical testers which has been proven in [16] to be circular and suffers from fundamental problems. Furthermore, it does not address the generation of a specific Estelle specification corresponding to a specific Lotos specification.

In this paper, we develop a formal method for transformation of any specific SDL specification into a corresponding Lotos specification. Our method is supported by algorithms that facilitate full automation of the transformation.

The rest of this paper is organized as follows. An overview of the method is given in Section II. In Section III, we develop our method for the construction of the Lotos specification. We demonstrate the method by applying it to a real protocol in Section IV. Section V concludes the paper.

II. Overview of the Method and Concepts

The method has three phases:

- Map & Determine Lotos Processes: In this phase, we develop a mapping from SDL constructs/building blocks to Lotos behavior blocks to determine the number of Lotos behavior processes (expressions) to be used in the Lotos-based specification. The main SDL building block is the “state” while the corresponding Lotos building block is the “process”.

- Transform Specification: In this phase, a transformation method is applied to produce the specifications of the Lotos-behavior processes (expressions).

- Designate the origin of the specification.

III. Transformation of the SDL Specifications into Lotos Specifications

In this Section, we develop our method for the construction of the Lotos specifications.

III.1 Mapping and Determination of the Lotos-Behavior Processes

The author has pointed out in [4] the mutual mapping of a Lotos-behavior expression and an FSM/EFSM state. So, to determine the Lotos-behavior processes, we have:

Rule I: For every SDL-based state, generate a corresponding Lotos-behavior process.

Also, it is desirable, for purposes of implementation as well as verification and testing, that the given SDL-based specification be a minimal specification, meaning that it is constructed using the minimum number of states. States should represent a logical meaning in the protocol and the protocol design should not include multiple different but equivalent states (duplicates of states) [14]. Logical here means that every process represents a logical meaning in the functionality of the protocol design.

III.2. Transformation of an Estelle Specification into a Lotos Specification

In this Section, we develop a formal method to transform a given SDL-based specification into a Lotos-based specification. The method uses Algorithm_Generate_Specification, which facilitates full automation. The algorithm has three phases. In the first phase, we determine the number of Lotos behavior processes to be used. Then, the formal behavior descriptions of these processes are generated in the second phase. The third phase identifies the origin of the Lotos specification. A Lotos event represents either an Input interaction or an Output interaction and not both. An SDL transition may represent an Input interaction or an Output interaction.

Algorithm_Generate_Specification:

Phase I "Generate the Number and Names of the Lotos Behavior Processes in the Lotos Behavior Specification": Using Rule I, generate the number of Lotos processes of the Lotos specification equal to the number of SDL states.

Phase II "Generate the Behavior Specifications of the Lotos Processes":

For every SDL state $s$ DO

1) For every outgoing set of transitions $t_j = io_1\, io_2 \ldots io_n$ from state $s$ to state $s'$ DO

$$ss_k := \mu_1 io_1;\ \mu_2 io_2;\ \ldots;\ s'$$

where

$$\mu_l = \begin{cases} ? & \text{if } io_l \text{ is an input interaction} \\ ! & \text{if } io_l \text{ is an output interaction} \end{cases}$$

2) If $io_1$ is preceded by the positive ("Yes") result of a condition $c$, replace $\mu io_1$ by $c \rightarrow \mu io_1$.

3) If $io_1$ is preceded by the negative ("No") result of a condition $c$, replace $\mu io_1$ by $\neg c \rightarrow \mu io_1$, where $\neg c$ is the complement of $c$.

4) If state $s$ has more than one sub-sequence ($k > 1$) then $s = ss_1\ []\ ss_2\ []\ \ldots\ []\ ss_k$, where [] is the Lotos choice operator.

End Do
End Do

Phase III "Designate the origin of the specification": Set the Lotos behavior process specification that corresponds to the root of the SDL specification to be the origin of the Lotos specification.

As the number of SDL states and transitions in any SDL diagram is finite, the above algorithm is guaranteed to terminate. Consequently, it generates the Lotos specification in finite time. Furthermore, it does not require any human interaction and consequently facilitates full automation. Moreover, it does not impose any restrictions on any of the SDL constructs and consequently the applicability of the method is as wide as the applicability of SDL; consequently, it can be applied to various computer/communications protocols.

IV. Example

In this Section, we demonstrate the method by illustrating the application of the method to a real protocol: an ISO Transport Layer Protocol class 0 for the case of the initiator of establishing a connection. The protocol is as given by the SDL diagram in Figure 1.

[Figure 1: SDL Specification of TPC0 for the Initiator. Labels recoverable from the diagram: states Start, Wait, and Data; decision R with Yes/No branches; signals tcreq, cr, cc, dr, tccon, tdind, ndind, tdatr, tdat, tdreq, ndreq.]

The given SDL specification has 3 states: Start, Wait, and Data. Consequently, the corresponding Lotos specification has 3 processes: Start, Wait, and Data; this is the result of applying Phase I of the algorithm. Applying Phase II of the algorithm to state "Start", for example, produces the following:

    ss1 := ?tcreq; !ndind; Start        (applying step 1)
    ss2 := ?tcreq; !cr; Wait            (applying step 1)

Then, we get the following by applying steps 2 and 3:

    ss1 := ¬R → ?tcreq; !ndind; Start   (applying step 3)
    ss2 := R → ?tcreq; !cr; Wait        (applying step 2)

But the given specification has two outgoing sequences of state Start; consequently, we have:

    Start := R → ?tcreq; !cr; Wait
             []
             ¬R → ?tcreq; !ndind; Start

Applying the algorithm fully to the given SDL specification, one gets the following corresponding Lotos Specification:

    Start := R → ?tcreq; !cr; Wait
             []
             ¬R → ?tcreq; !ndind; Start

    Wait  := ?cc; !tccon; Data
             []
             ?dr; !tdind; Start

    Data  := ?tdatr; Data
             []
             ?dt; Data
             []
             ?ndind; !tdind; Start
             []
             ?tdreq; !ndreq; Start
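The three phases of the algorithm in Section III.2, applied to the TPC0 initiator, as an added Python example that is not code from the paper. The Transition record, the "in"/"out" tags and the dictionary encoding of the SDL diagram are assumptions made for illustration; the TPC0 table is constructed from the transitions listed in the resulting specification above, and rejecting malformed models is an addition the paper does not discuss.

```python
# Added example (not from the paper): Algorithm_Generate_Specification in Python.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Transition:
    """One outgoing SDL path of a state (hypothetical encoding)."""
    interactions: Tuple[Tuple[str, str], ...]   # (("in" | "out", name), ...)
    target: str                                 # next state s'
    condition: Optional[str] = None             # decision name, e.g. "R"
    branch: Optional[bool] = None               # True = "Yes", False = "No"

def render_sequence(t: Transition) -> str:
    """Phase II, steps 1-3: build one sub-sequence ss_k."""
    if not t.interactions:
        raise ValueError("a transition needs at least one interaction")
    events = []
    for kind, name in t.interactions:
        if kind not in ("in", "out"):
            raise ValueError(f"unknown interaction kind: {kind!r}")
        events.append(("?" if kind == "in" else "!") + name)    # step 1
    body = "; ".join(events + [t.target])
    if t.condition is None:
        return body
    if t.branch is None:
        raise ValueError("a guarded transition must name the Yes/No branch")
    guard = t.condition if t.branch else "¬" + t.condition      # steps 2 and 3
    return f"{guard} → {body}"

def generate_specification(sdl: dict, root: str):
    """Return (origin process, {process name: behaviour expression})."""
    if root not in sdl:
        raise ValueError(f"root state {root!r} is not defined")
    processes = {}
    for state, transitions in sdl.items():      # Phase I: one process per state
        if not transitions:                     # not covered by the paper
            raise ValueError(f"{state}: no outgoing transitions")
        for t in transitions:
            if t.target not in sdl:             # dangling target: malformed model
                raise ValueError(f"{state}: unknown target state {t.target!r}")
        # Step 4: join the sub-sequences with the Lotos choice operator [].
        processes[state] = " [] ".join(render_sequence(t) for t in transitions)
    return root, processes                      # Phase III: root is the origin

# Constructed input: the TPC0 initiator, transcribed from the paper's result.
TPC0 = {
    "Start": [
        Transition((("in", "tcreq"), ("out", "cr")), "Wait", "R", True),
        Transition((("in", "tcreq"), ("out", "ndind")), "Start", "R", False),
    ],
    "Wait": [
        Transition((("in", "cc"), ("out", "tccon")), "Data"),
        Transition((("in", "dr"), ("out", "tdind")), "Start"),
    ],
    "Data": [
        Transition((("in", "tdatr"),), "Data"),
        Transition((("in", "dt"),), "Data"),
        Transition((("in", "ndind"), ("out", "tdind")), "Start"),
        Transition((("in", "tdreq"), ("out", "ndreq")), "Start"),
    ],
}

if __name__ == "__main__":
    origin, procs = generate_specification(TPC0, "Start")
    print("origin:", origin)
    for name, expr in procs.items():
        print(f"{name} := {expr}")
```

Each state is visited once and each transition is rendered once, which is the finite-termination argument of Section III.2 in executable form.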

V. Conclusions

A formal method for automated transformation of an SDL specification into a corresponding Lotos specification has been presented. The method is supported by an algorithm that facilitates full automation. Consequently, the method is much less error prone than current intuitive methods and saves a lot of time and cost for the transformation. The scope of applicability of the method is as wide as the scope of applicability of the SDL itself. Consequently, the method can be applied to various SDL protocols.

The method has applications in protocol verification where Lotos Formal Description Technique facilitates protocol verification and is supported by tools for protocol verification. Consequently, protocols designed and specified in SDL can be transformed into corresponding Lotos specifications and the latter versions are verified for consistency and correctness of the design of the protocol. Also, methods for the automated derivation of testing sequences to test the implementations of the protocols and that are developed for Lotos are now instantly available to SDL specification.

Lotos and SDL currently use different formal methods for specifying data types. Our method focuses only on the specification of the dynamic behavior rather than the transformation of the data types. However, both ISO Technical Group in charge of the development/evolution of Lotos and TSS/ITU Technical Group in charge of the development of SDL are considering adopting the ISO Abstract Syntax Notation 1 (ASN.1) standard for data types. ASN.1 is a very well recognized standard for data types that has been used extensively in the industry. The adoption of ASN.1 will harmonize both Lotos and SDL, as far as data types are considered, and result in no need to develop an automated method to transform data types.

References

1. ISO/IEC 8807, “Information processing Systems - Open Systems Interconnection - LOTOS A Formal Description Technique Based on Temporal Ordering of Observational Behaviour”, 1992.
2. Hazem El-Gendy, “A New Theory for Equivalence between Process Specifications”, Proceedings of the IEEE International Conference on Electronics, Circuits, and Systems, Rodous, Greece, October 16-18, 1996, pp. 1186-1189. Was also accepted for Publications in the Proceedings of the International Conference on Networks sponsored by the International Association of Science and Technology for Development (IASTED), Orlando, Florida, USA, Jan. 8-10, 1996.
3. Hossein Saiedian, “An Invitation to Formal Methods”, IEEE Comp., April 1996, pp. 16-30.
4. Hazem El-Gendy, and Hoda Baraka, “Transformation of Lotos Specifications to Estelle-Based Specifications”, Proceedings of the International Symposium on Computers & Communications sponsored by both IEEE Communications Society and IEEE Computer Society, Alexandria, Egypt, July 1-3, 1997, pp. 215-220.
5. Tommaso Bolognesi, Ferdinando Lucidi, Sebastiano Trigila, “Converging Towards a Timed Lotos Standard”, Journal of Computer Standards & Interfaces, Vol. 16, 1994, pp. 87-118.
6. Caglan M. Aras, James F. Kurose, Douglas S. Reeves, and Henning Schulzrinne, “Real-Time Communication in Packet Switched Networks”, Proceedings of the IEEE, Vol. 82, No. 1, January 1994, Special Issue on Real-Time Systems, pp. 122-139.
7. Mihaela Sigireanu and Radu Mateescu, “Validation of the Link Layer Protocol of the IEEE1394 Serial Bus (“FierWire”): an Experiment with E-Lotos”, INRIA Technical Report No. 3172, 1997. A short version of this report is also available in Ignac Lovrek, editor, Proceedings of COST 247 2nd International Workshop on Applied Formal Methods in System Design, Zagreb, Croatia, June 1997.
8. Anton Dahbura and Krishan Sabnani, “Formal Methods for Generating Protocol Conformance Test Sequences”, Proceedings of the IEEE, Vol. 78, No. 8, Aug. 1990, pp. 1317-1326.
9. M. Susan Bloor and Jon Owen, “Learning Lessons from Conformance Testing”, Journal of Computer Standards & Interfaces, Vol. 17, 1995, pp. 231-251.
10. Chih-Yung Chang and Shin-Chih Tu, “Active Route-Maintenance Protocol for Signal-Based Communication Path in ad hoc Networks”, Journal of Network and Computer Applications, Vol. 25, Issue 3, July 2002, Academic Press, pp. 161-177.
11. S. Farahvash, K. Akhavan, and M. Kavehrad, “Packet Transmission Over a Fixed Wireless Loop Using Adaptive Rate Techniques”, International Journal of Wireless Information Networks, Vol. 9, No. 3, July 2002, pp. 165-178.
12. J. Q. Bao and L. Tong, “Protocol-Aided Channel Equalization in Wireless ATM”, IEEE Journal on Selected Areas in Communications, Vol. 18, No. 3, March 2000, pp. 418-435.
13. D. P. A. Greenwood and R. A. Carrasco, “Neural Networks for the Adaptive Control of Disruptive Non-Linear Network Traffic”, IEE Proceedings Communications, Vol. 147, No. 5, October 2000, pp. 285-291.
14. Hazem El-Gendy, “Using Formal Methods: Importance and Experience”, International Journal on Computing Methods in Science and Engineering, Published in Greece, 2005.
15. Gregor Bochmann, “Specifications of a Simplified Transport Protocol Using Different Formal Description Techniques”, Technical Report #623, Department D’Informatique, University De Montreal, April 1987. Also in the Journal of Computer Networks and ISDN Systems, Vol. 18, No. 5, 1990, pp. 335-377.
16. Jian-Ping Wu and Samuel T. Chanson, “Translation from Lotos and Estelle Specifications to Extended Transition System and Its Verification”, Proceedings of IFIP Forte 89, Vancouver, B. C., Canada, Dec. 1989.
17. Hazem El-Gendy, Hani El-Sayed, and Abdel-Wahab Fayez, “Transformation of Estelle Specification into Lotos Specifications”, Proceedings of the 13th International Conference on Computers and Their Applications Sponsored by the International Society for Computer and Their Applications, Honolulu, Hawaii, USA, March 25-27, 1998, pp. 82-84.
18. Hazem El-Gendy, “Formal Method for Automated Transformation of Lotos Specifications to Estelle Specifications”, International Journal of Software Engineering & Knowledge Engineering, USA, Vol. 15, No. 5, October 2005, pp. 1-19.
19. Hazem El-Gendy, “Formal Automated Transformation of Lotos Specifications into SDL Specifications”, Proceedings of the 8th World Multi-conference on Systemics, Cybernetics, and Informatics sponsored by the International Institute of Informatics and Systemics (IIIS), Orlando – Florida, USA, July 18-21, 2004.
20. Hazem El-Gendy, "Study of the Characteristics of CT-Equivalence with Proves", Journal of Computational Methods in Sciences and Engineering, Volume 6, Numbers 5, 6, 2006, pp. 171-179.
