
Semantic Models and Model Checking

are synchronised on events lying in the intersection of their alphabets. For instance, the process $P\ [\alpha P \parallel \alpha Q]\ Q$ executes $P$ and $Q$ in parallel, synchronising them on the events in $\alpha P \cap \alpha Q$. Finally, $\parallel_{x \in X} [\alpha P(x)]\ P(x)$ denotes the replicated alphabetised parallel composition, which runs the processes $P(x)$, $x \in X$, in parallel, each event being synchronised by all the processes whose alphabet $\alpha P(x)$ contains it.

3.2.3 Abstraction Methods

For the analysis of the cryptographic protocols in this thesis, two abstraction methods are employed: hiding and relational renaming. Hiding removes certain events from the view of the environment, turning them into internal actions that are invisible to an external observer: in the process $P \setminus X$, the events of $X$ are hidden from the environment and occur as internal ($\tau$) events. In relational renaming, the process $P[\![a/b]\!]$ behaves as $P$ except that every occurrence of the event $b$ is replaced by the event $a$. As a characteristic example, consider the process $Z = (a \to P)\ \square\ (c \to Q)$. The renaming $Z[\![b/a]\!]$ yields the process $((a \to P)\ \square\ (c \to Q))[\![b/a]\!] = (b \to P)\ \square\ (c \to Q)$. Apart from one-to-one substitution, multiple substitutions (renamings) are allowed, such as the one-to-many $P[\![b,c/a,a]\!]$, where $a$ maps to both $b$ and $c$, and the many-to-one $P[\![b,b/a,c]\!]$, where $a$ and $c$ both map to $b$.

3.3 Semantic Models and Model Checking

There is a wide range of semantic models for CSP that describe process behaviours. In this thesis the Traces model, $\mathcal{T}$, and the Failures-Divergences model, $\mathcal{FD}$, are used. For full details regarding them the reader is referred to [Ros98, Sch99, RRS+01, Ros10].

3.3.1 Traces Model

The Traces model, $\mathcal{T}$, represents a process by the set of finite sequences of visible events that it may perform. The only trace of the STOP process is the empty sequence $\langle\rangle$, written $\mathrm{traces}(STOP) = \{\langle\rangle\}$. The concatenation of two traces $tr_1$ and $tr_2$ is denoted $tr_1 \hat{} tr_2$. More generally, a trace may be written

all traces is:

$$\mathrm{traces}(CALL) = \{\ \langle\rangle,\ \langle \mathit{turnPhoneOn}\rangle,\ \langle \mathit{turnPhoneOn}, \mathit{chooseContact}\rangle,\ \langle \mathit{turnPhoneOn}, \mathit{chooseContact}, \mathit{speak}\rangle,\ \langle \mathit{turnPhoneOn}, \mathit{chooseContact}, \mathit{speak}, \mathit{hangUp}\rangle,\ \ldots\ \}$$

The processes $(a \to STOP)\ \square\ (b \to STOP)$ and $(a \to STOP) \sqcap (b \to STOP)$ have the same traces, $\{\langle\rangle, \langle a\rangle, \langle b\rangle\}$, although they exhibit different behaviours. Some of the rules of the Traces model, as presented in [Ros10], are shown in Table 3.2.

$$\begin{aligned}
\mathrm{traces}(SKIP) &= \{\langle\rangle, \langle\checkmark\rangle\} \\
\mathrm{traces}(a \to P) &= \{\langle\rangle\} \cup \{\langle a\rangle \hat{} s \mid s \in \mathrm{traces}(P)\} \\
\mathrm{traces}(P\ \square\ Q) &= \mathrm{traces}(P) \cup \mathrm{traces}(Q) \\
\mathrm{traces}(P \sqcap Q) &= \mathrm{traces}(P) \cup \mathrm{traces}(Q) \\
\mathrm{traces}(P \lhd b \rhd Q) &= \mathrm{traces}(P) \text{ if } b \text{ is true, else } \mathrm{traces}(Q) \\
\mathrm{traces}(P \parallel Q) &= \mathrm{traces}(P) \cap \mathrm{traces}(Q) \\
\mathrm{traces}(P \setminus X) &= \{s \setminus X \mid s \in \mathrm{traces}(P)\}
\end{aligned}$$

Table 3.2: Rules for the Traces model (here $P \parallel Q$ denotes the parallel composition in which $P$ and $Q$ synchronise on every event).

3.3.2 Failures and Failures-Divergences Models

So far it has been shown that the traces model can be used to describe what events a process may perform, but what events a process must perform has not yet been covered. In general, given only the traces of the processes $P\ \square\ Q$ and $P \sqcap Q$, it is not possible to distinguish between them.

CSP provides the Failures model, $\mathcal{F}$, which records what events a process can refuse to perform: $\mathrm{refusals}(P)$ is the set of refusal sets of $P$, each of which is a set of events that $P$ may refuse when they are offered. A failure of $P$ is a trace/refusal pair $(tr, R)$, where $tr \in \mathrm{traces}(P)$ and $R$ is a set of events that $P$ may refuse after performing the trace $tr$; $\mathrm{failures}(P)$ is the set of all such pairs. Refusals are recorded only in stable states, i.e. states in which no internal event $\tau$ can be performed after the trace $tr$, which is why the model is called the stable Failures model. For the processes $(a \to STOP)\ \square\ (b \to STOP)$ and $(a \to STOP) \sqcap (b \to STOP)$, the failures sets are:

$$\begin{aligned}
\{\ & (\langle\rangle, \emptyset), \\
& (\langle a\rangle, \{a,b\}),\ (\langle a\rangle, \{a\}),\ (\langle a\rangle, \{b\}),\ (\langle a\rangle, \emptyset), \\
& (\langle b\rangle, \{a,b\}),\ (\langle b\rangle, \{a\}),\ (\langle b\rangle, \{b\}),\ (\langle b\rangle, \emptyset)\ \}
\end{aligned}$$

and

$$\begin{aligned}
\{\ & (\langle\rangle, \{a\}),\ (\langle\rangle, \{b\}),\ (\langle\rangle, \emptyset), \\
& (\langle a\rangle, \{a,b\}),\ (\langle a\rangle, \{a\}),\ (\langle a\rangle, \{b\}),\ (\langle a\rangle, \emptyset), \\
& (\langle b\rangle, \{a,b\}),\ (\langle b\rangle, \{a\}),\ (\langle b\rangle, \{b\}),\ (\langle b\rangle, \emptyset)\ \}
\end{aligned}$$

respectively. The difference between these two sets derives from the initial choice: the first process is willing to perform either of the events $a$ and $b$, and so cannot refuse either of them, while the second may refuse $a$ or may refuse $b$ (though never both at once). Hence, in contrast to the Traces model, which is unable to discern internal from external choice, the Failures model distinguishes these processes and shows how they differ.

When divergence is a possible behaviour of a system, the Failures (resp. stable Failures) model does not suffice, because it ignores divergent behaviour. For this reason, apart from the Traces and Failures models, CSP offers the Failures-Divergences model, $\mathcal{FD}$, which additionally records when a process reaches a state from which it can diverge; it is the model most often used for checking liveness properties, such as deadlock and livelock freedom. Divergence is the situation in which a process enters an infinite sequence of internal events $\tau$ (invisible to the environment) and never offers any further visible event. A divergent trace is a sequence of visible events that a process may perform before reaching a state from which it can diverge. Divergence is the worst behaviour a component of a system can exhibit, because the other components may wait forever to synchronise with it while it consumes the system's resources.

3.3.3 Refinement

In this thesis, the work is grounded in the Traces and Failures-Divergences models of CSP. Refinement is used in CSP to check whether a process meets the specification described by another process. These processes are called IMPL (implementation process) and SPEC (specification process) respectively, and one writes

$$SPEC \sqsubseteq IMPL$$

to express that IMPL refines SPEC (or that SPEC is refined by IMPL).

Regarding traces refinement, $P$ traces-refines $Q$, written $Q \sqsubseteq_T P$, if every trace of $P$ is also a trace of $Q$, i.e. $\mathrm{traces}(P) \subseteq \mathrm{traces}(Q)$. If the processes $P$ and $Q$ refine each other, they are equivalent in the Traces model, written $P =_T Q$.

In the Traces model STOP refines every process, $P \sqsubseteq_T STOP$ for any process $P$, since $\mathrm{traces}(STOP) = \{\langle\rangle\}$ is contained in every set of traces. Conversely, STOP is the strictest specification: if $STOP \sqsubseteq_T P$ holds, then $P =_T STOP$. In a similar fashion to traces refinement, the notation $Q \sqsubseteq_{FD} P$ asserts that $P$ failures-divergences refines $Q$; in particular, $P$ can diverge only where $Q$ can. In terms of subsets of the failures-divergences semantics, the process $P$ failures-divergences refines the process $Q$ if and only if $\mathrm{failures}(P) \subseteq \mathrm{failures}(Q)$ and $\mathrm{divergences}(P) \subseteq \mathrm{divergences}(Q)$. This check is significantly slower than the traces-refinement one; it captures the safety properties checked by traces refinement together with liveness properties, and it is used in this research to ascertain the robustness of Mix Net protocols in Part III.
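As an added illustration (example code written for this page, not FDR and not the thesis's own tooling), the following Python script gives a small operational semantics for finite CSP terms and derives from it the traces of Section 3.3.1, the stable failures of Section 3.3.2 and the refinement checks of Section 3.3.3; it also covers the alphabetised parallel operator described at the top of this page and the hiding and relational renaming operators of Section 3.2.3. The tuple encoding of terms, the event names `tau` and `tick`, and the helper names (`prefix`, `ext`, `inter`, `par`, `hide`, `rename`, `steps`, `traces`, `failures`, `traces_refines`, `failures_refines`, `demo`) are assumptions of this example. Because the encoding has no recursion operator, every term is finite, so no divergence can arise and failures refinement coincides with failures-divergences refinement for these terms.

```python
"""Toy operational semantics for finite CSP terms: traces, stable failures and
refinement.  Illustrative code only (assumed tuple encoding), not FDR.  No
recursion operator, so every term is finite and no divergence can arise."""
from functools import lru_cache
from itertools import combinations

TAU, TICK = "tau", "tick"                 # internal event, successful termination
STOP, SKIP = ("STOP",), ("SKIP",)

def prefix(a, p):     return ("prefix", a, p)                           # a -> P
def ext(p, q):        return ("ext", p, q)                              # P [] Q
def inter(p, q):      return ("int", p, q)                              # P |~| Q
def par(p, A, q, B):  return ("par", p, frozenset(A), q, frozenset(B))  # P [A||B] Q
def hide(p, X):       return ("hide", p, frozenset(X))                  # P \ X
def rename(p, pairs): return ("rename", p, tuple(sorted(pairs)))        # (old, new) pairs

@lru_cache(maxsize=None)
def steps(p):
    """Firing rules: the set of (event, successor) transitions of a term."""
    kind, out = p[0], set()
    if kind == "SKIP":
        out.add((TICK, STOP))
    elif kind == "prefix":
        out.add((p[1], p[2]))
    elif kind == "ext":                   # a tau step does not resolve []
        _, l, r = p
        out |= {(e, s) if e != TAU else (TAU, ext(s, r)) for e, s in steps(l)}
        out |= {(e, s) if e != TAU else (TAU, ext(l, s)) for e, s in steps(r)}
    elif kind == "int":                   # |~| is resolved silently
        out |= {(TAU, p[1]), (TAU, p[2])}
    elif kind == "par":                   # private events interleave, shared ones synchronise
        _, l, A, r, B = p
        out |= {(e, par(s, A, r, B)) for e, s in steps(l) if e == TAU or e in A - B}
        out |= {(e, par(l, A, s, B)) for e, s in steps(r) if e == TAU or e in B - A}
        out |= {(e, par(s, A, t, B)) for e, s in steps(l) for f, t in steps(r)
                if e == f and (e in A & B or e == TICK)}
    elif kind == "hide":                  # hidden events become tau
        _, q, X = p
        out |= {(TAU if e in X else e, hide(s, X)) for e, s in steps(q)}
    elif kind == "rename":                # relational: one old event may map to several
        _, q, pairs = p
        for e, s in steps(q):
            out |= {(f, rename(s, pairs)) for f in [n for o, n in pairs if o == e] or [e]}
    return frozenset(out)                 # STOP: no transitions

def events(p):
    """Visible events mentioned in a term (tick only when SKIP occurs)."""
    k = p[0]
    if k == "SKIP": return {TICK}
    if k == "STOP": return set()
    if k == "prefix": return {p[1]} | events(p[2])
    if k in ("ext", "int"): return events(p[1]) | events(p[2])
    if k == "par": return events(p[1]) | events(p[3])
    if k == "hide": return events(p[1])
    return events(p[1]) | {new for _, new in p[2]}

@lru_cache(maxsize=None)
def traces(p):
    """traces(P): finite sequences of visible events (taus dropped)."""
    out = {()}
    for e, s in steps(p):
        out |= {t if e == TAU else (e,) + t for t in traces(s)}
    return frozenset(out)

def failures(p, alpha=None):
    """Stable failures (tr, R): R is refused in a tau-free state reached after tr."""
    alpha = frozenset(events(p) if alpha is None else alpha)

    @lru_cache(maxsize=None)
    def go(q):
        succ, out = steps(q), set()
        if all(e != TAU for e, _ in succ):          # stable state: record refusals
            refusable = sorted(alpha - {e for e, _ in succ})
            for k in range(len(refusable) + 1):
                out |= {((), frozenset(R)) for R in combinations(refusable, k)}
        for e, s in succ:
            out |= {(t if e == TAU else (e,) + t, R) for t, R in go(s)}
        return frozenset(out)
    return go(p)

def traces_refines(spec, impl):
    """spec [T= impl  iff  traces(impl) is a subset of traces(spec)."""
    return traces(impl) <= traces(spec)

def failures_refines(spec, impl):
    """spec [F= impl: traces and stable failures of impl contained in spec's,
    refusals being compared over the common alphabet."""
    alpha = events(spec) | events(impl)
    return traces_refines(spec, impl) and failures(impl, alpha) <= failures(spec, alpha)

# Constructed examples from the text: external versus internal choice.
A_STOP, B_STOP = prefix("a", STOP), prefix("b", STOP)
EXT = ext(A_STOP, B_STOP)                       # (a -> STOP) [] (b -> STOP)
INT = inter(A_STOP, B_STOP)                     # (a -> STOP) |~| (b -> STOP)

def demo():
    return {
        "same_traces": traces(EXT) == traces(INT) == {(), ("a",), ("b",)},
        "ext_failures": len(failures(EXT)),                 # 9 pairs, as listed above
        "int_failures": len(failures(INT)),                 # 11 pairs
        "int_refined_by_ext": failures_refines(INT, EXT),   # P |~| Q [F= P [] Q
        "ext_refined_by_int": failures_refines(EXT, INT),   # but not the converse
        "stop_refines_all": traces_refines(EXT, STOP),      # P [T= STOP
    }
```

Calling `demo()` reproduces the point of Sections 3.3.1 and 3.3.2: the two choice processes have identical traces and 9 versus 11 stable failures, and the refinement checks show that the internal choice is refined by the external one (the external choice cannot refuse $a$ or $b$ initially) while the converse fails because $(\langle\rangle, \{a\})$ is a failure of the internal choice only. The same `traces` function also exercises the operators of Table 3.2 directly, for instance `par(P, S, Q, S)` with `S` the full alphabet yields `traces(P) & traces(Q)`, and `rename(Z, [("a", "b")])` gives the $Z[\![b/a]\!]$ example of Section 3.2.3.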