用于通信网络协议开发的形式化方法

阐述了在开发通信网络协议中遇到的困难，提出用协议工程的方法来开发通信网络协议。介绍了协议工程、形式化方法及核心技术形式描述技术和几个应用较广泛、较常见的形式化方法，即SDL、ESTELLE、Petri网、LOT0s，并给出了对这些形式化方法的分析和评价。     

不可否认协议的Petri网建模与分析

Petri网是一种描述及分析并发行为的工具,在安全协议的形式化分析中得到了广泛的应用．作为一种特殊的安全协议,不可否认协议虽然已得到了多种形式化方法的分析,但还没有人使用Petri网来分析它们．以一般安全协议的Petri网分析方法为基础,提出了使用Petri网分析不可否认协议的建模及分析方法,该方法可以描述并分析一些其他形式化方法无法描述的协议性质．使用该方法分析Zhou和Gollmann于1996年提出的一个公平不可否认协议,可以发现该协议的一个许多其他形式化方法不能发现的已知缺陷．     

Modeling and verification of the SDL-specified communication protocols using high-level Petri nets

To simplify modeling and verification of communication protocols presented in the SDL language, the so-called hierarchical typed timed Petri nets (HTT nets), which are substantial modifications of colored Petri nets, are introduced. A method of translation of the SDL language into HTT nets is described. A program complex SPV (SDL Protocol Verifier), which includes a translator from SDL into HTT nets and means for editing, simulation, visualization, and verification of these net models, is presented. For the verification, a model checking method for properties presented by μ-calculus formulas is used. Experiments on application of the SPV complex for modeling and verifying two ring protocols (RE and ATMR protocols), an optimized version of the sliding window protocol (i-protocol), and a dynamic version of the InRes protocol are described     

一种兼顾协议正确性验证和性能评估的Petri网方法

基于Petri网的协议形式化分析方法由于其精炼、简洁和无二义性逐步成为分析协议的一条可靠和准确的途径,但是协议的形式化分析目前研究还不够深入,协议分析的两个重点内容正确性验证和性能评估所需要的模型不同,一种模型只能解决一方面的工作。为了有效地解决这一问题,文中提出了一种用原型Petri网作为协议验证模型的思路和方法,在不改变原型Petri网结构的基础上对变迁赋予发生时延,解决了协议的性能评估问题。本文还给出了协议验证内容与Petri网分析方法的对应关系,并对0-1停止等待协议进行了详细的分析,最后把0-1停止等待协议的原型Petri网模型转化为时延Petri网,对协议的性能进行了评估。     

基于着色Petri网仿真模型的安全协议分析

采取形式化方法验证协议的安全性,Petri网是有效的方法之一,但传统Petri网分析过程中经常会出现状态空间爆炸问题。该文采用了基于着色Petri网建立安全协议及入侵者攻击的仿真模型方法,从而获得仿真数据。该方法利用逆向状态分析和Petri网可达性分析,能有效地发现协议中的安全漏洞。并且,如果能恰当地控制好状态空间,则能有效地克服Petri网分析过程中的状态空间爆炸问题。该文给出的利用着色Petri网建立安全协议仿真模型分析的一般方法,实例说明该方法具有普适性,并且方便利用Petri网自动化分析工具实现自动化分析。     

着色Petri网应用研究

着色Petri网是在经典Petri网理论基础上增加了token类型和网的模块这两个功能,它现在已成为一种较完善的语言,可以用来对各种系统规范和协议等进行设计、规范描写、仿真和验证等。文章对着色Petri网的基本理论进行了简单介绍,并对一个简单的通信协议进行建模和分析,提出了今后着色Petri网发展的一个主要方向。     

Deciding a class of path formulas for conflict-free petri nets

The aim of this paper is to develop a unified approach for deriving complexity results for problems concerning conflict-free Petri nets. To do so, we first define a class of formulas for paths in Petri nets. We then show that answering the satisfiability problem for conflict-free Petri nets is tantamount to solving a system of linear inequalities (which is known to be in P). Since a wide spectrum of Petri net problems (including various fairness-related problems) can be reduced to the satisfiability problem in a straightforward manner, our approach offers an umbrella under which many Petri net problems for conflict-free Petri nets can be shown to be solvable in polynomial time. As a side-product, our analysis provides evidence as to why detecting unboundedness for conflict-free Petri nets is easier (provided P ≠ NP) than for normal and sinkless Petri nets (which are two classes that properly contain conflict-free Petri nets). A preliminary version was presented at the 14th International Conference on Application and Theory of Petri Nets, Chicago, IL, USA, June 1993.     

计算机网络通信协议验证技术的研究

协议设计、开发的复杂性的增加导致了协议工程技术的出现，该文主要介绍了协议工程活动中的协议验证与分析阶段，阐述了验证技术的目的与方法，分析了当今常用的协议模型技术，重点介绍了基于Petri网，FMS，以及时序逻辑TL模型的协议验证技术。     

时间自动机与网络协议验证

随着网络协议复杂性的增大，其自身的潜在错误变得更加重要。使用形式化的方法来描述和验证网络协议可以发现其中的潜在错误。时间自动机是形式化方法的一种，可以很好地应用于网络协议验证中。目前基于时间自动机已经开发出了多种自动验证工具。文章介绍了网络协议验证的几种方法，并以KRONOS验证FDDI协议为例说明了用时间自动机验证协议的方法。     

基于有色Petri网的一种密码协议的描述和分析

Petri网作为一种数学工具,已被广泛应用于过程的描述、分析和验证。文章使用有色Petri网对文献[1]中提到的一种密码协议进行描述和分析,发现并验证该协议的安全缺陷。     

协议形式化开发环境的规范语言

LOTOS（languageoftemporalorderingspecification）是一种基于进程代数CCS的协议规范语言，面向协议验证，但它不能描述协议的某些性质．本文提出了一种LOTOS的扩充语言ELOTOS（extendedLOTOS），它在LOTOS的基础上引入了异步通讯机制、时间描述、事件发生的随机性描述．     

用UML与Petri网为智能代理建模

统一建模型语言（UML）已经成为软件系统的分析与设计的标准工具，但由它扩充而成的代理统一建模型语言（AUML）还没变成一个标准，目前的AUML规格说明还有很多的局限性，还不能胜任多代理系统的开发．Petri网是仿真、验证软件系统执行的正确性与有效性的形式化工具．本文主要分析当前AUML规格说明和Petri网概念．找出它们之间的结合点，提出用Petri网扩充AUML的方法．将其应用于多代理系统的开发，就能实施之前运用Petri网进行系统的正确性与有效性验证．     

Model checking multi-level and recursive nets

With the increasing complexity of the problems and systems arising nowadays, the use of multi-level models is becoming more frequent in practice. However, there are still few reports in the literature concerning methods for analyzing such models without flattening the multi-level structure. For instance, several variants of multi-level Petri nets have been applied for modeling interaction protocols and mobility in multi-agent systems and coordination of cross-organizational workflows. But there are few automated tools for analyzing the behavior of these nets. In this paper we explain how to detect faults in models based on a representative class of multi-level nets: the nested Petri nets. We translate a nested net into a verifiable model that preserves its modular structure, a PROMELA program. This allows the use of SPIN model checker to verify properties related to termination, boundedness and reachability.     

A methodology of testing high-level Petri nets

Petri nets have been extensively used in the modelling and analysis of concurrent and distributed systems. The verification and validation of Petri nets are of particular importance in the development of concurrent and distributed systems. As a complement to formal analysis techniques, testing has been proven to be effective in detecting system errors and is easy to apply. An open problem is how to test Petri nets systematically, effectively and efficiently. An approach to solve this problem is to develop test criteria so that test adequacy can be measured objectively and test cases can be generated efficiently, even automatically. In this paper, we present a methodology of testing high-level Petri nets based on our general theory of testing concurrent software systems. Four types of testing strategies are investigated, which include state-oriented testing, transition-oriented testing, flow-oriented testing and specification-oriented testing. For each strategy, a set of schemes to observe and record testing results and a set of coverage criteria to measure test adequacy are defined. The subsumption relationships and extraction relationships among the proposed testing methods are systematically investigated and formally proved.     

Verifying soundness of business processes: A decision process Petri nets approach

This paper presents a trajectory-tracking approach for verifying soundness of workflow/Petri nets represented by a decision-process Petri net. Well-formed business processes correspond to sound workflow nets. The advantage of this approach is its ability to represent the dynamic behavior of the business process. We show that the problem of finding an optimum trajectory for validation of well-formed business processes is solvable. To prove our statement we use the Lyapunov stability theory to tackle the soundness verification problem for decision-process Petri nets. As a result, applying Lyapunov theory, the well-formed verification (soundness) property is solved showing that the workflow net representation using decision process Petri nets is uniformly practically stable. It is important to note that in a complexity-theoretic sense checking the soundness property is computationally tractable, we calculate the computational complexity for solving the problem. We show the connection between workflow nets and partially ordered decision-process Petri net used for business process representation and analysis. Our computational experiment of supply chains demonstrate the viability of the modeling and solution approaches for solving computer science problems.     

Uncovering ISO ROSE protocol errors using Estelle

One of the main objectives of ISO in developing FDTs is that protocol specified in them can be verified. However, standardized FDTs have been designed largely for specification purpose; success of using them for protocol verification has been rarely reported. We have developed a technique of translating Estelle specifications into Numerical Petri nets, which can then be verified by a proven automated verification tool, PROTEAN. The merits of our approach are that specifications are fully based on standard Estelle, and dynamic behaviours of an Estelle specification can be handled. In this paper, we present a success story of using Estelle and the techniques we have developed to uncover ISO ROSE protocol errors. We find that Estelle is an FDT capable of analysing and verifying real protocols and it is therefore important to the development of ISO protocol standards.     

ITL semantics of composite Petri nets

interval temporal logic (itl) and Petri nets are two well developed formalisms for the specification and analysis of concurrent systems. itl allows one to specify both the system design and correctness requirements within the same logic based on intervals (sequences of states). As a result, verification of system properties can be carried out by checking that the formula describing a system implies the formula describing a requirement. Petri nets, on the other hand, have action and local state based semantics which allows for a direct expression of causality aspects in system behaviour. As a result, verification of system properties can be carried out using partial order reductions or invariant based techniques. In this paper, we investigate a basic semantical link between temporal logics and compositionally defined Petri nets. In particular, we aim at providing a support for the verification of behavioural properties of Petri nets using methods and techniques developed for itl.     

Verification of Estelle-Specified Communication Protocols Using High-Level Petri Nets

Estelle specifications are considered that include certain dynamic constructs. A method of translation of these specifications into modified colored Petri nets is described. Static Estelle specifications are translated into hierarchical typed time nets (HTT nets), which are extensions of safe colored Petri nets through the introduction of the notions of time, priorities, and places (which are queues of tokens). A program complex EPV is presented that is designed for verification of static Estelle specifications of communication protocols by translating them into HTT nets. Experiments are described on simulation and search for semantic errors in protocols used in practice.     

Reduction rules for reset/inhibitor nets

Reset/inhibitor nets are Petri nets extended with reset arcs and inhibitor arcs. These extensions can be used to model cancellation and blocking. A reset arc allows a transition to remove all tokens from a certain place when the transition fires. An inhibitor arc can stop a transition from being enabled if the place contains one or more tokens. While reset/inhibitor nets increase the expressive power of Petri nets, they also result in increased complexity of analysis techniques. One way of speeding up Petri net analysis is to apply reduction rules. Unfortunately, many of the rules defined for classical Petri nets do not hold in the presence of reset and/or inhibitor arcs. Moreover, new rules can be added. This is the first paper systematically presenting a comprehensive set of reduction rules for reset/inhibitor nets. These rules are liveness and boundedness preserving and are able to dramatically reduce models and their state spaces. It can be observed that most of the modeling languages used in practice have features related to cancellation and blocking. Therefore, this work is highly relevant for all kinds of application areas where analysis is currently intractable.