Performance Evaluation of Wireless Network Applications

1
Performance Evaluation of Wireless Network
Applications
Ansgar Fehnker
2
Content

• Introduction Model Checking
• CTL model checking
• Automata
• Tools
• Timed Automata
• Timed models
• Regions and Zones
• Hybrid Systems
• Linear Hybrid Systems
• Non-linear Hybrid Systems
• SAT-based techniues for Hybrid Sytems
• Wireless protocols
• 802.11 Terminologie
• Services
• Distributed Coordination Function
• Performance and Correctness Properties of
  Wireless Network Applications
• Tools and Callenges

3
Model checking

• Model checking is an automatic verification
  technique for finite state concurrent systems.
• Developed independently by Clarke and Emerson and
  by Queille and Sifakis in early 1980s.
• Specifications are typically written in temporal
  logic.
• Verification procedure is an exhaustive search of
  the state space of the design.
• Accepted verification technique in hardware
  design
• Successfully applied for software verification

4
Model checking

• For model checking you need
• A model, also called implementation
• A property, also called specification
• AF p3

p0
p2
p3
some sort of finite transitions system
p4
some sort of temporal logic property
5
Model checking

• CTL model checking
• A Kripke structure

p0
p2
p3
p4
6
Model checking

• CTL model checking
• A Kripke structure, which defines a computation
  tree

p0
p2
p0
p2
p3
p3
p4
p2
p0
p0
p4
p3
p4
p2
p2
p0
p0
p3
p4
p4
p3
p2
7
Model checking

• CTL model checking
• A Kripke structure, which defines a computation
  tree
• CTL (computation tree logic) property
• AF p AG p EF p EG p

p0
p2
p0
p2
p3
p3
p4
p2
p0
p0
p4
p3
p4
p2
p2
p0
p0
p3
p4
p4
p3
p2
p
p
p
p
p
p
p
p
p
p
p
p
p
p
8
Model checking

• CTL model checking
• A Kripke structure, which defines a computation
  tree
• CTL (computation tree logic) property
• AF p AG p EF p EG p

p0
AF p3
p2
p0
p2
p3
p3
p4
p2
p0
p0
p4
p3
p4
p2
p2
p0
p0
p3
p4
p4
p3
p2
p
p
p
p
p
p
p
p
p
p
p
p
p
p
9
Model checking

• CTL model checking
• A Kripke structure, which defines a computation
  tree
• CTL (computation tree logic) property
• AF p AG p EF p EG p

p0
EG p3
p2
p0
p2
p3
p3
p4
p2
p0
p0
p4
p3
p4
p2
p2
p0
p0
p3
p4
p4
p3
p2
p
p
p
p
p
p
p
p
p
p
p
p
p
p
10
Model checking

• CTL model checking
• A Kripke structure, which defines a computation
  tree
• CTL (computation tree logic) property
• AF p AG p EF p EG p

p0
AG (p2 ? EG (p2 v p4))
p2
p0
p2
p3
p3
p4
p2
p0
p0
p4
p3
p4
p2
p2
p0
p0
p3
p4
p4
p3
p2
p
p
p
p
p
p
p
p
p
p
p
p
p
p
11
Model Checking

• Important properties
• Safety Properties
• Nothing bad will happen (AG ? p)
• Reachbility Properties
• Something bad/good might happen (EF p)
• Liveness Properties
• Something good will happen (AF p)

12
Model checking

• Automata
• Introduce label for compositional modelling

a
a
a
p0
p2
p3
q0
q1
b
c
b
c
p4
q2
13
Model checking

• Automata
• Introduce label for compositional modelling
• Composition is a Kripke structure

a
a
a
p0
p2
p3
q0
q1
b
c
b
c
p4
q2
a
a
p0,q0
p2,q1
p3,q1
p0,q1
b
State explosion problem exponential growth of the
number of states
c
p4,q2
p0,q2
p2,q0
p3,q0
14
Model Checking Techniques

• Explicit State Model Checking
• Enumerates all (reachable) states explicitly
• SPIN
• Symbolic State Model Checking
• Represents sets of states symbolically (e.g. as
  BDD)
• SMV, nuSMV
• Bounded Model Checking
• Translate a bounded problem to a SAT-solving
  problem
• CBMC
• Counterexample Guided Abstraction Refinement
• Combines abstraction techniques with SAT-based
  techniques
• SLAM, BLAST

15
Symbolic Model Checking
I0 00 R (00,01),(01,11),(01,10), (10,00),
(11,00),(11,01) Kripke structure
00
01
10
11
I0(x1,x0) ? x0 ? ? x1 R(x1,x0,y1,y0) (? x0 ?
? x1 ? y0 ? ? y1) ? (x0 ? ? x1 ? y0 ) ? (? x0
? x1 ? ? y0 ? ? y1 ) ? (x0 ? x1 ? ? y1
) characteristic function
Ordered BDD

• Represent sets of states and transition relation
  symbolically.
• Model checking algorithm defined as operations on
  the symbolic representation.

16
Symbolic Model Checking
I0 00 R (00,01),(01,11),(01,10), (10,00),
(11,00),(11,01) Kripke structure
00
01
10
11
I0(x1,x0) ? x0 ? ? x1 R(x1,x0,y1,y0) (? x0 ?
? x1 ? y0 ? ? y1) ? (x0 ? ? x1 ? y0 ) ? (? x0
? x1 ? ? y0 ? ? y1 ) ? (x0 ? x1 ? ? y1
) characteristic function
x0
x1
x1
y0
y0
y0
y1
1
0
Ordered BDD

• Represent sets of states and transition relation
  symbolically.
• Model checking algorithm defined as operations on
  the symbolic representation.

17
Beyond Finite State Model Checking

• Timed Automata
• For modelling timing in systems
• extends automata with global time and local
  clocks
• increases uniformly in all control locations
• increases uniformly in all components
• super-dense time
• Hybrid Automata
• For modelling continuous behaviour
• extend timed automata with continuous dynamics
• continuous behaviour defined by differential
  equations or inclusions
• discrete switching between modes

18
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
19
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
20
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
21
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
22
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
23
Timed Automata
Intelligent Light Control
press?
Off
Light
Bright
press?
press?
press?
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
24
Timed Automata
Intelligent Light Control
Timed automata model timing aspects of the
system with clocks.

• Clocks
• increase uniformly
• can be reset
• can be used in guards and invariants.

press?
Off
Light
Bright
press?
press?
x0
xlt3
press?
x 3
Spec If light is off, press switch once for
dimmed light, press switch twice quickly for
bright light. otherwise the light is turned off.
25
Timed Automata
Location Finite set Invariant Boolean
combination of comparisons with Nat Enforces
progress Guard Boolean combination of
comparisons with Nat Enables transitions Label U
sed for synchronization Reset Set of clocks that
is set to zero
n ylt4
x5 ygt3 a x0
m
State (location , xv , yu ) where v,u are
in R
Discrete Transitions (n ,x2.4,y3.1415 )
(m ,x0,y3.1415) Delay
Transitions (n,x2.4,y3.1415)
(n,x3.1071,y3.8486)
Infinite number of states
a
and transitions
0.7071
26
Timed Automata

• Decidability
• Model checking a timed automata given a
  TCTL-formula can be done by model checking its
  region graph against a CTL-formula
• Alur Dill A Theory of Timed Automata, 1994

This approach to model checking timed automata is
inefficient
27
Timed Automata
A zone is a conjunction of simple constraints of
the following form xltn, xgtn, xn, xn x-yltm,
x-ym x,y are clocks, n ? N, m ? Z
y
1 ? y ? 4 0 ? x ? 3 -2 ? x-y? 0
x
28
Timed Automata
A zone is a conjunction of simple constraints of
the following form xltn, xgtn, xn, xn x-yltm,
x-ym x,y are clocks, n ? N, m ? Z
y
1 ? y ? 4 0 ? x ? 3 -2 ? x-y? 0
Efficient model checking algorithm for diagonal
free timed automata Tools Kronos, Uppaal
x
29
Beyond Finite State Model Checking

• Timed Automata
• For modelling timing in systems
• extends automata with global time and local
  clocks
• increases uniformly in all control locations
• increases uniformly in all components
• super-dense time
• Hybrid Automata
• For modelling continuous behaviour
• extend timed automata with continuous dynamics
• continuous behaviour defined by differential
  equations or inclusions
• discrete switching between modes

30
Timed Automata
Intelligent Light Control
press?
press?
press?
t0
tlt3
press?
t 3
Additional Spec The energy consumption is 0 if
the light is off, flo if the light is dimmed, and
fhi if the light is bright.
31
Timed Automata
Intelligent Light Control
Continuous dynamics defined by differential
equations
press?
x0
xflo(x)
xfhi(x)
.
.
.
press?
press?
t0
tlt3
press?
t 3
Additional Spec The energy consumption is 0 if
the light is off, flo if the light is dimmed, and
fhi if the light is bright.
32
Timed Automata
Intelligent Light Control
Continuous dynamics defined by differential
equations or differenrial inclusions
press?
x0
x?flo(x)
x?fhi(x)
.
.
.
press?
press?
x0
xlt3
press?
x 3
Additional Spec The energy consumption is 0 if
the light is off, in flo if the light is dimmed,
and in fhi if the light is bright.
33
Hybrid Automata

• Linear Hybrid Automata
• Constant rates, rates in intervals.
• Symbolic states can be represented by linear
  inequalities
• Successor computable
• The reachabilty problem is undecidable.
• Tool HyTech

.
34
Hybrid Automata

• Linear Hybrid Automata
• Constant rates, rates in intervals.
• Symbolic states can be represented by linear
  inequalities
• Successor computable
• The reachabilty problem is undecidable.
• Tool HyTech
• Application examples
• Railroad crossing
• Electronic height control
• Engine cut-off control
• Bi-Phase Mark

.
Some Lessons from the HyTech Experience HPW01
35
Hybrid Automata

• Non-linear hybrid automata
• Arbitrary differential equations
• Polyhedral (or ellipsoidal) over-approximations
• Undecidable and computational expensive
• Tools Hybrid SAL, CheckMate, Charon, VeriShift

.
X0
leading
36
Hybrid Automata

• Non-linear hybrid automata
• Arbitrary differential equations
• Polyhedral (or ellipsoidal) over-approximations
• Undecidable and computational expensive
• Tools Hybrid SAL, CheckMate, Charon, VeriShift
• Application examples
• Conflict resolution in aircrafts
• Car platoons
• Electronic throttle control
• Chemical reactors
• Sporulation initiation network
• Adaptive cruise control

.
X0
following
leading
37
SAT-based Techniques for HA

• Bounded Model Checking
• Represent sets of states and the transition
  relation as Boolean combination of linear
  constraints over real valued variables and
  propositional variables
• Formulate reachability (AG ? p) within k steps as
  SAT-problem
• Init(s0) ? ?i0,..,k INV(si) ? ?i0,..,k-1
  R(si,si1) ? Vi0,..,k ? p(si)

38
SAT-based Techniques for HA

• Bounded Model Checking
• Represent sets of states and the transition
  relation as Boolean combination of linear
  constraints over real valued variables and
  propositional variables
• Formulate reachability (AG ? p) within k steps as
  SAT-problem
• Init(s0) ? ?i0,..,k INV(si) ? ?i0,..,k-1
  R(si,si1) ? Vi0,..,k ? p(si)
• Incomplete
• Good for finding counterexamples

39
Counterexample Guided Abstraction Refinement

• Abstraction
• Partition the hybrid state space
• For each transition there is a transition in the
  abstraction
• If abstraction is safe, then the hybrid system is
  too
• CEGAR Loop
• Find a counter example in the abstraction
• Check if counter example is spurious
• If CE spurious, refine abstraction else
  Valid CE found
• If abstraction contains new counterexamples goto 2

40
Counterexample Guided Abstraction Refinement

• Abstraction
• Partition the hybrid state space
• For each transition there is a transition in the
  abstraction
• If abstraction is safe, then the hybrid system is
  too
• CEGAR Loop
• Find a counter example in the abstraction
• Check if counter example is spurious
• If CE spurious, refine abstraction else
  Valid CE found
• If abstraction contains new counterexamples goto 2

41
Counterexample Guided Abstraction Refinement

• Abstraction
• Partition the hybrid state space
• For each transition there is a transition in the
  abstraction
• If abstraction is safe, then the hybrid system is
  too
• CEGAR Loop
• Find a counter example in the abstraction
• Check if counter example is spurious
• If CE spurious, refine abstraction else
  Valid CE found
• If abstraction contains new counterexamples goto 2

Init(s0) ? ?i0,..,k INV(si) ? ?i0,..,k-1
R(si,si1) ? Vi0,..,k ? p(si) ? ?i0,..,k a(si)
42
Counterexample Guided Abstraction Refinement

• Abstraction
• Partition the hybrid state space
• For each transition there is a transition in the
  abstraction
• If abstraction is safe, then the hybrid system is
  too
• CEGAR Loop
• Find a counter example in the abstraction
• Check if counter example is spurious
• If CE spurious, refine abstraction else
  Valid CE found
• If abstraction contains new counterexamples goto 2

Init(s0) ? ?i0,..,k INV(si) ? ?i0,..,k-1
R(si,si1) ? Vi0,..,k ? p(si) ? ?i0,..,k a(si)
43
Counterexample Guided Abstraction Refinement

• Abstraction
• Partition the hybrid state space
• For each transition there is a transition in the
  abstraction
• If abstraction is safe, then the hybrid system is
  too
• CEGAR Loop
• Find a counter example in the abstraction
• Check if counter example is spurious
• If CE spurious, refine abstraction else
  Valid CE found
• If abstraction contains new counterexamples goto 2

Init(s0) ? ?i0,..,k INV(si) ? ?i0,..,k-1
R(si,si1) ? Vi0,..,k ? p(si) ? ?i0,..,k a(si)
44
Beyond Finite State Model Checking

• Timed Automata
• For modelling timing in systems
• extends automata with global time and local
  clocks
• increases uniformly in all control locations
• increases uniformly in all components
• super-dense time
• Hybrid Automata
• For modelling continuous behaviour
• extend timed automata with continuous dynamics
• continuous behaviour defined by differential
  equations or inclusions
• discrete switching between modes

What about protocols for wireless networks?
45
Wireless Network Applications

• Wireless sensor networks
• Aggregate of small, portable devices
• battery-operated computing power
• wireless communications
• gather sensor information in a distributed
  fashion
• multi-hop communication

46
Wireless Network Applications

• Wireless sensor networks
• Aggregate of small, portable devices
• battery-operated computing power
• wireless communications
• gather sensor information in a distributed
  fashion
• multi-hop communication
• Challenges for network and applications
  protocols
• unpredictable behaviour of the environment.
• dynamic network wrt spatial distribution and
  adhoc node addition.
• resilience to message loss and node failure.
• power efficiency to maximise battery life and
  network lifetime.

47
IEEE 802.11x
IEEE Std 802.11, 1999 Edition, Reaffirmed
2003 Wireless LAN Medium Access Control (MAC)
and Physical Layer (PHY) Specifications IEEE Std
802.11g, 2003 Amendment Further Higher Data
Rate Extension in the 2.4 GHz Band IEEE
P802.11e/D13.0, 2005 Amendment Medium Access
Control (MAC) Quality of Service (QoS)
Enhancements
48
IEEE Std. 802.11

• Terminology
• Station (STA)

STA
STA
STA
STA
49
IEEE Std. 802.11

• Terminology
• Station (STA)
• Basis service set (BSS)

BSS
STA
STA
BSS
STA
STA
50
IEEE Std. 802.11

• Terminology
• Station (STA)
• Basis service set (BSS)
• independent BSS (IBSS)

BSS
STA
STA
BSS
STA
STA
51
IEEE Std. 802.11

• Terminology
• Station (STA)
• Basis service set (BSS)
• independent BSS (IBSS)
• Access point (AP)
• Distribution System (DS)

BSS
STA
STA
DS
BSS
STA
STA
52
IEEE Std. 802.11
ESS

• Terminology
• Station (STA)
• Basis service set (BSS)
• independent BSS (IBSS)
• Access point (AP)
• Distribution System (DS)
• Extended Service Set (ESS)

BSS
STA
STA
DS
BSS
STA
STA
53
IEEE Std. 802.11
ESS

• Terminology
• Station (STA)
• Basis service set (BSS)
• independent BSS (IBSS)
• Access point (AP)
• Distribution System (DS)
• Extended Service Set (ESS)
• Portal

BSS
STA
STA
DS
BSS
portal
STA
STA
LAN
54
IEEE Std. 802.11
ESS

• Terminology
• Station (STA)
• Basis service set (BSS)
• independent BSS (IBSS)
• Access point (AP)
• Distribution System (DS)
• Extended Service Set (ESS)
• Portal
• Scope
• 802.11 does not specify details of DS
  implementation
• 802.11 specifies services

BSS
STA
802.111 MAC/PHY
STA
DS
BSS
portal
802.111 MAC/PHY
STA
STA
LAN
55
IEEE Std. 802.11
ESS

• Services
• Authentication
• Deauthentication
• Privacy
• MSDU delivery
• Association
• Disassociation
• Distribution
• Integration
• Reassociation

BSS
STA
STA
DS
BSS
STA
STA
56
IEEE Std. 802.11
ESS

• Services
• Authentication
• Deauthentication
• Privacy
• MSDU delivery
• Association
• Disassociation
• Distribution
• Integration
• Reassociation

BSS
STA
STA
Station service (SS)
DS
BSS
STA
STA
57
IEEE Std. 802.11
ESS

• Services
• Authentication
• Deauthentication
• Privacy
• MSDU delivery
• Association
• Disassociation
• Distribution
• Integration
• Reassociation

BSS
STA
STA
Station service (SS)
DS
BSS
DS service (DSS)
STA
STA
58
IEEE Std. 802.11

• Services
• Authentication
• Deauthentication
• Privacy
• MSDU delivery
• Association
• Disassociation
• Distribution
• Integration
• Reassociation

Station service (SS)
DS service (DSS)
59
IEEE Std. 802.11

• Services
• Authentication
• Deauthentication
• Privacy
• MSDU delivery
• Association
• Disassociation
• Distribution
• Integration
• Reassociation

Station service (SS)
DS service (DSS)

• 801.11 defines for each services sequence of
  messages
• timing, lossy communication, etc is dealt with on
  PHY/MAC level

60
Distributed Coordination Function

• Basic Access Method
• wait DIFS before transmission
• enter exponential backoff procedure if
  transmission occurs
• sense medium after transmission
• if collision gt enter backoff procedure
• if no ack gt enter backoff procedure
• send another gt enter backoff procedure

new data
sender 1
packet
DIFS
DIFS
SIFS
ACK
sender 2
0
6
5
4
3
2
1
DIFS
busy
DIFS
SIFS
ACK
61
Distributed Coordination Function

• Basic Access Method
• wait DIFS before transmission
• enter exponential backoff procedure if
  transmission occurs
• sense medium after transmission
• if collision gt enter backoff procedure
• if no ack gt enter backoff procedure
• send another gt enter backoff procedure
• RTC/CTS Method
• Send a short Request to Send Message,
• Wait for a Clear to Send Message
• RTC, CTS, data and ACK messages separated by SIFS
• Avoid collision by exponential backoff procedure

62
Wireless Network Applications

• Wireless sensor networks
• Aggregate of small, portable devices
• battery-operated computing power
• wireless communications to
• gather sensor information in a distributed
  fashion
• multi-hop communication
• Challenges for network and applications
  protocols
• unpredictable behaviour of the environment.
• dynamic network wrt spatial distribution and
  adhoc node addition.
• resilience to message loss and node failure.
• power efficiency to maximise battery life and
  network lifetime.

63
Wireless Network Applications

• Safety Properties
• If message is lost it will not be acknowledged
• Acknowledgment ACK will not arrive after
  ACKTimeout time
• Safety plus Optimality
• What is the minimal time for a node to
  authenticate itself?
• What is the minimal energy required for
  authentication?
• What is the minimal battery life of a single
  mode?
• What is minimal life time of the network given
  battery failure?
• Liveness
• Each node will be authenticated eventually
• Liveness plus Optimality
• What is the maximal time required for
  authentication?
• What is the worst-case average energy per
  successful transmission?

64
Wireless Network Applications

• Safety Properties
• If message is lost it will not be acknowledged
• Acknowledgment ACK will not arrive after
  ACKTimeout time
• Liveness
• Each node will be authenticated eventually
• Timed Automata

automatically generated models
Uppaal model of the sender
65
Wireless Network Applications

• Safety plus Optimality
• What is the minimal time for a node to
  authenticate itself?
• What is the minimal energy required for
  authentication?
• Linearly Priced Timed Automata
• Extends TAs with one integrator
• Integrator can not be used in guards, invariant,
  reset
• Optimal reachability decidable due to syntactic
  restrictions
• Successfully used for scheduling benchmarks

Liveness?
Planes have to keep separation distance to avoid
turbulences caused by preceding planes
Runway
66
Wireless Network Applications

• Safety plus Optimality
• What is the minimal battery life of a single
  mode?
• What is minimal life time of the network given
  battery failure?
• Linear Hybrid Automata
• Suitable to model energy consumption
• Energy level can be used to guard transition
• Challenges
• Model checking algorithms do not support
  optimality
• Size of the composition

Hybrid SAT-solving?
67
Wireless Network Applications

• Liveness plus Optimality
• What is the maximal time required for
  authentication?
• What is the worst-case average energy per
  successful transmission?
• Doubly Priced Timed Automata
• Extends TAs with two integrators (cost/benefit)
• Optimal cost/benefit decidable (BBL 2004)
• No efficient implementation available yet

What about probabilities?
68
Wireless Network Applications

• Safety Properties
• If message is lost it will not be acknowledged
• Acknowledgment ACK will not arrive after
  ACKTimeout time
• Safety plus Optimality
• What is the expected minimal time for a node to
  authenticate itself?
• What is the expected minimal battery life of a
  single mode?
• What is expected minimal life time of the network
  given battery failure?
• Liveness
• Each node will be authenticated eventually
• Liveness plus Optimality
• What is the expected maximal time required for
  authentication?
• What is the expected worst-case average energy
  per successful transmission?

69
Probabilistic Systems

• Probabilistic Timed Automata
• Wireless protocols rely
• on random choices
• Correctness with a given
• probability
• Expected optimal reachability
• PRISM
• Model checker for Probabilistic Timed Automata
  (PTA)
• Expected Optimal Reachability decidable for
  diagonal-free closed PTAs

detail from a tdma-based protocol
More in the next talk
70
Problems and Tools
HyTech
Does cost influence behaviour?
Linear hybrid automata
yes
Hybrid SAT based
no
Expected optimality?
Probabilistic timed automata
yes
PRISM
no
Reachability?
yes
Linearly priced timed automata
Uppaal
no
Double priced timed automata
UPPAAL
71
The Project

• The aim of the project is to apply formal methods
  to wireless networks.
• Research will focus on the following dimensions
• Notations, analysis tools and reusable formal
  models for wireless network protocols.
• Model checking techniques for performance
  evaluation.
• Abstraction techniques to scale probabilistic and
  hybrid model checking techniques.

• The aim of the project is to apply formal methods
  to wireless networks. These applications will
  drive research on the following dimensions
• Notations, analysis tools and reusable formal
  models for wireless network protocols.
• Model checking techniques for performance
  evaluation.
• Abstraction techniques to scale probabilistic and
  hybrid model checking techniques.

72
Task and Challenges

• Development of more accurate formal models of
  system behaviour and properties. Enhancement and
  improvement of formal methods techniques.
• Identification of case studies
• Formalisation of network behaviour
• Analysis with existing model checkers
• Modelling notation and semantics
• Mapping to existing tools
• Integration with proof-based techniques
• Abstraction refinement techniques
• Hybrid SAT-solving