Lecture Notes in Computer Science 3465 CommencedPublicationin1973 FoundingandFormerSeriesEditors: GerhardGoos,JurisHartmanis,andJanvanLeeuwen EditorialBoard DavidHutchison LancasterUniversity,UK TakeoKanade CarnegieMellonUniversity,Pittsburgh,PA,USA JosefKittler UniversityofSurrey,Guildford,UK JonM.Kleinberg CornellUniversity,Ithaca,NY,USA FriedemannMattern ETHZurich,Switzerland JohnC.Mitchell StanfordUniversity,CA,USA MoniNaor WeizmannInstituteofScience,Rehovot,Israel OscarNierstrasz UniversityofBern,Switzerland C.PanduRangan IndianInstituteofTechnology,Madras,India BernhardSteffen UniversityofDortmund,Germany MadhuSudan MassachusettsInstituteofTechnology,MA,USA DemetriTerzopoulos NewYorkUniversity,NY,USA DougTygar UniversityofCalifornia,Berkeley,CA,USA MosheY.Vardi RiceUniversity,Houston,TX,USA GerhardWeikum Max-PlanckInstituteofComputerScience,Saarbruecken,Germany Marco Bernardo Alessandro Bogliolo (Eds.) Formal Methods for Mobile Computing 5thInternationalSchoolonFormalMethodsfortheDesign ofComputer,Communication,andSoftwareSystems SFM-Moby2005 Bertinoro,Italy,April26-30,2005 AdvancedLectures 1 3 VolumeEditors MarcoBernardo AlessandroBogliolo UniversitàdegliStudidiUrbino"CarloBo" IstitutodiScienzeeTecnologiedell’Informazione PiazzadellaRepubblica13,61029Urbino,Italy E-mail:{bernardo,bogliolo}@sti.uniurb.it LibraryofCongressControlNumber:2005924063 CRSubjectClassification(1998):D.2,D.3,F.3,C.3,C.2.4 ISSN 0302-9743 ISBN-10 3-540-25697-0SpringerBerlinHeidelbergNewYork ISBN-13 978-3-540-25697-7SpringerBerlinHeidelbergNewYork Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable toprosecutionundertheGermanCopyrightLaw. SpringerisapartofSpringerScience+BusinessMedia springeronline.com ©Springer-VerlagBerlinHeidelberg2005 PrintedinGermany Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India Printedonacid-freepaper SPIN:11419822 06/3142 543210 Preface Thisvolumecollectsasetofpapersaccompanyingthelecturesofthefifthedition of the International School on Formal Methods for the Design of Computer, Communication and Software Systems (SFM). Thisseriesofschoolsaddressestheuseofformalmethodsincomputerscience asaprominentapproachtotherigorousdesignofcomputer,communicationand software systems. The main aim of the SFM series is to offer a good spectrum of current research in foundations as well as applications of formal methods, which can be of help for graduate students and young researcherswho intend to approach the field. SFM 2005 (Moby) was devoted to formal methods and tools for the design of mobile systems and mobile communication infrastructures. This volume is organized into four parts related to mobile computing, which cover models and languages, scalability and performance, dynamic power management, and mid- dleware support. Each part is composed of two papers. The opening paper by Montanari and Pistore gives an overview of history- dependent automata, an extension of ordinary automata that overcomes their limitations in dealing with named calculi. In particular, the authors show that history-dependent automata allow for a compact representation of π-calculus processes, which is suitable both for theoretical investigations and for the ver- ification of models of agents and code mobility. Bettini and De Nicola’s pa- per presents X-Klaim, an experimental programming language specifically de- signed to develop distributed systems composed of several components interact- ingthroughmultipledistributedtuplespacesandmobilecode.Throughaseries of examples, the authors show that many mobile code programming paradigms can be naturally implemented by means of the considered language, which com- bines explicit localities as first-class data with coordination primitives. Gerla, Chen, Lee, Zhou, Chen, Yang and Das provide an introduction to MANET, a mobile ad hoc wireless network established for a special, often ex- temporaneous service customized to applications. After emphasizing the self- configurability, mobility and scalability attributes of MANET, the authors con- centrate on mobility and show its impact on protocols and operations. Grassi presentsanoverviewoftheperformanceissuesraisedbythehighvariabilityand heterogeneity of mobile systems, together with some approaches to the careful planningoftheperformancevalidationofsuchsystems.Theauthorthenfocuses onthedefinitionofmodel-basedtransformationsfromdesign-orientedmodelsto analysis-oriented models that comprise non-functional attributes. Acquaviva,Aldini,Bernardo,Bogliolo,Bonta`andLattanziillustrateintheir paperamethodologyforpredictingtheimpactontheoverallsystemfunctionality andefficiencyoftheintroductionofadynamicpowermanagementpolicywithin a battery-powered mobile device. The predictive methodology relies on a com- VI Preface bination of formal description techniques, noninterference analysis, and perfor- mance evaluation to properly tune the dynamic power manager operation rates. The methodology is then used by Acquaviva, Bonta` and Lattanzi in the frame- workoftheIEEE802.11standard,inordertoprovideapower-accuratemodelof awirelessnetworkinterfacecardthatallowstheenergy/performancetrade-offto bestudiedasafunctionoftrafficpatternsimposedbytheapplications. Lattanzi,AcquavivaandBoglioloaddressthelimitedstoragememoryofwire- less mobile terminals through the concept of network virtual memory. The au- thorsfirstcomparetheperformanceandenergyofnetworkswappingwiththose oflocalswappingonmicrodrivesandflashmemories,thenpresentaninfrastruc- ture providing efficient remote memory access to mobile terminals. The closing paper, by Corradini and Merelli, reports on Hermes, a middleware system for the design and the execution of activity-based applications in distributed envi- ronments.Whilemiddlewareformobilecomputinghastypicallybeendeveloped to support physical and logical mobility, Hermes provides an integrated envi- ronment where application-domain experts can focus on designing the activity workflow. We believe that this book offers a quite comprehensive view of what has been done and what is going on worldwide at present in the field of formal methods for mobile computing. We wish to thank all the lecturers and all the participantsforalivelyandfruitfulschool.Wealsowishtothankthewholestaff of the University Residential Center of Bertinoro (Italy) for the organizational andadministrativesupport,aswellastheRegioneMarche,whichsponsoredthe school within the CIPE 36/2002 framework. April 2005 Marco Bernardo and Alessandro Bogliolo SFM 2005 (Moby) Directors Table of Contents Part I: Models and Languages History-Dependent Automata: An Introduction Ugo Montanari, Marco Pistore .................................. 1 Mobile Distributed Programming in X-Klaim Lorenzo Bettini, Rocco De Nicola ................................ 29 Part II: Scalability and Performance Dealing with Node Mobility in Ad Hoc Wireless Network Mario Gerla, Ling-Jyh Chen, Yeng-Zhong Lee, Biao Zhou, Jiwei Chen, Guang Yang, Shirshanka Das......................... 69 Performance Analysis of Mobile Systems Vincenzo Grassi ............................................... 107 Part III: Dynamic Power Management A Methodology Based on Formal Methods for Predicting the Impact of Dynamic Power Management Andrea Acquaviva, Alessandro Aldini, Marco Bernardo, Alessandro Bogliolo, Edoardo Bonta`, Emanuele Lattanzi ............ 155 Dynamic Power Management Strategies Within the IEEE 802.11 Standard Andrea Acquaviva, Edoardo Bont`a, Emanuele Lattanzi.............. 190 Part IV: Middleware Support Network Swapping Emanuele Lattanzi, Andrea Acquaviva, Alessandro Bogliolo.......... 215 Hermes: Agent-Based Middleware for Mobile Computing Flavio Corradini, Emanuela Merelli .............................. 234 Author Index................................................... 271 History-Dependent Automata: An Introduction UgoMontanari1 andMarcoPistore2 1 UniversityofTrento,Italy [email protected] 2 UniversityofPisa,Italy [email protected] Abstract. InthispaperwegiveanoverviewofHistoryDependentAutomata,an extensionofordinaryautomatathatovercomestheirlimitationsindealingwith namedcalculi.Inanamedcalculus,theobservationslabellingthetransitionsof a system may contain names which represent features such as communication channels,nodeidentifiers,orthelocationsofthesystem.Anexampleofnamed calculusisπ-calculus,whichhastheabilityofsendingchannelnamesasmes- sagesandthusofdynamicallyreconfiguringprocessacquaintancesandofmodel- ingagentsandcodemobility.WeshowthatHistory-DependentAutomataallow foracompactrepresentationofπ-calculusprocesseswhichissuitablebothfor theoreticalinvestigationsandforpracticalpurposessuchasverification. 1 Introduction In the context of process calculi (e.g., Milner’s CCS [Mil89]), automata (or labelled transitionsystems)areoftenusedasoperationalmodels.Theyallowforasimplerep- resentation of process behavior, and many concepts and theoretical results for these processcalculiareindependentfromtheparticularsyntaxofthelanguagesandcanbe formulated directly on automata. In particular, this is true for the behavioral equiva- lences and preorders which have been defined for these languages, like bisimulation equivalence [Mil89,Par80]: in fact they take into account only the labelled actions a processcanperform.Automataarealsoimportantfromanalgorithmicpointofview: efficientandpracticaltechniquesandtoolsforverification[IP96,Mad92]havebeende- velopedforfinite-stateautomata.Finitestateverificationissuccessfulhere,differently than in ordinary programming, since the control part and the data part of protocols and hardware components can be often cleanly separated, and the control part is usu- allybothquitecomplexandfinitestate.Particularlyinterestingisalsothepossibilityto associatetoeachautomaton—and,consequently,toeachprocess—aminimalrealiza- tion,i.e.,aminimalautomatonwhichisequivalenttotheoriginalone.Thisisimportant both from a theoretical point of view — equivalent systems give rise to the same (up toisomorphism)minimalrealization—andfromapracticalpointofview—smaller statespacescanbeobtained. This ideal situation, however, does not apply to all process calculi. In the case of namedcalculi,inparticular,infinite-statetransitionsystemsaregeneratedinstead,also M.BernardoandA.Bogliolo(Eds.):SFM-Moby2005,LNCS3465,pp.1–28,2005. (cid:1)c Springer-VerlagBerlinHeidelberg2005 2 U.MontanariandM.Pistore by very simple processes. In a named calculus, the observations labelling the transi- tions of a system may contain names which are used to identify different features of the modeled system, such as the communication channels, the agents participating to the system, or the locations describing the spatial structure of the system. A quite in- teresting example of named calculus is π-calculus [MPW92,Mil93]. It has the ability ofsendingchannelnamesasmessagesandthusofdynamicallyreconfiguringprocess acquaintances. More importantly, π-calculus names can model objects (in the sense ofobjectorientedprogramming[Wal95])andnamesendingthusmodelshigherorder communicationandmobilecode[San93b]. The operational semantics of π-calculus is given via a labelled transition system. However labelled transition systems are not fully adequate to deal with the peculiar featuresofthecalculusandcomplicationsoccurinthecreationofnewchannels.Con- siderprocessp=(νy)x¯y.y(z).0.Channelyisinitiallyalocalchannelfortheprocess (prefix (νy) is the operator for scope restriction) and no global communication can occur on it. Action x¯y, however, which corresponds to the output of name y on the global channel x, makes name y known also outside the process; after the output has takenplace,channely canbeusedforfurthercommunications,and,infact,y isused in y(z).0 as the channel for an input transition: so the communication of a restricted namecreatesanewpublicchannelfortheprocess.Thecreationofthisnewchannelis represented intheordinarysemantics ofthe π-calculusby means ofan infinite bunch oftransitionsoftheformpx−¯(→w)w(z).0,wherewisanynamethatisnotalreadyinuse (i.e., w (cid:2)= x in our example, since x is the only name in use by p; notice that w = y is just a particular case). This way to represent the creation of new names has some disadvantages: first of all, also very simple π-calculus processes, like p, give rise to infinite-stateandinfinite-branchingtransitionsystems.Moreover,equivalentprocesses donotnecessarilyhavethesamesetsofchannelnames;so,thereareprocessesqequiv- alenttopwhichcannotusey asthenameforthenewlycreatedchannel.Specialrules areneededinthedefinitionofbisimulationtotakecareofthisproblemand,asacon- sequence,standardtheoriesandalgorithmsdonotapplytoπ-calculus. Theidealsituationofordinaryautomatacan(atleastinpart)berecoveredalsointhe fieldofnamedcalculi,byintroducinganewoperationalmodelwhichisadequatetodeal withtheselanguages,andbyextendingtothisnewmodel(partof)theclassicaltheory for ordinary automata. As model we propose the history-dependent automata (HD- automatainbrief).Asordinaryautomata,theyarecomposedofstatesandoftransitions betweenstates.Todealwiththepeculiarproblemsofnamedcalculi,however,statesand transitionsareenrichedwithsetsoflocalnames:inparticular,eachtransitioncanrefer tothenamesassociatedtoitssourcestatebutcanalsogeneratenewnames,whichcan thenappearinthedestinationstate.Inthismanner,thenamesarenotglobalandstatic, as in ordinary labelled transition systems, but they are explicitly represented within statesandtransitionsandcanbedynamicallycreated. Thisexplicitrepresentationofnamespermitsanadequaterepresentationofthebe- havior of named processes. In particular, π-calculus processes can be translated into HD-automata and a first sign of the adequacy of HD-automata for dealing with π- calculusisthatalargeclassoffinitaryπ-calculusprocessescanberepresentedbyfinite- stateHD-automata.WealsogiveageneraldefinitionofbisimulationforHD-automata. History-DependentAutomata:AnIntroduction 3 AnimportantresultisthatthisgeneralbisimulationequatestheHD-automataobtained fromtwoπ-calculusprocessesifandonlyiftheprocessesarebisimilaraccordingtothe ordinaryπ-calculusbisimilarityrelation.ThemostinterestingresultonHD-automatais thattheycanbeminimized.ItispossibletoassociatetoeachHD-automatonaminimal realization,namelyaminimalHD-automatonthatisbisimilartotheinitialone.Asin the case of ordinary automata, this possibility is important from a theoretical but also fromapracticalpointofview. InthispaperwegiveanintroductiontoHD-automata.Someofthebasicresultson ordinaryautomataandanoverviewoftheπ-calculusarebrieflypresentedinSection2. Section3introducesHD-automata,definesbisimulationonHD-automata,andpresents thetranslationofπ-calculusprocessestoHD-automata.Section4describeshowHD- automatacanbeminimizedbytakingintoaccountsymmetriesonthenamesenriching statesandtransitions.Finally,inSection5weproposesomeconcludingremarks.Fur- therresultsonHD-automata(aswellastheproofsoftheresultsthatwepresentinthis paper)canbefoundin[MP98b,MP98a,MP99,MP00]. 2 Background 2.1 OrdinaryAutomata Automata have been defined in a large variety of manners. We choose the following definitionsinceitisverynaturalandsince,aswewillsee,itcanbeeasilymodifiedto defineHD-automata. Definition1 (ordinaryautomata).AnautomatonAisdefinedby: – asetLof labels; – asetQof states; – asetT of transitions; – twofunctionss,d :T → Qthatassociateasourceandadestinationstatetoeach transition; – afunctiono:T →Lwhichassociatesalabeltoeachtransition; – aninitialstateq0 ∈Q. Givenatransitiont∈T,wewritet:q −→l q(cid:1)ifs(t)=q,d(t)=q(cid:1)ando(t)=l. Notation2. Torepresentthecomponentsofanautomatonwewillusethenameofthe automatonassubscript;so,forinstance,QB arethestatesofautomatonB anddB is itsdestinationfunction.InthecaseofautomatonA ,wewillsimplywriteQ andd x x x rather than QA and dA . Moreover, the subscripts are omitted whenever there is no x x ambiguityonthereferredautomaton. Similarnotationsarealsousedfortheotherstructureswedefineinthepaper. Often labelled transition systems are used as operational models in concurrency. Thedifferencewithrespecttoautomataisthatinalabelledtransitionsystemnoinitial stateisspecified.Anautomatondescribesthebehaviorofasinglesystem,andhencethe initialstateoftheautomatoncorrespondstothestartingpointofthesystem;alabelled