TOTAL ORDER BROADCAST

4. Academic Interests 4.A. Current Research Interests a. Formal Methods with special interests in system modeling, Refinement of distributed systems and verification of critical properties. b. Verification and reasoning about distributed database systems using Event-B.

To build a high quality and zero defects medical devices and softwares is a crucial task. Formal modeling techniques help to achieve this target at certain level. Formal modeling of High-Confidence Medical devices those are too much error prone in operating, are an International Grand Challenge in the area of Verified Software. Formal modeling of an artificial pacemaker is also one of the proposed challenge. The architecture and functional behaviour of the double electrode pacemaker is more complex than the single electrode pacemaker. Proof-based an incremental approach, we use to develop the formal model of functional behaviour of the double electrode pacemaker. The incremental proof-based development is mainly driven by the refinement between an abstract model of the system and its detailed design through a series of refinements, which adds parametric based functional properties to the abstract system-level specifications using some intermediate models. The properties express system architecture and action-reaction under real-time constraints. This technical report focuses on the formal development of the double electrode operating modes and finds the common architecture of operating modes in tree form that helps to make the consistent system. The Event B modeling language is used to express the double electrode pacemaker and generated proof obligations are proved by RODIN platform. Finally, the pacemaker model has been validated by an Event B animator; ProB tool.

Uniform reliable broadcast (URB) is an important abstraction in distributed systems, offering delivery guarantee when spreading messages between processes. Informally, URB guarantees that if a process (correct or not) delivers a message m, then all correct processes deliver m. This abstraction has been extensively investigated in distributed systems where all processes have unique identifiers. Furthermore, the majority of papers in the literature usually assume that the communication channels of the system are reliable, which is not always the case in real systems. In this paper, the URB abstraction is investigated in anonymous asynchronous message passing distributed systems with process crash failures and fair lossy channels. For that, we assume the availability of a random number generator that generates unique global values with very high probability. Firstly, a simple URB algorithm is given assuming a majority of correct processes. Then, we prove the impossibility of solving URB without a majority of correct processes if no failure detector is used. Subsequently, a new failure detector class AΘ is proposed, which can be used to implement URB with any number of correct processes. However, the two previous URB algorithms are non-quiescent because every correct process, to offset the loss of messages caused by fair lossy channels, has to broadcast all URB_delivered messages forever. Hence, a perfect anonymous failure detector AP * is proposed, together with AΘ, to make the URB algorithm quiescent. Finally, we discuss an alternative failure detector AΘ P * , which combines the properties of AΘ and AP * .

In a replicated database system, copies of the database are kept across several sites for fault-tolerance and availability. Data access in such systems is usually done within a transactional framework. A readonly transaction accesses data locally and an update transaction modifies the database at all sites. Total order broadcast primitives have been proposed to support transactions and allow fault-tolerant cooperation between the sites in a distributed system. In this paper, we identify and analyze the problem of formation of deadlocks among conflicting update transactions due to race conditions and outline how a system of total order broadcast prevents deadlocks and transaction failures. Later we outline how a refinement based approach with Event-B can be used for formal development of the models of total order broadcast. In this approach we begin with the abstract model of a total order broadcast and verify that the required ordering properties are preserved by the system. Subsequently, in a series of refinement steps we outline how an abstract total order can correctly be implemented by using a notion of sequence number. This technique requires us to discharge proof obligations due to consistency and refinement checking. To discharge the proof obligations we are required to discover invariants that describes the relationship between the abstract total order and the underlying mechanism.

The use of formal methods to develop a model of a system, specifying critical properties and the verification of them is a way of obtaining better design of dependable services. Event-B is a formal technique for the development of models of distributed systems. This technique consists of describing rigorously the problem in an abstract model, introducing solutions or the design details in refinement steps to obtain more concrete specifications, and verifying that the proposed solutions are correct. This technique ...

Reliable broadcast is a powerful primitive guaranteeing that, intuitively, all processes in a distributed system deliver the same set of messages. Œere is a twofold reason why this primitive is appealing: (i) we can implement it deterministically in a completely asynchronous environment, unlike stronger primitives like consensus and total-order broadcast, and yet (ii) it is powerful enough to implement numerous useful applications like payment systems. Œe problem we tackle in this paper is that of dynamic reliable broadcast, i.e., enabling processes to join or leave the system. Œis is desirable property for long-lived applications supposed to be highly available, yet has been precluded in previous asynchronous reliable broadcast protocols. We introduce the first specification of a dynamic Byzantine reliable broadcast (dbrb) primitive that is amenable to an asynchronous implementation. Indeed, we present an algorithm that implements this specification in an asynchronous environment. ...

Total Order Broadcast (or Atomic Broadcast) primitives have received a lot of attention, this paper concentrates on Total Order Multicast to Multiple Groups in the context of asynchronous distributed systems in which processes may suffer crash failures. ªMulticast to Multiple Groupsº means that each message is sent to a subset of the process groups composing the system, distinct messages possibly having distinct destination groups. ªTotal Orderº means that all message deliveries must be totally ordered. This paper investigates a consensus-based approach to solve this problem and proposes a corresponding protocol to implement this multicast primitive. This protocol is based on two underlying building blocks, namely, Uniform Reliable Multicast and Uniform Consensus. Its design characteristics lie in the two following properties: The first one is a Minimality property, more precisely, only the sender of a message and processes of its destination groups have to participate in the total order multicast of the message. The second property is a Locality property: No execution of a consensus has to involve processes belonging to distinct groups (i.e., consensus is executed on a ªper groupº basis). This Locality property is particularly useful when one is interested in using the Total Order Multicast primitive in large-scale distributed systems. In addition to a correctness proof, an improvement that reduces the cost of the protocol is also suggested.

Total Order Broadcast (or Atomic Broadcast) primitives have received a lot of attention, this paper concentrates on Total Order Multicast to Multiple Groups in the context of asynchronous distributed systems in which processes may suffer crash failures. ªMulticast to Multiple Groupsº means that each message is sent to a subset of the process groups composing the system, distinct messages possibly having distinct destination groups. ªTotal Orderº means that all message deliveries must be totally ordered. This paper investigates a consensus-based approach to solve this problem and proposes a corresponding protocol to implement this multicast primitive. This protocol is based on two underlying building blocks, namely, Uniform Reliable Multicast and Uniform Consensus. Its design characteristics lie in the two following properties: The first one is a Minimality property, more precisely, only the sender of a message and processes of its destination groups have to participate in the total order multicast of the message. The second property is a Locality property: No execution of a consensus has to involve processes belonging to distinct groups (i.e., consensus is executed on a ªper groupº basis). This Locality property is particularly useful when one is interested in using the Total Order Multicast primitive in large-scale distributed systems. In addition to a correctness proof, an improvement that reduces the cost of the protocol is also suggested.

Some form of migrating process, i.e., a process that can change the node during its execution, is being frequently proposed as a basic component for designing distributed applications. Similarly to distributed applications based on static processes, applications based on processes that can migrate also need forms of reliable cooperation between processes. In order to fulfil part of this requirement, we

During the last two decades the design and development of total order (TO) communications has been one of the main research topics in dependable distributed computing. The huge amount of research work has produced several TO specifications and a wide variety of TO implementations with different guarantees whose differences are often left hidden or unclear. This paper presents a systematic classification of six distinct TO specifications based on a well-defined formal framework. The classification allows us (i) to define in a formal way the differences among the behaviors of faulty and correct processes admitted by each specification, and (ii) to easily match TO implementations with respect to their enforced specification. The classification is applied to study the properties of eight variations of TO implementations based on a fixed sequencer given in a well-known context, namely primary component group communication systems.

Recent advances in communication technology enable the emergence of a new generation of applications that integrates mobile devices with classical high performance systems as part of a common computing environment. In such environments, keeping the coherence of shared data (distributed objects, for example) represents a real challenge as communications are strongly influenced by the performance and the reliability of mobile devices (laptops, PDAs and cellular telephones) and wireless networks (WiFi, Bluetooth). Indeed, data incoherence may arise due to message losses or node volatility, which blocks the algorithms used to synchronize these data. In this paper, we analyze the main challenges concerning the manipulation of shared distributed objects in a pervasive environment. We demonstrate how a membership service can be enhanced to tolerate temporary disconnections and message losses without blocking, while reducing the number of exchanged message.

Total Order Broadcast protocols are important tools to ensure coherence across distributed systems. Contrarily to classical distributed systems, pervasive systems bring important constraints related to the performance and reliability of the network and the availability of the devices (laptops, PDAs and cellular telephones). We propose in this paper a self-stabilizing group membership service that helps a token-based Total Order Broadcast protocol to progress in a volatile environment. This group membership service is organized in two hierarchical levels so that unstable nodes are kept in the group without interfering with the Total Order Broadcast protocol. As a result, we avoid expensive membership view changes while keeping the coherence among the nodes.

A large class of safety-critical control systems contains monitoring subsystems that display certain system parameters to (human) operators. Ensuring that the displayed data are sufficiently fresh and non-corrupted constitutes an important part of safety requirements. However, the monitoring subsystems are typically not a part of a safety kernel and hence often built of SIL1 and SIL2 components. In this paper, we formalise a recently implemented industrial approach to architecting dependable monitoring systems that ensures data freshness and integrity despite unreliability of their components. Moreover, we derive an architectural pattern that allows us to formally reason about data freshness and integrity. The proposed approach is illustrated by an industrial case study.

Total Order Broadcast protocols are important tools to ensure coherence across distributed systems. Contrarily to classical distributed systems, pervasive systems bring important constraints related to the performance and reliability of the network and the availability of the devices (laptops, PDAs and cellular telephones). We propose in this paper a self-stabilizing group membership service that helps a token-based Total Order Broadcast protocol to progress in a volatile environment. This group membership service is organized in two hierarchical levels so that unstable nodes are kept in the group without interfering with the Total Order Broadcast protocol. As a result, we avoid expensive membership view changes while keeping the coherence among the nodes.

A reliable broadcast is communication primitive used to develop fault tolerant distributed applications. It in due course delivers messages to all participating sites irrespective of their ordering. Total order broadcast impose restriction on message ordering and satisfies total order requirement.

A clear specifications, rigorous validation and verification is key to obtain better design of dependable services in such applications. With the help of formal methods one can specify and verify systems in systematic rather than ad hoc manner. It reveals ambiguities, incompleteness, and inconsistencies in a
system by facilitating clear specification, rigorous validation and verification.

In this paper, we present a formal development of total order broadcast. The model have been developed and checked by using event-B techniques supported by the RODIN tool. Event-B is a formal technique that supports the incremental design of a distributed applications using notion of refinements.

The development of complex system makes challenging task for correct software development. Due to faulty specification, software may involve errors. The traditional testing methods are not sufficient to verify the correctness of such complex system. In order to capture correct system requirements and rigorous reasoning about the problems, formal methods are required. Formal methods are mathematical techniques
that provide precise specification of problems with their solutions and proof of correctness. In this paper, we have done formal verification of check pointing process in a distributed database system using Event B. Event-B is an event driven formal method which is used to develop formal models of distributed database systems. In a distributed database system, the database is stored at different sites that are connected together through the network. Checkpoint is a recovery point which contains the state information about
the site. In order to do recovery of a distributed transaction a global checkpoint number (GCPN) is required. A global checkpoint number decides which transaction will be included for recovery purpose. All transactions whose timestamp are less than global checkpoint number will be marked as before checkpoint transaction (BCPT) and will be considered for recovery purpose. The transactions whose timestamp are
greater than GCPN will be marked as after checkpoint transaction (ACPT) and will be part of next global checkpoint number.

In the last two decades the development of Total Order (TO) broadcast and multicast communication over asynchronous distributed systems have been one of the main research issues in dependable distributed computing. As a result, a huge amount of works has been carried out, ranging from service specifications to a variety of TO implementations over different communication platforms. Differences among such specifications can make very difficult the choice of the right TO primitive, by an application designer, to enable the application to meet its correctness requirements. The aim of this paper is thus to present a clear classification of total order broadcast specifications. In particular, six specifications of total order broadcast primitives proposed in the literature are organized into a hierarchy that allows (i) to classify existing implementations of total order communication primitives, and (ii) to select the right primitive according to the application requirements in order to maximize performance.

Two methods have been identified for Event-B model decomposition: shared variable and shared event. The purpose of this paper is to introduce the two approaches and the respective tool support in the Rodin platform. Besides alleviating the complexity for large systems and respective proofs, decomposition allows team development in parallel over the same Event-B project which is very attractive in the industrial environment.

In this paper, we present a performance comparison of database replication techniques based on total order broadcast. While the performance of total order broadcast-based replication techniques has been studied in previous papers, this paper presents many new contributions. First, it compares with each other techniques that were presented and evaluated separately, usually by comparing them to a classical replication scheme like distributed locking. Second, the evaluation is done using a finer network model than previous studies. Third, the paper compares techniques that offer the same consistency criterion (one-copy serializability) in the same environment using the same settings. The paper shows that, while networking performance has little influence in a LAN setting, the cost of synchronizing replicas is quite high. Because of this, total order broadcast-based techniques are very promising as they minimize synchronization between replicas.

In a replicated database system, copies of the database are kept across several sites for fault-tolerance and availability. Data access in such systems is usually done within a transactional framework. A read-only transaction accesses data locally and an update transaction modifies the database at all sites. Total order broadcast primitives have been proposed to support transactions and allow fault-tolerant cooperation between the sites in a distributed system.

Causal and total order broadcast has been proposed as a mechanism to provide fault tolerance for constructing reliable distributed systems. The use of formal methods to develop a model of a system, specifying critical properties and the verification of them is a way of obtaining better design of dependable services.

Abstract The use of formal methods to develop a model of a system, specifying critical properties and the verification of them is a way of obtaining better design of dependable services. Event-B is a formal technique for the development of models of distributed systems. This technique consists of describing rigorously the problem in an abstract model, introducing solutions or the design details in refinement steps to obtain more concrete specifications, and verifying that the proposed solutions are correct.