A Formalized Methodology for Constructing Safe Multiphase Protocols

Communication protocols typically go through diierent phases, where each one performs a distinct function. Phases are implemented as layers (i.e., a protocol constructed on the OSI model) or as alternative functions (a protocol which can perform many functions, but is limited to performing one at a time). In either case, each phase is itself a protocol which can be modelled as a communicating nite-state machine. A mul-tiphase communication protocol is constructed by connecting a state (or states) of protocol A to a state (or states) of protocol B in such a way that if the component protocols A and B are safe, then the multiphase protocol is safe. Chow et al, 1985] proposed a method for connecting states which has this property. An improved method was subsequently proposed by Lin and Tarng, 1993]. In this paper, we discuss a new protocol veriication method which we use to analyze, construct, and verify a multiphase protocol. The State Transition Generation Algorithm, an algorithm which we have developed based upon the method of Lin and Tarng, is used to analyze Prolog speciications for two communicating nite-state machines being combined, and to generate any new transitions that are required to ensure the new multiphase protocol is safe. We then use a protocol modelling language and two automated protocol veriication tools to construct and verify the multiphase protocol. The multiphase protocol is shown to be safe with respect to speciic correctness criteria when the component protocols are augmented with the new transitions generated by the State Transition Generation Algorithm.