Front. Comput. Sci.
, 2024, 18(2): 182401
https://doi.org/10.1007/s11704-022-2258-3
RESEARCH ARTICLE
A proof system of the CaIT calculus
Ningning CHEN, Huibiao ZHU (
Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China
Higher Education Press 2024
Abstract The Internet of Things (IoT) can realize the
interconnection of people, machines, and things anytime,
anywhere. Most of the existing research mainly focuses on the
practical applications of IoT, and there is a lack of research on
modeling and reasoning about IoT systems from the
perspective of formal methods. Thus, the Calculus of the
Internet of Things (CaIT) has been proposed to specify and
analyze IoT systems before the actual implementation, which
can effectively improve development efficiency, and enhance
system quality and reliability. To verify the correctness of IoT
systems described by CaIT, this paper presents a proof system
for CaIT, in which specifications and verifications are based on
the extended Hoare Logic with time. Furthermore, we explore
the cooperation between isolated proofs to validate the
postconditions of the communication actions occurring in these
proofs, with a particular focus on broadcast communication.
We also demonstrate the soundness of our proof system. A
simple “smart home” is given to illustrate the availability of our
proof system.
Keywords Internet of Things (IoT), Calculus of the Internet
of Things (CaIT), extended hoare logic, cooperation, smart
home
1 Introduction
By embedding “Things” with sensing, processing, and
communication capabilities in IoT, smart devices can
automatically collect information from shared resources (such
as the Internet, physical environment) to provide smart and
innovative services [1,2]. The rapid increase of smart devices
makes the applications and technologies of IoT in high
demand worldwide [3–5]. Thus, a series of promising
technologies (e.g., 5G, machine learning, edge computing, and
Industry 4.0) have been applied to the IoT paradigm,
accelerating the evolution from IoT to IoT 2.0 [6]. However,
with the increasing complexity of the IoT system, its quality
and reliability are difficult to guarantee, the development cost
becomes higher, and new security issues are constantly
emerging. Formal methods (such as model checking and
theorem proving) allow us to model, verify, and reason about
IoT systems before practical implementation [7–9], which can
Received May 1, 2022; accepted December 16, 2022
E-mail: hbzhu@sei.ecnu.edu.cn
✉)
effectively alleviate the above problems. Unfortunately, most
of the work focuses on IoT applications, but very little work
concentrates on modeling the interaction between system
components and verifying the correctness of IoT systems from
the view of formal methods [10].
To the best of our knowledge, only a few studies focus on
the specification and verification of IoT systems from a
process calculus perspective, including only the IoT-calculus
[10], IoT-LYSA [11], and CaIT [12]. However, neither IoT-
calculus nor IoT-LYSA considers the time-related aspects of
process actions. Thus, Lanotte et al. have presented CaIT,
which can model timed behaviors with desirable time,
consistency, and fairness properties [12]. Unfortunately, CaIT
can only support point-to-point communication, not broadcast
communication which is more common in IoT systems.
Therefore, we choose CaIT as the research object and enrich it
by establishing broadcast primitives.
The main contributions of this paper are shown as follows:
● We present a proof system for CaIT to prove the
correctness of IoT systems, where specifications are
based on Hoare triples [13,14]. To further express the
timing of observable actions, Hooman has introduced
the concept of time into the classical Hoare triples [15].
Relying on the extended Hoare Logic, our proof system
can describe not only the terminating computations but
also the nonterminating computations.
● We explore the cooperation between isolated proofs.
Using our proof system, we can generate an isolated
proof for each process. In these isolated proofs, each
statement has its precondition and postcondition. When
we explore their communication actions, the
postcondition of an input action cannot be validated in
isolation since the corresponding output action occurs
in another proof. Thus, we investigate the cooperation
between isolated proofs. If isolated proofs can help each
other to validate the postconditions of their
communication actions, they are cooperative, meaning
that they transmit messages correctly. Here, we focus
not only on point-to-point communication but also on
broadcast communication.
● A simple “smart home” is given to illustrate how our
proof system works. By verifying some properties of
the “smart home”, we can say that our proof system is
useful in the actual scene.
2 Front. Comput. Sci., 2024, 18(2): 182401

The rest of this paper is organized as follows. Section 2 coordinate, and the location of a node indicates its position in
briefly introduces the syntax of CaIT. Section 3 describes the the coordinate. Furthermore, we can get the distance between
structural congruence and specifications applied in our proof two nodes by defining the function Dis(l, l1 ) (an application of
system. In Section 4, we propose a proof system for CaIT and the Euclidean distance [17]). For example, a node at l can
explore the cooperation between isolated proofs. In Section 5, communicate with another node at l1 via the channel c′ iff
we prove the soundness of our proof system. In Section 6, a Dis(l, l1 ) is lesser than or equal to Rng(c′ ), that is,
simple “smart home” shows the application of our proof Dis(l, l1 ) ⩽ Rng(c′ ). Otherwise, they cannot communicate via
system. Section 7 discusses some related work. Finally, the c′. Then we orderly show the details of CaIT from the top
conclusion and future work are in Section 8. level to the bottom level.
Network level:
2 The CaIT calculus (1) 0 means an empty network.
Compared to the original CaIT calculus [12], this paper (2) N∥N1 shows the networks N and N1 run in parallel.
introduces the more general broadcast communication and (3) N; N1 stands for the sequential composition. It firstly
adds operations that facilitate modeling node mobility and the executes network N . After N terminates successfully, network
interactions of sensors and actuators with the environment. N1 starts working.
For simplicity, we still use the name CaIT here. In this section, (4) (vc′ )N indicates that channel c′ is private to network N.
we introduce the syntax of CaIT, shown in Table 1 where the We present (vc̃)N as an abbreviation for (vc1 ) · · · (vck )N, where
extensions are in bold. This calculus has a three-level c̃ = c1 , ..., ck .
(5) n [Γ ▷◁ B]ul stands for a network node corresponding to an
structure: the upper level illustrates the networks, the middle
object of the IoT systems (e.g., a car, a house, and a phone). n
one shows the body of nodes, and the lower level represents
is the node ID, and B is the node body which has a parallel
the processes.
composition of up to three kinds of elements: processes,
At first, we define some functions. The function Rng(c′ ) is a
sensors, and actuators. Γ is the physical interface that can map
mapping from channel c′ to its transmission range, where the
the names of sensors and actuators to values. To ensure the
transmission range of each channel is set by considering many security of nodes, each Γ is private to a node, but public to that
factors in real IoT scenarios, such as geographical node internally. For a given node n [Γ ▷◁ B]ul, sensors contained
environment, system anti-interference ability, electromagnetic in Γ can be read only by this node. Similarly, only this node
environment, transmission medium [16]. The actual IoT scene can modify the values of actuators in Γ . The current location
is abstractly described as a three-dimensional space of node n is l. We define u ∈ {s, m} to distinguish stationary
nodes (formed by u = s), and mobile nodes (denoted by
Table 1 The syntax of the CaIT calculus
u = m).
Network Body level:
N, N1 ::= 0 Empty network (1) B∥B1 is the parallel composition.
| N∥N1 Parallel composition (2) P represents a process, indicating ongoing computations.
| N; N1 Sequential composition
(3) (s ← v3 ); B illustrates a sensor whose name is s , and its
| (vc′ )N Channel restriction
current value is v3. By applying sensors, nodes can obtain a
n [Γ ▷◁ B]l
u
| Node
particular piece of information from the environment, such as
Body
the current physical temperature.
B, B1 ::= B∥B1 Parallel composition
(4) (a → v4 ); B models an actuator whose name is a, and its
| P Process
value is v4. A node can provide a value to the environment
| (s ← v3 ); B Sensor
with actuators. To guarantee that nodes can exchange
| (a → v4 ); B Actuator
information with the environment in time, we require that
Process
P, Q ::= nil Termination (s ← v3 ); B and (a → v4 ); B are executed instantly.
| skip Skip Process level:
| P∥Q Parallel composition (1) nil means this process terminates.
| [b]P,Q Conditional choice (2) skip does nothing and has no effect.
| !⟨v2 ⟩bc ; P Broadcast output (3) P∥Q denotes the parallel composition of processes P and
| ρ; P Intra-node action Q.
| ⌊π; P⌋Q Action with timeout (4) [b]P,Q is the conditional choice, where b has the form
| while b do P od Iteration w = w′ , and w and w′ are expressions. When the Boolean
ρ ::= σ Delay expression b is true (that is, w is equal to w′), process P works;
| @l˜ Querying location otherwise, process Q.
| s?y Sensor reading (5) !⟨v2 ⟩bc ; P represents that a node can transmit the value v2
| a!v Actuator writing via broadcast channel bc immediately, then P starts to execute
π ::= c!⟨v1 ⟩ Point-to-point output after that.
| c?(x1 ) Point-to-point input (6) ρ; P stands for intra-node actions with ρ ∈
| ?(x2 )bc Broadcast input {σ, @l,˜ s?y, a!v}. σ; P indicates that after waiting for one time
| move_l′ Migration unit, process P executes. @l;˜ P obtains the current location of
 Ningning CHEN et al.
the node in which this process is running. Then the obtained
location is assigned to variable l˜, which is available for the
following process P . A node reads a value from sensor s and
stores it into variable y , formed by s?y; P . The value v is
written into the actuator a, described by a!v; P. Particularly, Γ
can be updated by a!v; P and (s ← v3 ); B. For example, the
value of sensor s can be changed to value v3 due to the
execution of (s ← v3 ); B.
(7) ⌊π; P⌋Q denotes actions with timeouts, where
π ∈ {c!⟨v1 ⟩, c?(x1 ), ?(x2 )bc , move_l′ }. For processes ⌊c!⟨v1 ⟩;
P⌋Q and ⌊c?(x1 ); P⌋Q , if processes can communicate before
one time unit via point-to-point channel c , the following
process is P . Otherwise, Q begins to execute after waiting for
one time unit. Similarly, ⌊?(x2 )bc ; P⌋Q indicates that if this
process can get the value via broadcast channel bc before one
time unit, it continues as P after that. Otherwise, it runs like Q
after one time unit. ⌊move_l′ ; P⌋Q describes the migration
process. After waiting for one time unit, if the node can move
to a given destination l′ (a location), this process terminates,
and the following process P starts at new location l′;
otherwise, Q gains the control at its original location after one
time unit. π; P denotes that this process keeps waiting until
action π has finished.
(8) while b do P od is an iteration construction.
3 Specification
In this section, we give a detailed introduction to the structural
congruence and the specifications used in our proof system.
3.1 Structural congruence
The structural equivalence ≡ is used to rearrange an IoT
network to apply the rules of our proof system, shown in
Table 2.
3.2 Specification
In this subsection, we introduce the formalism to specify and
verify IoT systems described by CaIT. Specifications are
based on Hoare triples (precondition, CaIT program,
postcondition). The correctness formulas are depicted as
{p} N {q}, where p and q are assertions, and N is an IoT
network. To specify and design distributed real-time systems,
Hooman et al. extended the classical Hoare Logic by
introducing the concept of time [15]. Inspired by this, we
introduce a particular variable time into assertions to express
the timing of observable actions. In precondition p, we give
the assumptions of the values of objects at the activation time
(i.e., the beginning time) of N , the beginning time of N , and
the timed occurrence of observable behaviours, which
describes the set of initial or input states in which N is started.
Table 2 The structural equivalence
NULL : N∥0 ≡ N
NCOMM : N∥N ′ ≡ N ′ ∥N
NASSOC : (N∥N ′ )∥N ′′ ≡ N∥(N ′ ∥N ′′ )
NPLIT : n [Γ ▷◁ P∥Q]ul ≡n [Γ ▷◁ P]lu ∥n [Γ ▷◁ Q]ul
CHANRE − 1 : (vc)0 = 0
CHANRE − 2 : (vc)(vd)N = (vd)(vc)N
CHANRE − 3 : (vc)(N∥N1 ) = N∥(vc)N1 , i f c not in N1 .
A proof system of the CaIT calculus 3
Postcondition q is defined as the commitment, which indicates
the values of the objects at termination (if N terminates), the
termination time (if N does not terminate, time = ∞ ), and the
timed occurrence of observable actions, depicting the set of
desirable final or output states. As a result, our formalism can
address partial correctness as well as progress properties. In
detail, the correctness formula {p} N {q} is true from the view
of partial correctness if every terminating execution of N
starts from a state satisfying p and terminates in a state
satisfying q. Furthermore, we can verify whether the execution
of N satisfies some properties by setting assertions p and q. In
a formula {p} N {q}, the assertions p and q are described by
the first-order logic with some primitives, shown as follows:
● Val stands for the logical values, i.e., v0, v1, . . ., vn.
● Set T ime contains logical discrete time variables, i.e., t,
t0 , t1, . . ., tn .
● The global clock is represented by a variable time that
ranges over T ime. If time appears in precondition p, it
records the beginning time of the network N . If time
occurs in postcondition q, it records the termination
time (time = ∞ if N does not terminate).
● Var is a set of variables, ranging over Val . The
variables involved in the network N are packaged in the
set Var(N).
● Node is the set of nodes of a network. Node(N) contains
the nodes in N . For channel restriction (e.g., (vc′ )N ),
Node((vc′ )N) = Node(N) holds, meaning that they
contain the same nodes.
● We define function Chan to obtain the set of
communication channels, including point-to-point
channels and broadcast channels, shown in Table 3.
Clearly, the Chan(N) = Chan((vc′ )N) holds.
● Given a network N , Obs(N) is the set of observable
channels for nodes outside of N . If the network N does
not involve channel restriction (i.e., N cannot be (vc′ )N1
for any channel c′ and any network N1),
Obs(N) = Chan(N) holds. Otherwise, Obs((vc′ )N) =
Obs(N1 ) − {c′ } for N = (vc′ )N1. Summarily, c′ ∈ Obs(N)
Table 3 The definition of function Chan
Chan(n [Γ ▷◁ B]ul ) = Chan(B),
Chan(B∥B1 ) = Chan(B) ∪ Chan(B1 ),
Chan((s ← v3 ); B) = Chan(B),
Chan((a → v); B) = Chan(B),
Chan(nil) = ∅,
Chan(skip) = ∅,
Chan(P∥Q) = Chan(P) ∪ Chan(Q),
Chan([b]P, Q) = Chan(P) ∪ Chan(Q),
Chan(!⟨v⟩bc ; P) = {bc} ∪ Chan(P),
Chan(ρ; P) = Chan(P), where ρ ∈ {σ, @l,˜ s?y, a!v}.
Chan(⌊π; P⌋Q) = Chan(π) ∪ Chan(P) ∪ Chan(Q),
where π ∈ {c!⟨v⟩, c?(x), ?(x2 )bc , move_l′ )}.
Chan(c!⟨v⟩) = {c}, Chan(c?(x)) = {c},
Chan(?(x2 )bc ) = {bc}, Chan(move_l′ ) = ∅,
Chan(while b do P od) = Chan(P),
Chan(0) = ∅,Chan(N∥N1 ) = Chan(N) ∪ Chan(N1 ),
Chan(N; N1 ) = Chan(N) ∪ Chan(N1 ).
4 Front. Comput. Sci., 2024, 18(2): 182401
indicates that nodes in N can communicate with nodes
outside of N via c′. c′ < Obs(N) denotes that c′ is
hidden and invisible for nodes outside of N . The set
Obs is the basis for exploring the channel restriction in
subsection 4.4.
In addition, some notations are defined for the construction
of our proof system, shown below:
(1) act at t : It denotes that an observable action act occurs
at time t.
(2) act during I ≡ ∀t ∈ I : act at t : It represents that the
observable action act is executed during the time interval I .
(3) act in I ≡ ∃t ∈ I : act at t : It shows that the observable
action act takes place at some time point in the time interval I .
(4) p[v0 /x] : It replaces any free occurrence of variable x in
assertion p with v0.
In CaIT, nodes communicate with each other via broadcast
communications or point-to-point communications. To
describe communications by message passing via channels,
our assertions are defined based on the following primitives,
where v ∈ Val, t ∈ T ime, n is a node ID, c ∈ Chan is a point-to-
point channel and bc ∈ Chan is a broadcast channel.
● [c!@n] at t : Node n is waiting to send a value via
channel c at time t.
● [c!⟨v⟩@n] at t : Node n begins to transmit value v via
channel c at time t.
● [c?@n] at t : Node n is waiting to receive a value via
channel c at time t.
● [c?(v)@n] at t : Node n starts to receive the value v via
channel c at time t.
● [!⟨v⟩bc @n] at t : At time t, node n sends value v via
channel bc immediately.
● [?bc @n] at t : At time t, node n is waiting to accept a
value via channel bc .
● [?(v)bc @n] at t : Node n starts receiving value v via
channel bc at time t.
4 Proof system for CaIT
This section proposes a proof system for CaIT to prove the
correctness of IoT systems described by CaIT. In subsection
4.1, we introduce some existing auxiliary axioms and rules.
For the basic commands of CaIT, the corresponding rules are
given in subsection 4.2. In subsection 4.3, we explore the
proof rules of parallel composition and show the details of the
cooperation between isolated proofs. Finally, we investigate
the channel restriction in subsection 4.4.
4.1 Auxiliary axioms and rules
In this subsection, we give some auxiliary axioms and rules,
which are similar to those in the previous work [13].
Differently, we further introduce the notion of time into
assertions to express the timing of observable actions in IoT
systems.
Axiom 1 Nontermination
{p ∧ time = ∞} N {p ∧ time = ∞}.
The Nontermination axiom describes the case in which the
predecessor process of the CaIT program N produces a
nonterminating computation, where the precondition of N
(which is also the postcondition of the predecessor process)
contains time = ∞ , denoting that the predecessor process does
not terminate. In this case, N will never be executed and has
no effect, so the postcondition and the precondition are the
same in this rule.
Rule 2 Substitution
{p} N {q}
.
{p[e/x]} N {q}
If a variable x appears in precondition p but does not freely
occur in postcondition q, it can be replaced by any arbitrary
expression e .
Rule 3 Disjunction
{p1 } N {q1 }, {p2 } N {q2 }
.
{p1 ∨ p2 } N {q1 ∨ q2 }
Rule 4 Conjunction
{p1 } N {q1 }, {p2 } N {q2 }
.
{p1 ∧ p2 } N {q1 ∧ q2 }
Rule 5 Sequential composition
{p} N {r} , {r} N1 {q}
.
{p} N; N1 {q}
Assertion r is the postcondition of N , which is also the
precondition of N1. r can describe not only the terminating
computations of N but also its nonterminating computations.
If N does not terminate, assertion q can be deduced using the
Nontermination axiom.
Rule 6 Consequence
p → p1 , {p1 } N {q1 }, q1 → q
.
{p} N {q}
The precondition can be strengthened, and postconditions
can be weakened.
Rule 7 While
We assume that a model in the semantics of While
b do P od starts from a state satisfying the invariant I . The
computation produced by this model can be a terminating
computation (described by q) or a nonterminating computation
(denoted by qin f it ). Below are detailed explanations for the
two cases.
(1) Firstly, q stands for a terminating computation that is
composed of a finite number of terminating computations
produced by P . From the first and second conditions (i.e., the
formulas (1) and (2)), we know that I ∧ b is valid for the initial
state of all these terminating computations, except for the last
one. Based on the second condition (i.e., formula (2)), we can
have q by using the Skip rule defined in subsection 4.2.
(2) Secondly, qin f it means that the computation generated by
this statement is a nonterminating computation, which has the
 Ningning CHEN et al. A proof system of the CaIT calculus 5

following two possibilities. Rule 11 Point-to-point output

(a) In the first case, the nonterminating computation is
produced by the predecessor process (called the initial
model) of While b do P od. Here, we suppose that the
initial model satisfies I and does not terminate, so it
generates a nonterminating computation. In this case,
the successor process (i.e., While b do P od) will never
be executed and has no effect since it follows a
nonterminating computation. According to the
Nontermination axiom, we know that the execution
result of the whole model is equal to the result of the
In the point-to-point output rule, time in the precondition
initial model. I0 is defined according to I , which is used
p ∧ time < ∞ is replaced by t0 , recording the starting time. In
to obtain the postcondition qin f it describing the
this paper, the time unit can be specified according to
nonterminating computations, shown by the formula (3)
(i.e., the shaded area on the last two lines of the requirements: one second, one hour, one day, etc. Here,
premises in the While rule). local(I0 ) = ∅ denotes that adding one time unit simulates the passage of time discretely.
there are no local objects in assertion I0 . Formula And [t0 , t0 + 1) represents a continuous time interval, which is
∀t1 < ∞, ∃t2 > t1 : I0 [t2 /time] aims to assign an infinite used to describe the continuously dynamic evolution of time,
value to time in I0 , which implies qin f it , meaning that a where [t0 , t0 + 1) = {t ∈ T ime | t0 ⩽ t < t0 + 1}. As mentioned
nonterminating computation is generated in this case. before, the point-to-point output action is executed with
Obviously, in this case, the whole model also satisfies timeout, which has two execution results. If the value v is sent
time = ∞ . Therefore, qin f it ∧ time = ∞ is the final via point-to-point channel c within one time unit after t0 , the
postcondition of this case. postcondition is p1, and then this process executes P .
(b) In another case, the nonterminating computation is Otherwise, the postcondition is p2 , denoting that this action
caused by While b do P od itself, and there are also does not happen before one time unit, and then the process
two possibilities. Firstly, qin f it can be a nonterminating performs like Q .
computation produced by a nonterminating computation Rule 12 Point-to-point input
of P . For instance, P generates a nonterminating
computation, because it contains a nonterminating
iteration structure (e.g., While b1 do P1 od). Secondly,
qin f it can be a nonterminating computation composed of
an infinite number of terminating computations
generated by P . For example, the Boolean expression b
is always satisfied, which makes P repeatedly execute.
In the above two cases, qin f it can be derived from the
third condition (i.e., the formula (3)). Further,
qin f it ∧ time = ∞ is the final postcondition.
Rule 8 Nondeterministic choice We use t0 to mark the beginning time of this statement. This
statement must wait for receiving messages from point-to-
{p} N1 {q1 }, {p} N2 {q2 } point channel c with timeout, which has two execution results.
.
{p} N1 ⊓ N2 {q1 ∨ q2 } If the node receives a value via c within one time unit after t0 ,
In this rule, we discuss the nondeterministic choice. In this the postcondition is p1, and the obtained value v is accessible
structure, either N1 is executed, which leads to q1, or N2 is for the following process P . Otherwise, the postcondition is
selected, resulting in q2 . p2 , and the control passes to Q after one time unit.
Rule 13 Broadcast output
4.2 Proof rules for basic commands
Here, we define the proof rules for the basic commands in an
IoT network described by CaIT.
Axiom 9 Nil

{p} 0 {p} .
The empty network 0 terminates immediately and has no To explore the broadcast output action, we give this rule
effect. with the precondition p ∧ time < ∞ . time in p ∧ time < ∞ is
Rule 10 Skip replaced by t0 to record the starting time of the statement. The
value v is sent immediately via broadcast channel bc at time
{p} Skip {p} . t0 , leading to postcondition p1. Then the process continues
Skip action does nothing and has no impact. as P .
6 Front. Comput. Sci., 2024, 18(2): 182401
Rule 14 Broadcast input
To investigate the broadcast input statement, we define this
rule with the precondition p ∧ time < ∞ . There are also two
execution results of the rule. If this statement receives a value
via channel bc within one time unit after its starting time, the
postcondition is p1, and the received message is accessible for
the next process P . Otherwise, the postcondition is p2 , and
this process continues like Q .
Rule 15 Delay
{q[time + 1/time] ∧ time < ∞}n [Γ ▷◁ σ; P]ul {q ∧ time < ∞}.
Delay rule suspends the execution of the statement for one
time unit. To obtain the postcondition q ∧ time < ∞, we define
the precondition q[time+1/time] ∧ time < ∞. The initial time
plus one time unit equals the termination time recorded in
postcondition, meaning that this process delays one time unit.
Rule 16 Migration
δ is the fixed maximum distance that the node n can move in
one time unit. m means that node n is a mobile node. This
statement waits for one time unit firstly, leading to
postcondition p ∧ time < ∞ . Taking p ∧ time < ∞ as the
precondition, if the distance between the current location l and
the destination l′ is lesser than or equal to δ , the process
performs like P at the new location l′. Otherwise, Q starts
executing at its original location l.
Rule 17 Querying location
This statement queries the current location l(time) of the
node in which this process is running. l(time) is accessible for
the following process P .
Rule 18 Sensor reading
In sensor reading rule, this statement reads a value Γ(s)
from sensor s at the trigger time of this process, resulting in
p1. The obtained value is accessible for the next process P .
Rule 19 Sensor
Sensor rule illustrates that a node reads a particular piece of
information from the environment using a sensor. This
statement is executed immediately at its beginning time t0 . If
the current value Γ(s) stored in sensor s is not equal to the
newly obtained value v , p1 is the postcondition. And Γ is
updated to Γ′, which is accessible for the remaining system B .
Otherwise, if the value in sensor s does not need to be
updated, the postcondition is p2 , and it continues to execute
under Γ .
Rule 20 Actuator writing
At the starting time of this statement, it immediately writes
the value v to an actuator a, leading to p1. Consistently, Γ is
updated to Γ′, which is available for the following process P .
Rule 21 Actuator
A node can provide a value to the environment through an
actuator a, formed by (a → v); B . This action is executed at the
starting time of this statement, leading to postcondition p1.
Then the remaining system B starts to execute.
Rule 22 Conditional choice
b is a Boolean expression, which has the form w = w′ . If b is
true (i.e., w is equal to w′), then process P is executed, which
leads to q1. Otherwise, this process performs as Q , leading to
q2 .
Example 1. We prove the following example to demonstrate
the application of our proof system, especially the While rule.
The proof of this example denotes that our proof system is not
 Ningning CHEN et al. A proof system of the CaIT calculus 7

restricted to partial correctness , but allows us to explore the

properties of both terminating and nonterminating
computations.
N ≡ n [Γ ▷◁ While x , 0 do ⌊c?(x); P1 ⌋P1 od]ul
P1 ≡ While x = 0 ∧ y , 1 do ⌊?(y)bc ; S kip⌋S kip od
Next, we need to prove that

where,
C ≡(time = ∞ ∧ ∀t1 < ∞ : ¬[c?(0)@n] at t1 )∨
(time = ∞ ∧ ∀t2 < ∞ : ¬[?(1)bc @n] at t2 )∨
(time < ∞ ∧ ∃t1 , t2 < ∞ : ¬[c?(0)@n] at t1 ∧
[?(1)bc @n] at t2 ).
In postcondition C , we describe three execution results of
this example. In the first case (i.e., the first line), this example
does not terminate (denoted by time = ∞ ) if it cannot receive 0
via channel c . The second case (i.e., the second line) is
similar. In contrast, the last case (i.e., the last two lines)
indicates that this example terminates (represented by
By applying the while rule, we can obtain
time < ∞ ) if it receives 0 via c and 1 via bc .
We use the While rule based on the following assertions.
qin f it ≡(∀t1 < ∞ : ¬[c?(0)@n] at t1 )∨
(∀t2 < ∞ : ¬[?(1)bc @n] at t2 )

q ≡time < ∞ ∧ ∃t1 , t2 < ∞ : [c?(0)@n] at t1 ∧ From the consequence rule and the fact “time = 0 ∧ x ,
bc 0 ∧ y , 1 → I ”, we can get {time = 0 ∧ x , 0 ∧ y , 1} n [Γ ▷◁
[?(1) @n] at t2 While x , 0 do ⌊c?(x); P1 ⌋P1 od]ul {(qin f it ∧ time = ∞) ∨ q}.
I ≡(time = ∞ ∧ qin f it )∨ Further, (qin f it ∧ time = ∞) ∨ q is equal to (((∀t1 < ∞ :
¬[c?(0)@n] at t1 ) ∨ (∀t2 < ∞ : ¬[?(1)bc @n] at t2 )) ∧ time =
(time < ∞ ∧ (∃time′ ⩽ time, ∀t1 < time′ : ∞)∨(time < ∞ ∧ ∃t1 , t2 < ∞ : [c?(0)@n] at t1 ∧[?(1)bc @n] at t2),
¬[c?(0)@n] at t1 ∧ (x = 0 ↔ [c?(0)@n] at time′ ))∧
which implies the final postcondition C .
(∀t2 < time : ¬[?(1)bc @n] at t2 ∧ After the above proofs, the assertion formula of this
(y = 1 ↔ [?(1)bc @n] at time))) example has been proved.

I0 ≡(∀t1 < time : ¬[c?(0)@n] at t1 )∨
(∀t2 < time : ¬[?(1)bc @n] at t2 )
● If this example does not receive 0 via c or 1 via bc , it
keeps executing and never terminates, as described by
qin f it .
● If this example receives not only 0 via c but also 1 via
bc , it terminates, as represented by q.
● I is an invariant, which must be satisfied during the
execution of this example. The invariant I considers
both terminating and nonterminating cases.
● I0 is implied by I , which only considers the nontermina-
ting case, and is used to derive qin f it .
To apply the While rule, we have to prove the following
formulas.
4.3 Proof rules for parallel composition
Using our proof system, we can give proofs for isolated
processes. Now we define parallel composition rule to
combine these isolated proofs based on the test for
cooperation between them.
Rule 23 Parallel composition
{p} N1 {q1 }, {p} N2 {q2 }, Comb(q1 , q2 ) → q
{p} N1 ∥ N2 {q}
where N1 =n1 [Γ1 ▷◁ B1 ]ul 1 and N2 =n2 [Γ2 ▷◁ B2 ]ul 2 .
1 2
Here, we consider two possibilities for Comb:
1. If time does not appear in q1 and q2 , we have:
Comb(q1 , q2 ) ≡ q1 ∧ q2
2. Otherwise, the values of time in q1 and q2 may be
different. To obtain a more general rule, we firstly record the
values of time in q1 and q2 using variables t1 and t2 ,
8 Front. Comput. Sci., 2024, 18(2): 182401
respectively. Then we take the maximum of t1 and t2 as the
termination time of the parallel composition.
Comb(q1 , q2 ) ≡q1 [t1 /time] ∧ q2 [t2 /time]∧
time = max(t1 , t2 )
provided that
(1) Var(N1 ) ∩ Var(N2 ) = ∅.
(2) Var(qi ) ⊆ Var(Ni ), Chan(qi ) ⊆ Chan(Ni ), for i = 1, 2.
(3) To ensure isolated proofs transmit messages correctly, we
explore the cooperation between their communication actions.
For example, let post1 and post2 be the postconditions of a
pair of input and output actions, respectively. post1 depicts the
receiving of value v . post2 describes the sending of value v′. If
conditions (involving distance, time, and channel
observability) are both satisfying, it means that the
communication occurs successfully. Then, these isolated
proofs cooperate if and only if they can help each other to
validate the postconditions of their communication actions
(i.e., v = v′), denoting that the messages are delivered correctly
via channels. We give the following two rules to establish the
cooperation.
Rule 24 Point-to-point communication
where c is a point-to-point channel, and the communication
condition is below.
Com1 ((n1 , l1 ), (n2 , l2 ), c) =d f c ∈ Obs(n1 ) ∧ c ∈ Obs(n2 )∧
Dis(l, l1 ) ⩽ Rng(c)
This rule indicates that the point-to-point communication
occurs successfully based on the following two assumptions.
Firstly, only nodes (or networks) where c is an observable
channel can communicate with the outside via c , i.e.,
c ∈ Obs(n1 )∧c ∈ Obs(n2 ). In addition, the distance between
them must be within the communication range of c , that is,
Dis(l1 , l2 ) ⩽ Rng(c) .
Rule 25 Broadcast communication
where bc is a broadcast channel, and the communication
condition is as follows.
Com2 ((n1 , l1 ), (n2 , l2 ), bc) =d f bc ∈ Obs(n1 )∧
bc ∈ Obs(n2 ) ∧ Dis(l1 , l2 ) ⩽ Rng(bc)
Point-to-point cooperation:
Now, we establish the cooperation of point-to-point
communications with the example of c!⟨v⟩ and c?(x). Each of
the two actions executes with the timeout, having two
execution results. First, the formula {pre1 } n1 [Γ1 ▷◁ ⌊c!⟨v⟩;
skip⌋skip]ul 1 {post1 } is extracted from the isolated proofs,
1
denoting that the value v is sent successfully via channel c
within one time unit after the starting time. Similarly,
{pre2 } n2 [Γ2 ▷◁ ⌊c?(x); skip⌋skip]ul 2 {post2 } means that a value
2
is received via channel c within one time unit after the
activeness time. Under the following conditions, we can
determine whether the communication takes place smoothly.
If it occurs successfully, we still need to check whether they
help each other to validate their postconditions.
(1) Condition
By defining Condition1, we check the observability of
channel c , the distance between two nodes, and the starting
time recorded in pre1 and pre2. Firstly, only nodes (or
networks) where c is an observable channel can communicate
with the outside via c (i.e., c ∈ Obs(n1 ) ∧ c ∈ Obs(n2 )).
Additionally, the distance between n1 and n2 should be within
the transmission range of channel c , that is,
Dis(l1 , l2 ) ⩽ Rng(c) . As mentioned before, both point-to-point
output actions and point-to-point input actions are executed
with timeouts. Thus, if the beginning time of the point-to-
point output action is t1, only when the corresponding point-
to-point input action starting from t2 is also ready within
[t1 , t1 + 1), this point-to-point communication is possible. If the
above two conditions are both satisfied, we can say that this
communication successfully occurs. We give the following
formal to combine the above conditions.
Condition1 =d f c ∈ Obs(n1 ) ∧ c ∈ Obs(n2 )∧
( )
(t1 ⩽ t2 ∧ t2 < t1 + 1)∨
Dis(l1 , l2 ) ⩽ Rng(c) ∧
(t2 ⩽ t1 ∧ t1 < t2 + 1)
(2) Cooperation
● First, we need to check whether pre1 [t1 /time]
∧pre2 [t2 /time] ∧ Condition1 is satisfied, where pre1
[t1 /time] represents that the starting time listed in pre1
is recorded by t1.
● If the result is true, this communication occurs at
max(t1 , t2 ) at which both sides are ready. A new
assertion p can be generated from pre1 [t1 /time]∧
pre2 [t2 /time] ∧ Condition1 by updating the value of
time to max(t1 , t2 ), shown by pre1 [t1 /time]∧
pre2 [t2 /time] ∧ Condition1 ∧ time = max(t1 , t2 ) → p .
Then, we go to the next step. Otherwise, they are
cooperative.
● Taking the new assertion p as the precondition, we can
obtain {p} n1 [Γ1 ▷◁ ⌊c!⟨v⟩; skip⌋skip]ul 1 ∥n2 [Γ2 ▷◁ ⌊c?(x);
1
skip⌋skip]ul 2 {q} using point-to-point communication
2
rule.
● If post1 ∧ post2 can be deduced from q with
Consequence rule, they cooperate, indicating that the
 Ningning CHEN et al. A proof system of the CaIT calculus
message is transmitted correctly. Otherwise, they are
not cooperative (i.e., the message is transmitted
wrongly).
Broadcast communication cooperation:
Similarly, we introduce the cooperation of broadcast
communications with !⟨v⟩bc and ?(x)bc. Although the value can
be sent to more than one node, we only discuss one receiver
here. For more complex cases, this procedure can be used
repeatedly. {pre1 } n1 [Γ1 ▷◁!⟨v⟩bc ; skip]ul 1 {post1 } denotes that
1
the value v is sent immediately via bc at its trigger time.
{pre2 } n2 [Γ2 ▷◁ ⌊?(x)bc ; skip⌋skip]ul 2 {post2 } stands for the
2
successful reception of a value via bc within one time unit
after the starting time. Based on the following conditions, we
check whether the communication executes successfully. If it
happens, we must discuss whether they help each other
validate their postconditions.
(1) Condition
The conditions involve the observability of channel c , their
distance, and the starting time, which are similar to the point-
to-point. The difference is that the broadcast output action
happens immediately, while the broadcast input action
executes with a timeout. When the broadcast output action
occurs, the corresponding input actions should be ready to
receive the value. In other words, if the broadcast output
action occurs at t1, and the starting time of one corresponding
broadcast input action is t2 , only when t1 is within the time
interval [t2 , t2 + 1), this broadcast communication is possible.
We give the following formula for these conditions.
Condition2 =d f bc ∈ Obs(n1 ) ∧ bc ∈ Obs(n2 )∧
Dis(l1 , l2 ) ⩽ Rng(bc) ∧ (t2 ⩽ t1 < t2 + 1)
(2) Cooperation
● We check whether pre1 [t1 /time] ∧ pre2 [t2 /time]∧
Condition2 is valid. If it is valid, a new assertion p can
be obtained from pre1 [t1 /time] ∧ pre2 [t2 /time]
∧Condition2 by updating the time to t1 at which the
broadcast output action happens, which is formed by
pre1 [t1 /time] ∧ pre2 [t2 /time] ∧ Condition2 ∧ time =
t1 → p. Then we go to the next step. Otherwise, they are
cooperative.
● Using broadcast communication rule with the
precondition p, we gain {p} n1 [Γ1 ▷◁!⟨v⟩bc ; skip]ul 1 ∥n2
1
[Γ2 ▷◁ ⌊?(x)bc ; skip⌋skip]ul 2 {q}.
2 using the parallel composition rule to combine (vc′ )M and N .
● By using the consequence rule, we can say that they
cooperate if pos1 ∧ post2 can be implied from q. If not,
they are not cooperative.
Example 2. The following example shows how parallel
composition rule works. We need to prove
{time = 0 ∧ v = z} N1 ∥N2 {v = z ∧ x = z}
where N1 =n1 [Γ1 ▷◁ ⌊c!⟨v⟩; σ⌋σ]ul 1 ,
1
N2 =n2 [Γ2 ▷◁ ⌊c?(x); skip⌋σ]lu2 ,
2
c ∈ Chan(n1 ) ∧ c ∈ Chan(n2 ) ∧ Dis(n1 , n2 ) ⩽ Rng(c).
The following isolated proofs can be generated by applying
9
our proof system.
{time = 0 ∧ v = z} N1 {v = z},
{time = 0 ∧ v = z} N2 {x = z}
According to the definition of parallel composition rule,
we should check some conditions. First, Var(N1 )∩
Var(N2 ) = ∅ is satisfied. Then both Chan(qi ) ⊆ Chan(Ni ) and
Var(qi ) ⊆ Var(Ni ) hold, where i = 1, 2. Finally, we should
check whether they cooperate. We extract the following
formulas from proofs, denoting that the output action and the
input action happen within one time unit after their own
starting time, respectively.
{pre1 } n1 [Γ1 ▷◁ ⌊c!⟨v⟩; skip⌋skip]ul 1 {post1 },
1
{pre2 } n2 [Γ2 ▷◁ ⌊c?(x); skip⌋skip]lu2 {post2 }
2
where, pre1 ≡ {time = 0 ∧ v = z},
post1 ≡ {time = 0 ∧ v = z},
pre2 ≡ {time = 0 ∧ v = z},
and post2 ≡ {time = 0 ∧ x = z}.
It is clear that pre1 [t1 /time] ∧ pre2 [t2 /time] ∧ Condition1
holds, then we can obtain the assertion {time = 0 ∧ v = z}. By
using point-to-point communication rule with precondition
{time = 0 ∧ v = z}, we have {time = 0 ∧ v = z} n1 [Γ1 ▷◁ ⌊c!⟨v⟩;
skip⌋skip]ul 1 ∥n2 [Γ2 ▷◁ ⌊c?(x); skip⌋skip]ul 2 {time = 0 ∧ v = z∧
1 2
x = v}. post1 ∧ post2 can be deduced from {time = 0∧
v = z ∧ x = v} using consequence Rule. Thus the proofs of N1
and N2 cooperate. Applying parallel composition rule,
{time = 0 ∧ v = z} N1 {v = z} and {time = 0 ∧ v = z} N2 {x = z}
combine to {time = 0 ∧ v = z} N1 ∥N2 {v = z ∧ x = z} .
4.4 Channel restriction
In this subsection, we explore the channel restriction with the
example (vc′ )M∥N , where both M and N can be a single node
or a parallel composition of multiple nodes. The details are
shown below.
(1) Based on our proof system, we can get isolated proofs of
networks M and N with Obs(M) and Obs(N) . By doing this,
the communications within M or N have been addressed with
the notion of cooperation, especially communications via c′
within M . Next, we explore the parallel composition of
(vc′ )M and N .
(2) For (vc′ )M , channel c′ is private for the network M . In
other words, c′ is invisible for nodes outside of M (e.g.,
network N ). Therefore, we have to hide channel c′ before
For all node n ∈ Node(M), we update its Obs(n) to Obs′ (n),
where Obs′ (n) = Obs(n) − {c′ }.
(3) Now, we can get Obs((vc′ )M) which is the union of
Obs′ (n) for all node n in Node((vc′ )M) , where
Node((vc′ )M) = Node(M). (vc′ )M and N cannot communicate
via c′ due to c′ < Obs((vc′ )M), that is, they are cooperative.
Then we can obtain the final proof of (vc′ )M∥N by applying
the parallel composition rule to the isolated proofs of M and
N with the Obs((vc′ )M) and Obs(N) .
5 Soundness
We explore the soundness of our proof system. First, we
10 Front. Comput. Sci., 2024, 18(2): 182401
define the partial correctness semantics of CaIT programs
and list its properties. We then propose a formal definition of
the soundness of the CaIT program. Finally, we prove the
soundness of each rule in our proof system from the
perspective of partial correctness , which means that our
proof system is sound for partial correctness .
5.1 Partial correctness semantics
Definition 5.1 Let N be a CaIT program, σ be the initial state
of N , and ⟨N, σ⟩ be a configuration denoting that N is
executed in state σ [13]. The partial correctness semantics of
a CaIT program is a mapping from the initial state to the final
state.
M[[N]] = Σ → P(Σ),
M[[N]](σ) = {τ|⟨N, σ⟩ →∗ ⟨0, τ⟩},
where,
● ⟨N0 , σ0 ⟩ → ⟨N1 , σ1 ⟩ is a transition, which means that
executing N0 one step in a state σ can switch to state σ1
with the remaining process N1. Here, 0 is an empty
program, and τ is the final state.
● The transitive and reflexive closure of the transition
relation (i.e., →) is described as →∗.
● Σ is the set of states and P(Σ) stands for all subsets of Σ.
M[[N]] represents the partial correctness semantics of N .
Starting from the initial state σ, N terminates in the final state
τ contained in M[[N]](σ). Next, we present the following
Lemma 5.2 to briefly introduce properties of the
partial correctness semantics (see [13] for more details).
Lemma 5.2. (Input/output)
(1) M[[N]] is monotonous;
that is, X ⊆ Y ⊆ Σ impliesM[[N]](X) ⊆ M[[N]](Y) .
(2) M[[N1 ; N2 ]](X) = M[[N1 ]](M[[N2 ]](X)).
(3) M[[[b]N1 , N2 ]](X) = M[[N1 ]](X ∩ [[b]])∪
M[[N2 ]](X ∩ [[¬b]]) .
(4) M[[(N1 ; N2 ); N3 ]](X) = M[[N1 ; (N2 ; N3 )]](X).
(5) M[[While b do N od]](X) =
∪∞
k=0 M[[(While b do N od) ]].
k ∧ [?(v)bc @n] at t′ ∧ time = t′ .
5.2 Verification
We give the meaning of assertion p as [[p]] = {σ|σ |= p}. The
assertion p is true if all states σ satisfy p (i.e.,
∑
∀σ ∈ : σ |= p ). Following lemmata describe properties for
the meanings of assertions.
Lemma 5.3. (Meaning of assertion)[13]
(1) [[¬p]] = Σ − [[p]],
(2) [[p ∨ q]] = [[p]] ∪ [[q]],
(3) [[p ∧ q]] = [[p]] ∩ [[q]],
(4) p → q is true, iff [[p]] ⊆ [[q]],
(5) p ↔ q is true, iff [[p]] = [[q]].
Definition 5.4. (Soundness of proof system)
● From the view of partial correctness , the correctness
formula {p} N {q} is true if M[[N]]([[p]]) ⊆ [[q]],
described as |= {p} N {q}.
● Let ⊢A φ denote that the formula φ is provable in the
proof system A. For all correctness formula {p} N {q}, if
⊢A {p} N {q} implies ⊨ {p} N {q}, the proof system A is
sound for partial correctness .
Theorem 5.5 From the perspective of the partial correctness
semantics, the proof system proposed for CaIT is sound.
To prove Theorem 5.5, we need to prove the soundness of
all axioms and proof rules. For simplicity, here we only give
the detailed proofs for the soundness of the rules broadcast
output, broadcast input, and parallel combination. The
proofs for other rules are similar.
(1) Broadcast output rule
Proof The broadcast output action (described as N1) executes
immediately at the activeness time. Further, we get
M[[!⟨v⟩bc @n]][[p]] ⊆ [[p′1 ]], where p is the precondition, and p′1
is as follows:
p′1 = p[t0 /time] ∧ [!⟨v⟩bc @n] at t0 ∧ time = t0
According to the premises of the broadcast output rule, we
can obtain
p′1 → p1 , M[[n [Γ ▷◁ P]ul ]]([[p1 ]]) ⊆ [[q]].
From the Lemma 5.3(4), [[p′1 ]] ⊆ [[p1 ]] holds. By the
monotony of M[[N1 ]], we have M[[n [Γ ▷◁ P]ul ]]
′
([[p1 ]]) ⊆ M[[n [Γ ▷◁ P]l ]]([[p1 ]]) ⊆ [[q]]. Further, we get
u
M[[N1 ]]([[p]]) ⊆ [[q]]. Thus, the Broadcast Output rule is
sound from the partial correctness .
(2) Broadcast input rule
Proof For the broadcast input action (denoted by N ), there are
two possibilities.
(1) The broadcast input action ?(v)bc @n may occur within one
time unit. Therefore, there is a moment t′ ∈ [t0 , t0 + 1) such that
M[[#t′ ; ?(v)bc @n]] ⊆ [[p′ ]] holds, where
p′ = p[t0 /time] ∧ ∃t′ ∈ [t0 , t0 + 1) : [?bc @n] during [t0 , t′ )
(2) The broadcast input action may not happen before one
time unit. M[[#1]] ⊆ [[p′′ ]] holds, where
p′′ = p[t0 /time] ∧ [?bc @n] during [t0 , t0 + 1) ∧ time = t0 + 1.
According to premises of the broadcast input rule, we have
p′ → p1 , M[[n [Γ ▷◁ P]ul ]]([[p1 ]]) ⊆ [[q1 ]],
p′′ → p2 , M[[n [Γ ▷◁ Q]ul ]]([[p2 ]]) ⊆ [[q2 ]].
Based on the Lemma 5.3(4), [[p′ ]] ⊆ [[p1 ]] and
[[p′′ ]] ⊆ [[p2 ]] are both satisfied. From the monotony of
M[[N]], we can gain
M[[n [Γ ▷◁ P]ul ]]([[p′ ]]) ⊆ M[[n [Γ ▷◁ P]ul ]]([[p1 ]]) ⊆ [[q1 ]],
M[[n [Γ ▷◁ Q]ul ]]([[p′′ ]]) ⊆ M[[n [Γ ▷◁ Q]ul ]]([[p2 ]]) ⊆ [[q2 ]].
Now, we can obtain M[[N]]([[p]]) ⊆ [[q1 ]] ∪ [[q2 ]]. Further,
we can know [[q1 ]] ∪ [[q2 ]] = [[q1 ∨ q2 ]] holds with the
Lemma 5.3(2). Then we obtain M[[N]]([[p]]) ⊆ [[q1 ∨ q2 ]].
 Ningning CHEN et al. A proof system of the CaIT calculus
Consequently, the Broadcast Input rule is sound from the
perspective of partial correctness .
(3) Parallel composition rule
Proof We use variables t1 and t2 to replace the time in
assertions q1 and q2 , respectively. From the premises of the
Parallel Composition rule, we get
M[[N1 ]]([[p]]) ⊆ [[q1 ]],
M[[N2 ]]([[p]]) ⊆ [[q2 ]],
Comb(q1 , q2 ) ≡ q1 [t1 /time] ∧ q2 [t2 /time] ∧ time = max(t1 , t2 ),
Comb(q1 , q2 ) → q
provided that
(1) Var(N1 ) ∩ Var(N2 ) = ∅.
(2) Var(qi ) ⊆ Var(Ni ), Chan(qi ) ⊆ Chan(Ni ), for i = 1, 2 .
(3) Two parallel components cooperate.
The final terminating time of this parallel composition is the
larger one of the two processes. For i = 1, 2, there is
ti ∈ M[[Ni ]]([[p]) to make time = max(t1 , t2 ) hold, that is, each
final state of M[[N1 ∥N2 ]]([[p]]) satisfies assertion
Comb(q1 , q2 ) . According to Comb(q1 , q2 ) → q and Lemma
5.3(4), we know that [[Comb(q1 , q2 )]] ⊆ [[q]]. With the
monotony of M[[N]], we get M[[N1 ∥N2 ]]([[p]]) ⊆
[[Comb(q1 , q2 )]] ⊆ [[q]]. Consequently, the parallel
compositional rule is sound for partial correctness . The
proofs of rules point-to-point communication and broadcast
communication are similar. For simplicity, we omit their
details here.
6 A case of smart home
Using our proof system, we prove a system “smart home”
which has been adopted to explore the equivalence between
IoT systems in [12]. The whole system is the parallel where C pro ≡ C1 ∧ C2 ∧ C3 ∧ C4 with
composition of the smart home Home and the smart phone
Phone.
As shown in Fig. 1, this house contains an entrance and a
lounge separated by a patio. This house spans over four
continuous physical locations loci , where i = 1, 2, 3, 4. The
distance between two locations can be described by
d(loci , loc j ) = |i − j|. The entrance is at loc1. From loc2 to loc3, C3 ≡ ∀t < ∞, ∀te ∈ R :[(tepm ← te)@nb ] at t ∧ te ⩾ θ
there is a patio. Finally, a lounge is at loc4. In the entrance and
the lounge, each one has a light (actuator light j ) governed by
their light manager processes LMng j , where j ∈ {1, 2}. A
boiler (actuator boiler ) is in the patio, managed by the boiler
manager process BMng . The patio also has a centralized light
manager process CLMng to support lights control. The
domain of these actuators is {on, o f f } , and their initial values
are both o f f , such as ΓL1 (light1 ) = o f f . As a mobile node,
Phone contains three processes: the migrating process Move,
Fig. 1 A simple smart home implied from [12]
11
the boiler control process BCtrl and the light control process
LCtrl . This “smart home” is equipped with some sensors,
including bs in Phone, to set the mode of the boiler, and temp
in Home , for sensing the physical temperature.
Users can only enter this house from the entrance with their
phones. Process Move describes the moving trail of Phone,
which moves one unit each time. Initially, Phone is placed
outside Home , denoted by “l1 (0) = out ”. With process LCtrl ,
Phone sends its real time location to CLMng via broadcast
channel g, where Rng(g) = 4 . When Phone is at loc1 or loc4,
CLMng orders the light manager process to turn on the light at
the current location. Using the phone touchscreen button
(sensor bs ), a user can set the mode of the boiler. When Phone
receives related commands, BCtrl immediately forwards them
to BMng via broadcast channel b, where Rng(b) = 4 .
According to the structure congruence defined in subsection
3.1, Phone can be described as the parallel composition of
three components. The whole system is shown below:
de f de f
S ys = Home ∥ Phone Home = L1 ∥ L2 ∥ L3 ∥ L4
de f de f
L1 = n1 [ΓL1 ▷◁ LMng1 ]loc
s L2 = nb [ΓB ▷◁ BMng]loc
s
1 2
de f
L3 = nc [∅ ▷◁ CLMng]loc
s de f
L4 = n2 [ΓL2 ▷◁ LMng2 ]loc
s
de f
3 4
Phone = np [Γ p ▷◁ Move ∥ BCtrl ∥ LCtrl]m
l ∈Loc 1
de f
= np [Γ p ▷◁ Move]lm∈Loc ∥ np [Γ p ▷◁ BCtrl]m
l1 ∈Loc
1
∥ np [Γ p ▷◁ LCtrl]m
l ∈Loc
1
where, Loc = {out, loc1 , loc2 , loc3 , loc4 } and l1 (0) = out .
This system should satisfy some run-time properties, which
are represented by the following proof with some assertions:
C1 ≡ ∀t < ∞ :[(bs ← man)@n p ] at t →
[(bolier!on)@nb ] in [t, t + 1)
C2 ≡ ∀t < ∞, ∀te ∈ R :[(tepm ← te)@nb ] at t ∧ te < θ
→ [(bolier!on)@nb ] in [t, t + 1)
→ [(bolier!o f f )@nb ] in [t, t + 1)
C4 ≡ ∀t < ∞ :[(light1 !on)@n1 ] at t ∧
[(light2 !o f f )@n2 ] at t, and vice versa.
● If the boiler is in manual mode, or the physical
temperature sensed by temp is lesser than a given
threshold θ , it will be switched on within one time unit,
denoted by C1 and C2 .
● If the boiler is in automatic mode and the physical
temperature is greater than or equal to θ , it is switched
off within one time unit, denoted by C3.
● Assertion C4 ensures that the lights of the two rooms
should not be switched on at the same time.
6.1 The proof of Move
Process Move models the moving trace of Phone. To ensure
two lights cannot be switched on simultaneously, Phone does
12 Front. Comput. Sci., 2024, 18(2): 182401
not appear at loc4 within one time unit once it occurs at loc1,
and vice versa.
C M ≡∀t ∈ [1, ∞), ∀t1 ∈ [t − 1, t) :
(l1 (t) = loc1 → l1 (t1 ) , loc4 ) ∧
(l1 (t) = loc4 → l1 (t1 ) , loc1 )
where l1 (t) denotes the location of Phone at time t. We show
the proof outline of Move as below with the corresponding
rule:
where I M ≡ ∀t ∈ [1, time), ∀t1 ∈ [t − 1, t) :
(l1 (t) = loc1 → l1 (t1 ) , loc4 )∧
(l1 (t) = loc4 → l1 (t1 ) , loc1 ).
Lock stands for the (k + 1)th element of array Loc .
6.2 The proof of BCtrl
Process BCtrl is defined to control the boiler. Whenever the
Phone receives commands to set the mode of the boiler via
sensor bs , it must immediately forward these commands to
BMng via the broadcast channel b.
C B ≡∀t < ∞, ∀z ∈ {man, auto} : [(bs?z)@n p ] at t →
[!⟨z⟩b @n p ] at t
We give the proof outline of process BCtrl as below with the
corresponding rule:
where IB ≡ ∀t < time, ∀z ∈ {man, auto} :
[(bs?z)@n p ]at t → [!⟨z⟩b @n p ] at t,
pB1 ≡ IB ∧ time < ∞ ∧ [(bs?Γ p (bs))@n p ] at time,
pB2 ≡ IB ∧ time < ∞.
6.3 The proof of LCtrl
LCtrl queries the location of the Phone in time, and it
immediately transmits the obtained location via broadcast
channel g to CLMng. To avoid repeated opening a light, LCtrl
must ensure that the interval between sending location
information is greater than or equal to one time unit.
C L ≡∀t ∈ [1, ∞), ∀t1 ∈ [t − 1, t) : [!⟨l1 (t)⟩g @n p ] at t →
¬[!⟨l1 (t1 )⟩g @n p ] at t1 .
We describe the proof outline of process LCtrl as follows with
the corresponding rule:
where IL ≡ ∀t ∈ [1, time), ∀t1 ∈ [t − 1, t) :
[!⟨l1 (t)⟩g @n p ] at t → ¬[!⟨l1 (t1 )⟩g @n p ] at t1 ,
pL1 ≡IL ∧ time < ∞ ∧ [[@l1 (time)]@n p ] at time,
pL2 ≡IL ∧ time < ∞ ∧ [[@l1 (time)]@n p ] at time∧
[!⟨l1 (time)⟩g @n p ] at time,
pL2 ≡qL [time + 1/time]
qL →IL ∧ time < ∞.
6.4 The combination of Phone
Before combing the above components of Phone, we need to
check the conditions listed in the definition of Parallel
Composition rule. The conditions about variables and
channels are both satisfied here. There is no communication
between these components. Therefore, they are cooperative.
where C P ≡ C P1 ∧ C P2 with
C P1 ≡∀t < ∞, ∀z ∈ {man, auto} : [(bs?z)@n p ] at t →
[!⟨z⟩b @n p ] at t,
C P2 ≡∀t ∈ [1, ∞) :
([!⟨loc1 ⟩g @n p ] at t → ¬[!⟨loc4 ⟩g @n p ] in [t − 1, t))∧
([!⟨loc4 ⟩g @n p ] at t → ¬[!⟨loc1 ⟩g @n p ] in [t − 1, t)).
Phone forwards the commands about setting the mode of
the boiler in time. Only when the Phone moves to loc1 or loc4,
it can turn on the lights of the corresponding location. Hence,
 Ningning CHEN et al. A proof system of the CaIT calculus
if the Phone sends its location as loc1 via channel g, then it
cannot provide its location as loc4 within one time unit and
vice versa.
6.5 The proof of CLMng
Phone sends its location to CLMng via the broadcast channel
g timely. When Phone is at loc1 or loc4, CLMng immediately
orders the corresponding light manager process to switch on
the light of the current location of Phone.
CC ≡∀t < ∞ : ([?(loc1 )g @nc ] at t → [!⟨on⟩c1 @nc ] at t)∨
([?(loc4 )g @nc ] at t → [!⟨on⟩c2 @nc ] at t)
The proof outline of CLMng is shown below with the
corresponding rule:
To describe this proof more clearly, we split it into the
following formulas:
where IC ≡ ∀t < time : ([?(loc1 )g @nc ] at t →
[!⟨on⟩c1 @nc ] at t)∨
([?(loc4 )g @nc ] at t → [!⟨on⟩c2 @nc ] at t),
pC1 ≡IC ∧ time < ∞ ∧ [?(l1 (time))g @nc ] at time,
pC2 ≡IC ∧ time < ∞,
qC1 ≡IC ∧ time < ∞ ∧ [?(loc1 )g @nc ] at time∧
[!⟨on⟩c1 @nc ] at time,
qC2 ≡IC ∧ time < ∞ ∧ [?(loc4 )g @nc ] at time∧
[!⟨on⟩c2 @nc ] at time,
(IC ∧time < ∞) ∨ qC1 ∨ qC2 ∨ pC2 → IC ∧ time < ∞.
The value of time in each assertion may be different.
Therefore, pC1 ∨ pC2 , pC2 . Here, pC1 denotes that this
process successfully receives the value via g within one time
unit after the starting time. pC2 represents the failure situation.
6.6 The proof of BMng
BMng controls the boiler. If the boiler is in manual mode, or
the temperature sensed by sensor temp is less than a given
threshold θ , BMng switches on the boiler within one time unit.
Otherwise, BMng switches off the boiler within one time unit
once it is in automatic mode, and the temperature is greater
13
than or equal to θ .
C BM1 ≡∀t < ∞, ∀te ∈ R, ∀x ∈ {man, auto} :
([?(x)b @nb ] at t ∧ x = man)∨
([(temp?te)@nb ] at t ∧ te < θ) →
[(bolier!on)@nb ] in [t, t + 1),
C BM2 ≡∀t < ∞, ∀te ∈ R : [(temp?te)@nb ] at t∧
te ⩾ θ → [(bolier!o f f )@nb ] in [t, t + 1),
C BM ≡C BM1 ∧ C BM2 .
The proof outline of BMng is given as follows with the
corresponding rule:
where
Maual : While x = man do ?(x)b ; [x = man] σ,skip end
T empCt : temp?te; [te < θ](boiler!on; σ),boiler!o f f ; σ
Similarly, this proof outline is split into the following
formulas:
where IBM1 ≡ ∀t < time, ∀te ∈ R, ∀x ∈ {man, auto} :
([?(x)b @nb ] at t ∧ x = man)∨
([(temp?te)@nb ] at t ∧ te < θ) →
[(bolier!on)@nb ] in [t, t + 1),
IBM2 ≡∀t < time, ∀te ∈ R : [(temp?te)@nb ]at t∧
te ⩾ θ → [(bolier!o f f )@nb ] in [t, t + 1),
IBM ≡IBM1 ∧ IBM2 ,
pBM1 ≡IBM ∧ time < ∞ ∧ [?(Γ p (bs))b @nb ] at time,
pBM2 ≡IBM ∧ time < ∞,
pBM3 ≡IBM ∧ time < ∞ ∧ [?(Γ p (bs))b @nb ] at time∧
Γ p (bs) = man ∧ [(bolier!on)@nb ] at time.
6.7 The combination of Home
We combine all components of Home using parallel
composition rule. The first two conditions are both satisfied.
Then we check whether they cooperate. We only check the
cooperation of one communication happening in the broadcast
14 Front. Comput. Sci., 2024, 18(2): 182401
channel c1. Others are similar. We extract the following
formulas from isolated proofs, representing the broadcast
input action and the broadcast output action happening within
one time unit after their starting time, respectively.
{pre1 }nc [∅ ▷◁!⟨on⟩c1 ; skip]loc
s
{post1 },
3 process calculus called IoT-LYSA, which employs static
{pre2 }n1 [ΓL1 ▷◁ ⌊?(x1 )c1 ; skip⌋skip]loc
s
1
{post2 }
where
pre1 ≡{IC ∧ time < ∞ ∧ [?(l1 (time))g @nc ] at time∧
l1 (time) = loc1 },
post1 ≡{IC ∧ time < ∞ ∧ [?(loc1 )g @nc ] at time∧
[!⟨on⟩c1 @nc ] at time},
pre2 ≡{ILM1 ∧ time < ∞}, and
post2 ≡{ILM1 ∧ time < ∞ ∧ [?(on)c1 @n1 ] at time}.
If pre1 [t1 /time] ∧ pre2 [t2 /time] ∧ Condition2 is invalid, they
are cooperative. Otherwise, the new assertion p can be implied
from pre1 [t1 /time] ∧ pre2 [t2 /time] ∧ Condition2 ∧ time = t1.
Applying broadcast communication rule with precondition
p, we can obtain the postcondition {IC ∧ ILM1 ∧ time <
∞ ∧ [?(loc1 )g @nc ] at time ∧ [!⟨on⟩c1 @nc ] at time ∧ [?(on)c1 @
n1 ] at time} which is equal to post1 ∧post2. Other
communications can be verified similarly. The results show
that these isolated proofs of all components of Home are both
cooperative, denoting messages are transmitted correctly.
Therefore, we have
where C Home ≡ ∃t1 , t2 , t3 , t4 · C LM1 [t1 /time]∧
C LM2 [t2 /time] ∧ C BM [t3 /time] ∧ CC [t4 /time]
∧ time = max(t1 , t2 , t3 , t4 ).
6.8 The combination of smarthome
With parallel composition rule, we can combine Phone and
Home similarly.
The details of C pro have been given at the beginning of
Section 6.
7 Related work
In this paper, we introduce the broadcast communication into
CaIT and present a proof system for this calculus based on the
extended Hoare Logic with time.
Calculi. Currently, few process calculi are focusing on
modeling and verifying IoT systems. To the best of our
knowledge, the IoT-calculus is the first calculus to capture
some fundamental features of IoT systems, such as the partial
topology of communications and the interaction between
sensors, actuators, and computing processes, to serve end
users [10]. Then, Bodei et al. have presented a secure untimed
analysis to track the sources and paths of IoT data, and detect
how they affect the behavior of smart objects [11]. In addition,
Lanotte et al. proposed a process calculus named CaIT. with a
discrete notion of time, to explore the semantic theory of IoT
systems [12].
Now, we briefly discuss these three calculi and give our
extensions to CaIT. IoT-LYSA does not consider the impact
of node mobility on the communication capabilities of nodes.
Furthermore, neither IoT-calculus nor IoT-LYSA supports the
description of timed behaviors. Conversely, CaIT can describe
timed behaviors with desired time, consistency, and fairness.
To facilitate modeling, we add new operations to CaIT for
modeling node mobility and interactions with the physical
environment, while the original CaIT simply provides
operational rules for them. Additionally, CaIT only supports
point-to-point communication, not the more common
broadcast communication. Hence, we enrich CaIT with (local)
broadcast primitives.
Broadcast. A series of process calculi have been proposed to
explore the broadcast communication. The Calculus of
Broadcasting Systems (CBS ) [18] is the first calculus taking
broadcast as communication primitives, which allows all
nodes to receive broadcast messages simultaneously. Instead,
its direct successor CBS # [19] studies local broadcast, which
only permits adjacency nodes to receive the broadcast
messages directly. Adjacency information is recorded in
connectivity graphs, so communication topology and process
actions can be separated. Mero has established an
observational theory for Mobile Ad Hoc Networks called
CMN [20], where an ad network is described as a set of nodes
running in parallel, and one node is a located process that
allows messages to be broadcast within a specific transmission
radius.
Hoare logic. Supported by Hoare Logic [13,21], we build a
proof system for CaIT calculus to verify the correctness of IoT
systems. Hoare Logic has been widely applied in various
fields, such as reasoning about actions with loop [22],
analyzing linear systems [23], exploring BPEL-like programs
[24] and modeling dynamic networks [25]. To further explore
distributed real-time systems, Hooman et al. extended the
classical Hoare Logic by introducing the notion of time into
Hoare triples [15], which can be used to specify the
terminating and nonterminating computations. However, using
extended Hoare logic alone cannot verify whether
synchronization information is delivered correctly. In [26], the
notion of cooperation is first proposed to validate the
postassertions of communication actions of isolated proofs but
only concentrates on point-to-point communication. On the
contrary, our proof system considers the timing of observable
actions as well as the cooperation between broadcast
communication actions.
 Ningning CHEN et al. A proof system of the CaIT calculus
8 Conclusion and future work
CaIT has been proposed for modeling and reasoning about IoT
systems, with a discrete notion of time. In this paper, CaIT has
been extended by introducing broadcast communication. We
have presented a proof system for CaIT that can be used to
verify the correctness of IoT systems. In addition, we
established the notion of cooperation to validate the
postconditions of communication actions in isolated proofs,
focusing on broadcast communication. Furthermore, we have
proven the soundness of our proof system. A simple “smart
home” has been given to show the application of our proof
system.
In the future, we will explore the denotational semantics of
CaIT via the Unifying Theories of Programming (UTP)
framework [27]. Based on its denotational semantics, we will
establish a set of algebraic laws and explore the linking theory
of semantics for CaIT. Furthermore, we will implement our
proof system in the proof assistants Isabelle/HOL [28] or Coq
[29] and try to apply it to more complex physical scenarios.
Acknowledgements This work was partially supported by the National Key
Research and Development Program of China (No. 2022YFB3305102), the
National Natural Science Foundation of China (Grant Nos. 62032024,
61872145), the “Digital Silk Road” Shanghai International Joint Lab of
Trustworthy Intelligent Software (No. 22510750100)， Shanghai Trusted
Industry Internet Software Collaborative Innovation Center, and the Dean’s
Fund of Shanghai Key Laboratory of Trustworthy Computing (East China
Normal University).
References
1. Ashton K. That “internet of things” thing. RFID Journal, 2009, 22(7):
97−114
2. Gubbi J, Buyya R, Marusic S, Palaniswami M. Internet of things (IoT):
a vision, architectural elements, and future directions. Future Generation
Computer Systems, 2013, 29(7): 1645–1660
3. Zhang Y. Technology framework of the internet of things and its
application. In: Proceedings of 2011 International Conference on
Electrical and Control Engineering. 2011, 4109−4112
4. Atzori L, Iera A, Morabito G. The internet of things: a survey.
Computer Networks, 2010, 54(15): 2787–2805
5. Hosseinzadeh M, Tho Q T, Ali S, Rahmani A M, Souri A, Norouzi M,
Huynh B. A hybrid service selection and composition model for cloud-
edge computing in the internet of things. IEEE Access, 2020, 8:
85939–85949
6. Harbi Y, Aliouat Z, Refoufi A, Harous S. Recent security trends in
internet of things: a comprehensive survey. IEEE Access, 2021, 9:
113292–113314
7. Nienhuis K, Joannou A, Bauereiss T, Fox A, Roe M, Campbell B,
Naylor M, Norton R M, Moore S W, Neumann P G, Stark I, Watson R
N M, Sewell P. Rigorous engineering for hardware security: formal
modelling and proof in the CHERI design and implementation process.
In: Proceedings of 2020 IEEE Symposium on Security and Privacy.
2020, 1003−1020
8. Asavoae M, Haur I, Jan M, Ben Hedia B, Schoeberl M. Towards formal
co-validation of hardware and software timing models of CPSs. In:
Proceedings of the 9th International Workshop on Design, Modeling,
and Evaluation of Cyber Physical Systems. 2019, 203−227
9. Schmidt B. Programmnetzlisten: Ein formales Modell fur die
Verifikation von Hardwarenaher Software in Eingebetteten Systemen.
Technische Universitat Kaiserslautern, Dissertation, 2020
10. Lanese I, Bedogni L, Di Felice M. Internet of things: a process calculus
approach. In: Proceedings of the 28th Annual ACM Symposium on
Applied Computing. 2013, 1339−1346
15
11. Bodei C, Degano P, Ferrari G L, Galletta L. Where do your IoT
ingredients come from? In: Proceedings of the 18th International
Conference on Coordination Languages and Models. 2016, 35–50
12. Lanotte R, Merro M. A semantic theory of the internet of things.
Information and Computation, 2018, 259: 72–101
13. Apt K R, Olderog E R, Apt K R. Verification of Sequential and
Concurrent Programs. 3rd ed. New York: Springer, 2009
14. Hooman J. Compositional verification of real-time systems using
extended Hoare triples. In: Proceedings of the Real-Time: Theory in
Practice, REX Workshop. 1991, 252−290
15. Hooman J. Extending Hoare logic to real-time. Formal Aspects of
Computing, 1994, 6(S1): 801–825
16. Akyildiz I F, Jornet J M, Han C. Terahertz band: next frontier for
wireless communications. Physical Communication, 2014, 12: 16–32
17. van der Heijden F, Duin R P W, De Ridder D, Tax D M J.
Classification, Parameter Estimation and State Estimation: an
Engineering Approach Using MATLAB. Chichester: John Wiley &
Sons, ltd., 2004
18. Prasad K V S. A calculus of broadcasting systems. Science of Computer
Programming, 1995, 25(2–3): 285–327
19. Nanz S, Hankin C. A framework for security analysis of mobile wireless
networks. Theoretical Computer Science, 2006, 367(1–2): 203–227
20. Merro M. An observational theory for mobile ad hoc networks (full
version). Information and Computation, 2009, 207(2): 194–208
21. Hoare C A R. An axiomatic basis for computer programming.
Communications of the ACM, 1969, 12(10): 576–580
22. Barthe G, Gaboardi M, Arias E J G, Hsu J, Kunz C, Strub P Y. Proving
differential privacy in Hoare logic. In: Proceedings of the 27th IEEE
Computer Security Foundations Symposium. 2014, 411−424
23. Arthan R, Martin U, Oliva P. A Hoare logic for linear systems. Formal
Aspects of Computing, 2013, 25(3): 345–363
24. Luo C, Qin S, Qiu Z. Verifying BPEL-like programs with Hoare logic.
Frontiers of Computer Science in China, 2008, 2(4): 344–356
25. de Boer F S. A Hoare logic for dynamic networks of asynchronously
communicating deterministic processes. Theoretical Computer Science,
2002, 274(1–2): 3–41
26. Apt K R, Francez N, de Roever W P. A proof system for
communicating sequential processes. ACM Transactions on
Programming Languages and Systems, 1980, 2(3): 359–385
27. Hoare C A R, He J. Unifying Theories of Programming. London:
Prentice Hall, 1998
28. Paulson L C. Isabelle: a Generic Theorem Prover. Berlin: Springer,
1994
29. Huet G, Kahn G, Paulin-Mohring C. The coq proof assistant: a tutorial.
Rapport Technique, 1997, 178
Ningning Chen is currently a PhD candidate in
Shanghai Key Laboratory of Trustworthy
Computing, East China Normal University, China.
Her research interests contain Hoare logic, formal
methods, process algebra and IoT.
Huibiao Zhu is currently a professor in East China
Normal University, China. He earned his PhD
degree in formal methods from London South
Bank University, UK in 2005. During these years,
he has studied various semantics and their linking
theories for Verilog, SystemC, Web services and
probability system. He was the Chinese PI of the
Sino-Danish Basic Research Center IDEA4CPS.