A uniform deductive approach for parameterized protocol safety
Alain Giorgetti2005
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
We present a uniform verification method of safety properties for classes of parameterized protocols. Properties like mutual exclusion or cache coherence are automatically verified for any number of similar processes communicating by broadcast and rendez-vous. The protocols are specified in a language of generalized substitutions on array data structures. Sets of states are expressed by first-order formulae with equality. Predecessors are computed by an iterative semi-algorithm. Reaching an initial state or the fixpoint is shown to be decidable and an original decision procedure is provided. As a running example, the MESI protocol illustrates this approach. Experimental results show its applicability to various properties and protocol classes. out any special structure. Consequently, the global system can be modelled by arrays indexed by this set. Our main contributions are a proof that this abstract point of view is adequate to symbolic model checking, a description of many classes of protocols falling in this case, and an original implementation based on a powerful theorem prover.
Related papers
Automated Modular Verification for Relaxed Communication Protocols
Lecture Notes in Computer Science, 2018
Ensuring software correctness and safety for communicationcentric programs is important but challenging. In this paper we introduce a solution for writing communication protocols, for checking protocol conformance and for verifying implementation safety. This work draws on ideas from both multiparty session types, which provide a concise way to express communication protocols, as well as from separationstyle logics for shared-memory concurrency, which provide strong safety guarantees for resource sharing. On the one hand, our proposal improves the expressiveness and precision of session types, without sacrificing their conciseness. On the other hand, it increases the applicability of software verification as well as its precision, by making it protocol aware. We also show how to perform the verification of such programs in a modular and automatic fashion. one of the communicating entities requires the re-validation of the entire system. Since validation might be expensive, or difficult to achieve if the source code of certain components is not available, it is desirable for the developer to be able to only validate her changes locally, rather than at the global level. Over the last decades, behavioral types [35,26] have been studied as specifications of the interactions in communicating systems. In particular, multiparty session types [23], or MPSTs, provide a user-friendly syntax for writing choreographic specifications of distributed systems, and a lightweight mechanism for enforcing communication safety. Communication is considered correct when the system's constituent processes are statically type-checked against the end-point projections of the MPST. This formalism and its numerous extensions are attractive in checking if the implementation follows the intended communication pattern, but it lacks the strong safety and correctness guarantees normally provided by the resource-aware verification systems. Specifically, the MPST approach checks if a transmission's exchanged type is the expected one. However, in their most common form, MPSTs are unable to assert something about the message's numerical properties, and even less so about its carried resources in the case of tightly coupled systems. All these, while numerical properties and resource sharing constitute the pièce de résistance for separation logic [38], a logic for reasoning about resource sharing. In this work, we attach a communication logic in the user-friendly style of MPST, to a separation logic for program verification. Even though we draw on ideas from MPST, the proposed logic differs from MPST in a number of features which yield a more expressive communication specification-without compromising its friendly syntax. The current proposal ultimately leads to stronger guarantees w.r.t. the safety and correctness of distributed system. We shall next highlight these differences. Writing Multiparty Communication Protocols. The language we propose for writing communication protocols is described in Fig. 1a. Similar to MPST, the language contains the terminal notation S− →R : c v•∆ to describe a transmission from sender S to receiver R, over channel c. Different from type approaches where a message abstracts a type, the exchanged message v is expressed in the logical form ∆ (defined in Fig. 1b). Do note that v•∆ is in fact a shorthand for the lambda function (λv. ∆). This language uses G 1 * G 2 for the concurrency of global protocols G 1 and G 2 , and G 1 ∨ G 2 for disjunctive choice between either G 1 or G 2 , and finally G 1 ; G 2 on the implicit sequentialization of G 1 before G 2 for either the same party or the same channel. Let us next consider a series of examples to introduce this language and to highlight the benefits over MPST. Example 1: We consider a cloud service for video editing, where a client sends to the cloud a file of some video format, and expects back an enhanced version of the original file, see Fig. 2a. A client-server protocol to describe this simple interaction is written as follows: CS a C− →S : c v•v : file ; S− →C : c v•v : file. The CS a lightweight protocol suffices to describe the order of communication and the exchanged message type. A rigorous specification though, also emphasizes that the server applies some filter on the original file:
Transformational Verification of Parameterized Protocols Using Array Formulas
Springer eBooks, 2006
We propose a method for the specication and the automated verication of temporal properties of parameterized protocols. Our method is based on logic programming and program transformation. We specify the properties of parameterized protocols by using an extension of stratied logic programs. This extension allows premises of clauses to contain rst order formulas over arrays of parameterized length. A property of a given protocol is proved by applying suitable unfold/fold transformations to the specication of that protocol. We demonstrate our method by proving that the parameterized Peterson's protocol among N processes, for any N ≥ 2, ensures the mutual exclusion property.
Predicate abstraction in protocol verification
Proceedings of the 8th International Conference on Telecommunications, 2005. ConTEL 2005., 2005
This paper presents how predicate abstraction can be applied to protocol verification. Predicate abstraction is a method for automatic construction of abstract state graph. Basic idea is to use n predicates φ1, . . . , φn defined on concrete state space to generate abstract state graph. Model checking is a formal verification technique which has been successfully applied to protocol verification. But model checking can only be applied to finite state systems. Many interesting systems are infinite state or number of states is so large that verification becomes infeasible. Predicate abstraction can be applied in verification of infinite state systems (or large finite state systems). Abstract state graph created by predicate abstraction can be used for verification of safety properties using a model checker. We provide simple examples of protocol verification using predicate abstraction.
Parameterized Verification of a Cache Coherence Protocol: Safety and Liveness
Lecture Notes in Computer Science, 2002
In a previous paper we presented a method which allows to compute abstractions for parameterized systems modeled in the decidable logic WS1S. These WS1S systems provide an intuitive way to describe parameterized systems of finite state processes. The abstractions can be used to establish properties of the parameterized network. To be able to prove liveness properties, an algorithm is used which enriches the abstract system with fairness constraints. We summarize this verification method and present its application by the verification of both safety and liveness properties of a non-trivial example of a cache coherence protocol, provided by Steve German. Contact Author.
Verifying Parameterized Protocols by Transforming Strati ed Logic Programs ( Preliminary Version )
2008
We propose a method for the speci cation and the automated veri cation of temporal properties of parameterized protocols. Our method is based on logic programming and program transformation. We specify the properties of parameterized protocols by using an extension of strati ed logic programs. This extension allows premises of clauses to contain rst order formulas over arrays of parameterized length. A property of a given protocol is proved by applying suitable unfold/fold transformations to the speci cation of that protocol. We demonstrate our method by proving that the parameterized Peterson's protocol among N processes, for any N≥2, ensures the mutual exclusion property.
Constructing formal rules to verify message communication in distributed systems
The Journal of Supercomputing, 2011
This study presents a method to construct formal rules used to run-time verify message passing between clients in distributed systems. Rules construction is achieved in four steps: (1) Visual specification of expected behavior of the sender, receiver, and network in sending and receiving a message, (2) Extraction of properties of sender, receiver, and network from the visual specification, (3) specification of constraints that should govern message passing in distributed systems, and (4) construction of verifier rules from the properties and the constraints. The rules are used to verify actual sender, receiver, and network behavior. Expected behavior of the client (process) is one that to be and the actual one is the behavior should be verified. The rules were applied to verify the behavior of client and servers that communicated with each other in order to compute Fibonacci numbers in parallel and some violations were discovered. Keywords Client-server • Distributed systems • Reliable message passing • Specification and verification 1 Introduction While centralized systems use shared memory to communicate between processes, distributed systems use messaged-based interaction for interprocess communications. Message passing is used in a wide range of applications from low-level ones such as remote procedure call (RPC) to high-level ones such as group communication and message-oriented middleware (MOM) [1]. In addition, in traditional technologies including Remote Method Invocation (RMI) [2], Distributed Component Object Model (DCOM) [3], and Common Object Request Broker Architecture (CORBA) [4] and
Experiments in Theorem Proving and Model Checking for Protocol Verification
1996
Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Murø state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized protocol illustrates the difficulty of using theorem proving to verify infinite-state protocols. Some of this difficulty can be overcome by extracting a finite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Murø, SMV, and the PVS model checkers on this reduced protocol.
On Efficient Models for Model Checking Message-Passing Distributed Protocols
Lecture Notes in Computer Science, 2010
The complexity of distributed algorithms, such as state machine replication, motivates the use of formal methods to assist correctness verification. The design of the formal model of an algorithm directly affects the efficiency of the analysis. Therefore, it is desirable that this model does not add "unnecessary" complexity to the analysis. In this paper, we consider a general message-passing (MP) model of distributed algorithms and compare different ways of modeling the message traffic. We prove that the different MP models are equivalent with respect to the common properties of distributed algorithms. Therefore, one can select the model which is best suited for the applied verification technique. We consider MP models which differ regarding whether (1) the event of message delivery can be interleaved with other events and (2) a computation event must consume all messages that have been delivered after the last computation event of the same process. For generalized MP distributed protocols and especially focusing on fault-tolerance, we show that our proposed model (without interleaved delivery events and with relaxed semantics of computation events) is significantly more efficient for explicit state model checking. For example, the model size of the Paxos algorithm is 1/13 th that of existing equivalent MP models.
Parametrized System Verification with Guard Strengthening and Parameter Abstraction
2005
We give complete mathematial foundations for the method, recently developed by Chou, Mannava, and Park, for verifying safety properties of cache coherence protocols. The method employs a specific form of counterexample-guided abstraction refinement and is originally described on worked-out examples of the German and FLASH protocols. We describe and prove the method at an abstract level, thus establishing its scope and opening the way to its further mechanization.
Verifying parameterized protocols by transforming stratified logic programs
We propose a method for the specication and the automated verication of temporal properties of parameterized protocols. Our method is based on logic programming and program transformation. We specify the properties of parameterized protocols by using an extension of stratied logic programs. This extension allows premises of clauses to contain rst order formulas over arrays of parameterized length. A property of a given protocol is proved by applying suitable unfold/fold transformations to the specication of that protocol. We demonstrate our method by proving that the parameterized Peterson's protocol among N processes, for any N ≥ 2, ensures the mutual exclusion property.
On Verifying Fault Tolerance of Distributed Protocols
Tools and Algorithms for the Construction and Analysis of Systems
Distributed systems are composed of processes connected in some network. Distributed systems may suffer from faults: processes may stop, be interrupted, or be maliciously attacked. Fault-tolerant protocols are designed to be resistant to faults. Proving the resistance of protocols to faults is a very challenging problem, as it combines the parameterized setting that distributed systems are based-on, with the need to consider a hostile environment that produces the faults. Considering all the possible fault scenarios for a protocol is very difficult. Thus, reasoning about fault-tolerance protocols utterly needs formal methods. In this paper we describe a framework for verifying the fault tolerance of (synchronous or asynchronous) distributed protocols. In addition to the description of the protocol and the desired behavior, the user provides the fault type (e.g., failstop, Byzantine) and its distribution (e.g., at most half of the processes are faulty). Our framework is based on augmenting the description of the configurations of the system by a mask describing which processes are faulty. We focus on regular model checking and show how it is possible to compile the input for the model-checking problem to one that takes the faults and their distribution into an account, and perform regular model-checking on the compiled input. We demonstrate the effectiveness of our framework and argue for its generality.
Formal verification of communication protocol using type theory
International Conference on Communication Technology Proceedings, 2003. ICCT 2003., 2003
In this paper, an approach is proposed to verify communication protocol using the type theoretical proof assistant Coq. Compared with existing methods of protocol verification, this approach is based directly on the simple notion of event trace. Without the burden of embedding external concurrent languages such as process algebra, finite state machine, temporal logic, etc., this approach leads to very efficient reasoning. The approach is deliberately designed to exploit the computational mechanism intrinsic to type theory so that many cases can be proved automatically by computation. Because of these advantages, even non-trivial protocols can be verified within reasonable cost. This paper shows that both safeness and liveness can be formalized and verified using only finite event traces. A simplified version of the sliding window protocol is used to illustrate the approach. All the results presented in this paper have been mechanically checked in Coq. The relevant Coq scripts are accessible through Internet.
Formal verification of an improved sliding window protocol
2002
The well-known Sliding Window protocol caters for the reliable and efficient transmission of data over unreliable channels that can lose, reorder and duplicate messages. Despite the practical importance of the protocol and its high potential for errors, it has never been formally verified for the general setting. We try to fill this gap by giving a fully formal specification and verification of an improved version of the protocol. The protocol is specified by a timed state machine in the language of the verification system PVS. This allows a mechanical check of the proof by the interactive proof checker of PVS. Our modelling is very general and includes such important features of the protocol as sending and receiving windows of arbitrary size, bounded sequence numbers and the three types of channel faults mentioned above.
1 Automatic Proofs of Protocols via Program Transformation
2007
We propose a method for the speci cation and the automated veri cation of temporal properties of protocols which regulate the activities of multiagent systems. The set of states of those systems may be in nite so that, in general, the veri cation of a property of a multiagent system cannot be performed by an exhaustive inspection. We specify a given multiagent system by means of a constraint logic program P with locally strati ed negation, and we specify a given temporal property to be veri ed by means of an atomic formula A. In order to verify that the given temporal property holds, we transform the program P into an equivalent program T such that the fact A ← belongs to T . Our transformation method consists of a set of rules and an automatic strategy that guides the application of the rules. Our method is sound for verifying properties of protocols that are expressible in the CTL logic [5]. Although our method is incomplete for proving properties of in nite state systems, it is a...
Assume-Guarantee Verification of Concurrent Systems
2009
Process algebras are a set of mathematically rigourous languages with well defined semantics that permit modelling behaviour of concurrent and communicating systems. Verification of concurrent systems within the process algebraic approach can be performed by checking that processes enjoy properties described by some temporal logic’s formulae. In this paper we present a formal framework that permits verifying properties of concurrent and communicating systems by using an assumption-guarantee approach. Each system component is not considered in isolation, but in conjunction with assumptions about the context of the component. In the paper we introduce a sound and complete proof system that permits verifying whether a process, when it is executed in an environment for which we provide some assumptions, satisfies a given formula. It is also ensured that property satisfaction is preserved whenever the context is partially instantiated (implemented) as a concrete process that verifies the assumptions we have for the environment.
Verification of Data-Aware Processes via Array-Based Systems (Extended Version)
arXiv (Cornell University), 2018
We study verification over a general model of artifact-centric systems, to assess (parameterized) safety properties irrespectively of the initial database instance. We view such artifact systems as array-based systems, which allows us to check safety by adapting backward reachability, establishing for the first time a correspondence with model checking based on Satisfiability-Modulo-Theories (SMT). To do so, we make use of the modeltheoretic machinery of model completion, which surprisingly turns out to be an effective tool for verification of relational systems, and represents the main original contribution of this paper. In this way, we pursue a twofold purpose. On the one hand, we reconstruct (restricted to safety) the essence of some important decidability results obtained in the literature for artifact-centric systems, and we devise a genuinely novel class of decidable cases. On the other, we are able to exploit SMT technology in implementations, building on the well-known MCMT model checker for array-based systems, and extending it to make all our foundational results fully operational.
Sustaining Property Verification of Synchronous Dependable Protocols Over Implementation
2007
It is often considered that a protocol that has been verified for its dependability properties at the protocol level maintains these proven properties over its implementation. Focussing on synchronous protocols, we demonstrate that this assumption can easily be fallacious using the example of an existing formally verified diagnostic protocol as implemented onto the targeted time-triggered architecture (TTA). The cause is identified as the overlap mismatch across the computation and communication phases in TTA, which does not match the system assumptions of the protocol. To address this mismatch problem, we develop the concept of a generic alignment (co-ordination) layer to implement the desired communication assumptions. The strength of this approach is that the verification of this alignment layer ensures that the formally proved properties of a protocol also hold over their implementation.
Parameterized model checking of fault-tolerant distributed algorithms by abstraction
2013 Formal Methods in Computer-Aided Design, 2013
We introduce an automated parameterized verification method for fault-tolerant distributed algorithms (FTDA). FTDAs are parameterized by both the number of processes and the assumed maximum number of faults. At the center of our technique is a parametric interval abstraction (PIA) where the interval boundaries are arithmetic expressions over parameters. Using PIA for both data abstraction and a new form of counter abstraction, we reduce the parameterized problem to finite-state model checking. We demonstrate the practical feasibility of our method by verifying safety and liveness of several fault-tolerant broadcasting algorithms, and finding counter examples in the case where there are more faults than the FTDA was designed for.
Generic Verification of Security Protocols
Lecture Notes in Computer Science, 2005
Security protocols are notoriously difficult to debug. One approach to the automatic verification of security protocols with a bounded set of agents uses logic programming with analysis and synthesis rules to describe how the attacker gains information and constructs new messages. We propose a generic approach to verifying security protocols in Spin. The dynamic process creation mechanism of Spin is used to nondeterministically create different combinations of role instantiations. We incorporate the synthesis and analysis features of the logic programming approach to describe how the intruder learns information and replays it back into the system. We formulate a generic "loss of secrecy" property that is flagged whenever the intruder learns private information from an intercepted message. We also describe a simplification of the Dolev-Yao attacker model that suffices to analyze secrecy properties.
An Improvement in Formal Verification
Formal Description Techniques VII, 1995
Part Four Verification verification tool SPIN [H92]. Section 6 contains an evaluation of the performance of this implementation, and a comparison against both the classic search method and an existing dynarnic reduction method, ali implemented as part of the same verification system. Section 7 summarizes the results. 2. DEFINITIONS We consider any verification problem that can be formalized as a reachability analysis problem in a finite labeled transition system (LTS). This specifically includes the problems of proving safety, liveness, and linear time temporal logic properties for any finite state concurrent system. An LTS is defined as a triple {S,so ,T}, where Sis a finite set of states, s 0 is a distinguished initial state inS, and T is a finite set of transitions, with Tr;;;,(SxS). In a simple forrn, an LTS can be used to formalize the behavior of a single sequential process. It can also forrnalize the combined behavior of a finite number of interacting and asynchronously executing sequential processes. Each transition of the LTS then corresponds to the execution of a specific atomic statement within one of the processes, in accordance with a standard interleaving semantics of concurrency. The LTS can be represented by a graph with nodes corresponding to the states in S and directed edges corresponding to the transitions in T. A connected path through this graph then defines the effects of a possible execution in the underlying concurrent system. There will be at least one path through the graph for every possible way in which the execution of atomic process statements could be interleaved in time. Given a transition tE Tin an LTS, we will use the notation Label(t) to refer to the process statement that is represented by transition t, and we will use Pid(t) to refer to the sequential process that contains the statement Label(t). Without loss of generality, we assume that the mapping from transitions to process statements is unique. The reverse mapping will in general not beunique. Note that, in general, a compound process statement (such as a selection ora repetition structure) could correspond to .a series of transitions in the LTS. In the remainder of this section, therefore, the term 'statement' will always refer to a simple statement (i.e., not a compound), and can therefore be used interchangeably with the term 'transition.' The semantics of a statement a =Label(t) are defined by two functions Cond and Act, where Cond(a) is the subset of S where a is enabled (or 'executable' [H92]), and Act(a,s) is that state of S that is reached when a is executed in a given sE Cond(a). Normally, a statement in a sequential process is 'enabled' or 'executable' only if it is pointed to by the current program counter of the sequential process that contains that statement. In a concurrent system, however, we can detine additional constraints on the enabledness or executability of statements. A message send operation, for instance, can be defined to be enabled only if also the destination message buffer is non-full, and a message receive operation can be defined to be enabled when also the source message buffer is non-empty. Two statements a and bare defined tobe independent at state sE S, written as { a,b}E Ind(s), if and only if the following fi ve conditions are met: (1) SE Cond(a), i.e., statement a is enabled ins, (2) sE Cond(b), i.e., statement b is enabled ins, (3) Act(a,s) E Cond(b), i.e., the execution of a cannot disable b, (4) Act(b,s) E Cond(a), i.e., the execution of b cannot disable a, (5) Act(b,Act(a,s))=Act(a,Act(b,s)), i.e., the effect of executing a followed by b is indistinguishable from that of executing b followed by a. Note that two statements from the same sequential process, i.e., with Pid(a) =Pid(b), can not be independent. If the two statements are executed sequentially, they cannot be simultaneously
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.