In this paper we describe how verification tools, which are based on model checking, were used in a real-life communication protocol design project. Parallel composition, abstraction, reduction and visualisation tools were used to examine the behaviour of the protocol. We performed all verification and debugging visually with the figures that the tools produced. A figure represents the behaviour of the system in a certain point of view, which is selected by choosing a set of system's actions to be externally observable. Visualisation is a user-friendly approach to verifying and validating systems, which does not compromise the completeness of verification. We present how the protocol was modelled and how both safety and liveness failures in the model were found.
1999
in the FSP language. We then introduce CRA, problems related to it, as well as the way in which software architecture is used to guide CRA. Chapter 4 motivates and describes the use of ALTL for expressing properties of LTSs. A generic mechanism is then provided for checking that a system satisfies properties expressed as ALTL formulas or Büchi automata. This mechanism is then adjusted to cope with issues that arise when CRA is used to construct the LTS of a system. Chapter 5 concentrates on the issue of safety-property checking. Safety properties can be specified with a less expressive model than Büchi automata. This model is amenable to an efficient checking mechanism, described in this chapter. A similar technique is presented, for checking correctness of user-specified interfaces in the context of CRA. Chapter 6 discusses the notion of fairness, and relates it to liveness property checking. It proposes efficient strategies for checking liveness properties expressed as deterministic Büchi automata, and for checking a class of liveness properties termed progress. Such checks are performed under specific fairness assumptions about the system execution, which can be refined with the use of an action priority scheme. The chapter concludes with a methodology that users are advised to follow for analysing their systems. The methodology encourages the gradual transition from efficient and inexpensive checks that may not detect all possible errors in the system, to tests that are more expensive but also more thorough. Chapter 7 describes the construction and use of our analysis tool, as well as the way in which it interacts with our other tools for the development of concurrent and distributed systems. The non-trivial case study of a Reliable Multicast Transport Protocol is used to evaluate the applicability, performance and efficiency of our approach, and to compare it with similar approaches. 
Chapter 8 summarises and evaluates the contribution of TRACTA to model checking, discusses open issues and explores directions for future work. Appendix A is a formal presentation of the LTS model. Appendix B is a quick reference for the FSP language. Appendix C provides the semantics of the FSP language. Finally, Appendix D presents the proofs of some theorems and lemmas used in the main body of the thesis.

Chapter 2: Model Checking
2.1 Temporal Model Checking
2.2 Automata-Theoretic Methods
2.3 Discussion
2.4 Symbolic Representation
2.5 On-the-Fly Verification
2.6 Reduction
2.7 Compositional Reasoning
2.8 Discussion
Computer Communications, 2003
Reliable protocols require early-stage validation and testing. Due to the state explosion problem in validation methods such as model checking [IEEE Trans. Software Engng 19 (1993) 24], it is sometimes not possible to test all the system states. We apply our state-of-the-art algorithm to compute the most critical states and branches to be tested, and prioritize this information to guide the validation of the protocol. We implemented this technology in a tool that visualizes the specifications of protocols together with their testing priorities. Such a tool can also be used to locate the faulty part of the protocol when some tests fail: it indicates where in the protocol bugs are most likely to be. Our tool provides many benefits, including (1) early detection and recovery of protocol faults, (2) visualization and simulation of the protocol specifications, (3) quantification of the reliability confidence of protocols, (4) making code generation directly from protocol specifications more feasible, and (5) reduction of the number of introduced faults. This paper considers the case when the specification of the protocol is given in the Specification and Description Language (an International Telecommunication Union standard). Our technology is based on both the control flow and the data flow of the specifications. It first generates a control flow diagram from the specification and then automatically analyses the coverage features of the diagram. It collects the corresponding flow data at simulation time and maps it onto the control flow diagram. The coverage information for the original specification is then obtained from the coverage information of the flow diagram.
Lecture Notes in Computer Science, 1994
Fourth International Conference on Communications and Networking, ComNet-2014, 2014
This paper presents verification and model-based checking of the Trivial File Transfer Protocol (TFTP). Model checking is a technique for software verification that can detect concurrency defects within appropriate constraints by performing an exhaustive state space search on a software design or implementation, alerting the implementing organization to potential design deficiencies that are otherwise difficult to discover. TFTP is implemented on top of the Internet User Datagram Protocol (UDP) or any other datagram protocol. We aim to create a design model of the TFTP protocol, extended with a window size, in Promela, to simulate it, and to validate some specified properties using SPIN. The verification has been done using the model checking tool SPIN, which accepts design specifications written in the verification language PROMELA.
Lecture Notes in Computer Science, 2018
The timed automata model, introduced by Alur and Dill, provides a powerful formalism for describing real-time systems. Over the last two decades, several dense-time model checking tools have been developed based on that model. This paper considers the verification of a set of interesting real-time distributed protocols using dense-time model checking technology. More precisely, we model and verify the distributed timed two phase commit protocol, and two well-known benchmarks, the Token-Ring-FDDI protocol, and the CSMA/CD protocol, in three different state-of-the-art real-time model checkers: UPPAAL, RED, and Rabbit. We illustrate the use of these tools using one of the case studies. Finally, several interesting conclusions have been drawn about the performance, usability, and the capability of each tool.
For over four decades now, variants of model checkers have been used as an approach to the formal verification of systems consisting of software, hardware or a combination of both. Though various model checking tools are available, such as NuSMV, UPPAAL, PRISM, PAT and FDR, it is difficult to comprehend their usage for systems in different domains like telecommunication, automobile, health and entertainment. However, industry experts and researchers have showcased the use of formal verification techniques in various domains including networking, security and semiconductor design. With current-generation systems becoming more complex, there is an urgent need to better understand and use the appropriate methodology, language and tool for a given domain. In this paper, we have made an effort to present model checking in detail with reference to the tools and languages available for specific domains. For novices in the field, this paper provides knowledge of the model checkers' languages and tools that would be suitable for various purposes in diverse systems.
Computer Aided Verification, 1996
2008
Model checking involves exploring the state space of a system model and automatically proving or disproving the correct functionality of the system. Verification of all properties may not require exploration of the state space in its entirety. However, traditional model checkers are not equipped with enough a priori knowledge of the system to make smart decisions so as to explore only those portions of the state space that contribute to the result. In this paper, we present a technique to provide such guidance to the model checker so that it can perform state space exploration more intelligently. We incorporated our technique in the XMC model checker, a tool for verifying process expressions in CCS against properties expressed as modal mu-calculus formulas. We demonstrate the applicability of our guidance mechanism by verifying several example protocols from the XMC test suite.
Proceedings 2003. Design Automation Conference (IEEE Cat. No.03CH37451), 2003
We describe a technique for verifying that a hardware design correctly implements a protocol-level formal specification. Simulation steps are translated to protocol state transitions using a refinement map and then verified against the specification using a model checker. On the specification state space, the model checker collects coverage information and identifies states violating certain properties. It then generates protocol-level traces to these coverage gaps and error states. This technique was applied to the multiprocessing hardware of the Alpha 21364 microprocessor and the cache coherence protocol. We were able to generate an error trace which exercised a bug in the implementation that had not been discovered before a prototype was built.
1996
Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective, since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Murφ state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized protocol illustrates the difficulty of using theorem proving to verify infinite-state protocols. Some of this difficulty can be overcome by extracting a finite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Murφ, SMV, and the PVS model checkers on this reduced protocol.
Proceedings of the 10th workshop on ACM SIGOPS European workshop: beyond the PC - EW10, 2002
Complex systems have errors that involve mishandled corner cases in intricate sequences of events. Conventional testing techniques usually miss these errors. In recent years, formal verification techniques such as [5] have gained popularity for checking a property over all possible behaviors of a system. However, such techniques involve generating an abstract model of the system. Such an abstraction process is unreliable, difficult and misses many implementation errors. CMC is a framework for model checking a broad class of software written in the C programming language. CMC runs the software implementation directly without deriving an abstract model of the code. We used CMC to model check an existing implementation of the AODV (Ad Hoc On Demand Distance Vector) routing protocol and found a total of ¡ £ ¢ bugs in two implementations [7],[6] of the protocol. One of them is a bug in the actual specification of the AODV protocol [3]. We also used CMC on the IP fragmentation module in the Linux TCP/IPv4 stack and verified its correctness for up to ¤ fragments per packet.
2012
Model checking is applied for verification of concurrent systems by users having different skills and background. This ranges from researchers with detailed knowledge of the inner workings of the tools to engineers that are mostly interested in applying the technology as a black-box. This paper proposes JoSEL, a graphical language for specification of executable model checking jobs.
2000
The majority of the work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers and model checkers. In this paper, we give arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy, we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle large states, and partial order reduction, slicing, abstraction and run-time analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, run-time analysis and slicing with model checking
Proceedings of the Tenth International Conference on Enterprise Information Systems
When we build complex business and communication systems, a question worth answering is: how can we guarantee that the target system meets its specification? Ensuring the correctness of large systems becomes more complex when we consider that their behaviour is the result of the concurrent execution of many components. This article presents a compositional verification scheme that integrates MEDISTAM-RT (Spanish acronym of Method for System Design based on Analytic Transformation of Real-Time Models), which is formally supported by state-of-the-art model checking tools. To facilitate and guarantee the verification of large systems, the proposed scheme uses the CCTL temporal logic as the formal property specification language, in which the temporal properties required of any system execution are specified. In turn, the CSP+T formal language is used to describe a model of the system being verified, which is made up of a set of communicating processes detailing specific atomic tasks of the system. To show a practical use of the proposed conceptual scheme, the critical part of a realistic industrial project related to mobile phone communication is discussed.
Lecture Notes in Computer Science, 2014
Formal methods have an important role in ensuring the correctness of safety-critical systems. However, their application in industry is always cumbersome: the lack of experts and the complexity of formal languages prevent the efficient application of formal verification techniques. In this paper we take a step towards making formal modelling simpler by introducing a framework which helps designers to construct formal models efficiently. Our formal modelling framework supports the development of traditional transition systems enriched with complex data types (with type checking and type inference services), time-dependent behaviour, and timing parameters with relations. In addition, we introduce a toolchain to provide formal verification. Finally, we demonstrate the usefulness of our approach in an industrial case study.
Software Testing, Verification and Reliability, 2002
obtained issuing abstractions of the system on the basis of the formula. Experimental results are shown and discussed.
Lecture Notes in Computer Science, 2012
We present McScM, a platform for implementing and comparing verification algorithms for the class of finite-state processes exchanging messages over reliable, unbounded FIFO channels. McScM provides tools for the safety verification and controller synthesis of these infinite-state models. Our verification tool implements several model checking techniques: CEGAR with different abstraction-refinement methods, abstract interpretation, abstract regular model checking, and lazy abstraction. Seen as a general framework for the class of transition systems with finite control and infinite data, McScM delivers the basic infrastructure for implementing verification algorithms and makes it convenient to implement new ideas at a high level of abstraction. It also allows us to compare and benchmark different algorithmic approaches with the same backend.
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to ensure some kind of acceptable behavior even in the presence of malicious intruders becomes paramount. People have looked to cryptography to help solve many of these problems. However, cryptography itself is only a tool. The security of a system depends not only on the cryptosystem being used, but also on how it is used. Typically, researchers have proposed the use of security protocols to provide these security guarantees. These protocols consist of a sequence of messages, many with encrypted parts. In this paper, we develop a way of verifying these protocols using model checking. Model checking has proven to be a very useful technique for verifying hardware designs. By modelling circuits as finite-state machines, and examining all possible execution traces, model checking has found a number of errors in real-world designs. Like hardware designs, security protocols are very subtle, and can also have bugs which are difficult to find. By examining all possible execution traces of a security protocol in the presence of a malicious intruder with well-defined capabilities, we can determine if a protocol does indeed enforce its security guarantees. If not, we can provide a sample trace of an attack on the protocol.
2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2008
For software executing several threads in parallel, testing is unreliable, as it cannot cover all thread schedules. Model checking, however, can cover all possible thread interleavings. Software model checkers can directly verify an implementation, but typically cannot handle network input/output operations, which most programs require. This shortcoming can be addressed by a special model checker designed for multiple processes, or by various kinds of extensions and preprocessors for existing model checkers. This paper surveys the currently existing approaches and tools.
Proceedings of the 10th international workshop on Formal methods for industrial critical systems - FMICS '05, 2005
The application of model checking technology to real software seems to be a promising and realistic approach to increasing its quality. There are some successful examples of tools for this purpose, mainly working with self-contained programs. However, verifying software that uses external functionality provided by the operating system via APIs is currently a challenging trend. In this paper, we give a method for using the tool SPIN to verify distributed software systems that use the Socket API and the TCP/IP network protocol stack for communication. Our approach consists in building a model of the underlying operating system to be joined with the original C code in order to obtain the input for the model checker. We define and use a formal semantics of the API to guide the correct construction of models. The whole modelling process is transparent to the C programmer, because it is performed automatically and without special syntactic constraints on the input C code. Regarding verification, we consider optimization techniques suitable for this application domain, and we ensure that the system only reports potential (non-spurious) errors.