Engineering with Logic

Conventional computer engineering relies on test-and-debug development processes, with the behavior of common interfaces described (at best) with prose specification documents. But prose specifications cannot be used in test-and-debug development in any automated way, and prose is a poor medium for expressing complex (and loose) specifications. The TCP/IP protocols and Sockets API are a good example of this: they play a vital role in modern communication and computation, and interoperability between implementations is essential. But what exactly they are is surprisingly obscure: their original development focused on “rough consensus and running code,” augmented by prose RFC specifications that do not precisely define what it means for an implementation to be correct. Ultimately, the actual standard is the de facto one of the common implementations, including, for example, the 15 000 to 20 000 lines of the BSD implementation—optimized and multithreaded C code, time dependent, with asynchronous event handlers, intertwined with the operating system, and security critical. This article reports on work done in the Netsem project to develop lightweight mathematically rigorous techniques that can be applied to such systems: to specify their behavior precisely (but loosely enough to permit the required implementation variation) and to test whether these specifications and the implementations correspond with specifications that are executable as test oracles. We developed post hoc specifications of TCP, UDP, and the Sockets API, both of the service that they provide to applications (in terms of TCP bidirectional stream connections) and of the internal operation of the protocol (in terms of TCP segments and UDP datagrams), together with a testable abstraction function relating the two. These specifications are rigorous, detailed, readable, with broad coverage, and rather accurate. Working within a general-purpose proof assistant (HOL4), we developed language idioms (within higher-order logic) in which to write the specifications: operational semantics with nondeterminism, time, system calls, monadic relational programming, and so forth. We followed an experimental semantics approach, validating the specifications against several thousand traces captured from three implementations (FreeBSD, Linux, and WinXP). Many differences between these were identified, as were a number of bugs. Validation was done using a special-purpose symbolic model checker programmed above HOL4. Having demonstrated that our logic-based engineering techniques suffice for handling real-world protocols, we argue that similar techniques could be applied to future critical software infrastructure at design time, leading to cleaner designs and (via specification-based testing) more robust and predictable implementations. In cases where specification looseness can be controlled, this should be possible with lightweight techniques, without the need for a general-purpose proof assistant, at relatively little cost.

[1]  Chucky Ellison,et al.  An executable formal semantics of C with applications , 2011, POPL '12.

[2]  Shaked Flur,et al.  Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8 , 2017, Proc. ACM Program. Lang..

[3]  Alfredo Pironti,et al.  A Messy State of the Union: Taming the Composite State Machines of TLS , 2015, 2015 IEEE Symposium on Security and Privacy.

[4]  Brian Campbell,et al.  Randomised testing of a microprocessor model using SMT-solver state generation , 2014, Sci. Comput. Program..

[5]  Mark Handley,et al.  Designing DCCP: congestion control without reliability , 2006, SIGCOMM.

[6]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[7]  Edoardo Biagioni A Structured TCP in Standard ML , 1994, SIGCOMM.

[8]  Thomas Arts,et al.  Automatic testing of TCP/IP implementations using QuickCheck , 2009, Erlang Workshop.

[9]  Eddie Kohler,et al.  A readable TCP in the Prolac protocol language , 1999, SIGCOMM '99.

[10]  Nancy A. Lynch,et al.  Forward and backward simulations, part II: timing-based systems , 1993 .

[11]  Richard Hofmann,et al.  Specification-driven monitoring of TCP/IP , 2000, Proceedings 8th Euromicro Workshop on Parallel and Distributed Processing.

[12]  Hannes Mehnert,et al.  Not-quite-so-broken TLS 1 . 3 mechanised conformance checking , 2015 .

[13]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[14]  Ali Sezgin,et al.  Modelling the ARMv8 architecture, operationally: concurrency and ISA , 2016, POPL.

[15]  Xavier Leroy The objective caml system release 3 , 2001 .

[16]  Ali Sezgin,et al.  Mixed-size concurrency: ARM, POWER, C/C++11, and SC , 2017, POPL.

[17]  SewellPeter,et al.  Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and sockets , 2005 .

[18]  David Lee,et al.  A formal approach for passive testing of protocol data portions , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[19]  S. L. Murphy,et al.  A verified connection management protocol for the transport layer , 1987, SIGCOMM '87.

[20]  Stephen Kell,et al.  The missing link: explaining ELF static linking, semantically , 2016, OOPSLA.

[21]  Michael Norrish,et al.  Timing UDP: Mechanized Semantics for Sockets, Threads, and Failures , 2002, ESOP.

[22]  Jade Alglave,et al.  Synchronising C/C++ and POWER , 2012, PLDI.

[23]  Steve Parker,et al.  Some Testing Tools for TCP Implementors , 1998, RFC.

[24]  Alfredo Pironti,et al.  Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.

[25]  Robert N. M. Watson,et al.  Into the depths of C: elaborating the de facto standards , 2016, PLDI.

[26]  Rajeev Alur,et al.  Verifying Network Protocol Implementations by Symbolic Refinement Checking , 2001, CAV.

[27]  Emina Torlak,et al.  Synthesizing memory models from framework sketches and Litmus tests , 2017, PLDI 2017.

[28]  Michael Compton,et al.  Stenning's Protocol Implemented in UDP and Verified in Isabelle , 2005, CATS.

[29]  Vern Paxson,et al.  Automated packet trace analysis of TCP implementations , 1997, SIGCOMM '97.

[30]  Jade Alglave,et al.  Understanding POWER multiprocessors , 2011, PLDI '11.

[31]  Tom Ridge,et al.  SibylFS: formal specification and oracle-based testing for POSIX and real-world file systems , 2015, SOSP.

[32]  Tom Ridge,et al.  Rigorous Protocol Design in Practice: An Optical Packet-Switch MAC in HOL , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[33]  Peter Sewell,et al.  Clarifying and compiling C/C++ concurrency: from C++11 to POWER , 2012, POPL '12.

[34]  Robbert Krebbers,et al.  The C standard formalized in Coq , 2015 .

[35]  Peter Sewell,et al.  The UDP Calculus: Rigorous Semantics for Real Networking , 2001, TACS.

[36]  W. Richard Stevens,et al.  TCP/IP illustrated (vol. 2): the implementation , 1995 .

[37]  Randall R. Stewart,et al.  Improving TCP's Robustness to Blind In-Window Attacks , 2010, RFC.

[38]  Bengt Jonsson,et al.  Abstraction of Communication Channels in Promela: A Case Study , 2000, SPIN.

[39]  Jeehoon Kang,et al.  Repairing sequential consistency in C/C++11 , 2017, PLDI.

[40]  Peter Sewell,et al.  Mathematizing C++ concurrency , 2011, POPL '11.

[41]  Alastair David Reid,et al.  Trustworthy specifications of ARM® v8-A and v8-M system level architecture , 2016, 2016 Formal Methods in Computer-Aided Design (FMCAD).

[42]  M. A. S. Smith Formal Verification of Communication Protocols , 1996, FORTE.

[43]  Michael Norrish,et al.  TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification : Volume 2: The Specification , 2005 .

[44]  Peng Li,et al.  Combining events and threads for scalable network services implementation and evaluation of monadic, application-level concurrency primitives , 2007, PLDI '07.

[45]  Michael Norrish,et al.  Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations , 2006, POPL '06.

[46]  Christoph Kreitz,et al.  Building reliable, high-performance networks with the Nuprl proof development system , 2004, Journal of Functional Programming.

[47]  Andreas Terzis,et al.  packetdrill: Scriptable Network Stack Testing, from Sockets to Packets , 2013, USENIX Annual Technical Conference.

[48]  Carl A. Gunter,et al.  Formal verification of standards for distance vector routing protocols , 2002, JACM.

[49]  Corporate Ieee,et al.  Information Technology-Portable Operating System Interface , 1990 .

[50]  Carl A. Gunter,et al.  What packets may come: automata for network monitoring , 2001, POPL '01.

[51]  Francesco Zappa Nardelli,et al.  Compiler testing via a theory of sound optimisations in the C11/C++11 memory model , 2013, PLDI.

[52]  Peng Li,et al.  Programmable concurrency in a pure and lazy language , 2008 .

[53]  Anthony C. J. Fox Directions in ISA Specification , 2012, ITP.

[54]  Jonathan Billington,et al.  On Defining the Service Provided by TCP , 2003, ACSC.

[55]  Tom Ridge,et al.  TCP, UDP, and Sockets: Volume 3: The Service-level Specification , 2009 .

[56]  Jonathan Bruce Postel A graph-model analysis of computer communications protocols. , 1974 .

[57]  Walid Dabbous,et al.  Generating efficient protocol code from an abstract specification , 1996, SIGCOMM '96.

[58]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[59]  Michael Norrish C formalised in HOL , 1998 .

[60]  Margaret Martonosi,et al.  Counterexamples and Proof Loophole for the C/C++ to POWER and ARMv7 Trailing-Sync Compiler Mappings , 2016, ArXiv.

[61]  George Neville-Neil,et al.  The Design and Implementation of the FreeBSD Operating System , 2014 .

[62]  Ankur Taly,et al.  An Operational Semantics for JavaScript , 2008, APLAS.

[63]  Michael Norrish,et al.  Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and sockets , 2005, SIGCOMM '05.

[64]  K. K. Ramakrishnan,et al.  Formal specification and verification of safety and performance of TCP selective acknowledgment , 2002, TNET.

[65]  Peter Sewell,et al.  Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation , 2015, USENIX Security Symposium.

[66]  W. Richard Stevens,et al.  TCP/IP Illustrated, Volume 1: The Protocols , 1994 .

[67]  Nikolaos Papaspyrou,et al.  A Formal Semantics for the C Programming Language , 2000 .

[68]  Dan Grossman,et al.  TALx86: A Realistic Typed Assembly Language∗ , 1999 .

[69]  Michael Norrish,et al.  TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification : Volume 1: Overview , 2005 .

[70]  Michael Norrish,et al.  Rigour is good for you and feasible: reflections on formal treatments of C and UDP sockets , 2002, EW 10.

[71]  Dawson R. Engler,et al.  Model Checking Large Network Protocol Implementations , 2004, NSDI.

[72]  Bryan Cantrill,et al.  Dynamic Instrumentation of Production Systems , 2004, USENIX Annual Technical Conference, General Track.

[73]  Nancy A. Lynch,et al.  Specifications and Proofs for Ensemble Layers , 1999, TACAS.

[74]  Jade Alglave,et al.  Fences and Synchronisation Idioms in Weak Memory Models , 2009 .

[75]  Sandra L. Murphy,et al.  Service specification and protocol construction for the transport layer , 1988, SIGCOMM '88.

[76]  Scott Shenker,et al.  Design guidelines for robust Internet protocols , 2003, CCRV.

[77]  Wang Yi,et al.  CCS + Time = An Interleaving Model for Real Time Systems , 1991, ICALP.

[78]  Tom Ridge,et al.  A Rigorous Approach to Networking: TCP, from Implementation to Protocol to Service , 2008, FM.

[79]  Jonathan Billington,et al.  Discovering Chatter and Incompleteness in the Datagram Congestion Control Protocol , 2005, FORTE.

[80]  Erik P. de Vink,et al.  Verification and Improvement of the Sliding Window Protocol , 2003, TACAS.

[81]  Alberto Valderruten,et al.  A high performance Erlang Tcp/Ip stack , 2005, ERLANG '05.

[82]  Nancy A. Lynch,et al.  Forward and Backward Simulations, II: Timing-Based Systems , 1996, Inf. Comput..

[83]  George A. Constantinides,et al.  Automatically comparing memory consistency models , 2017, POPL.

[84]  John Wickerson,et al.  Overhauling SC atomics in C11 and OpenCL , 2016, POPL.

[85]  Tom Ridge Verifying distributed systems: the operational approach , 2009, POPL '09.

[86]  Francesco Zappa Nardelli,et al.  x86-TSO , 2010, Commun. ACM.

[87]  Gabriel Kerneis,et al.  An integrated concurrency and core-ISA architectural envelope definition, and test oracle, for IBM POWER multiprocessors , 2015, 2015 48th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[88]  Jonathan Billington,et al.  Closed Form Expressions for the State Space of TCP's Data Transfer Service Operating over Unbounded Channels , 2004, ACSC.