Verifying Network Protocol Implementations by Symbolic Refinement Checking

We consider the problem of establishing the consistency of code implementing a network protocol with respect to its documentation in the form of a standard RFC. The problem is formulated as refinement checking between two models: the implementation, extracted from the code, and the specification, extracted from the RFC. After simplifications based on assume-guarantee reasoning, and automatic construction of witness modules to deal with the hidden specification state, the refinement checking problem reduces to checking transition invariants. The methodology is illustrated on two case studies involving popular network protocols, namely PPP (the point-to-point protocol for establishing connections remotely) and DHCP (the dynamic host configuration protocol for configuration management in mobile networks). We also present a symbolic implementation of a reduction scheme based on compressing internal transitions in a hierarchical manner, and demonstrate the resulting savings for refinement checking in terms of memory size.
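The following is an added illustration of the two ideas named in the abstract, refinement checking with a witness and compression of internal transitions; it is not the paper's tool or its extracted PPP/DHCP models. The implementation and specification are constructed toy DHCP-like client state machines (a simplified INIT / SELECTING / REQUESTING / BOUND cycle), the witness simply projects away the implementation's hidden retry counter, and the check is the classic refinement-mapping condition: initial states map to initial states and every implementation step maps to a specification step or is a stutter. The compression step is a flat (non-hierarchical) version of the reduction: tau-chains are collapsed so that only observable transitions remain.

```python
"""Refinement checking of a toy protocol implementation against its spec,
using a witness (refinement map) and compression of internal transitions.
All state machines below are constructed examples, not models extracted
from real code or from an RFC."""

TAU = "tau"  # label for internal (unobservable) transitions


class Module:
    """A finite-state module: a set of initial states plus labelled transitions."""

    def __init__(self, init, transitions):
        self.init = frozenset(init)
        self.trans = set(transitions)  # elements are (src, label, dst)

    def reachable(self):
        """States reachable from an initial state by any sequence of steps."""
        seen, stack = set(self.init), list(self.init)
        while stack:
            s = stack.pop()
            for (src, _, dst) in self.trans:
                if src == s and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen


def tau_closure(module, s):
    """All states reachable from s using internal (tau) steps only, s included."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for (src, lab, dst) in module.trans:
            if src == x and lab == TAU and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def compress_internal(module):
    """Reduction: eliminate tau transitions.  Every observable step u -a-> v is
    re-sourced at each state s that reaches u through tau steps, and the tau
    steps themselves are dropped.  Observable behaviour is preserved; states
    that were only reachable through tau steps become unreachable and are
    pruned, which is where the state-space saving comes from."""
    observable = [(u, a, v) for (u, a, v) in module.trans if a != TAU]
    new_trans = set()
    for s in module.reachable():
        for u in tau_closure(module, s):
            for (src, a, v) in observable:
                if src == u:
                    new_trans.add((s, a, v))
    reduced = Module(module.init, new_trans)
    live = reduced.reachable()
    reduced.trans = {t for t in reduced.trans if t[0] in live}
    return reduced


def check_refinement(impl, spec, witness):
    """Refinement check via a witness: the witness maps every implementation
    state to a specification state.  Initial states must map to initial states,
    and every implementation transition must map to a specification transition
    or be a stutter (internal step whose mapped spec state is unchanged).
    Returns the list of violations; an empty list means impl refines spec."""
    violations = []
    for s in impl.init:
        if witness(s) not in spec.init:
            violations.append(("init", s, witness(s)))
    for (s, a, t) in impl.trans:
        fs, ft = witness(s), witness(t)
        if a == TAU and fs == ft:
            continue  # stuttering step, invisible to the specification
        if (fs, a, ft) not in spec.trans:
            violations.append(("step", (s, a, t), (fs, a, ft)))
    return violations


# Constructed specification: a simplified DHCP-like client life cycle.
SPEC = Module(
    init={"INIT"},
    transitions={
        ("INIT", "send_discover", "SELECTING"),
        ("SELECTING", "recv_offer", "REQUESTING"),
        ("REQUESTING", "recv_ack", "BOUND"),
        ("REQUESTING", "recv_nak", "INIT"),
        ("BOUND", "lease_expired", "INIT"),
    },
)


def build_impl(nak_goes_to="INIT"):
    """Constructed implementation model.  States are (phase, retries); the
    retry counter is hidden state the spec does not have, and retransmission
    timeouts are modelled as internal (tau) steps.  nak_goes_to lets us build
    a deliberately deviating variant for demonstration."""
    t = {
        (("INIT", 0), "send_discover", ("SELECTING", 0)),
        (("SELECTING", 0), TAU, ("SELECTING", 1)),  # timeout, retransmit
        (("SELECTING", 1), TAU, ("SELECTING", 2)),  # timeout, retransmit
        (("REQUESTING", 0), "recv_ack", ("BOUND", 0)),
        (("REQUESTING", 0), "recv_nak", (nak_goes_to, 0)),
        (("BOUND", 0), "lease_expired", ("INIT", 0)),
    }
    for n in range(3):  # an offer may arrive in any retry round
        t.add((("SELECTING", n), "recv_offer", ("REQUESTING", 0)))
    return Module(init={("INIT", 0)}, transitions=t)


def witness(state):
    """Witness module: project away the hidden retry counter."""
    return state[0]


if __name__ == "__main__":
    impl = build_impl()
    print("impl refines spec:", check_refinement(impl, SPEC, witness) == [])
    reduced = compress_internal(impl)
    print("transitions before/after compression:", len(impl.trans), len(reduced.trans))
    print("reduced impl refines spec:", check_refinement(reduced, SPEC, witness) == [])
    print("deviating variant:", check_refinement(build_impl("BOUND"), SPEC, witness))
```

Running the script shows the conforming model passing (no violations), the compressed model keeping the same observable behaviour with fewer transitions (the three retry rounds collapse to one), and the deviating variant, in which a NAK wrongly leads to BOUND, being reported as a single `step` violation naming both the implementation transition and the missing specification transition.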
