Formal Verification of an Intrusion-Tolerant Group Membership Protocol

SUMMARY The traditional approach for establishing the correctness of group communication protocols is through rigorous arguments. While this is a valid approach, the likelihood of subtle errors in the design and implementation of such complex distributed protocols is not negligible. The use of formal verification methods has been widely advocated to instill confidence in the correctness of protocols. In this paper, we describe how we used the SPIN model checker to formally verify a group membership protocol that is part of an intrusion-tolerant group communication system. We describe how we successfully tackled the state-space explosion problem by determining the right abstraction level for formally specifying the protocol. The verification exercise not only formally showed that the protocol satisfies its correctness claims, but also provided information that will help us make the protocol more efficient without violating correctness.
