Model Checking Large Network Protocol Implementations

Network protocols must work. The effects of protocol specification or implementation errors range from reduced performance, to security breaches, to bringing down entire networks. However, network protocols are difficult to test because of the exponential size of the state space they define. Ideally, a protocol implementation would be validated against all possible events (packet arrivals, packet losses, timeouts, etc.) in all possible protocol states. Conventional testing can explore only a minute fraction of these combinations. This paper focuses on how to effectively find errors in large network protocol implementations using model checking, a formal verification technique. Model checking systematically explores the possible states of a system and is well suited to finding intricate errors lurking deep in exponential state spaces. Its primary limitation has been the effort needed to apply it to software. The primary contribution of this paper is a set of novel techniques that allow us to model check complex, real-world, well-tested protocol implementations with reasonable effort. We have implemented these techniques in CMC, a C model checker [30], and applied the result to the Linux TCP/IP implementation, finding four errors in the protocol implementation.
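To make "systematic exploration of all events in all protocol states" concrete, here is a small explicit-state model checker written for this page as an added example. It is not CMC and it is not Linux TCP; the protocol model is a deliberately simplified three-way handshake (constructed for illustration) in which the server never retransmits its SYN-ACK, and the state encoding, event names and bounds (MAX_RETX, NSTATES) are this example's own assumptions. The checker enumerates every interleaving of packet delivery, packet loss and client timeout by breadth-first search over encoded states, and reports the shortest event sequence that reaches a non-final state with no enabled event. For this model that is the half-open connection left behind when the final ACK is lost, a case real TCP stacks handle by retransmitting the SYN-ACK; the point is that the checker finds it without anyone having thought to write that test.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy handshake model, constructed for this example (not Linux TCP). */
enum { CLOSED, SYN_SENT, SYN_RCVD, ESTABLISHED };
enum { PKT_SYN = 1, PKT_SYNACK = 2, PKT_ACK = 4 };
#define MAX_RETX 2          /* assumed client SYN retransmission limit */
#define NSTATES  512        /* 2+2+3+2 bits of encoded state (see encode) */

typedef struct {
    uint8_t client, server; /* endpoint states */
    uint8_t channel;        /* packets in flight, one bit per packet type */
    uint8_t retx;           /* SYN retransmissions the client has used */
} State;

static const char *name[] = { "CLOSED", "SYN_SENT", "SYN_RCVD", "ESTABLISHED" };

/* Pack a state into a small integer so the visited set is a plain array. */
static unsigned encode(State s) { return s.client | s.server << 2 | s.channel << 4 | s.retx << 7; }
static State decode(unsigned c) { State s = { c & 3, (c >> 2) & 3, (c >> 4) & 7, (c >> 7) & 3 }; return s; }

/* A run is acceptable if both sides connected or the client gave up. */
static int is_final(State s) {
    return (s.client == ESTABLISHED && s.server == ESTABLISHED) || s.client == CLOSED;
}

/* Every enabled event: each in-flight packet may be delivered or lost, and a
 * client in SYN_SENT may time out at any moment (retransmit or give up). */
static int successors(State s, State out[8], const char *why[8]) {
    int n = 0; State t;
    if (s.channel & PKT_SYN) {
        t = s; t.channel &= ~PKT_SYN;
        if (t.server != ESTABLISHED) { t.server = SYN_RCVD; t.channel |= PKT_SYNACK; }
        why[n] = "deliver SYN"; out[n++] = t;
        t = s; t.channel &= ~PKT_SYN; why[n] = "lose SYN"; out[n++] = t;
    }
    if (s.channel & PKT_SYNACK) {
        t = s; t.channel &= ~PKT_SYNACK;
        if (t.client != CLOSED) { t.client = ESTABLISHED; t.channel |= PKT_ACK; }  /* a CLOSED client ignores it */
        why[n] = "deliver SYN-ACK"; out[n++] = t;
        t = s; t.channel &= ~PKT_SYNACK; why[n] = "lose SYN-ACK"; out[n++] = t;
    }
    if (s.channel & PKT_ACK) {
        t = s; t.channel &= ~PKT_ACK;
        if (t.server == SYN_RCVD) t.server = ESTABLISHED;
        why[n] = "deliver ACK"; out[n++] = t;
        t = s; t.channel &= ~PKT_ACK; why[n] = "lose ACK"; out[n++] = t;
    }
    if (s.client == SYN_SENT) {
        t = s;
        if (s.retx < MAX_RETX) { t.retx++; t.channel |= PKT_SYN; why[n] = "client timeout: retransmit SYN"; }
        else                   { t.client = CLOSED;             why[n] = "client timeout: give up"; }
        out[n++] = t;
    }
    return n;
}

/* Breadth-first search over reachable states. Returns the number of states
 * visited; if a non-final state with no enabled event exists, stores the first
 * (shallowest) one in *deadlock, its depth in *depth_out, and prints the trace. */
static int explore(State *deadlock, int *depth_out) {
    static unsigned queue[NSTATES]; static int parent[NSTATES], depth[NSTATES];
    static const char *event[NSTATES]; static unsigned char seen[NSTATES];
    State s0 = { SYN_SENT, CLOSED, PKT_SYN, 0 };   /* client has just sent SYN */
    int head = 0, tail = 0, found = 0;
    memset(seen, 0, sizeof seen);
    seen[encode(s0)] = 1; parent[encode(s0)] = -1; depth[encode(s0)] = 0;
    queue[tail++] = encode(s0);
    while (head < tail) {
        unsigned code = queue[head++];
        State s = decode(code), next[8]; const char *why[8];
        int n = successors(s, next, why);
        if (n == 0 && !is_final(s) && !found) {
            const char *trace[NSTATES]; int len = 0;
            found = 1; *deadlock = s; *depth_out = depth[code];
            for (int c = (int)code; parent[c] != -1; c = parent[c]) trace[len++] = event[c];
            printf("stuck state after %d events:\n", len);
            while (len--) printf("  %s\n", trace[len]);
            printf("  -> client %s, server %s, nothing in flight\n", name[s.client], name[s.server]);
        }
        for (int i = 0; i < n; i++) {
            unsigned c = encode(next[i]);
            if (seen[c]) continue;
            seen[c] = 1; parent[c] = (int)code; depth[c] = depth[code] + 1; event[c] = why[i];
            queue[tail++] = c;
        }
    }
    return tail;
}

int main(void) {
    State d; int depth;
    printf("%d reachable states explored\n", explore(&d, &depth));
    return 0;
}
```

The visited set is what keeps the search finite: every interleaving of the same events that lands in an already-seen state is pruned, which is the same idea CMC applies to real kernel state (with hashing instead of a direct-indexed array). Adding a server SYN-ACK retransmission event to `successors` removes the stuck state, which is how one would confirm that the finding is a genuine protocol issue rather than a modeling artifact.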

[1] Larry L. Peterson et al. The x-Kernel: An Architecture for Implementing Network Protocols. IEEE Trans. Software Eng., 1991.

[2] David L. Dill et al. Better verification through symmetry. Formal Methods Syst. Des., 1996.

[3] William R. Bush et al. A static analyzer for finding dynamic programming errors. Softw. Pract. Exp., 2000.

[4] Bogdan M. Wilamowski et al. The Transmission Control Protocol. The Industrial Information Technology Handbook, 2005.

[5] Robert DeLine et al. Enforcing high-level protocols in low-level software. PLDI '01, 2001.

[6] Kai-Yeung Siu et al. New dynamic SPT algorithm based on a ball-and-string model. IEEE INFOCOM '99, 1999.

[7] Boris Beizer. Software Testing Techniques (2nd ed.), 1990.

[8] David L. Dill et al. Automatic verification of the SCI cache coherence protocol. CHARME, 1995.

[9] Dawson R. Engler et al. Checking system rules using system-specific, programmer-written compiler extensions. OSDI, 2000.

[10] Daniele Frigioni et al. Incremental Algorithms for the Single-Source Shortest Path Problem. FSTTCS, 1994.

[11] Radu Iosif. Exploiting heap symmetries in explicit-state model checking of software. ASE 2001, 2001.

[12] Vern Paxson et al. Automated packet trace analysis of TCP implementations. SIGCOMM '97, 1997.

[13] Robert T. Braden et al. Requirements for Internet Hosts - Communication Layers. RFC 1122, 1989.

[14] Edoardo Biagioni. A Structured TCP in Standard ML. SIGCOMM, 1994.

[15] Eddie Kohler et al. A readable TCP in the Prolac protocol language. SIGCOMM '99, 1999.

[16] Sorin Lerner. Path-Sensitive Program Verification in Polynomial Time, 2002.

[17] David L. Dill et al. A New Scheme for Memory-Efficient Probabilistic Verification. FORTE, 1996.

[18] Alexander Aiken et al. Flow-sensitive type qualifiers. PLDI '02, 2002.

[19] Douglas Comer et al. Probing TCP Implementations. USENIX Summer, 1994.

[20] Tommaso Bolognesi et al. Tableau methods to describe strong bisimilarity on LOTOS processes involving pure interleaving and enabling. FORTE, 1994.

[21] Klaus Havelund et al. Model Checking Programs. Automated Software Engineering, 2004.

[22] Charles E. Perkins et al. Ad hoc On-Demand Distance Vector (AODV) Routing. RFC, 2001.

[23] David L. Dill et al. CMC: a model checker for network protocol implementations, 2004.

[24] John H. Hartman et al. Scout: A Communications-Oriented Operating System (Abstract). OSDI, 1994.

[25] Patrice Godefroid. Model checking for programming languages using VeriSoft. POPL '97, 1997.

[26] Alan L. Cox et al. TreadMarks: Distributed Shared Memory on Standard Workstations and Operating Systems. USENIX Winter, 1994.

[27] Sorin Lerner et al. ESP: path-sensitive program verification in polynomial time. PLDI '02, 2002.

[28] Charles Gregory Nelson. Techniques for program verification, 1979.

[29] Daniele Frigioni et al. Incremental algorithms for single-source shortest path trees, 1994.

[30] Stephen N. Freund et al. Type-based race detection for Java. PLDI '00, 2000.

[31] Boris Beizer. Software Testing Techniques, 1983.

[32] Dawson R. Engler et al. CMC: A Pragmatic Approach to Model Checking Real Code. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI), 2002.

[33] Greg Nelson et al. Extended static checking for Java. PLDI '02, 2002.

[34] William C. Fenner et al. Known TCP Implementation Problems. RFC 2525, 1999.

[35] Larry L. Peterson et al. Experiences with network simulation. SIGMETRICS '96, 1996.

[36] Frédéric Boussinot et al. The ESTEREL language. Proc. IEEE, 1991.

[37] Farnam Jahanian et al. Experiments on six commercial TCP implementations using a software fault injection tool, 1997.