TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification : Volume 1: Overview

We have developed a mathematically rigorous and experimentally-validated post-hoc specification of the behaviour of TCP, UDP, and the Sockets API. It characterises the API and network-interface interactions of a host, using operational semantics in the higher-order logic of the HOL automated proof assistant. The specification is detailed, covering almost all the information of the real-world communications: it is in terms of individual TCP segments and UDP datagrams, though it abstracts from the internals of IP. It has broad coverage, dealing with arbitrary API call sequences and incoming messages, not just some well-behaved usage. It is also accurate, closely based on the de facto standard of (three of) the widely deployed implementations. To ensure this we have adopted a novel experimental semantics approach, developing test generation tools and symbolic higher-order-logic model checking techniques that let us validate the specification directly against several thousand traces captured from the implementations. The resulting specification, which is annotated for the non-HOL-specialist reader, may be useful as an informal reference for TCP/IP stack implementors and Sockets API users, supplementing the existing informal standards and texts. It can also provide a basis for high-fidelity automated testing of future implementations, and a basis for design and formal proof of higher-level communication layers. More generally, the work demonstrates that it is feasible to carry out similar rigorous specification work at design-time for new protocols. We discuss how such a design-for-test approach should influence protocol development, leading to protocol specifications that are both unambiguous and clear, and to high-quality implementations that can be tested directly against those specifications. This document gives an overview of the project, discussing the goals and techniques and giving an introduction to the specification.
The specification itself is given in the companion volume: TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification. Volume 2: The Specification. Steven Bishop, Matthew Fairbairn, Michael Norrish, Peter Sewell, Michael Smith, and Keith Wansbrough. xxiv+359pp. [BFN05], which is automatically typeset from the (extensively annotated) HOL source. As far as possible we have tried to make the work accessible to four groups of intended readers: workers in networking (implementors of TCP/IP stacks, and designers of new protocols); in distributed systems (implementors of software above the Sockets API); in distributed algorithms (for whom this may make it possible to prove properties about executable implementations of those algorithms); and in semantics and automated reasoning.
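The trace-validation idea described above, as an added illustration that is not part of the paper or of its HOL specification: a toy nondeterministic transition relation for TCP connection establishment, labelled with Sockets API calls, outgoing and incoming segments and an internal timer step, plus a checker that tracks the set of model states a captured trace could have reached after each label. The states, labels, transition table and the sample traces are all constructed for this example and are a drastic simplification of the specification's host-level transition system; the one point they preserve is that abstracting away detail (here, retransmission counts and whether a SYN_RCVD socket came from a passive or active open) makes the model nondeterministic, so a checker must carry a set of possible states rather than a single one.

```python
"""Toy checker: does a captured trace lie within a nondeterministic TCP model?

Everything here is constructed for illustration; it is not the paper's HOL
specification. Labels are strings of the form
    api:<call>        Sockets API call on the host under test
    out:<FLAGS>       segment emitted by the host (flags joined by '+')
    in:<FLAGS>        segment delivered to the host
    tau               internal step (e.g. a retransmission timer firing)
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

State = str
Label = str

# Successor-state relation for connection establishment (a fragment of RFC 793's
# state diagram, deliberately abstracted). Sets with more than one element are
# where the abstraction leaves the model nondeterministic.
TRANSITIONS: Dict[Tuple[State, Label], FrozenSet[State]] = {
    ("CLOSED", "api:listen"):       frozenset({"LISTEN"}),
    ("CLOSED", "api:connect"):      frozenset({"SYN_SENT"}),
    ("SYN_SENT", "out:SYN"):        frozenset({"SYN_SENT"}),            # initial SYN and any retransmission
    ("SYN_SENT", "tau"):            frozenset({"SYN_SENT", "CLOSED"}),  # timer: retry again or give up (retry count not modelled)
    ("SYN_SENT", "in:SYN+ACK"):     frozenset({"ESTABLISHED"}),
    ("SYN_SENT", "in:SYN"):         frozenset({"SYN_RCVD"}),            # simultaneous open
    ("SYN_SENT", "in:RST"):         frozenset({"CLOSED"}),
    ("LISTEN", "in:SYN"):           frozenset({"SYN_RCVD"}),
    ("SYN_RCVD", "out:SYN+ACK"):    frozenset({"SYN_RCVD"}),
    ("SYN_RCVD", "in:ACK"):         frozenset({"ESTABLISHED"}),
    ("SYN_RCVD", "in:RST"):         frozenset({"LISTEN", "CLOSED"}),    # back to LISTEN after passive open, CLOSED after active; origin not tracked
    ("ESTABLISHED", "out:ACK"):     frozenset({"ESTABLISHED"}),
    ("ESTABLISHED", "in:ACK"):      frozenset({"ESTABLISHED"}),
    ("ESTABLISHED", "in:RST"):      frozenset({"CLOSED"}),
    ("ESTABLISHED", "api:close"):   frozenset({"FIN_WAIT_1"}),
    ("FIN_WAIT_1", "out:FIN"):      frozenset({"FIN_WAIT_1"}),
}


def step(state: State, label: Label) -> FrozenSet[State]:
    """All states the model may move to from `state` under `label` (empty = label not permitted)."""
    return TRANSITIONS.get((state, label), frozenset())


def check_trace(trace: Iterable[Label], initial: State = "CLOSED") -> Tuple[bool, int, List[State]]:
    """Run a trace against the model.

    Returns (accepted, position, states): `states` is the sorted set of states the
    model could be in after consuming `position` labels. If the trace is rejected,
    `position` is the index of the first label that no possible state permits, and
    `states` is the candidate set that was live just before it, which is what a
    specification author looks at when a real implementation disagrees with the model.
    """
    possible: FrozenSet[State] = frozenset({initial})
    for i, label in enumerate(trace):
        successors: FrozenSet[State] = frozenset()
        for s in possible:
            successors |= step(s, label)
        if not successors:
            return (False, i, sorted(possible))
        possible = successors
        i += 1
    return (True, i if trace else 0, sorted(possible))


def parse_trace(text: str) -> List[Label]:
    """Turn a captured trace (one label per line, '#' comments allowed) into a label list."""
    labels = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            labels.append(line)
    return labels


# Constructed sample traces (not captured from any real implementation).
ACTIVE_OPEN = parse_trace("""
api:connect
out:SYN
in:SYN+ACK
out:ACK        # three-way handshake completes
""")
ACTIVE_OPEN_WITH_RETRANSMIT = parse_trace("""
api:connect
out:SYN
tau            # timer fires: model allows SYN_SENT or CLOSED
out:SYN        # a retransmission is only possible from SYN_SENT, so CLOSED is pruned
in:SYN+ACK
out:ACK
""")
PASSIVE_OPEN_RESET = parse_trace("api:listen\nin:SYN\nin:RST")
BAD_TRACE = parse_trace("api:listen\nin:ACK")   # an ACK cannot arrive before a SYN in LISTEN

if __name__ == "__main__":
    for name, tr in [("active open", ACTIVE_OPEN), ("with retransmit", ACTIVE_OPEN_WITH_RETRANSMIT),
                     ("passive open + RST", PASSIVE_OPEN_RESET), ("bad trace", BAD_TRACE)]:
        print(name, "->", check_trace(tr))
```

The retransmission trace shows why the set-of-states representation matters: after the `tau` step the model admits both SYN_SENT and CLOSED, and only the next observed label (a second `out:SYN`) rules CLOSED out. The reset-after-passive-open trace ends with two live states, which is the model honestly reporting that it did not record enough to say which one the real host is in; a more detailed specification would refine the state to remove that ambiguity.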
