Counter Attack on Byzantine Generals: Parameterized Model Checking of Fault-tolerant Distributed Algorithms

We introduce an automated parameterized verification method for fault-tolerant distributed algorithms (FTDA). FTDAs are parameterized by both the number of processes and the assumed maximum number of Byzantine faulty processes. At the center of our technique is a parametric interval abstraction (PIA) where the interval boundaries are arithmetic expressions over parameters. Using PIA for both data abstraction and a new form of counter abstraction, we reduce the parameterized problem to finite-state model checking. We demonstrate the practical feasibility of our method by verifying several variants of the well-known distributed algorithm by Srikanth and Toueg. Our semi-decision procedures are complemented and motivated by an undecidability proof for FTDA verification which holds even in the absence of interprocess communication. To the best of our knowledge, this is the first paper to achieve parameterized automated verification of Byzantine FTDA.
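A small worked illustration of the PIA idea described above, written for this page and not code from the paper: the threshold expressions t+1 and n-t (Srikanth-Toueg style), the resilience condition n > 3t with t >= 1, and the bounded brute-force search over parameters (standing in for the SMT queries a real tool would issue) are all assumptions of this example. It shows how interval boundaries that are expressions over the parameters yield one finite abstract domain, and one finite set of abstract transitions, valid for every admissible (n, t).

```python
"""Parametric interval abstraction (PIA) for a threshold counter.

Added illustration, not the paper's code. Assumes thresholds t+1 and
n-t, the resilience condition n > 3t with t >= 1, and a bounded
parameter enumeration in place of an SMT solver.
"""
from typing import Callable, Dict, List, Set, Tuple

# Interval boundaries are arithmetic expressions over the parameters, so
# a single abstract domain serves every admissible (n, t):
#   I0 = [0, 1), I1 = [1, t+1), I2 = [t+1, n-t), I3 = [n-t, infinity)
THRESHOLDS: List[Tuple[str, Callable[[int, int], int]]] = [
    ("0", lambda n, t: 0),
    ("1", lambda n, t: 1),
    ("t+1", lambda n, t: t + 1),
    ("n-t", lambda n, t: n - t),
]


def admissible(n: int, t: int) -> bool:
    """Resilience condition assumed by this example (not from the page)."""
    return t >= 1 and n > 3 * t


def alpha(x: int, n: int, t: int) -> int:
    """Abstraction function: index of the PIA interval containing x."""
    return max(i for i, (_, th) in enumerate(THRESHOLDS) if x >= th(n, t))


def thresholds_ordered(n: int, t: int) -> bool:
    """Under the resilience condition the thresholds are strictly ordered,
    so no interval is empty and alpha is well defined for that (n, t)."""
    vals = [th(n, t) for _, th in THRESHOLDS]
    return all(a < b for a, b in zip(vals, vals[1:]))


def abstract_successors(max_n: int = 20) -> Dict[int, Set[int]]:
    """Existential abstraction of the concrete step 'x := x + 1':
    I_i -> I_j is an abstract transition iff some admissible (n, t) and
    some x in I_i have x + 1 in I_j. The bounded enumeration here stands
    in for the parameterized SMT query a verification tool would make."""
    succ: Dict[int, Set[int]] = {i: set() for i in range(len(THRESHOLDS))}
    for n in range(1, max_n + 1):
        for t in range(0, n):
            if not admissible(n, t):
                continue
            for x in range(0, n + 1):  # a counter never exceeds n messages
                succ[alpha(x, n, t)].add(alpha(x + 1, n, t))
    return succ
```

The resulting abstract transition relation is finite and parameter-free, which is what lets finite-state model checking take over from the parameterized problem.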
