TCP, UDP, and Sockets: Volume 3: The Service-level Specification

Despite more than 30 years of research on protocol specification, the major protocols deployed in the Internet, such as TCP, are described only in informal prose RFCs and executable code. In part this is because the scale and complexity of these protocols makes them challenging targets for formal descriptions, and because techniques for mathematically rigorous (but appropriately loose) specification are not in common use. In this work we show how these difficulties can be addressed. We develop a high-level specification for TCP and the Sockets API, describing the byte-stream service that TCP provides to users, expressed in the formalised mathematics of the HOL proof assistant. This complements our previous low-level specification of the protocol internals, and makes it possible for the first time to state what it means for TCP to be correct: that the protocol implements the service. We define a precise abstraction function between the models and validate it by testing, using verified testing infrastructure within HOL. Some errors may remain, of course, especially as our resources for testing were limited, but it would be straightforward to use the method on a larger scale. This is a pragmatic alternative to full proof, providing reasonable confidence at a relatively low entry cost. Together with our previous validation of the low-level model, this shows how one can rigorously tie together concrete implementations, low-level protocol models, and specifications of the services they claim to provide, dealing with the complexity of real-world protocols throughout. Similar techniques should be applicable, and even more valuable, in the design of new protocols (as we illustrated elsewhere, for a MAC protocol for the SWIFT optically switched network). For TCP and Sockets, our specifications had to capture the historical complexities, whereas for a new protocol design, such specification and testing can identify unintended complexities at an early point in the design.
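The abstract above describes three artefacts: a service-level specification (the byte stream the user sees), a protocol-level model (segments, sequence numbers, buffers), and an abstraction function from the second to the first that is validated by testing rather than by full proof. The Python below is an added toy example and is not part of the paper or its HOL development. It models a reliable byte-stream service, a sequence-numbered segment protocol with a reassembly buffer, an abstraction function that forgets the protocol internals, and a trace checker that confirms every protocol step maps to a legal service step. All names (ServiceState, ProtocolState, recv_segment, check_trace, the TRACE events) are assumptions made for this illustration; the faulty buggy_recv is constructed purely to show the kind of error such testing catches and does not describe any real TCP stack.

```python
"""Constructed toy: service-level spec, segment-level protocol model, an
abstraction function between them, and a trace-based conformance check."""
from dataclasses import dataclass, field

# ---- Service level: all that the user of a reliable byte stream can observe
@dataclass(frozen=True)
class ServiceState:
    written: bytes    # everything the sending user has written so far
    delivered: bytes  # everything the receiving user has read so far

def service_invariant(s: ServiceState) -> bool:
    # The service promise: delivered bytes are exactly a prefix of written bytes.
    return s.written.startswith(s.delivered)

def service_step_ok(pre: ServiceState, post: ServiceState) -> bool:
    # Legal service transitions: a user write, an in-order delivery, or a
    # stutter (protocol-internal activity that changes nothing user-visible).
    return (service_invariant(post)
            and post.written.startswith(pre.written)
            and post.delivered.startswith(pre.delivered)
            and (post.written == pre.written or post.delivered == pre.delivered))

# ---- Protocol level: sequence-numbered segments and a reassembly buffer
@dataclass
class Segment:
    seq: int
    data: bytes

@dataclass
class ProtocolState:
    snd_data: bytes = b""   # bytes handed to the sender by its user
    snd_nxt: int = 0        # next sequence number to put on the wire
    rcv_nxt: int = 0        # next sequence number the receiver expects
    ooo: dict = field(default_factory=dict)  # out-of-order buffer: seq -> data
    rcv_user: bytes = b""   # bytes already delivered to the receiving user

def recv_segment(st: ProtocolState, seg: Segment) -> None:
    """Receiver: drop old duplicates, buffer gaps, deliver contiguous bytes."""
    if seg.seq + len(seg.data) <= st.rcv_nxt:
        return                                   # wholly old: a duplicate
    st.ooo[seg.seq] = seg.data
    while True:                                  # drain whatever is now in order
        ready = [s for s, d in st.ooo.items() if s <= st.rcv_nxt < s + len(d)]
        if not ready:
            break
        s = min(ready)
        d = st.ooo.pop(s)
        st.rcv_user += d[st.rcv_nxt - s:]       # trim any already-delivered prefix
        st.rcv_nxt = s + len(d)
    st.ooo = {s: d for s, d in st.ooo.items() if s + len(d) > st.rcv_nxt}

def buggy_recv(st: ProtocolState, seg: Segment) -> None:
    # Constructed faulty receiver: ignores sequence numbers and appends payload
    # in arrival order. Indistinguishable from recv_segment on in-order traces.
    st.rcv_user += seg.data

# ---- Abstraction function: forget the protocol internals
def abstraction(st: ProtocolState) -> ServiceState:
    # Sequence numbers, segment boundaries and the reassembly buffer are
    # internal; the service sees only the two user-visible byte strings.
    return ServiceState(written=st.snd_data, delivered=st.rcv_user)

# ---- Validation by testing: each protocol step must abstract to a service step
def check_trace(events, recv=recv_segment):
    """Run a scripted protocol trace; the harness plays the network, so it can
    reorder, duplicate and lose segments. Returns (ok, first_bad_index, final)."""
    st, wire = ProtocolState(), {}               # wire: tag -> Segment
    for i, ev in enumerate(events):
        pre = abstraction(st)
        kind = ev[0]
        if kind == "write":                      # sending user writes bytes
            st.snd_data += ev[1]
        elif kind == "send":                     # next n bytes go out as one segment
            n, tag = ev[1], ev[2]
            wire[tag] = Segment(st.snd_nxt, st.snd_data[st.snd_nxt:st.snd_nxt + n])
            st.snd_nxt += len(wire[tag].data)
        elif kind == "retransmit":               # resend n bytes starting at seq
            seq, n, tag = ev[1], ev[2], ev[3]
            wire[tag] = Segment(seq, st.snd_data[seq:seq + n])
        elif kind == "deliver":                  # network hands segment to receiver
            recv(st, wire[ev[1]])                # (same tag twice = a duplicate)
        elif kind == "drop":                     # network loses the segment
            del wire[ev[1]]
        post = abstraction(st)
        if not service_step_ok(pre, post):
            return False, i, post
    return True, None, abstraction(st)

# Constructed trace: reordering, loss, retransmission and a late duplicate.
TRACE = [
    ("write", b"HELLO WORLD"),
    ("send", 5, "a"), ("send", 1, "b"), ("send", 5, "c"),   # HELLO | ' ' | WORLD
    ("deliver", "c"), ("deliver", "b"),                     # arrive out of order
    ("drop", "a"), ("retransmit", 0, 5, "a2"), ("deliver", "a2"),
    ("deliver", "c"),                                       # duplicate of WORLD
]

if __name__ == "__main__":
    print(check_trace(TRACE))                   # correct receiver: (True, None, ...)
    print(check_trace(TRACE, recv=buggy_recv))  # faulty receiver: violation at event 4
```

The checker is a forward-simulation test: for every protocol transition, the abstractions of the pre- and post-states must either coincide (a stutter, as when an out-of-order segment is merely buffered) or be related by one service transition. With recv_segment the whole trace passes and the final service state has delivered exactly the written bytes; buggy_recv passes the write and send events but is caught at the first reordered delivery, because "WORLD" is not a prefix of "HELLO WORLD". Because the harness controls the network, the same machinery can be driven from traces of a real implementation, which is the role the abstract assigns to testing here.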
