Specification, composition, and automated verification of layered communication protocols

Horus is a general-purpose layered message-passing system for distributed programming. A programmer of a distributed application can select protocol layers from among those provided by Horus and arrange these in a stack, thereby creating a custom-built message-passing protocol with strong (or not so strong) properties underneath the application. For the full value of Horus's modularity to be exploited, an application programmer must be able to choose just the layers and stacking order that will provide the desired properties. A programmer who is limited to only a few "tried-and-true" alternatives may end up paying a performance cost (such as excessive synchronization messages) for unnecessary properties, simply because he or she cannot confidently build a less costly stack underneath a given application. This dissertation describes a formal method that supports the engineering of new Horus protocol stacks by precisely specifying and mechanically verifying communication properties of these stacks. Various communication properties can be described in English, but are also described succinctly in a mathematical model (the Temporal Logic of Actions) that supports sound reasoning about whether the properties are satisfied by an implementation. Each protocol layer guarantees various properties at its interfaces, depending on what assumed properties its neighbors provide to it. Relatively straightforward formal reasoning can then show that certain properties will be provided to the applications at the top of the stack. This method of reasoning about protocol stacks can efficiently be automated so that it can be used by practitioners. A prototype of the verifier has been implemented in Java and published on the World Wide Web.
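The abstract describes the core of the method: each layer publishes what it requires from the layer beneath it and what it guarantees to the layer above it, and a verifier walks the stack bottom-up to determine which properties reach the application. The following Python sketch is an added illustration of that compositional check, not code from the dissertation or from Horus; it replaces the Temporal Logic of Actions reasoning with plain set inclusion, and the layer names, property names and cost figures are constructed placeholders rather than Horus's real layers. It also goes one step beyond the text by searching a layer catalogue for the cheapest valid stack that delivers a requested property set, which is the engineering use the abstract motivates (avoiding the cost of properties the application does not need).

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Layer:
    """One protocol layer's interface contract (all values here are constructed)."""
    name: str
    requires: frozenset          # properties the layer below must provide (rely)
    adds: frozenset              # properties guaranteed at this layer's top interface
    drops: frozenset = frozenset()  # properties from below that this layer does NOT preserve
    cost: int = 0                # abstract per-message overhead, e.g. extra sync messages


def check_stack(stack, base):
    """Walk the stack bottom-up, threading the property set through each layer.

    Returns (ok, properties_at_top, reason). A layer is admissible only if every
    property it relies on is present at its lower interface; the set handed upward
    is what survives the layer plus whatever the layer itself guarantees.
    """
    have = frozenset(base)
    for layer in stack:
        missing = layer.requires - have
        if missing:
            return False, have, f"{layer.name} requires {sorted(missing)} not provided below"
        have = (have - layer.drops) | layer.adds
    return True, have, "ok"


def cheapest_stack(catalogue, base, goal, max_layers=None):
    """Brute-force search over orderings of catalogue layers for the least-cost
    valid stack whose top interface provides every property in `goal`.
    Returns ([layer names bottom-up], cost) or None if no stack qualifies."""
    limit = len(catalogue) if max_layers is None else max_layers
    best = None
    for k in range(limit + 1):
        for combo in permutations(catalogue, k):
            ok, top, _ = check_stack(combo, base)
            if ok and frozenset(goal) <= top:
                cost = sum(layer.cost for layer in combo)
                if best is None or cost < best[1]:
                    best = ([layer.name for layer in combo], cost)
    return best


# Constructed catalogue: hypothetical layers, not Horus's actual layer set.
BASE = frozenset({"point_to_point"})  # what the raw transport is assumed to give
NAK = Layer("NAK", frozenset({"point_to_point"}), frozenset({"reliable"}), cost=1)
FIFO = Layer("FIFO", frozenset({"reliable"}), frozenset({"fifo"}), cost=1)
TOTAL = Layer("TOTAL", frozenset({"fifo"}), frozenset({"total_order"}), cost=3)
# A batching layer that reorders messages, so it breaks FIFO if placed above it.
BATCH = Layer("BATCH", frozenset({"reliable"}), frozenset({"batched"}),
              drops=frozenset({"fifo"}), cost=1)
CATALOGUE = [NAK, FIFO, TOTAL, BATCH]


if __name__ == "__main__":
    for stack in ([NAK, FIFO], [FIFO, NAK], [NAK, FIFO, BATCH], [NAK, BATCH, FIFO]):
        ok, top, reason = check_stack(stack, BASE)
        print([l.name for l in stack], "->", ok, sorted(top), reason)
    for goal in ({"fifo"}, {"total_order"}, {"fifo", "batched"}, {"causal"}):
        print(sorted(goal), "cheapest:", cheapest_stack(CATALOGUE, BASE, goal))
```

The two stacks containing BATCH show why stacking order, not just layer choice, matters: with BATCH above FIFO the fifo property is silently lost at the top interface, while with FIFO above BATCH it is restored. A goal that no catalogue layer can provide (the constructed "causal" request) yields None rather than a misleading stack.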