Verification of Clock Synchronization Algorithms: Experiments on a Combination of Deductive Tools

We report on an experiment in combining the theorem prover Isabelle with automatic first-order arithmetic provers to increase automation in the verification of distributed protocols. As a case study for the experiment we verify several averaging clock synchronization algorithms. We present a formalization of Schneider's generalized clock synchronization protocol [Schneider, F. B., Understanding protocols for Byzantine clock synchronization, Technical Report TR 87-859, Cornell University (1987). URL citeseer.ist.psu.edu/schneider87understanding.html] in Isabelle/HOL. Then, we verify that the convergence functions used in two clock synchronization algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [Lamport, L. and P. M. Melliar-Smith, Synchronizing clocks in the presence of faults, J. ACM 32 (1985), pp. 52-78] and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch [Lundelius, J. and N. Lynch, A new fault-tolerant algorithm for clock synchronization, in: Proceedings of PODC '84 (1984), pp. 75-88], satisfy Schneider's general conditions for correctness. The proofs are completely formalized in Isabelle/HOL. We identify the parts of the proofs which are not fully automatically proven by Isabelle's built-in tactics and show that these proofs can be handled by automatic first-order provers with support for arithmetic, such as ICS and CVC Lite.
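As an added illustration, not code from the paper or from its Isabelle development, the two convergence functions named above written out executably, together with a check of one of Schneider's conditions, translation invariance. The function bodies follow the standard formulations in the cited Lamport/Melliar-Smith and Lundelius-Lynch papers; the function names, the sample readings, the fault bound f and the threshold delta are assumptions made for the example.

```python
from fractions import Fraction
from typing import Callable, Sequence

# Exact rationals so the invariance check is an equality, not a float comparison.
Cfn = Callable[[Sequence[Fraction]], Fraction]


def ft_midpoint(readings: Sequence[Fraction], f: int) -> Fraction:
    """Fault-tolerant midpoint (Lundelius-Lynch): discard the f smallest and the
    f largest readings, then return the midpoint of the remaining extremes."""
    if len(readings) <= 2 * f:
        raise ValueError("need more than 2f readings to tolerate f faults")
    kept = sorted(readings)[f:len(readings) - f]
    return (kept[0] + kept[-1]) / 2


def ica(readings: Sequence[Fraction], own: int, delta: Fraction) -> Fraction:
    """Interactive Convergence (Lamport/Melliar-Smith): egocentric average in which
    any reading farther than delta from the local clock is replaced by the local value."""
    mine = readings[own]
    adjusted = [r if abs(r - mine) <= delta else mine for r in readings]
    return sum(adjusted, Fraction(0)) / len(adjusted)


def translation_invariant(cfn: Cfn, readings: Sequence[Fraction], shift: Fraction) -> bool:
    """Schneider's translation-invariance condition: shifting every reading by t
    shifts the result of the convergence function by exactly t."""
    return cfn([r + shift for r in readings]) == cfn(readings) + shift


# Constructed sample: five clock readings, one of them (500) wildly faulty.
SAMPLE = [Fraction(v) for v in (100, 101, 99, 500, 102)]


def demo() -> dict:
    """Evaluate both functions on the sample and check translation invariance."""
    mid = lambda r: ft_midpoint(r, f=1)
    egocentric = lambda r: ica(r, own=0, delta=Fraction(5))
    return {
        "midpoint": mid(SAMPLE),                       # faulty value discarded
        "ica": egocentric(SAMPLE),                     # faulty value replaced by own clock
        "midpoint_invariant": translation_invariant(mid, SAMPLE, Fraction(7)),
        "ica_invariant": translation_invariant(egocentric, SAMPLE, Fraction(-3)),
    }


if __name__ == "__main__":
    print(demo())
```

The invariance check is the easy one of Schneider's conditions; precision enhancement and accuracy preservation are quantitative bounds, which is exactly the arithmetic the paper hands to ICS and CVC Lite.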

[1] Bertrand Tavernier, Calife: A Generic Graphical User Interface for Automata Tools, Electron. Notes Theor. Comput. Sci., 2004.

[2] Alwen Tiu, A Formalization of a Generalized Clock Synchronization Protocol in Isabelle/HOL, 2005.

[3] Natarajan Shankar, Mechanical Verification of a Generalized Protocol for Byzantine Fault Tolerant Clock Synchronization, FTRTFT, 1992.

[4] Michael Norrish et al., Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations, POPL '06, 2006.

[5] Nancy A. Lynch et al., A new fault-tolerant algorithm for clock synchronization, PODC '84, 1984.

[6] Maria Spichkova et al., Towards verified automotive software, ACM SIGSOFT Softw. Eng. Notes, 2005.

[7] Volker Sorge et al., Proof Development with OMEGA, CADE, 2002.

[8] Lawrence C. Paulson et al., Experiments on Supporting Interactive Proof Using Resolution, IJCAR, 2004.

[9] Maria Spichkova et al., FlexRay und FTCom: Formale Spezifikation in Focus, 2006.

[10] Clark W. Barrett et al., Cooperating Theorem Provers: A Case Study Combining HOL-Light and CVC Lite, Electron. Notes Theor. Comput. Sci., 2006.

[11] Fred B. Schneider et al., Understanding Protocols for Byzantine Clock Synchronization, 1987.

[12] Damián Barsotti, Instances of Schneider's generalized protocol of clock synchronization, Arch. Formal Proofs, 2006.

[13] Stephan Merz et al., Expressiveness + Automation + Soundness: Towards Combining SMT Solvers and Interactive Proof Assistants, TACAS, 2006.

[14] Luc Moreau et al., A construction of distributed reference counting, Acta Informatica, 2001.

[15] Tobias Nipkow et al., Structured Proofs in Isar/HOL, TYPES, 2002.

[16] Paul S. Miner et al., Verification of Fault-Tolerant Clock Synchronization Systems, 2003.

[17] Tjark Weber et al., Integrating a SAT Solver with an LCF-style Theorem Prover, PDPAR@CAV, 2005.

[18] P. M. Melliar-Smith et al., Synchronizing clocks in the presence of faults, JACM, 1985.

[19] Leslie Lamport et al., Disk Paxos, Distributed Computing, 2003.

[20] Friedrich W. von Henke et al., Mechanical Verification of Clock Synchronization Algorithms, FTRTFT, 1998.

[21] Richard J. Boulton et al., The PROSPER Toolkit, TACAS, 2000.

[22] Geoff Sutcliffe et al., The TPTP Problem Library, Journal of Automated Reasoning, 1994.