ABSTRACT
The TCP/IP protocols and Sockets API underlie much of modern computation, but their semantics have historically been very complex and ill-defined. The real standard is the de facto one of the common implementations, including, for example, the 15,000--20,000 lines of C in the BSD implementation. Dealing rigorously with the behaviour of such bodies of code is challenging.We have recently developed a post-hoc specification of TCP, UDP, and Sockets that is rigorous, detailed, readable, has broad coverage, and is remarkably accurate. In this paper we describe the novel techniques that were required.Working within a general-purpose proof assistant (HOL), we developed language idioms (within higher-order logic) in which to write the specification: operational semantics with nondeterminism, time, system calls, monadic relational programming, etc. We followed an experimental semantics approach, validating the specification against several thousand traces captured from three implementations (FreeBSD, Linux, and WinXP). Many differences between these were identified, and a number of bugs. Validation was done using a special-purpose symbolic model checker programmed above HOL.We suggest that similar logic engineering techniques could be applied to future critical software infrastructure at design time, leading to cleaner designs and (via specification-based testing using a similar checker) more predictable implementations.
- R. Alur and B.-Y. Wang. Verifying network protocol implementations by symbolic refinement checking. In Proc. CAV '01, LNCS 2102, pages 169--181, 2001.]] Google Scholar
Digital Library
- K. Bhargavan, S. Chandra, P. J. McCann, and C. A. Gunter. What packets may come: automata for network monitoring. In Proc. POPL, pages 206--219, 2001.]] Google Scholar
Digital Library
- K. Bhargavan, D. Obradovic, and C. A. Gunter. Formal verification of standards for distance vector routing protocols. J. ACM, 49(4):538--576, 2002.]] Google Scholar
Digital Library
- E. Biagioni. A structured TCP in Standard ML. In Proc. SIGCOMM '94, pages 36--45, 1994.]] Google Scholar
Digital Library
- S. Bishop, M. Fairbairn, M. Norrish, P. Sewell, M. Smith, and K. Wansbrough. Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and Sockets. In Proc. SIGCOMM 2005 (Philadelphia), Aug. 2005.]] Google Scholar
Digital Library
- S. Bishop, M. Fairbairn, M. Norrish, P. Sewell, M. Smith, and K. Wansbrough. TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification. Volume 1: Overview. Technical Report UCAM-CL-TR-624, Computer Laboratory, University of Cambridge, Mar. 2005. 88pp. Available at http://www.cl.cam.ac.uk/users/pes20/Netsem/.]]Google Scholar
- S. Bishop, M. Fairbairn, M. Norrish, P. Sewell, M. Smith, and K. Wansbrough. TCP, UDP, and Sockets: rigorous and experimentally-validated behavioural specification. Volume 2: The specification. Technical Report UCAM-CL-TR-625, Computer Laboratory, University of Cambridge, Mar. 2005. 386pp. Available at http://www.cl.cam.ac.uk/users/pes20/Netsem/.]]Google Scholar
- C. Castelluccia, W. Dabbous, and S. O'Malley. Generating efficient protocol code from an abstract specification. IEEE/ACM Trans. Netw., 5(4):514--524, 1997. Full version of a paper in SIGCOMM '96.]] Google Scholar
Digital Library
- M. Compton. Stenning's protocol implemented in UDP and verified in Isabelle. In Proc. 11th CATS, Computing: The Australasian Theory Symposium, pages 21--30, 2005.]] Google Scholar
Digital Library
- M. Gordon, R. Milner, and C. P. Wadsworth. Edinburgh LCF, LNCS 78. 1979.]]Google Scholar
- M. J. C. Gordon and T. Melham, editors. Introduction to HOL: a theorem proving environment. Cambridge University Press, 1993.]] Google Scholar
Digital Library
- The HOL 4 system, Kananaskis-3 release. hol.sourceforge.net.]]Google Scholar
- IEEE and The Open Group. IEEE Std 1003.1™-2001 Standard for Information Technology --- Portable Operating System Interface (POSIX®). Dec. 2001. Issue 6. Available http://www.opengroup.org/onlinepubs/007904975/toc.htm.]]Google Scholar
- The Isabelle proof assistant. http://isabelle.in.tum.de/.]]Google Scholar
- E. Kohler, M. F. Kaashoek, and D. R. Montgomery. A readable TCP in the Prolac protocol language. In Proc. SIGGCOMM '99, pages 3--13, August 1999.]] Google Scholar
Digital Library
- N. Lynch and F. Vaandrager. Forward and backward simulations -- Part II: Timing-based systems. Information and Computation, 128(1):1--25, July 1996.]] Google Scholar
Digital Library
- M. Musuvathi and D. Engler. Model checking large network protocol implementations. In Proc.NSDI: 1st Symposium on Networked Systems Design and Implementation, pages 155--168, 2004.]] Google Scholar
Digital Library
- M. Norrish, P. Sewell, and K. Wansbrough. Rigour is good for you, and feasible: reflections on formal treatments of C and UDP sockets. In Proceedings of the 10th ACM SIGOPS European Workshop (Saint-Emilion), pages 49--53, Sept. 2002.]] Google Scholar
Digital Library
- V. Paxson. Automated packet trace analysis of TCP implementations. In Proc. SIGCOMM '97, pages 167--179, 1997.]] Google Scholar
Digital Library
- A. Serjantov, P. Sewell, and K. Wansbrough. The UDP calculus: Rigorous semantics for real networking. Technical Report 515, Computer Laboratory, University of Cambridge, July 2001.]]Google Scholar
Cross Ref
- A. Serjantov, P. Sewell, and K. Wansbrough. The UDP calculus: Rigorous semantics for real networking. In Proc. TACS 2001: Fourth International Symposium on Theoretical Aspects of Computer Software, Tohoku University, Sendai, Oct. 2001.]] Google Scholar
Digital Library
- M. A. Smith and K. K. Ramakrishnan. Formal specification and verification of safety and performance of TCP selective acknowledgment. IEEE/ACM Trans. Netw., 10(2):193--207, 2002.]] Google Scholar
Digital Library
- M. A. S. Smith. Formal verification of communication protocols. In Proc. FORTE IX/PSTV XVI, pages 129--144, 1996.]] Google Scholar
Digital Library
- W. R. Stevens. TCP/IP Illustrated Vol. 1: The Protocols. 1994.]] Google Scholar
Digital Library
- W. R. Stevens. UNIX Network Programming Vol. 1: Networking APIs: Sockets and XTI. Second edition, 1998.]] Google Scholar
Digital Library
- K. Wansbrough, M. Norrish, P. Sewell, and A. Serjantov. Timing UDP: mechanized semantics for sockets, threads and failures. In Proc. ESOP, LNCS 2305, pages 278--294, Apr. 2002.]] Google Scholar
Digital Library
- G. K. Wright and W. R. Stevens. TCP state transition diagram. InphTCP/IP Illustrated, Volume 2: The Implementation http://www.kohala.com/start/pocketguide1.ps.]] Google Scholar
Digital Library
- G. R. Wright and W. R. Stevens. TCP/IP Illustrated Vol. 2: The Implementation. 1995.]] Google Scholar
Digital Library
- W. Yi. CCS + time = an interleaving model for real time systems. In Proc. ICALP, pages 217--228, 1991.]] Google Scholar
Digital Library
Index Terms
Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations
Recommendations
Engineering with Logic: Rigorous Test-Oracle Specification and Validation for TCP/IP and the Sockets API
Conventional computer engineering relies on test-and-debug development processes, with the behavior of common interfaces described (at best) with prose specification documents. But prose specifications cannot be used in test-and-debug development in any ...
Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and sockets
SIGCOMM '05: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communicationsNetwork protocols are hard to implement correctly. Despite the existence of RFCs and other standards, implementations often have subtle differences and bugs. One reason for this is that the specifications are typically informal, and hence inevitably ...
Engineering with logic: HOL specification and symbolic-evaluation testing for TCP implementations
Proceedings of the 2006 POPL ConferenceThe TCP/IP protocols and Sockets API underlie much of modern computation, but their semantics have historically been very complex and ill-defined. The real standard is the de facto one of the common implementations, including, for example, the 15,000--...







Comments