Survey of Protocol Definition and Verification Techniques

Carl A. Sunshine
The Rand Corporation, Santa Monica, California, USA

Techniques for definition and verification of computer network protocols have progressed significantly in the past two years, to the point where complex real-world protocols such as HDLC, X.25, and Cyclades TS can now be analyzed. This success is largely due to the combination of two apparently divergent approaches, state transitions and assertion proofs, and to the greater automation of the verification process. This paper summarizes and compares some of the more recent work in this field, emphasizing the common underlying principles of different techniques.

Keywords: Protocol specification, protocol definition, protocol verification, reliability, correctness, validation, formal modelling, assertion proof, state transition.

Carl Sunshine received a PhD in computer science from Stanford University in 1975, where he worked on analysis, design, and implementation of communication protocols for computer networks. Since 1975 he has been with the Rand Corporation, where he is involved in research on computer network protocols, network interconnection, network planning, and operating systems. Dr. Sunshine is active in IFIP TC6.1, the Internetwork Working Group.

1. Introduction

In an earlier survey of this area written some 18 months ago [18], the author was forced to conclude that the verification of communication protocols for computer networks was an "arcane art" with few successes. While this remains true for the computer communication community at large, several research groups have now succeeded in analyzing the correctness of sophisticated real-world protocols such as HDLC, X.25, and Cyclades TS, and in discovering errors that were unknown to the designers of these protocols. This paper was written as an introduction to a session on Protocol Definition and Verification at the Symposium on Computer Network Protocols, Liege, Belgium, February 1978. The five other papers of this session document much of the recent work in this area. Our main purpose is to identify the features of recent techniques that have allowed greater success, and to show that while successful techniques differ in many details, they also share some common features.

We first provide some background on the problem of protocol verification and earlier efforts, and then focus on more recent work. A final section compares several features of recent work, with some comments on their similarities. We regret the inevitable omissions and oversimplifications inherent in such a brief summary. A complete bibliography on the subject has been prepared by IFIP TC6.1 SG C, and appears elsewhere in the Proceedings of this Conference. References cited here were chosen for their easy availability and relevance.
2. Background

Protocol verification presupposes a clear definition of protocol performance goals, or the capabilities to be provided by the protocol to its users. Typical computer communication protocols perform both data transfer and control functions [16]. For data transfer, performance goals include avoiding loss, duplication, or damage of messages transmitted, and delivering them in the proper sequence. For control functions, reliability goals involve the proper initialization and synchronization of control information on both sides of a connection. The possibility of deadlock and the consequences of protocol failures (usually the result of system crashes) must also be considered in assessing protocol reliability. Liveness (eventual termination or "progress") is also an important concern.

Transmission medium characteristics provide another important input to the protocol verification task. Packet switching networks typically allow occasional loss, duplication, damage, or reordering of messages transmitted, with widely varying transmission delays, in contrast with the relatively simple failure modes of point-to-point lines.

The operation of a communication protocol can be modelled by two automata connected by a transmission medium (e.g., a data link or packet switching network). The automata receive commands or events from their respective users, and from each other via the transmission medium (which may introduce errors). Protocol verification consists of demonstrating constraints on the operation of the composite system which reflect the reliability performance goals.

Typically there are several layers of protocol on each side of the transmission medium. The protocols considered in this session fall mainly at the line control and transport protocol levels. Such protocols often perform an additional multiplexing function which allows their multiple users to share the transmission medium. A common step in protocol analysis is to focus on a single protocol layer and to remove the multiplexing function for separate treatment. A number of formalisms have been used to specify the remaining protocol, including flow charts, programming languages, state diagrams, state transition matrices, Petri nets, UCLA graphs, and prose.

1 This paper was presented at the Computer Network Protocols Symposium, held in Liege (Belgium) in February 1978 and organized by the University of Liege. The permission to reprint this paper is gratefully acknowledged. © North-Holland Publishing Company, Computer Networks 2 (1978) 346-350.
Protocol specifications must ultimately serve several purposes including definition, verification, simulation, analysis, implementation, and documentation of the algorithms involved [1,6]. We shall concentrate on verification aspects since that is emphasized by the papers of this session.
3. Earlier work

In our earlier survey [18], we noted that there were two main approaches to protocol verification: those based on some form of state description of each protocol machine followed by a reachability analysis, and those based on an algorithmic description of each protocol machine followed by assertion proofs. Postel [14] and Merlin [13] provide good examples of the former, while Stenning [16] and Bochmann [1] demonstrate the latter. Further references may be found in [18].

The state models were able to model control aspects of protocols well, but suffered from state explosion when realistic transmission media or large sequence number spaces were introduced. To alleviate this problem, a small number of "basic" states were defined, each augmented with "context" information or variables [7,20]. The state transition and output functions included procedures using these variables. This reduced the number of states, but it then became difficult to employ the analysis procedures applicable to the "pure" state models.

Assertion methods were more successful with data transfer aspects of protocols, since they could represent whole classes of sequence numbers in single symbolic assertions. But their application to the inherently state-oriented connection management features (opening, closing, resetting links) was more difficult.

Several major simulation efforts were also undertaken, with the results manually inspected for anomalous behavior. Although complete testing is normally impossible through simulation, some interesting errors were identified. The process of trying to rigorously specify the protocol in preparation for simulation also revealed incomplete or ambiguous elements of the protocol [6,12,17].
4. Current work

Recent work by several researchers has developed a synthesis of both approaches. Modelling the basic states of each protocol machine, followed by some form of reachability analysis, forms the basis for verifying control aspects and freedom from deadlocks or looping conditions. The states of both protocol machines and of the transmission medium together form a composite or global state, whose transitions can be explored. Data transfer features and more complex synchronization features are modelled by including additional context information in each protocol machine that keeps track of sequence numbers, timers, and other information that it is undesirable to reflect in the basic states. Assertions are developed about both the basic states and the values of context information that are attainable during operation of the composite system. These assertions may be checked with a combination of state reachability analysis, by running the composite FSA, and of logical proofs on the assertions involving context information. As noted by Bochmann [4], the amount of state information and context information can be traded off to some extent: more states with less context information require fewer proofs but generate larger state spaces to be explored, and vice versa.

The types of condition checked by the state analysis are deadlocks (composite states with no exits), looping or tempo blocking (cycles of states with no useful progress), completeness (all possible inputs handled), proper termination (correct final state), and in some cases liveness. Although some of these conditions are direct consequences of the graph structure of the composite state space, others require careful formulation of assertions to be checked (e.g. proper termination, or progress). Other performance goals such as proper delivery of all data messages, constraints on timing or sequence number usage, and flow control properties are checked by formulating and proving appropriate assertions.

Although the above discussion summarizes the common elements in current work, different researchers have approached this schema from different directions. The models used to specify the interacting machines still reflect a dichotomy between direct state representations such as state machines and Petri nets, and algorithmic or programming language specifications. Composite state analysis of the former is straightforward, while in the latter the stopping places (program counter) within each program serve as states in building the composite state graph. This involves interpretive or symbolic execution of the programs. The assertion proofs which must accompany state analysis appear more feasible with algorithmic specifications.

The difficult steps in protocol analysis are similar for all models. First the protocol must be modelled, then assertions must be developed for both the state reachability analysis and any additional proofs, and finally the composite state space must be generated and checked, and the proofs performed. Difficulties with assertions or proofs may require a change in the model (e.g. addition of variables to facilitate proofs, or reduction of states to reduce the state space), making the process cyclic.

Part of the increased success of recent efforts has involved the ability to automate some steps of this process, particularly the elaboration and checking of the composite state space. Hajek [10], West [15], Bochmann [2], and Brand [5] have developed programs which iteratively generate and check all reachable composite states from an initial start state of the system. Danthine [7] generates all paths (if any) leading to potential deadlock states.

Although this paper has emphasized the common elements of current approaches toward protocol verification, different researchers have developed a wide variety of useful techniques for the representation and analysis of the interactions between protocol machines. The details of these innovations must be left to the following papers. As a final point, Table 1 presents a comparison of different approaches to the major elements of protocol analysis discussed above.

Table 1. Comparison of protocol verification techniques. For each group of principal authors the table gives the modelling formalism, the analysis technique, the focus (control, data transfer, or both), the protocols analyzed, the conditions checked, the hard steps, and the additional work needed. Cells left empty in the original table are marked "(not given)".

Danthine, Bremer
  Modelling formalism: partitioned FSA (plus algorithms)
  Analysis technique: compatible paths
  Focus: control
  Protocols analyzed: Cyclades TS, EDF-GDF
  Conditions checked: deadlock
  Hard steps: define FSA
  Additional work needed: data transfer, looping, asymmetry

Brand, Joyner
  Modelling formalism: algorithms
  Analysis technique: symbolic execution, assertions
  Focus: data transfer
  Protocols analyzed: micro I/O, ARQ
  Conditions checked: deadlock, looping, data transfer
  Hard steps: define assertions
  Additional work needed: initialization, complex media, user commands

Rudin, West, Zafiropulo
  Modelling formalism: FSA
  Analysis technique: compatible paths, composite FSA
  Focus: control
  Protocols analyzed: X.21
  Conditions checked: deadlock, completeness
  Hard steps: define FSA, assertions
  Additional work needed: complex media, looping, data transfer

Bochmann
  Modelling formalism: FSA with variables, algorithms
  Analysis technique: composite FSA, assertions, adjoint states
  Focus: both
  Protocols analyzed: X.25, ARQ, HDLC
  Conditions checked: deadlock, looping, liveness
  Hard steps: define FSA, prove assertions
  Additional work needed: automation, complex media

Harangozo
  Modelling formalism: formal grammars
  Analysis technique: (not given)
  Focus: both
  Protocols analyzed: HDLC
  Conditions checked: (not given)
  Hard steps: define grammar
  Additional work needed: flow control, user commands, verification

Hajek
  Modelling formalism: algorithms
  Analysis technique: composite FSA
  Focus: both
  Protocols analyzed: ARQ, ARPA TCP
  Conditions checked: deadlock, looping, termination
  Hard steps: define algorithm, assertions
  Additional work needed: complex media, state explosion

Symons
  Modelling formalism: FSA augmented Petri nets
  Analysis technique: composite Petri net simulation
  Focus: both
  Protocols analyzed: ARQ, ARPA NCP
  Conditions checked: user provided
  Hard steps: define FSA, assertions
  Additional work needed: automation, assertions

Gouda
  Modelling formalism: FSA
  Analysis technique: composite FSA, compatible paths
  Focus: control
  Protocols analyzed: ARQ
  Conditions checked: deadlock, boundedness
  Hard steps: define FSA, form proof
  Additional work needed: complex media, protocols, automation
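The composite-state elaboration that Section 4 describes (generate every reachable global state from the initial state, then check each one for exits and for unhandled inputs) can be written in a few dozen lines. The following Python program is an added illustration, not code from this paper or from any of the systems it surveys. It models two Mealy-style protocol machines joined by two bounded channels, a lossy medium that may discard the message at the head of either channel, and an alternating-bit ARQ protocol as a stand-in for the ARQ protocols of Table 1; the state names, message names, channel bound and the three protocol variants are assumptions made for the example. Running it shows how loss of a message without retransmission yields a composite state with no exits (a deadlock), and how retransmission without duplicate handling yields a message at the head of a channel that the receiving machine's state does not specify a reception for (an incompleteness of the kind the state analysis checks).

```python
"""Global-state reachability analysis of two protocol machines joined by a
lossy medium: an added example in the spirit of the composite-FSA checkers
surveyed in Section 4, not code from the paper or the systems it cites."""
from collections import deque

CAP = 2  # channel capacity per direction (assumed); bounding it keeps the state space finite


def sender(retransmit):
    """Alternating-bit sender. d0/d1 carry the sequence bit; a0/a1 acknowledge it.
    A transition is (trigger, next_state, output): trigger "?m" receives message m,
    "tau" is an internal event (first send, or a timeout); output is sent or None."""
    m = {
        "s0": [("tau", "w0", "d0")],                        # initial transmission
        "w0": [("?a0", "w1", "d1"), ("?a1", "w0", None)],   # a1 here is a stale duplicate ack
        "w1": [("?a1", "w0", "d0"), ("?a0", "w1", None)],
    }
    if retransmit:                                          # timeout: resend the outstanding frame
        m["w0"].append(("tau", "w0", "d0"))
        m["w1"].append(("tau", "w1", "d1"))
    return m


def receiver(handle_dups):
    """Alternating-bit receiver; with handle_dups it re-acknowledges an out-of-sequence frame."""
    m = {"r0": [("?d0", "r1", "a0")], "r1": [("?d1", "r0", "a1")]}
    if handle_dups:
        m["r0"].append(("?d1", "r0", "a1"))
        m["r1"].append(("?d0", "r1", "a0"))
    return m


def steps(machine, state, inbound, outbound):
    """Enabled moves of one machine as (next_state, inbound', outbound'), plus a flag
    saying whether the message at the head of inbound is an unspecified reception."""
    moves = []
    head = inbound[0] if inbound else None
    for trig, nxt, out in machine[state]:
        if trig != "tau" and trig != "?" + str(head):
            continue                                        # not enabled in this state
        if out is not None and len(outbound) >= CAP:
            continue                                        # send blocked until the channel has room
        new_in = inbound if trig == "tau" else inbound[1:]
        new_out = outbound if out is None else outbound + (out,)
        moves.append((nxt, new_in, new_out))
    unspecified = head is not None and not any(t == "?" + head for t, _, _ in machine[state])
    return moves, unspecified


def explore(A, B, lossy=True, init=("s0", "r0")):
    """Breadth-first elaboration of the composite (global) state space.
    A global state is (state_A, state_B, channel_AB, channel_BA); channels are tuples."""
    start = (init[0], init[1], (), ())
    seen, queue = {start}, deque([start])
    deadlocks, unspecified = [], []
    while queue:
        g = queue.popleft()
        sa, sb, ab, ba = g
        moves_a, unspec_a = steps(A, sa, ba, ab)           # A reads BA, writes AB
        moves_b, unspec_b = steps(B, sb, ab, ba)           # B reads AB, writes BA
        succ = [(na, sb, nab, nba) for na, nba, nab in moves_a]
        succ += [(sa, nb, nab, nba) for nb, nab, nba in moves_b]
        if lossy:                                           # medium may lose the head of either channel
            if ab:
                succ.append((sa, sb, ab[1:], ba))
            if ba:
                succ.append((sa, sb, ab, ba[1:]))
        if unspec_a:
            unspecified.append(("sender", g))
        if unspec_b:
            unspecified.append(("receiver", g))
        if not succ:                                        # composite state with no exits
            deadlocks.append(g)
        for n in succ:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return {"states": len(seen), "deadlocks": deadlocks, "unspecified": unspecified}


if __name__ == "__main__":
    variants = [("alternating bit, lossy medium", sender(True), receiver(True)),
                ("no retransmission, lossy medium", sender(False), receiver(False)),
                ("no duplicate handling, lossy medium", sender(True), receiver(False))]
    for name, A, B in variants:
        r = explore(A, B)
        print(f"{name}: {r['states']} global states, {len(r['deadlocks'])} deadlocks, "
              f"{len(r['unspecified'])} unspecified receptions")
```

Two modelling choices deserve mention because they are exactly the kind of decision Section 4 says makes the process cyclic. A send into a full channel is treated as blocked rather than as an error, which keeps the composite state space finite at the cost of hiding overflow; and the medium is given only a loss transition, so the same sender and receiver without retransmission come out clean when run with lossy=False but deadlock as soon as loss is allowed, which is the point made in Section 2 that transmission medium characteristics are an input to the verification, not a detail of it.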
5. Conclusions

Analysis of the correctness of computer communication protocols has advanced significantly in the past two years, to the point where prototype systems now exist that can analyze sophisticated real-world protocols and find errors unknown to the protocol designers. The success of these techniques rests largely on a synthesis of state analysis and assertion proof techniques, and on the partial automation of the analysis process to make handling realistically complex protocols and transmission media feasible. Nevertheless, a great deal of work remains to be done in expanding these prototype systems to handle the full range of correctness questions and types of protocols, and in simplifying and clarifying the techniques to facilitate their wider use. The vast majority of communication protocols are still designed "by the seat of the pants," and at best rigorously analyzed afterwards. Verification must be integrated into the design and implementation process in order to obtain maximum benefit, and hopefully we may look forward to papers detailing complete design systems such as [8] in future conferences.
References

[1] G.V. Bochmann, Logical Verification and Implementation of Protocols, Proceedings of the Fourth Data Communications Symp., Quebec City, Canada, October 1975, pp. 7/15-20. (IEEE)
[2] G.V. Bochmann, Finite State Description of Communication Protocols, Comp. Networks 2 (1978) 361-372.
[3] G.V. Bochmann, R.J. Chung, A Formalized Specification of HDLC Classes of Procedures, Proc. National Telecommunications Conf., Los Angeles, December 1977, pp. 3A2/1-11. (IEEE)
[4] G.V. Bochmann, J. Gecsei, A Unified Method for the Specification and Verification of Protocols, Proc. of IFIP Congress, Toronto, Canada, August 1977, pp. 229-234.
[5] D. Brand and W.H. Joyner, Verification of Protocols Using Symbolic Execution, Comp. Networks 2 (1978) 351-360.
[6] A. Danthine, J. Bremer, An Axiomatic Description of the Transport Protocol of CYCLADES, Professional Conference on Computer Networks and Teleprocessing, Aachen, 1976, pp. 259-273. (Springer-Verlag)
[7] A. Danthine, J. Bremer, Modelling and Verification of End-to-End Transport Protocols, Comp. Networks 2 (1978) 381-395.
[8] D.I. Good, Constructing Verified and Reliable Communications Processing Systems, ACM SIGSOFT Software Engineering Notes 2, 5, October 1977, pp. 8-13.
[9] M.G. Gouda, E.G. Manning, On the Modelling, Analysis, and Design of Protocols: A Special Class of Software Structures, Proc. 2nd Int. Conf. on Software Engineering, October 1976, pp. 256-262.
[10] J. Hajek, Automatically Verified Data Transfer Protocols, Eindhoven University of Technology, Eindhoven, The Netherlands, November 1977.
[11] J. Harangozo, Protocol Definition with Formal Grammars, Proceedings of the Symposium on Computer Network Protocols, Liege, Belgium (Feb. 1978), A. Danthine, Ed.
[12] G. LeLann and H. Le Goff, Verification and Evaluation of Communication Protocols, Computer Networks 2 (1978) 50-69.
[13] P.M. Merlin, A Methodology for the Design and Implementation of Communication Protocols, IEEE Trans. Comm. COM-24, 6, June 1976, pp. 614-621.
[14] J.B. Postel, D. Farber, Graph Modeling of Computer Communications Protocols, Proc. 5th Texas Conf. on Computing Systems, Austin, Texas, October 1976, pp. 66-77.
[15] H. Rudin, C.H. West, and P. Zafiropulo, Automated Protocol Validation: One Chain of Development, Computer Networks 2 (1978) 373-380 (this issue).
[16] N.V. Stenning, A Data Transfer Protocol, Computer Networks 1 (1976) 99-110.
[17] R.J. Sundstrom, Formal Definition of IBM's System Network Architecture, Proc. National Telecommunications Conf., Los Angeles, California, December 1977. (IEEE)
[18] C.A. Sunshine, Survey of Communication Protocol Verification Techniques, Proc. Symp. Computer Networks, NBS, Gaithersburg, Maryland, November 1976, pp. 24-26. (IEEE)
[19] F.J.W. Symons, The Application of Numerical Petri Nets to the Analysis of Communication Protocols and Signalling Systems, Telecomm. Group Report 141, Dept. of EE, Univ. of Essex, England, May 1977.
[20] C.A. Sunshine and Y.K. Dalal, Connection Management in Transport Protocols, to be published in Computer Networks.