Validating Formal Descriptions of TCP/IP - PowerPoint PPT Presentation


  1. Validating Formal Descriptions of TCP/IP
     Michael Norrish
     Michael.Norrish@nicta.com.au
     NICTA
     September 2007

  2. Background
     • This is joint work with Peter Sewell, Keith Wansbrough, Tom Ridge, Steve Bishop, Andrei Serjantov, Michael Fairbairn and Michael Smith (all at University of Cambridge).
     • Project began in 2001(?), with work on UDP by Sewell, Serjantov and Wansbrough.
     • UDP is a simple protocol, but work on a detailed semantics became overwhelming for pen-and-paper techniques.
     • I joined the project to see if mechanical support might be helpful (hence the choice of HOL4...)

  3. Work on UDP
     • The mechanised semantics for UDP was not too large: I proved a simple safety property in HOL.
     • By hand, we also proved
       • a timing property
       • correctness properties for a heart-beat program built using the sockets interface to UDP
     • Next step was clear: move to TCP.

  4. Outline
     1 Introduction
       Beginning a TCP Specification
     2 The Segment Level Specification
       Use of HOL
     3 Specification Validation
       As a Theorem Proving Problem
     4 The High Level Specification
     5 Conclusion

  5. Motivation
     TCP is critical Internet infrastructure. Time spent specifying it is time well-spent:
     • Users of the API know what to expect
     • Future implementors have a better idea of what they have to do
     • It can be studied mathematically, not just empirically.

     "...implementing TCP correctly is very difficult" (Vern Paxson, SIGCOMM'97)

     To which we add: using TCP and the Sockets API correctly is also difficult.

  6. Networking: The TCP/IP Protocols
     [Figure: the protocol stack, with the sockets interface (C) on top of TCP, ICMP and UDP, all of which sit on IP.]
     • IP (Internet Protocol): unreliable asynchronous small messages, delivered to IP addresses such as 128.34.1.14.
     • UDP (User Datagram Protocol): as above, but delivered to IP address/port pairs.
     • TCP (Transmission Control Protocol): duplex streams, with retransmission, flow control, congestion control, etc. Messages between IP/port pairs.

  7. Networking: The Sockets API
     The Sockets API gives programmers levers with which to control the various internet protocols:
     • Expression in C is ghastly (ntohs, struct inaddr * ...)
     • Even stripped of C-isms, there are a plethora of confusing entry-points (bind, listen, accept, connect, close, socket, dupfd...)
     • Specified in POSIX and the various implementations (including Windows)

  8. Post Hoc Specification
     We cannot tell the world's TCP and OS implementors what to do.
     Our specification must reflect not only the existing "specifications":
     • RFCs, POSIX, ...
     but also current practice, as enshrined in representative implementations: Windows, BSD and Linux.

  9. Writing a Huge Specification
     This project was a test of theoretical machinery:
     • An operational semantics with almost 200 reduction rules (no recursion though)
     • Handling of non-determinism
       • timing: modelling the interleaving of asynchronous and synchronous system calls, as well as packet arrival and dispatch
       • choices of values: under-specified behaviours cause semantic states to take on constrained values for attributes
     • Quantified time: TCP is full of timed quantities, and counters representing the passage of time.

  10. Writing a Huge Specification
     In addition to "inherent complexities", we contended with 20–30 years of haphazard code evolution, resulting in
     • the warped sockets API;
     • specifications allowing a great deal of implementation latitude;
     • numerous ugly corner cases.

  11. Specification: Where to Cut?
     [Figure: two hosts, each a stack of Global Application, Dist. Libraries, Prog. Language, Sockets API, TCP/ICMP/UDP and IP, joined by the IP network. The question is at which of these layers to cut the specification.]

  12. Specification: Where to Cut?
     [Figure: a single host h, cut at two interfaces. Above it, the Sockets API: system calls such as tid·bind(fd, is′1, ps′1) go in, and returns tid·v come out. Below it, the wire interface: msg in and msg out. Between the two sit TCP, ICMP and UDP over IP.]
     The specification describes the evolution of hosts, which are involved in six sorts of behaviours:
     • system calls in;
     • syscall returns out;
     • messages in;
     • messages out;
     • time elapsing;
     • internal/unobservable state-changes.
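The host-as-transition-system view on this slide, as an added executable sketch; this is not Netsem code and not the HOL specification, which is a relation between hosts labelled with the six kinds of behaviour and has several hundred rules. Here a tiny slice of a host (a socket doing a passive open and answering a SYN) is written as a Python successor function `step(h, lbl)` over labels of those six kinds. Returning a set of successors rather than one state is how under-specified choices (here, the initial send sequence number) are expressed, and because the state space is finite an exhaustive search can then check a safety property over every reachable host. The state fields, the `ISS_CHOICES` and `SYN_TIMEOUT` values and the environment labels in `ENV` are all assumptions made for this example.

```python
"""Toy host as a labelled transition system, in the style of slide 12 (added example, not Netsem code)."""
from collections import deque
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Seg:
    """Only the tcpSegment fields this toy needs (ports, seq/ack, SYN/ACK flags)."""
    src: int
    dst: int
    seq: int
    ack: int
    SYN: bool = False
    ACK: bool = False


@dataclass(frozen=True)
class Host:
    st: str = "CLOSED"                       # CLOSED, LISTEN, SYN_RCVD, ESTABLISHED
    port: Optional[int] = None               # locally bound port
    iss: int = 0                             # initial send sequence number (host's choice)
    irs: int = 0                             # initial receive sequence number (peer's)
    rets: Tuple[Tuple[int, int], ...] = ()   # syscall returns not yet delivered: (tid, value)
    outq: Tuple[Seg, ...] = ()               # segments chosen but not yet put on the wire
    clock: int = 0                           # coarse model time


ISS_CHOICES = (0, 1000, 4242)  # assumption: the under-specified ISS is one of these
SYN_TIMEOUT = 3                # assumption: a half-open connection is abandoned after this long


def step(h: Host, lbl: tuple) -> FrozenSet[Host]:
    """Successors of h under label lbl; the empty set means no rule applies."""
    kind = lbl[0]
    if kind == "call":                                   # 1. system call in
        _, tid, name, arg = lbl
        if name == "bind" and h.st == "CLOSED" and h.port is None:
            return frozenset({replace(h, port=arg, rets=h.rets + ((tid, 0),))})
        if name == "listen" and h.st == "CLOSED" and h.port is not None:
            return frozenset({replace(h, st="LISTEN", rets=h.rets + ((tid, 0),))})
    elif kind == "ret":                                  # 2. syscall return out
        if h.rets and h.rets[0] == lbl[1:]:
            return frozenset({replace(h, rets=h.rets[1:])})
    elif kind == "recv":                                 # 3. message in
        s = lbl[1]
        if h.st == "LISTEN" and s.dst == h.port and s.SYN and not s.ACK:
            # Non-determinism: one successor per allowed ISS, each queuing its own SYN/ACK.
            return frozenset(
                replace(h, st="SYN_RCVD", irs=s.seq, iss=iss,
                        outq=h.outq + (Seg(h.port, s.src, iss, s.seq + 1, SYN=True, ACK=True),))
                for iss in ISS_CHOICES)
        if h.st == "SYN_RCVD" and s.dst == h.port and s.ACK and not s.SYN and s.ack == h.iss + 1:
            return frozenset({replace(h, st="ESTABLISHED")})
    elif kind == "send":                                 # 4. message out
        if h.outq and h.outq[0] == lbl[1]:
            return frozenset({replace(h, outq=h.outq[1:])})
    elif kind == "time":                                 # 5. time elapsing (bounded, to keep the space finite)
        if h.clock + lbl[1] <= SYN_TIMEOUT:
            return frozenset({replace(h, clock=h.clock + lbl[1])})
    elif kind == "tau":                                  # 6. internal, unobservable state change
        if h.st == "SYN_RCVD" and h.clock >= SYN_TIMEOUT:
            return frozenset({replace(h, st="LISTEN", iss=0, irs=0, outq=())})
    return frozenset()


# Constructed environment: what the application and the network may offer the host.
SYN_IN = Seg(src=5555, dst=80, seq=100, ack=0, SYN=True)
ENV = [("call", 1, "bind", 80), ("call", 1, "listen", None), ("ret", 1, 0),
       ("recv", SYN_IN), ("time", 1), ("tau",)] + \
      [("recv", Seg(5555, 80, 101, iss + 1, ACK=True)) for iss in ISS_CHOICES]


def labels(h: Host) -> Iterator[tuple]:
    yield from ENV
    if h.outq:                      # the host may emit the head of its queue
        yield ("send", h.outq[0])


def reachable(h0: Host) -> FrozenSet[Host]:
    """Breadth-first exploration of every host reachable from h0."""
    seen, todo = {h0}, deque([h0])
    while todo:
        h = todo.popleft()
        for lbl in labels(h):
            for h2 in step(h, lbl):
                if h2 not in seen:
                    seen.add(h2)
                    todo.append(h2)
    return frozenset(seen)


def invariant(h: Host) -> bool:
    """Safety property: emitted segments come from the bound port, and a connection
    is only established on a bound port with an ISS the model was allowed to choose."""
    return (all(s.src == h.port for s in h.outq)
            and (h.st == "CLOSED" or h.port is not None)
            and (h.st != "ESTABLISHED" or h.iss in ISS_CHOICES))


def check() -> dict:
    R = reachable(Host())
    return {"states": len(R),
            "all_safe": all(invariant(h) for h in R),
            "established_reachable": any(h.st == "ESTABLISHED" for h in R),
            "iss_choices_seen": len({h.iss for h in R if h.st == "SYN_RCVD"})}


if __name__ == "__main__":
    print(check())
```

The point of `step` returning a set is the same as in the HOL rules: a trace observed from a real implementation is accepted if some sequence of choices makes it fit, and a safety property has to hold on every branch, not on the one an implementation happened to take.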

  13. Specification Language
     The specification is written in higher-order logic.
     Expressive:
     • Supports natural, mathematical idiom
     • Rich types (lists, sets, finite-maps, N, R)
     • + user defined types (records, algebraic types)
     • Captures non-determinism and under-specification easily
     Clear:
     • Has well-defined semantics
     • Easy to write (non-expert CS people picked it up in a week or so)

  14–15. The Segment Level Specification
     Our segment level specification (the "low level spec") describes
     • the "on the wire" behaviour of hosts: the packets they emit
     • what programmers using the sockets API can expect
     • the internal (hidden) state of hosts supporting the above
     We have
     • validated the specification against real implementations
     • found bugs in the implementations

  16. Important Types: Segments
     tcpSegment = <|
       is1 : ip option;          (* source IP *)
       is2 : ip option;          (* destination IP *)
       ps1 : port option;        (* source port *)
       ps2 : port option;        (* destination port *)
       seq : tcp_seq_local;      (* sequence number *)
       URG, ACK : bool;
       PSH, RST : bool;
       SYN, FIN : bool;
       win : word16;             (* window size (unsigned) *)
       mss : word16 option;      (* maximum segment size *)
       ...
     |>
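A decoder from wire bytes into the record above, as an added example; it is not part of the Netsem specification or tooling. It unpacks the RFC 793 header layout into a Python record with the same field names as the HOL record, walks the option list to pick out the MSS option, and rejects the malformed headers a careful host has to reject (short buffer, data offset below 20 bytes or past the end of the segment, truncated or zero-length options). The IP addresses are not in the TCP header, so `parse_tcp` takes them as parameters; the representation of wire port 0 as `None` (mirroring `port option`) and the sample SYN are assumptions of this example.

```python
"""Decode a TCP header into a tcpSegment-shaped record (added example, not Netsem code)."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TcpSegment:
    is1: Optional[str]   # source IP, None when unspecified (the HOL 'ip option')
    is2: Optional[str]   # destination IP
    ps1: Optional[int]   # source port; wire port 0 is represented as None (assumption)
    ps2: Optional[int]   # destination port
    seq: int             # sequence number
    ack: int             # acknowledgment number
    URG: bool
    ACK: bool
    PSH: bool
    RST: bool
    SYN: bool
    FIN: bool
    win: int             # window size, unsigned 16-bit
    mss: Optional[int]   # maximum segment size option, if present
    data: bytes          # payload after the header


class BadSegment(ValueError):
    """Raised for headers that cannot be a well-formed TCP segment."""


def parse_tcp(payload: bytes, is1: Optional[str] = None, is2: Optional[str] = None) -> TcpSegment:
    if len(payload) < 20:
        raise BadSegment("TCP header shorter than 20 bytes")
    ps1, ps2, seq, ack, off_flags, win, _cksum, _urgptr = struct.unpack("!HHIIHHHH", payload[:20])
    data_off = (off_flags >> 12) * 4            # header length in bytes, from the 4-bit data offset
    if data_off < 20 or data_off > len(payload):
        raise BadSegment(f"data offset {data_off} outside [20, {len(payload)}]")
    flags = off_flags & 0x3F

    mss = None
    opts = payload[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise BadSegment("option kind without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise BadSegment(f"option {kind} has bad length {length}")
        if kind == 2:                           # Maximum Segment Size
            if length != 4:
                raise BadSegment("MSS option must be 4 bytes")
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length                             # unknown options are skipped by length

    return TcpSegment(is1, is2, ps1 or None, ps2 or None, seq, ack,
                      URG=bool(flags & 0x20), ACK=bool(flags & 0x10), PSH=bool(flags & 0x08),
                      RST=bool(flags & 0x04), SYN=bool(flags & 0x02), FIN=bool(flags & 0x01),
                      win=win, mss=mss, data=payload[data_off:])


def well_formed(payload: bytes) -> bool:
    """True if parse_tcp accepts the bytes, False if it raises BadSegment."""
    try:
        parse_tcp(payload)
        return True
    except BadSegment:
        return False


def build_sample_syn() -> bytes:
    """Constructed sample: SYN from port 40000 to 80, seq 0x01020304, window 65535, MSS 1460."""
    opts = bytes([2, 4]) + struct.pack("!H", 1460)     # kind 2, length 4, MSS value
    off_flags = (6 << 12) | 0x02                       # 24-byte header (6 words), SYN set
    return struct.pack("!HHIIHHHH", 40000, 80, 0x01020304, 0, off_flags, 65535, 0, 0) + opts


def build_bad_offset() -> bytes:
    """Constructed sample: same header but with data offset 3 words (12 bytes), which is illegal."""
    off_flags = (3 << 12) | 0x02
    return struct.pack("!HHIIHHHH", 40000, 80, 0x01020304, 0, off_flags, 65535, 0, 0)


if __name__ == "__main__":
    print(parse_tcp(build_sample_syn(), "10.0.0.1", "10.0.0.2"))
    print(well_formed(build_bad_offset()))
```

A host-side specification has to say what happens on each of the rejected inputs too; the `BadSegment` branches mark exactly the places where an implementation's behaviour is observable on the wire and therefore needs a rule.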
