Docstoc

Sewell

Document Sample
Sewell Powered By Docstoc
					             Engineering with Logic:
  Taming Systems Monsters with Proof Assistants
                   2000–2007
                              Peter Sewell1
Adam Biltcliffe1    Steve Bishop1      Michael Dales2    Matthew Fairbairn1
   Sam Jansen2      Michael Norrish3    Scott Owens1      Gilles Peskine1
  Tom Ridge1      Susmit Sarkar1     Andrei Serjantov1    Michael Smith1
     Rok Strniˇa1
              s      Keith Wansbrough1       Francesco Zappa Nardelli4

                1                             2
                 University of Cambridge        Intel Research
               3                       4
                 NICTA, Canberra         INRIA Rocquencourt


         Types 2007, 2-5 May 2007, Cividale del Friuli (Udine), Italy
             Key Infrastructure: Articulation Points

                        Application Software
               ML, Java, C , ...       APIs for high-level communication




                  JVM, CLR         TCP, UDP, and Sockets


                                      IP

                x86, PPC, ARM         Ethernet (or SWIFT)
                          Hardware


• Rather stable abstractions, about which other software changes
• But complex — hard to work with accurately using informal tools
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                                     The Internet
                     Distributed
                     libraries and
                     applications
                                      ...   Distributed
                                            libraries and
                                            applications

                                                             Sockets API
                    TCP     UDP
                               ICMP
                                            TCP     UDP
                                                      ICMP

                          IP                   IP
                                                             Wire interface
                               msg
                    msg




                               IP network


IP: unreliable asynchronous small messages, routed to IP addresses
e.g. 128.34.1.14.
TCP: duplex byte streams, with retransmission, flow control, congestion
control, DoS protection, MTU estimation, etc. Between IP/Port pairs,
e.g. 128.34.1.14:80.
                                   What is TCP?
1: Defined by standards:
RFC793 TRANSMISSION CONTROL PROTOCOL, Sept. 1981
(and RFC 1122, 1323, 2414, 2581, 2582, 2988, 3522, 3782, ...)
             0                   1                   2                    3
             0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |           Source Port          |       Destination Port         |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                         Sequence Number                         |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                     Acknowledgment Number                       |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           | Data |             |U|A|P|R|S|F|                                |
           | Offset| Reserved |R|C|S|S|Y|I|               Window            |
           |        |           |G|K|H|T|N|N|                                |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |            Checksum            |          Urgent Pointer        |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                     Options                     |    Padding    |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           |                              data                               |
           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



and the behaviour of endpoints?
                      What is TCP, really ?
2: Defined by the common implementations: BSD, MS, Linux, ...
They differ in many ways, but mostly interop ok.
This de facto standard is ultimately the code:
 • C
 • around 15 000 lines in BSD
 • multi-threaded, time-dependent, entangled with OS
 • optimised for performance, tweaked over time
No clear relationship between code and RFCs.
                          Our Goals
Specific:
1. Characterise precisely this de facto standard — what the
   behaviour of (some of) the deployed implementations really
   is, especially the failure semantics.
General:
2. Understand how to deal rigorously with the behaviour of
   complex critical infrastructure, both post-hoc and at
   design-time.
                        Difficulties

• Ubiquitous implementations
• Nondeterminism
• Scale
• Rich properties
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                       What we’ve done
Take de facto standard seriously: pick 3 common impls
(FreeBSD 4.6–RELEASE, Linux 2.4.20–8, WinXP SP1).
Developed a post-hoc specification of the behaviour of TCP,
UDP, relevant parts of ICMP, and the Sockets API that is:
 • mathematically rigorous – in the HOL proof assistant
 • detailed and with broad coverage – many modelling choices
 • readable – careful structuring, much annotation
 • accurate – will come back to this
                                             The Specification
The main part of the spec is the host labelled transition system
          lbl
           →
(LTS) h − h modelling a single endpoint, at a segment level of
abstraction.

                                                  ...   Distributed
                                                        libraries and
                                                        applications
       tid·bind(fd, is 1 , ps 1 )         tid·v
                                                                            Sockets API
                           TCP       UDP                TCP        UDP
                                        ICMP                         ICMP

                                    IP                        IP
                                                                            Wire interface
      Host LTS spec
                                          msg
                         msg




                                         IP network




with internal (τ ) and time passage (dur ) transitions
              The Specification: Overall Structure

 • Preamble, defining types and auxiliaries
   (host states, TCP segments,...). 125pp.
 • Host transition rules:
    – Sockets API rules (148). 160pp.
    – Message processing rules (46). 75pp.
Somewhat shorter than the C code – but organised for clarity...
               The Specification: a Part of the Host State

– protocol-specific information for a TCP socket :
tcp socket
 = [ st : tcpstate;(* LISTEN, ESTABLISHED, TIME WAIT, etc.*)
     cb : tcpcb;(* the ‘TCP control block’, a 44-field record of timers, *)
                  (* sequence numbers, the reassembly segment queue, etc. *)
      lis : socket listen option; (* data for listening socket*)
      sndq : byte list;(* send queue *)
      sndurp : num option; (* send urgent pointer *)
      rcvq : byte list; (* receive queue *)
      rcvurp : num option; (* receive urgent pointer *)
      iobc : iobc(* out-of-band data and status *)
  ]
                  The Specification: A Simple Sample Rule
bind 5      rp all: fast fail Fail with EINVAL: the socket is already bound to
an address and does not support rebinding; or socket has been shutdown for
writing on FreeBSD

                         h [ts := ts ⊕ (tid → (Run)d )]
tid·bind(fd,is1 ,ps1 )
−−−−−−
−− − − − −→              h [ts := ts ⊕ (tid → (Ret(FAIL EINVAL)) sched   timer )]




fd ∈ dom(h.fds) ∧ fid = h.fds[fd ] ∧
h.files[fid ] = File(FT Socket(sid ), ff ) ∧
h.socks[sid ] = sock ∧
(sock .ps1 = ∗∨
(bsd arch h.arch ∧ sock .pr = TCP PROTO(tcp sock ) ∧ ...))
                        The Specification: A Less Simple Sample Rule
deliver in 1     tcp: network nonurgent
                 Passive open: receive SYN, send SYN,ACK                       (* socket is correctly specified (note BSD listen bug) *)                         (* record that this segment is being timed *)

    h [socks := socks ⊕ [(sid , sock )]; (* listening socket *)                ((is 2 = ∗ ∧ ps 2 = ∗) ∨                                                         (let t rttseg = ↑(ticks of h.ticks, cb.snd nxt) in
                                                                               (bsd arch h.arch ∧ is 2 = ↑ i2 ∧ ps 2 = ↑ p2 )) ∧
        iq := iq; (* input queue *)
                                                                               (case is 1 of ↑ i1 → i1 = i1 ∗ → T) ∧                                            (* choose initial sequence number *)
        oq := oq] (* output queue *)                                           ¬(i1 = i2 ∧ p1 = p2 ) ∧                                                          iss ∈ {n | T} ∧
τ
→
−
    h [socks := socks ⊕                                                        (* (elided: special handling for TIME WAIT state, 10 lines) *)                   (* acknowledge the incoming SYN *)
                                                                                                                                                                let ack = seq + 1 in
           (* listening socket *)
                                                                               (* place new socket on listen queue *)
          [(sid , Sock(↑ fid , sf , is 1 , ↑ p1 , is 2 , ps 2 , es, csm, crm,   accept incoming q0 lis T ∧                                                       (* update TCP control block parameters *)
            TCP Sock(LISTEN, cb, ↑ lis , [ ], ∗, [ ], ∗, NO OOB)));            (* (elided: if drop from q0, drop a random socket yielding q0’) *)               cb =
           (* new connecting socket *)                                         lis = lis [ q0 := sid :: q0 ] ∧                                                    cb [ tt keep := ↑((())slow timer TCPTV KEEP IDLE );
          (sid , Sock(∗, sf , ↑ i1 , ↑ p1 , ↑ i2 , ↑ p2 , ∗, csm, crm,                                                                                                 tt rexmt := start tt rexmt h.arch 0 F cb.t rttinf ;
                                                                               (* choose MSS and whether to advertise it or not *)                                     iss := iss; irs := seq;
            TCP Sock(SYN RCVD, cb , ∗, [ ], ∗, [ ], ∗, NO OOB)))];
                                                                               advmss ∈ {n | n ≥ 1 ∧ n ≤ (65535 − 40)} ∧                                               rcv wnd := rcv window ; tf rxwin0sent :=(rcv window =0);
        iq := iq ;                                                             advmss ∈ {∗; ↑ advmss} ∧                                                                rcv adv := ack + rcv window ; rcv nxt := ack ;
        oq := oq ]                                                                                                                                                     snd una := iss; snd max := iss + 1; snd nxt := iss + 1;
                                                                               (* choose whether this host wants timestamping; negotiate with other side *)            snd cwnd := snd cwnd ; rcv up := seq + 1;
(* check first segment matches desired pattern; unpack fields *)                 tf rcvd tstmp = is some ts ∧                                                            t maxseg := t maxseg ; tadvmss := advmss ;
dequeue iq(iq, iq , ↑(TCP seg)) ∧                                              (choose want tstmp :: {F; T}.                                                           rcv scale := rcv scale ; snd scale := snd scale ;
(∃win ws mss PSH URG FIN urp data ack .                                        tf doing tstmp = (tf rcvd tstmp ∧ want tstmp)) ∧                                        tf doing ws := tf doing ws ;
  seg =                                                                                                                                                                ts recent := case ts of
     [ is 1 := ↑ i2 ; is 2 := ↑ i1 ; ps 1 := ↑ p2 ; ps 2 := ↑ p1 ;             (* calculate buffer size and related parameters *)                                                        ∗ → cb.ts recent
                                                                                                                                                                                                                       TimeWindow
       seq := tcp seq flip sense(seq : tcp seq foreign);                        (rcvbufsize , sndbufsize , t maxseg , snd cwnd ) =                                                       ↑(ts val , ts ecr ) → (ts val )kern timer dtsinval ;
       ack := tcp seq flip sense(ack : tcp seq local);                          calculate buf sizes advmss mss ∗ (is localnet h.ifds i2 )                               last ack sent := ack ;
       URG := URG; ACK := F; PSH := PSH ;                                         (sf .n(SO RCVBUF))(sf .n(SO SNDBUF))                                                 t rttseg := t rttseg ;
       RST := F; SYN := T; FIN := FIN ;                                           tf doing tstmp h.arch ∧                                                              tf req tstmp := tf doing tstmp ;
       win := win ; ws := ws ; urp := urp; mss := mss ; ts := ts;              sf = sf [ n := funupd list sf .n[(SO RCVBUF, rcvbufsize );                              tf doing tstmp := tf doing tstmp
       data := data                                                                                             (SO SNDBUF, sndbufsize )]] ∧                         ])∧
    ] ∧
w2n win = win∧ (* type-cast from word to integer *)                            (* choose whether this host wants window scaling; negotiate with other side *)   (* generate outgoing segment *)
option map ord ws = ws ∧                                                       req ws ∈ {F; T} ∧                                                                choose seg :: make syn ack segment cb
option map w2n mss = mss) ∧                                                    tf doing ws = (req ws ∧ is some ws) ∧                                                               (i1 , i2 , p1 , p2 )(ticks of h.ticks).
                                                                               (if tf doing ws then
(* IP addresses are valid for one of our interfaces *)                            rcv scale ∈ {n | n ≥ 0 ∧ n ≤ TCP MAXWINSCALE} ∧                               (* attempt to enqueue segment; roll back specified fields on failure *)
i1 ∈ local ips h.ifds ∧                                                           snd scale = option case 0 I ws                                                enqueue or fail T h.arch h.rttab h.ifds[TCP seg ]oq
¬(is broadormulticast h.ifds i1 ) ∧ ¬(is broadormulticast h.ifds i2 ) ∧         else                                                                              (cb
                                                                                  rcv scale = 0 ∧ snd scale = 0) ∧                                                   [ snd nxt := iss;
(* sockets distinct; segment matches this socket; unpack fields of socket *)                                                                                            snd max := iss;
sid ∈ (dom(socks)) ∧ sid ∈ (dom(socks)) ∧ sid = sid ∧
     /                           /                                             (* choose initial window *)                                                             t maxseg := t maxseg ;
tcp socket best match socks(sid , sock )seg h.arch ∧                           rcv window ∈ {n | n ≥ 0 ∧                                                               last ack sent := tcp seq foreign 0w;
sock = Sock(↑ fid , sf , is 1 , ↑ p1 , is 2 , ps 2 , es, csm, crm,                                 n ≤ TCP MAXWIN ∧                                                     rcv adv := tcp seq foreign 0w
           TCP Sock(LISTEN, cb, ↑ lis, [ ], ∗, [ ], ∗, NO OOB)) ∧                                 n ≤ sf .n(SO RCVBUF)} ∧                                           ] )cb (cb , oq )
The TCP state diagram – as per Stevens
                                                              starting point
                                                                CLOSED



                                         appl: passive open
                                           send: <nothing>




                                                                                       ap sen
                                                                                         pl
 timeout




                                                                                           : a : SY
                                                                                              cti
    send: RST                                                   LISTEN
                                                       CK




                                                                                                 d
                                                                                                  ve N
                                                 A             passive open
                                              N,




                                                                                                    op
                                                                                   ap
                                           Y




                                                                                                       en
                                         :S                                           pl
                                    nd                                             se : se
                                 se               ST                                 nd nd
                            ;                                                           :S d
                           N                 :R                                           YN ata
                        SY           rec
                                         v
                     v:
                 rec
                                                               recv: SYN                                                    appl: close
       SYN_RCVD                                                                                             SYN_SENT
                                                            send: SYN, ACK                                                  or timeout
                                                            simultaneous open                               active open
                                se rec                                                        CK
                                  nd v                                                     ,A
                                    :< :A                                               Y N CK
                                      no CK                                           :S :A
                                        th                                          cv d
                                           in
                                              g>                                  re sen

       appl: close                                                                  recv: FIN
                                                            ESTABLISHED                                 CLOSE_WAIT
       send: FIN                                                                   send: ACK
                                                            data transfer state
                                           e
                                        os
                                         :   cl
                                            IN                                                              appl: close
                                      pl :F                                                                 send: FIN
                                   ap nd
                                     se
                                                            simultaneous close
                         recv: FIN                                                                                           recv: ACK
      FIN_WAIT_1                                               CLOSING                                      LAST_ACK
                       send: ACK                                                                                          send: <nothing>
                        re
                          cv                                                                            passive close
                       se : FIN
        recv: ACK         nd                                   recv: ACK
       send: <nothing>       :A ,A                            send: <nothing>
                               CK CK


                                   recv: FIN
      FIN_WAIT_2                                              TIME_WAIT
                                  send: ACK
                                                             2MSL timeout
                                    active close

                               normal transitions for client
                               normal transitions for server
                appl:          state transitions taken when application issues operation
                recv:          state transitions taken when segment received
                send:          what is sent for this transition



                                                   TCP state transition diagram.




                                   Reprinted from TCP/IP Illustrated, Volume 2: The Implementation
                                            by Gary R. Wright and W. Richard Stevens,
                                  The TCP state diagram – a slightly better approximation
                                                                                                                                                                                                                                                                                                                                                           close_8
                                                                                                                                                                                                                                                                                                                                                           close())
                                                                                                                                                                                                                                                                                                                                                            recv:
                                                                                                                                                                                                                                                                                                                                                            send:




                                                                                                                                                                                                                                                                                          shutdown_1

                                                                                                                                                                                                                                                           LISTEN                                                                                                            NONEXIST
                                                                                                                                                                                                                                                                                                            deliver_in_1b          deliver_in_7b
                                                                                                                                                                                                                                                                                          shutdown()
                                                                                                                                                                                                                                                                                                                recv: r               recv: R
                                                                                                                                                                                                                                                                                             recv:
                                                                                                                                                                                                                                                                                                              send: Rs                 send:
                                                                                                                                                                                                                                                                                            send:
                                                                                                                                                                                                                                                                                                          bad recv segment




                                                                                                                                                                                                                                                                                   close_7                                                                                                      close_7                       close_8
                                                                                                                                                                                                                                                                                                                                                              deliver_in_1
                                                                                                                                                                                                                                                                                   close()                                                                                                      close()                       close()
                                                                                                                                                                                                                                                                                                                                                                recv: arS
                                                                                                                                                                                                                                                                                    recv:                                                                                                        recv:                         recv:
                                                                                                                                                                                                                                                                                                                                                               send: ArSf
                                                                                                                                                                                                                                                                                    send:                                                                                                        send:                         send:
                                                                                                                                                                                                                                                                                                                                                there is another socket in state LISTEN
                                                                                                                                                                                                                                                                                                                                                                                                            states on the incomplete connection queue




                                                                                                                                                                                                                                                                                                                deliver_in_2
                                                                                                                                                                                                                                                                                                                  recv: arS
                                                                                                                                                                                                                                                                                                                 send: ArSf




                                                                                                                                                                                                                                                                                                                                   close_8

                                                                                                                                     SYN_SENT                                                                                                                                                                                                                                     SYN_RECEIVED
                                                                                                                                                                         connect_4         deliver_in_2a       deliver_in_7c       deliver_out_1   deliver_out_1    timer_tt_rexmtsyn_1                                                                                                                                                          deliver_in_3c              deliver_in_8     deliver_out_1     deliver_out_1       timer_tt_rexmt_1
                                                                                                                                                                                                                                                                                                                                    close()
                                                                                                                                                                           recv:               recv: r            recv: R              recv:           recv:                recv:                                                                                                                                                                   recv: A                   recv: rS           recv:             recv:                 recv:
                                                                                                                                                                                                                                                                                                                                     recv:
                                                                                                                                                                           send:             send: Rs              send:             send: rsf       send: rsF           send: arSf                                                                                                                                                                send: Rs                  send: ARs         send: rsf         send: rsF            send: ArSf
                                                                                                                                                                                                                                                                                                                                  send: ARs
                                                                                                                                                                                         bad recv segment                                                                                                                                                                                                                                  stupid ack, or LAND DoS
                                                                                                                                                                                                                                                                                                                  states on the complete connection queue




                                                                                                                                                                                     deliver_in_2                                                                                                                                                                             deliver_in_3
                                                                                                                                                                                      recv: ArS                                                                                                                                                                                 recv: rf
                                                                                                                                                                                      send: Ars                                                                                                                                                                               send: di3out




                                                                                                                                                                                                ESTABLISHED
                                                                                                                            deliver_in_2       deliver_in_2             deliver_in_3                                                                deliver_in_3    deliver_in_8     deliver_out_1     timer_tt_rexmt_1         timer_tt_persist_1      timer_tt_keep_1     timer_tt_delack_1                    deliver_in_2              deliver_in_3
                                                                                                                             recv: ArS           recv: arS                recv: rF                                                                    recv: rf        recv: rS           recv:               recv:                    recv:                  recv:                recv:                           recv: ArS                  recv: rf
                                                                                                                             send: Ars          send: ArSf              send: di3out                                                                send: di3out     send: ARs         send: rsf          send: arSf               send: TODO              send: Arsf          send: TODO                         send: Ars                send: di3out
                                                                                                                                                                                                                                                                                                                                      TODO                   TODO                 TODO




listenclose_7   socket_1
 listenclose()   socket()
  recv:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          recv:      recv:
  sendsend:     send:




                                                                                                                                                                                                                                                                                                                                                                                                                            connect_1
                                                                                                       deliver_in_2                                                           deliver_in_3                 deliver_in_2                                        deliver_out_1                                                                                                                                                                                 deliver_in_3
                                                                                                                                                                                                                                                                                                                                                                                                                            connect())
                                                                                                        recv: ArS                                                               recv: rF                    recv: ArS                                              recv:                                                                                                                                                                                       recv: rf
                                                                                                                                                                                                                                                                                                                                                                                                                              recv:
                                                                                                        send: Ars                                                             send: di3out                  send: Ars                                            send: rsF                                                                                                                                                                                   send: di3out
                                                                                                                                                                                                                                                                                                                                                                                                                            send: arSf




            connect_1
                         timer_tt_conn_est_1   connect_4    deliver_in_7d    timer_tt_rexmtsyn_1                                                                                                                                                                                                                                                                                                                            deliver_in_3                                                                                                                                                     timer_tt_rexmt_1   deliver_in_7a
            connect())
                                 recv:           recv:        recv: AR               recv:                                                                                                                                                                                                                                                                                                                                    recv: rF                                                                                                                                                             recv:           recv: R
              recv:
                              send: ARs          send:          send:               send:                                                                                                                                                                                                                                                                                                                                   send: di3out                                                                                                                                                          send:             send:
            send: arSf
                                TODO                       except on WinXP




                                                                                                     CLOSE_WAIT                                                                                                                                     FIN_WAIT_1                                                                                                                                                                                     CLOSING
                                                                                                                                                     deliver_in_3    deliver_in_3      deliver_in_8   deliver_out_1                                                                             deliver_in_3      deliver_in_8       deliver_out_1      deliver_out_1     timer_tt_rexmt_1                                                                                                  deliver_in_3     deliver_in_3      deliver_in_8    deliver_out_1   deliver_out_1   timer_tt_rexmt_1
                                                                                                                                                       recv: rf        recv: rF          recv: rS         recv:                                                                                   recv: rf          recv: rS             recv:              recv:               recv:                                                                                                         recv: rf         recv: rF          recv: rS          recv:           recv:             recv:
                                                                                                                                                     send: di3out    send: di3out       send: ARs       send: rsf                                                                               send: di3out       send: ARs           send: rsf          send: rsF          send: arSf                                                                                                     send: di3out     send: di3out       send: ARs        send: rsf       send: rsF        send: arSf




                                                                                                                                                                                                                                                                                                                                                                                                            close_3
                                                                                                                                                                                                                    deliver_in_7        timer_tt_rexmt_1                                                                                                                               timer_tt_2msl_1
                                                                                                                                                                                                                                                                                                                                                                                                             close()
                                                                                                                                                                                                                      recv: R                 recv:                                                                                                                                         recv:
                                                                                                                                                                                                                                                                                                                                                                                                              recv:
                                                                                                                                                                                                                       send:                 send:                                                                                                                                          send:
                                                                                                                                                                                                                                                                                                                                                                                                           send: ARs
                                                                                                                                                                                                                                                                                                                                                                                            TODO




                                                                                                   deliver_out_1                                                                                                                                                                                                               deliver_in_3                                 deliver_in_3                                           deliver_in_3           deliver_in_3
                                                                                                       recv:                                                                                                                                                                                                                     recv: rf                                     recv: rF                                               recv: rf               recv: rF
                                                                                                     send: rsF                                                                                                                                                                                                                 send: di3out                                 send: di3out                                           send: di3out           send: di3out




                                                                                                                                                                                              close_3                                                                                                                                                    close_3                                                                                                                                                             close_3
                                                                                                                                                                                                                deliver_in_7                          deliver_in_3b        deliver_in_7        timer_tt_rexmt_1                                                                        deliver_in_3                                                                                                                                              deliver_in_3b        deliver_in_7      timer_tt_rexmt_1
                                                                                                                                                                                               close()                                                                                                                                                    close()                                                                                                                                                             close()
                                                                                                                                                                                                                  recv: R                                recv: rs            recv: R                 recv:                                                                               recv: rF                                                                                                                                                   recv: rs            recv: R               recv:
                                                                                                                                                                                                recv:                                                                                                                                                      recv:                                                                                                                                                               recv:
                                                                                                                                                                                                                   send:                                send: Rs              send:                 send:                                                                              send: di3out                                                                                                                                                send: Rs              send:               send:
                                                                                                                                                                                             send: ARs                                                                                                                                                  send: ARs                                                                                                                                                           send: ARs
                                                                                                                                                                                                                                                   process gone away                                                                                                                                                                                                                                                                          process gone away




                                                                              LAST_ACK                                                                                                                                                                                 FIN_WAIT_2                                                                                                                             TIME_WAIT
                                                                                                                      deliver_in_3   deliver_in_8   deliver_out_1    deliver_out_1      timer_tt_rexmt_1                                                                                                              deliver_in_3       deliver_in_8     deliver_out_1                                                                                     deliver_in_3     deliver_in_3      deliver_in_7c        deliver_in_9         deliver_out_1
                                                                                                                        recv: rf       recv: rS         recv:            recv:                recv:                                                                                                                     recv: rf           recv: rS           recv:                                                                                           recv: rf         recv: rF           recv: R               recv: rS             recv:
                                                                                                                      send: di3out    send: ARs       send: rsf        send: rsF           send: arSf                                                                                                                 send: di3out        send: ARs         send: rsf                                                                                       send: di3out     send: di3out          send:               send: Rs            send: rsf
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 no listening socket




                                                                                                                             close_3                                                                                                                                                                                                                         close_3                                                        close_3                 connect_1
                                                                                              timer_tt_rexmt_1                                 deliver_in_3            deliver_in_3b                  deliver_in_7                                                     deliver_in_3b          deliver_in_7              timer_tt_fin_wait_2_1                                                        deliver_in_3b                                                                deliver_in_1
                                                                                                                              close()                                                                                                                                                                                                                         close()                                                        close()                 connect()
                                                                                                    recv:                                        recv: rF                 recv: rs                      recv: R                                                           recv: rs              recv: R                         recv:                                                                   recv: rs                                                                    recv: arS
                                                                                                                               recv:                                                                                                                                                                                                                           recv:                                                          recv:                    recv:
                                                                                                   send:                                       send: di3out              send: Rs                        send:                                                           send: Rs                send:                          send:                                                                  send: Rs                                                                    send: ArSf
                                                                                                                            send: ARs                                                                                                                                                                                                                       send: ARs                                                      send: ARs                  send:
                                                                                                                                                                    process gone away                                                                               process gone away                                           TODO                                                              process gone away                                                           segments for new conn
                                                                                                                                                                                                                                                                                                                                                                                                                                              if the enqueue failed




                                                                                                                                                                                                                                                                                                             connect_1

                                                                                                                                                                                                                                                                   CLOSED
                                                                                                                                                                                                                                                                                                                                       deliver_in_6
                                                                                                                                                                                                                                                                                                              connect()
                                                                                                                                                                                                                                                                                                                                   recv: unconstrained
                                                                                                                                                                                                                                                                                                                recv:
                                                                                                                                                                                                                                                                                                                                          send:
                                                                                                                                                                                                                                                                                                               send:
                                                                                                                                                                                                                                                                                                       if the enqueue failed
                      Language Idioms

• much relational ‘programming’ (specification)
• relational monad, where state changes must be explicit
• time
• framing
• atomicity
                      Experimental Semantics
Q: How could we ever have confidence such a thing does describe
the behaviour of the impls?
A: experimental (forensic?) semantics:
1. write draft spec
2. generate 3000+ implementation traces on a small network
3. test that those implementation traces are allowed by the spec,
   using a special-purpose symbolic model checker, within HOL
4. goto 1
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                Trace generation infrastructure

                          autotest


                          tthee


                          libd
                          ocamllib

                          nssock

merger   holtcpcb-v8
                         TCP          ICMP UDP



                                 IP
                slurp                            injector
                  The Model-Checking Problem
Given:
 • an initial host h0
 • an experimentally-observed trace l1 . . . ln
   (of Socket API and wire-interface events, and time passage)
                                                       l
 • the spec (a HOL definition of the transition relation →)

decide whether exists h such that in the spec
          l1      l2         ln
   h0     →      →...       →h
                     The Model-Checking Problem
Given:
 • an initial host h0
 • an experimentally-observed trace l1 . . . ln
   (of Socket API and wire-interface events, and time passage)
                                                       l
 • the spec (a HOL definition of the transition relation →)

decide whether exists h such that in the spec
         τ ∗ l1   τ ∗ l2    τ ∗ ln
   h0 → → → → . . . → → h
Nondeterminism: Loose Constraints and Symbolic Model Checking
Some parts of a host state may be only loosely constrained by a
rule, e.g. after a particular connect 1 transition we know:
advmss <= 65495
1024 <= n <= 5000
case ws of NONE -> T || SOME v1 ->        v1 <= TCP_MAXWINSCALE

Instead of proving ground transitions
        l1              l2                             ln
     h0 → h1         h1 → h2        ...         hn−1 → hn

we have to maintain a symbolic state, finding theorems
         l1                    l2                               ln
Γ0    h0 → h1    Γ0 ∧ Γ 1    h1 → h2      ...   ∧n−1
                                                 i=0   Γi   hn−1 → hn

where the Γi are HOL formulae constraining the host states.
As sets of constraints evolve, they are repeatedly tested for
satisfiability (otherwise we’ve found a dead-end in the tree).
Satisfiability checking uses simplification, theorems for datatypes,
decision procedures for Presburger over R and N, extensions for
mod-32 arithmetic,...
New constraints come from the action of new rules, in
conjunction with data in labels. For example, choice of socket
fds on Windows is non-deterministic, and the fd variable is
unconstrained initially. But when return label is seen, exact value
for that fd is known.
                     Nondeterminism – Branching
More than one rule might be applicable (often a visible-label and
a τ rule). Use backtracking search:
                                      3
                                  2
                 τ                           The X indicates a state
        1                                    from which no τ or 3
                                      3
                          X           τ
                                             transition is possible.
h0                2
                              τ              Backtracking is required
        1
                                             from such a state.
                     2
                              3




Split also on big disjunctive constraints.
            Model translation – general and ad-hoc
Not all mathematical idioms suit symbolic execution



But (nonetheless) we write the spec in the clearest mathematical
idiom we can – then prove (in HOL) equivalent formulations that
work better in the tool:
 • some are one-offs
 • some are mechanical translations with wide applicability
   (prenexing, handling non-injective pattern forms)
                          Correctness
This is not a complete decision algorithm (HOL!).
But we prove machine-checked theorems for each transition, so
(per LCF) soundness depends only on the small HOL kernel and
type soundness of the underlying ML implementation.
                     Checking Infrastructure
Checking is computationally intensive, but each trace is
independent – so distribute over workstations and server rack
(50 hours on 100 processors per TCP run).
Tools for visualising the results
(HTML interface, automatic typesetting,...)
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                         Does it work?

UDP: 2526 of 2603 traces succeed (97.04%)
(BSD, Linux, and WinXP).

TCP: 1004 of 1095 traces succeed (91.7%)
(BSD – other OSs partially modelled, but deferred for now)

Numbers only meaningful if coverage good. Of 194 rules:
142 covered, 32 resource limit, 20 not tested or not succeeded.
                       Did we find bugs?
Not really the point.
But: Spec OS-dependent on 260 lines, and 30 anomalies, e.g.
 • urgent pointer not updated in fastpath (so after 2GB, won’t
   work for 2GB)
                         Goals, revisited

1. “Characterise precisely this de facto standard.”
Done (though not perfect, and overly BSD-specific)
2. “Understand how to deal rigorously with the behaviour of
   complex critical infrastructure”
 • specification idioms let us describe a complex system clearly
   and rigorously
 • automated testing established reasonable confidence that it
   and the impls match (though the tools were bespoke)
It scales.
                       Scale and Expertise
UDP (2000–2001): 2 man-years over 10 months (4 people)
    (TACS’01, ESOP’02, SIGOPS EW’02)
TCP (2002–2005): 7 man-years over 30 months (6 people)
    (SIGCOMM’05, POPL’06)
Result is 350 pages typeset (cf code size).
Not that much. Contrast with the accumulated user investment
in protocol and sockets API...
Expertise with HOL not a problem for specifiers (days only).
Taste and good idioms more important. Expertise is required for
developing symbolic evaluator.
That was a segment-level spec.
(what a protocol implementation should do)
In progress: a more abstract stream-level spec.
(what an application can rely on from the API)
— with a defined (and tested!) abstraction relation
Closer to being able to state correctness properties.




But what about new protocols? Turn to design-time work...
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                      Optical networks

• Optical networks for high-capacity end-to-end data paths.
• Optically switched networks remove the need to process data
  on the network electronically, leading to much greater
  performance.
                       SWIFT network
• Developed by Dales et al. at Intel Research.
• Real hardware (FPGAs), Semiconductor optical amplifiers,
  Wavelength division multiplexing, Wavelength striping,
  TCP/IP.
       SWIFT network

Host                            Host




           Arbiter/
           Switch




Host                            Host

        Data path (end to end light path via switch)
        Control path between host and arbiter
        SWIFT protocol messages

                   Device
                                  H2D RECV(data)
D2H SEND(mac, data)
                                  H2D WEDGED
D2H INVALIDATE MY MAC
                                  H2D I AM(mac option)

                                      H2S DATA(data)


                      Host               Channel         Switch
                                      S2H DATA(data)




                                                              A Fabric(fabric state)
                        Channel
H2A DATA REQUEST(mac)              A2H DATA GRANT(mac)
H2A PONG(pingid)                   A2H PING(pingid)
H2A MAC REQUEST                    A2H MAC GRANT(mac)
H2A WHO IS MASTER                  A2H MASTER IS(mac)




                   Arbiter
RFC-style protocol specification

               Discuss
               during
  RFC-style    design
                         Implementation
    spec




  ?
                         Test end result

 Ad-hoc test
   harness
              Our approach to SWIFT
                            Discuss                ns2
                            during              VHDL
           Formal           design
                                        Implementation
            spec




Proof and                                            Instrument and run
code extraction                                      on test cases


                         Check traces
                         with oracle
           Verified
                                            Traces
        testing oracle
                      Implementations

• Two implementations by two different authors.
• VHDL implementation c. 8600 lines, realised as FPGAs in the
  test network
• NS-2 implementation c. 5000 lines
• (compared to 650 lines for HOL specification)
• Implementations instrumented to produce traces of events.
            Example VHDL/NS2 trace (HOL format)

–:
example trace = [N Dur(10 ∗ USEC),
N A2CA(n2w 0, A2H PING(n2w 901), 84 ∗ NSEC),
N Dur(10 ∗ USEC),
N A2CA(n2w 0, A2H PING(n2w 902), 84 ∗ NSEC),
N Dur(85 ∗ NSEC),
N CA2H(n2w 0, A2H PING(n2w 902)),
N H2CA(n2w 0, H2A PONG(n2w 902), 84 ∗ NSEC),
N H2CA(n2w 0, H2A MAC REQUEST, 84 ∗ NSEC),
N Dur(85 ∗ NSEC),
N CA2A(n2w 0, H2A PONG(n2w 902)),
N Dur(80 ∗ NSEC),
N CA2A(n2w 0, H2A MAC REQUEST),
N A2CA(n2w 0, A2H MAC GRANT(n2w 50), 84 ∗ NSEC)]
                   Experimental validation

• Aim: check implementation traces directly against spec.
• How: use proof and then HOL code extraction to produce an
  ML testing oracle directly from the spec which can be used to
  check traces.
• Reasonably quick (about a week) to extract a provably
  correct testing oracle from the specification, but does require
  HOL expertise.
• Changes to the spec quickly (few hours) incorporated into
  oracle.
• Oracle validates 18 properties of a trace. Workload
  distributed over network of machines.
                            Results
• Process extremely lightweight, requiring little effort beyond
  that of an informal spec.
• Network experts don’t need to be HOL experts (they can read
  the spec easily enough)
• Errors discovered both during spec writing and testing, in
  implementations, specification, and logging machinery.
• e.g. a subtle timing error in the host logic was found which
  meant that hosts reissued requests slightly earlier than was
  legal according to the specification.
• Eventually all 18 properties shown to hold for all 574 traces
  observed of implementations.
• Usual caveat that effectiveness of testing relies on good
Correctness proofs? (both SWIFT and TCP)


Takeup of methods in systems community?
   Computer science lacks . . . a sound, rigorous design
   methodology. . .
   — Wei Zhao, ICNP (Int. Conf. on Network Protocols)’06
   Keynote speech
          Engineering with Logic

TCP (post-hoc protocol specification)
     Part 1: The Problem
     Part 2: Our Specification
     Part 3: Checking Technology
     Part 4: Results
SWIFT (design-time protocol specification)
Ott (programming language semantics)
                                   Problem
Semantic definitions of programming languages are:
(a) vitally necessary (just as for key protocols)
(b) (i) rather easy, for a little calculus (e.g. untyped λ)
   (ii) for a full-scale programming language, rather tricky.
        Almost no full-scale languages have complete definitions, still!


        Standard ML (1990)
        Java? C ? Haskell? OCaml?
Why? Partly because the metalanguages we have for writing semantics make
it much harder than necessary.
For protocols, HOL was nicely expressive. But for programming languages:


Strachey, Proc. 1st IFIP Working Conference, Formal Language Description
Languages (1964):
        A programming language is a rather large body of new and
     somewhat arbitrary mathematical notation introduced in the hope
     of making the problem of controlling computing machines somewhat
     simpler.


(my emphasis)
                         Available metalanguages
Option 1: LTEX, the (usual) metalanguage of choice for informal maths
          A

 √
    production-quality typesetting


but, at this scale (100s of pages or 10 000 lines of definition):
 × syntactic overhead of LTEX markup — prohibitive obfuscation
                         A


 × no automatic checking of sanity properties
 × no support for conformance checking
 × informal proof is unreliable and hard to maintain


(we tried this for Acute — an 80 page defn — with rudimentary tool support)
             Standard practice, circa 2005   (185 \{} )

\begin{lemma}[Inversion -- expressions]
~\\ \vspace*{-3ex}
\begin{enumerate}[1.]
\item If $\Actx{\AntConSet_0}{\Gamma}
           \vdash_\updVar \Lrecord{\Llabel{l}_1=e_1,\dots,\Llabe
           : \Atype{\Lrecord{\Llabel{l}_1:\tau_1,\dots,\Llabel{l
       then
    $\exists \tau_1’,\ldots,\tau_n’,\AntConSet_1’,\dots,\AntConS
    $\forall i \in 1..n$ we have $\Gamma \vdash \tau_i’ <: \tau_
    $\Actx{\AntConSet_{i-1}’}{\Gamma}
    \vdash_\updVar e_i
    : \Atype{\tau_i’}{\AntConSet_i’}$
\item If $\Actx{\AntConSet_0}{\Gamma} \vdash_\updVar e_1 \; e_2
      then $\exists \tau_2’, \AntConSet_1,\AntConSet_2,\hat{\Ant
      $\Actx{\AntConSet_0}{\Gamma} \vdash_\updVar e_1 : \Atype{\
                         Available metalanguages
Option 1: LTEX, the (usual) metalanguage of choice for informal maths
          A

 √
    production-quality typesetting


but, at this scale (100s of pages or 10 000 lines of definition):
 × syntactic overhead of LTEX markup — prohibitive obfuscation
                         A


 × no automatic checking of sanity properties
 × no support for conformance checking
 × informal proof is unreliable and hard to maintain


(we tried this for Acute — an 80 page defn — with rudimentary tool support)
                       Available metalanguages
Option 2: Coq/HOL/Isabelle/Twelf/..., for formal mathematics.
 √
    automatic checking of sanity properties, and of proofs
but
 × limited typesetting (maintain both in sync?)
 × syntactic noise (hard to read & edit the sources)
 × nontrivial encodings (subgrammars, binding, limited inductive defns,...)
 × steep learning curves
 × community partition
Both make it hard to re-use definitions, or compose from fragments.
                              Our Solution
A metalanguage specifically designed for writing semantic definitions, and a
tool, ott that:
 • takes an ASCII definition of a language syntax and semantics,
   supporting good concise notation — close to what we would write in
   informal mathematics;
 • compiles it into LTEX, Coq, HOL, and Isabelle/HOL versions of the
                    A

   definition, and OCaml boilerplate code (a Twelf backend is under
   development);
 • builds a parser and pretty-printer (into L/C/H/I) for symbolic and
   concrete terms of the defined language.
 • supports an expressive (but still simple and intuitive) language for
   specifying binding structures.
             A typical example rule, from Not-so-mini-Caml
What you get:

 E    e 1 : t1   ...   E     e n : tn
 E    field name1 : t → t1          ...   E   field namen : t → tn
 t = ( t1 , ... , tl ) typeconstr name
 E    typeconstr name            typeconstr name : kind { field name1 ; ... ; field namem }
 field name1 ... field namen PERMUTES field name1 ... field namem
 length ( e1 ) ... ( en ) ≥ 1
                  E        { field name1 = e1 ; ... ; field namen = en } : t

and Coq, HOL, and Isabelle/HOL rules.
                 A typical example rule, from Not-so-mini-Caml
What you write:
• context free productions for language, metalanguage, and judgement syntax
• rules, just:

 E |- e1 : t1 ... E |- en : tn
 E |- field name1 : t->t1 ... E |- field namen : t->tn
 t = (t1’, ..., tl’) typeconstr name
 E |- typeconstr name gives typeconstr name:kind {field name1’; ...; field name
 field name1...field namen PERMUTES field name1’...field namem’
 length (e1)...(en)>=1
 -------------------------------------------------------------------------
 E |- {field name1=e1; ...; field namen=en} : t
                                            Examples
System                         rules LTEX
                                     A        Coq         HOL                Isabelle
                                         defn mt        defn       mt      defn     mt
                                       √    √              √                  √
untyped CBV lambda (Fig. ??)      3
                                       √      √     √     √          √         √         √
simply typed CBV lambda           6
                                       √      √           √                    √
ML polymorphism                 22
                                       √      √     √     √          √         √         √
TAPL full simple                63
                                       √
POPLmark F<: with records       48
                                       √                  √
Leroy JFP96 module system       67
                                       √      √     √
RG-Sep language                 22
                                       √                                       √        √2
Mini-Ott-in-Ott                 55
                                       √                                       √
LJ: Lightweight Java            34                                                  (3)
                                       √                                       √
LJAM: Java Module System       140
                                       √      √           √         √1         √
OCaml fragment                 271
      1   one hand-proved lemma remaining to mechanize.        2   hand proofs.    3    in progress.
                          The End
                Engineering with Logic
            TCP (post-hoc protocol specification)
                  Part 1: The Problem
                  Part 2: Our Specification
                  Part 3: Checking Technology
                  Part 4: Results
            SWIFT (design-time protocol specification)
            Ott (programming language semantics)


Specs and papers available online:
     http://www.cl.cam.ac.uk/users/pes20/Netsem
     http://www.cl.cam.ac.uk/users/pes20/ott
                  The Specification: Host State Type
host = [ arch : arch; (* OS version *)
         privs : bool; (* whether process has privilege *)
         ifds : ifid → ifd; (* network interfaces *)
         rttab : routing table; (* routing table *)
         ts : tid → hostThreadState timed; (* host view of each thread state *)
         files : fid → file; (* open file descriptions *)
         socks : sid → socket;(* sockets *)
         listen : sid list; (* list of listening sockets *)
         bound : sid list; (* bound sockets in order *)
         iq : msg list timed;(* input queue *)
         oq : msg list timed;(* output queue *)
         bndlm : bandlim state; (* bandlimiting *)
         ticks : ticker; (* kernel timer *)
          fds : fd → fid (* process file descriptors *)]
                                                            lbl
                                                  →
         The Specification: Sample rules defining h − h
(roughly 148 for Sockets, 46 for message processing)

 accept 1    Return new connection; either immediately or from a blocked
             state.
 accept 2    Block waiting for connection
 accept 3    Fail with EAGAIN: no pending connections and non-blocking
             semantics set
 accept 4    Fail with ECONNABORTED: the listening socket has
             cantsndmore set or has become CLOSED. Returns either im-
             mediately or from a blocked state.
 accept 5    Fail with EINVAL: socket not in LISTEN state
 accept 6    Fail with EMFILE: out of file descriptors
 accept 7    Fail with EOPNOTSUPP or EINVAL: accept() called on a
             UDP socket
                    Rules used for sample checked trace
                Rules                                          Observed labels in trace (omitting time passage data and thread ids)
                                                  s connect(FD 8, IP 192 168 0 14, SOME(Port 3333))
                            −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−




                                                                                                                                  −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
                             −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−




                                                                                                                                   −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
              connect 1
               epsilon 1
                                              s− −
                                                                   TCP 26 34140288:0 (0
                                                                                           :0) UAPRSF
          deliver out 99                      −−−                  192.168.0.12
                                                                                :3333→192.1
                                                                  win=57344 w                  68.0.14:3333
                                                                                 s=0   urp=0 mss=
               epsilon 1                                          ts=57264169
                                                                                7
                                                                                                    1460                −−−−−−
                                                                                                                         −−−−−−     →
                                                                                  ,0 len=0
                                                                                                                                      s
                                                                                                                          PRSF
                                                                                                             289 (0:1) UA                   −
                                                                                                 823:2634140               win=5792
           deliver in 99                                                            TCP 260964                68.0.12:3333
                                                                                                 :3333→192.1               72641697
                                                  −−−−−−−
                                                  −−−−−−−                           192.168.0.14               =78216088,5
                                                          −
                                                          →                                       mss=1460 ts
 epsilon 1 ; deliver in 2                                                           ws=0 urp=0
                                              s− −
                                                                   TCP 263414 len=0
                                                                                0289:260964
          deliver out 99                                                                      824 (1:1) UA
                                              −−−                  192.168.0 .12:3333→19                    PRSF
                                                                  win=57920 w              2.168.0.14:33
                                                                                                         33
                                                                                 s=* urp=   0 mss=*
   connect 2 ; epsilon 1                                          ts= 572641697,7                                       −−−−−−
                                                                                                                         −−−−−−     →
                                                                                    8216088 len=
                                                  s OK()
                                                                                                   0
                return 1
               epsilon 1
                 send 1                           s send(FD 8, NONE, ”Hello!”, [])
epsilon 1 ; deliver out 1
                                                                  TCP 263414
                                                                             0289:2
                            Did we find bugs?
Not really the point. But: Spec OS-dependent on 260 lines; 30 anomalies:
 1. urgent pointer not updated in fastpath (so after 2GB, won’t work for
    2GB)
 2. incorrect RTT estimate after repeated retransmission timeouts
 3. TCPSHAVERCVDFIN wrong — so can SIGURG a closed connection
 4. initial retransmit timer miscalculation
 5. simultaneous open responds with ACK instead of SYN,ACK
 6. receive window updated even for bad segment
 7. shutdown state changes in pre-established states
 8. (Linux) UDP connect with wildcard port
 9. (Linux) sending options in a SYN,ACK that were not received in SYN
                   How the spec can be used
In different ways by different communities:
1. as reference documentation (right now)
2. for high-quality automated conformance testing of other
   protocol stacks (with more work);
3. for describing proposed changes to the protocols; and
4. as a basis for proof about executable descriptions of higher
   layers.
               On the design of new protocols
• design for test: protocol specifications should be written so
  that implementations can be tested directly against them.
• exposing internal nondeterminism would simplify testing
• specifying may reveal conceptual (un)clarity
• nail down the abstraction relation between the real system
  and the spec
• specify the API behaviour in addition to the wire behaviour
• modularise the spec (to ease future changes). NB: spec
  modularity does not have to force the same decomposition on
  the implementations
• design for refinement of the spec to an executable prototype

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:1
posted:10/25/2012
language:English
pages:64