ABSTRACT
Network protocols are hard to implement correctly. Despite the existence of RFCs and other standards, implementations often have subtle differences and bugs. One reason for this is that the specifications are typically informal, and hence inevitably contain ambiguities. Conformance testing against such specifications is challenging.

In this paper we present a practical technique for rigorous protocol specification that supports specification-based testing. We have applied it to TCP, UDP, and the Sockets API, developing a detailed 'post-hoc' specification that accurately reflects the behaviour of several existing implementations (FreeBSD 4.6, Linux 2.4.20-8, and Windows XP SP1). The development process uncovered a number of differences between and infelicities in these implementations.

Our experience shows for the first time that rigorous specification is feasible for protocols as complex as TCP. We argue that the technique is also applicable 'pre-hoc', in the design phase of new protocols. We discuss how such a design-for-test approach should influence protocol development, leading to protocol specifications that are both unambiguous and clear, and to high-quality implementations that can be tested directly against those specifications.
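The core of specification-based testing as described above is to treat the specification as a nondeterministic transition system and ask whether each observed implementation trace (socket calls plus segments on the wire) is admitted by it. The following is an added illustration of that idea, not code from the paper or from its HOL specification: a toy checker over a constructed fragment of TCP connection establishment. The RFC 793 state names (CLOSED, LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED) are real; the intermediate "pending" states, the exact rule set and the sample traces are constructed for this example. The point it makes is the practical one: because a post-hoc specification must allow every valid implementation behaviour (here, a listener may legitimately drop a SYN), the checker has to track a set of possible specification states rather than a single one, and it can only report a violation once no branch can explain the observed event.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Event = Tuple[str, str]   # (kind, detail): ("call", "listen"), ("recv", "SYN"), ("send", "ACK")
State = str

# Constructed specification fragment for connection establishment. Each state maps to
# a list of (event, next_state) rules. The same event may appear in several rules for
# one state; that is deliberate nondeterminism, e.g. a listener may either accept a SYN
# or silently drop it, and a conforming implementation may do either.
SPEC: Dict[State, List[Tuple[Event, State]]] = {
    "CLOSED": [
        (("call", "connect"), "SYN_SENT_PENDING"),
        (("call", "listen"), "LISTEN"),
    ],
    # active open: the SYN must actually be emitted before anything can be received
    "SYN_SENT_PENDING": [(("send", "SYN"), "SYN_SENT")],
    "SYN_SENT": [
        (("recv", "SYN+ACK"), "SYN_SENT_ACKED"),
        (("recv", "RST"), "CLOSED"),
    ],
    "SYN_SENT_ACKED": [(("send", "ACK"), "ESTABLISHED")],
    # passive open
    "LISTEN": [
        (("recv", "SYN"), "SYN_RCVD_PENDING"),   # accept the SYN ...
        (("recv", "SYN"), "LISTEN"),             # ... or drop it (both admitted)
        (("recv", "ACK"), "LISTEN_RST_PENDING"), # stray ACK in LISTEN is answered with RST
    ],
    "LISTEN_RST_PENDING": [(("send", "RST"), "LISTEN")],
    "SYN_RCVD_PENDING": [(("send", "SYN+ACK"), "SYN_RCVD")],
    "SYN_RCVD": [
        (("recv", "ACK"), "ESTABLISHED"),
        (("recv", "RST"), "LISTEN"),
    ],
    "ESTABLISHED": [],
}


def check_trace(trace: List[Event], spec: Dict[State, List[Tuple[Event, State]]] = SPEC,
                start: State = "CLOSED") -> Tuple[bool, Optional[int], FrozenSet[State]]:
    """Check an observed trace against the specification.

    Returns (accepted, index_of_first_unexplained_event, spec_states).  On acceptance the
    index is None and spec_states is the set of states the spec may be in after the trace;
    on rejection spec_states is the set of states from which the offending event had no rule,
    which is exactly the diagnostic a tester wants when an implementation deviates.
    """
    states: FrozenSet[State] = frozenset([start])
    for i, ev in enumerate(trace):
        nxt = frozenset(s2 for s in states for (e, s2) in spec[s] if e == ev)
        if not nxt:
            return False, i, states
        states = nxt
    return True, None, states


# Constructed sample traces (not captured from any real implementation).
GOOD_PASSIVE: List[Event] = [("call", "listen"), ("recv", "SYN"), ("send", "SYN+ACK"), ("recv", "ACK")]
GOOD_ACTIVE: List[Event] = [("call", "connect"), ("send", "SYN"), ("recv", "SYN+ACK"), ("send", "ACK")]
# Deviant: the host never sent SYN+ACK yet behaves as if the handshake completed.  Note the
# checker cannot reject at index 2: the spec still allows "the SYN was dropped, the ACK is
# stray and a RST is owed".  Only the ACK sent at index 3 is unexplainable.
BAD_PASSIVE: List[Event] = [("call", "listen"), ("recv", "SYN"), ("recv", "ACK"), ("send", "ACK")]


def run_examples() -> Dict[str, Tuple[bool, Optional[int], FrozenSet[State]]]:
    """Run the three constructed traces through the checker and return the verdicts."""
    return {
        "good_passive": check_trace(GOOD_PASSIVE),
        "good_active": check_trace(GOOD_ACTIVE),
        "bad_passive": check_trace(BAD_PASSIVE),
    }


if __name__ == "__main__":
    for name, (ok, idx, sts) in run_examples().items():
        verdict = "conforms" if ok else f"deviates at event {idx}, spec states were {sorted(sts)}"
        print(f"{name}: {verdict}")
```

A real specification of this kind is vastly larger (timers, sequence numbers, options, the full Sockets API and host-specific behaviour), and traces are checked by symbolic evaluation rather than by enumerating explicit states; but the shape of the question is the same, and the nondeterminism visible in the toy is what makes a single-state checker give false alarms against correct implementations.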