On using SMT-solvers for Modeling and Verifying Dynamic Network Emulators by Petersen, Erick et al.
arXiv:2009.10051v2 [cs.SE] 13 Oct 2020
On using SMT-solvers for Modeling and Verifying
Dynamic Network Emulators
(Work in Progress)
Erick Petersen1,2, Jorge López1, Natalia Kushik2, Claude Poletti1, and Djamal Zeghlache2
1 Airbus Defence and Space, Élancourt, France
2 Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France
Abstract—A novel model-based approach to verify dynamic networks is proposed; the approach consists in formally describing the network topology and dynamic link parameters. A many sorted first order logic formula is constructed to check the model with respect to a set of properties. The network consistency is verified using an SMT-solver, and the formula is used for the run-time network verification when a given static network instance is implemented. The z3 solver is used for this purpose and corresponding preliminary experiments showcase the expressiveness and current limitations of the proposed approach.

Index Terms—Network emulator, Modeling, Verification, Many sorted first order logic formula, SMT-solver
I. INTRODUCTION
As dynamic networks progress rapidly, novel solutions emerge. Testing and evaluating network components in a well emulated environment [1] is necessary to reduce risks and save time at the final deployment. We focus on dynamic networks whose parameters change, e.g., the bandwidth and delay of wireless links may change due to external interference. Depending on the desired network to emulate, the link parameters vary according to properties that are to be respected by the emulators (e.g., large delays on distant objects).

This paper is devoted to the problem of adequate emulation of such networks. We propose to rely on model checking and run-time verification techniques that, under certain assumptions, allow checking that the emulator is adequate for a given context and is designed correctly. The novelty of the proposed approach for the emulator design and verification relies on the use of Many Sorted First Order Logic (MSFOL) for describing the dynamic network characteristics. The latter allows one to automatically validate whether the network description is consistent and, after the network is implemented, to verify at run-time that it behaves as requested. Both tasks can be effectively implemented through the use of a Satisfiability Modulo Theories (SMT) solver. Note that existing network simulators and emulators (e.g., [2]) provide a solid background; however, the authors are not aware of any works related to model-based dynamic network verification. We also note that the network description for a network emulator is another challenging issue. Existing solutions can provide convenient interfaces [3] for network description or allow specific scenario files (e.g., [4]). However, such descriptions remain rather informal and do not facilitate further verification.

We propose to utilize a formal network description that contains both the properties of the network topology and various network parameters. As mentioned before, such a description is provided in terms of an MSFOL formula to be verified by an SMT-solver; in this paper, the z3 solver [5] is used. Preliminary experiments showcase the flexibility provided by this approach. Likewise, we explore the performance for large network instances and discuss the current limitations of the formal verification for dynamic networks.
II. MODELING NETWORKS USING MSFOL
Dynamic networks. A static network is a computer network where each link has a set of parameters that do not change, for example bandwidth (capacity) or delay. Differently from static networks, the parameters of the links may change in dynamic networks (in the scope of our current work, we assume the network topology does not change); such a change can be the consequence of the physical medium (e.g., in wireless / radio frequency networks) or due to logical changes (e.g., rate limiting the capacity of a given link). Static networks can be modeled as (directed) weighted graphs $(V, E, p_1, \ldots, p_k)$, where $V$ is a set of nodes, $E \subseteq V \times V$ is a set of directed edges, and $p_i$ is a link parameter function $p_i : E \to \mathbb{N}$, for $i \in \{1, \ldots, k\}$; without loss of generality, we assume that the parameter functions map to non-negative integers (denoted by $\mathbb{N}$) or that related values can be encoded with them. Similarly, dynamic networks can be modeled as such graphs; however, $p_i$ maps an edge to a non-empty set of integer values, i.e., $p_i : E \to 2^{\mathbb{N}} \setminus \emptyset$, where $2^{\mathbb{N}}$ denotes the power-set of $\mathbb{N}$. As an example, consider the dynamic network depicted in Fig. 1, and its model $N = (V, E, p_1(e), p_2(e))$, where:

$V = \{1, 2, 3, 4\}$

$E = \{(1, 2), (2, 1), (1, 3), (3, 1), (1, 4), (4, 1), (2, 4), (4, 2), (3, 4), (4, 3)\}$

$p_1(e) = b((s, d)) = \begin{cases} \{4, 5, 6\}, & \text{if } d = 2 \\ \{2, 3, 4\}, & \text{otherwise} \end{cases}$

$p_2(e) = d((s, d)) = \begin{cases} \{1, 2\}, & \text{if } d = 2 \\ \{9, 10\}, & \text{otherwise.} \end{cases}$

Semantically, this model represents a dynamic network in which the link's available bandwidth can vary according to the function $b$ (for bandwidth), and the link's delay can vary according to the function $d$ (for delay). Note that a dynamic network snapshot, at a given time instance, is a static network, and thus, we use both terms interchangeably.
Fig. 1. Example dynamic network: nodes 1, 2, 3 and 4 connected by the links of $E$; the links whose destination is node 2 are labeled $b(e) = \{4, 5, 6\}$, $d(e) = \{1, 2\}$, and all other links are labeled $b(e) = \{2, 3, 4\}$, $d(e) = \{9, 10\}$.

Satisfiability Modulo Theories (SMT). SMT is concerned with the satisfiability of formulas with respect to some background theory [6]. SMT usually works with a typed version of first order logic, particularly MSFOL. The syntax for MSFOL formulas is standard (see [6]); however, in our work, we use $x : \sigma$ to indicate that $x$ is of sort (type) $\sigma$ (e.g., in quantified formulas $\forall x : \sigma\ \varphi$). We write $f : \sigma_1 \times \sigma_2 \times \ldots \times \sigma_n \to \sigma$ to declare that $f$ is a function whose arguments are of sorts $\sigma_1, \ldots, \sigma_n$ and whose result is of sort $\sigma$.
Modeling dynamic networks using MSFOL formulas. It is desirable that our model uses sorts of theories which are available in SMT solvers and ideally those which are decidable. For that reason, (finite) sets are encoded as objects of array sort (denoted $A$), e.g., the set $V = \{1, 2, 3, 4\}$ is encoded as

$\varphi_V = (V : A_{\mathbb{Z},\mathbb{Z}}) \wedge (V[1] = 1) \wedge (V[2] = 2) \wedge (V[3] = 3) \wedge (V[4] = 4) \wedge (|V| = 4)$.

For convenience, we specify that the sort of $V$ is an array whose indices and values are integers; likewise, we also include the cardinality of $V$. Directed edges are nothing more than records (tuples with sorts), particularly, pairs of integers. Thus, following our encoding,

$\varphi_E = (E : A_{\mathbb{Z},\mathbb{Z} \times \mathbb{Z}}) \wedge (E[1] = (1, 2)) \wedge \ldots \wedge (E[10] = (4, 3)) \wedge (|E| = 10)$.

In order to model the bandwidth of an edge ($b(e)$) and the delay of an edge ($d(e)$) according to the given functions, we use the formula

$\varphi_p = (b : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}) \wedge (d : \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}) \wedge \forall x : \mathbb{Z}\ \big(((x \geq 1) \wedge (x \leq |E|)) \Rightarrow (((\mathit{dst}(E[x]) = 2) \Rightarrow ((b(E[x]) \geq 4) \wedge (b(E[x]) \leq 6) \wedge (d(E[x]) \geq 1) \wedge (d(E[x]) \leq 2))) \wedge ((\mathit{dst}(E[x]) \neq 2) \Rightarrow ((b(E[x]) \geq 2) \wedge (b(E[x]) \leq 4) \wedge (d(E[x]) \geq 9) \wedge (d(E[x]) \leq 10))))\big)$.

The complete model is the conjunction of the three previous formulas, i.e., $\varphi_N = \varphi_V \wedge \varphi_E \wedge \varphi_p$. This simple example showcases very little of the flexibility provided by describing dynamic networks as MSFOL formulas; however, very complex models can be described with such a formalism.
III. MODEL CHECKING & RUN-TIME VERIFICATION FOR DYNAMIC NETWORK EMULATORS
Model checking. Once the model of a dynamic network is built, a set of properties of interest can be verified. For example, checking that the values of the parameters are not negative can be easily expressed with the MSFOL formula

$\pi_\top = \forall x : \mathbb{Z}\ (((x \geq 1) \wedge (x \leq |E|)) \Rightarrow ((b(e) \geq 0) \wedge (d(e) \geq 0)))$.

Likewise, checking that all nodes have at least one incoming and one outgoing edge can be easily expressed as

$\pi_{\downarrow\uparrow} = \forall x : \mathbb{Z}\ (((x \geq 1) \wedge (x \leq |V|)) \Rightarrow \exists y, z : \mathbb{Z}\ ((y \neq z) \wedge (y \geq 1) \wedge (y \leq |E|) \wedge (z \geq 1) \wedge (z \leq |E|) \wedge (\mathit{src}(E[y]) = V[x]) \wedge (\mathit{dst}(E[z]) = V[x])))$.

Having the properties to be checked, $\pi_C$ as a conjunction of them (in our previous example $\pi_C = \pi_\top \wedge \pi_{\downarrow\uparrow}$), and the model representing the dynamic network $\varphi_N$, the model checking process is quite straightforward. First, we check that both $\varphi_N$ and $\pi_C$ are satisfiable; otherwise, either the model (whose verification can be performed beforehand as well) or the properties have inconsistencies. Further, if the formula $\varphi_N \wedge \pi_C$ is satisfiable, then we conclude that the properties $\pi_C$ hold for the model $\varphi_N$. If the formula is not satisfiable, there does not exist a satisfying interpretation for both formulas at the same time, i.e., there is a conflict between $\varphi_N$ and $\pi_C$.

As an example, consider the formula $\varphi_N$ associated with the dynamic network shown in Fig. 1; additionally, consider the property $\pi_{d>2} = \forall x : \mathbb{Z}\ (((x \geq 1) \wedge (x \leq |E|)) \Rightarrow (d(e) > 2))$ stating that the delay must be at least equal to three. $\varphi_N \wedge \pi_{d>2}$ is not satisfiable, as the model states that the delay of certain edges is either one or two, and thus, there is no satisfying interpretation for the conjunction of the formulas (even if there are satisfying interpretations for each of them). On the contrary, $\varphi_N \wedge \pi_\top \wedge \pi_{\downarrow\uparrow}$ is satisfiable.
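The model checking step above, as an added example that is not part of the paper or its repository: the Fig. 1 model is mirrored in plain Python (1-indexed array semantics become lists; $\mathit{src}$ and $\mathit{dst}$ are tuple fields) and each property is decided directly on the finite model rather than by a call to z3. For $\varphi_p$-shaped models, where every edge is constrained independently, $\varphi_N \wedge \pi$ is satisfiable exactly when each edge's allowed set contains a value meeting $\pi$; the helper `sat_with_model` is this reduction and is our assumption, not the paper's procedure.

```python
# Added example, not the paper's code: direct evaluation of Section III's
# model-checking questions on the finite Fig. 1 model, without an SMT solver.
from typing import Callable, List, Set, Tuple

Edge = Tuple[int, int]
V: List[int] = [1, 2, 3, 4]                               # phi_V, |V| = 4
E: List[Edge] = [(1, 2), (2, 1), (1, 3), (3, 1), (1, 4), (4, 1),
                 (2, 4), (4, 2), (3, 4), (4, 3)]          # phi_E, |E| = 10

def src(e: Edge) -> int:
    return e[0]

def dst(e: Edge) -> int:
    return e[1]

# phi_p: b (bandwidth) and d (delay) map each edge to its allowed value set.
def b(e: Edge) -> Set[int]:
    return {4, 5, 6} if dst(e) == 2 else {2, 3, 4}

def d(e: Edge) -> Set[int]:
    return {1, 2} if dst(e) == 2 else {9, 10}

def pi_in_out() -> bool:
    """pi_{down,up}: every node has an outgoing and an incoming edge."""
    return all(any(src(e) == v for e in E) and any(dst(e) == v for e in E)
               for v in V)

def pi_sym() -> bool:
    """pi_{->,<-} (Table I): every link has a return link."""
    return all((dst(e), src(e)) in E for e in E)

def pi_density(delta: float) -> bool:
    """pi_delta: |E| / (|V| * (|V| - 1)) >= delta; pi_M is the same ratio != 1."""
    return len(E) / (len(V) * (len(V) - 1)) >= delta

def sat_with_model(pred: Callable[[int], bool],
                   p: Callable[[Edge], Set[int]]) -> bool:
    """Is phi_N /\ (forall edges: pred(p(e))) satisfiable? Because phi_p fixes
    each edge's set independently, yes iff every edge's set contains a value
    satisfying pred (assumption of this example, valid for this formula shape)."""
    return all(any(pred(v) for v in p(e)) for e in E)

def pi_top() -> bool:
    """pi_top: bandwidth and delay can be non-negative on every edge."""
    return sat_with_model(lambda v: v >= 0, b) and sat_with_model(lambda v: v >= 0, d)

def pi_d_gt2() -> bool:
    """pi_{d>2}: UNSAT for Fig. 1, since links into node 2 only allow d in {1, 2}."""
    return sat_with_model(lambda v: v > 2, d)
```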
Run-time verification. Once a dynamic network emulator is implemented, it can be continuously verified that the produced static instances do not violate the description of $N$. In this case, we consider a conformance relation which is similar to a reduction, i.e., a static network $N_S$ conforms to $N$ if the topology $(V, E)$ of $N_S$ is exactly the same as that of $N$, and for each $i \in \{1, \ldots, k\}$, $p_i^{N_S}(e) \in p_i^{N}(e)$.

In order to verify this relation at run-time, the behavior of the emulator can be monitored to check that each link $(v_a, v_b) \in V \times V$ is implemented correctly, and that each value of the $i$-th parameter belongs to the set $p_i^{N}((v_a, v_b))$. We assume that the points of observation in this case can be placed at each node $v \in V$ and each link $(v_a, v_b)$, correspondingly.

We propose to iteratively check the implementation of each link, verifying that the value of $p_i^{N_S}((v_a, v_b))$ does not violate the description of the dynamic network $N$. The latter can be performed through a call to an SMT-solver, and whenever the corresponding formula is not satisfiable, an alert is produced. When alerting, relevant information for debugging can be shown, i.e., the link $(v_1, v_2)$ itself as well as the $i$-th parameter which was wrongly assigned when implementing the static instance $N_S$. The corresponding procedure is shown in Algorithm 1.
Algorithm 1: Run-time verification of a dynamic network emulator
input: A formula $\varphi_N$ specifying the dynamic network $N$
output: Alert for a static network violating the conformance relation; a link and a parameter 'responsible' for the violation
while true do
    Get the dynamic network instance (static network) $N_S$;
    foreach link $(v_a, v_b)$ do
        create a formula $\varphi = \exists x : \mathbb{Z}\ ((x \geq 1) \wedge (x \leq |E|) \wedge (E[x] = (v_a, v_b)))$;
        if $\varphi_N \wedge \varphi$ is UNSAT then alert$((v_a, v_b))$;
        $\varphi_N = \varphi_N \wedge \varphi$;
        foreach $i \in \{1, \ldots, k\}$ do
            create a formula $\varphi_i = (p_i^{N}((v_a, v_b)) = p_i^{N_S}((v_a, v_b)))$;
            if $\varphi_N \wedge \varphi_i$ is UNSAT then alert$(i, (v_a, v_b))$;

Preliminary experiments. In order to showcase the expressiveness of the proposed method, and to assess its limitations, a preliminary experimental evaluation has been conducted. From the model checking point of view, the properties $\pi_\top$ and $\pi_{\downarrow\uparrow}$, as previously described, have been tested alongside the properties listed in Table I; the specific functions used to compute the bandwidth ($\mathit{in}$, $\mathit{out}$, and $\mathit{bw}$) are not described in order to avoid overloading the formulas. The properties have been coded in SMT-LIB and the z3 solver has been used to check their satisfiability on randomly generated graphs. The running time for networks ranging from one to 30 nodes is shown in Fig. 2; note that large instances can require a long verification time. We thus conclude that such a method can be rather inefficient for run-time verification when the whole network is verified at once. For a large network of 50 nodes, a somewhat complex property such as $\pi_{IO}$ can be verified in approximately 12 minutes. When verifying a simple edge conformance as proposed in Algorithm 1, the time decreases to five minutes; this is one of the reasons why we propose such an incremental approach. However, the best results have been obtained when a backtracking of the variable of interest is done, and only the relevant variables that are involved in the property are kept. Even for a large network of 50 nodes, the verification time per edge is then around 0.069 s. For this work in progress, this process has been manually performed; an automated process is envisioned for future work. Note that all z3 code, graphs and properties can be found in our repository [7].
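The link-by-link check of Algorithm 1, as an added example that is not the paper's or its repository's code. Because a static snapshot $N_S$ fixes every parameter value, satisfiability of $\varphi_N \wedge \varphi_i$ for one link reduces to the membership test $p_i^{N_S}(e) \in p_i^{N}(e)$, so the SMT call is replaced here by direct evaluation; the snapshot format (a dict from link to observed parameter values) and the snapshot contents are constructed for this example.

```python
# Added example, not the paper's code: Algorithm 1 evaluated directly on a
# concrete snapshot N_S of the Fig. 1 dynamic network N, returning the alerts
# (offending link, or parameter and link) instead of calling an SMT solver.
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]

# Dynamic network N from Fig. 1: p_1 = b (bandwidth), p_2 = d (delay).
V: Set[int] = {1, 2, 3, 4}
E: Set[Edge] = {(1, 2), (2, 1), (1, 3), (3, 1), (1, 4), (4, 1),
                (2, 4), (4, 2), (3, 4), (4, 3)}

def b(e: Edge) -> Set[int]:
    return {4, 5, 6} if e[1] == 2 else {2, 3, 4}

def d(e: Edge) -> Set[int]:
    return {1, 2} if e[1] == 2 else {9, 10}

PARAMS = {"b": b, "d": d}   # p_1, p_2 of N, keyed by name

def verify_snapshot(snapshot: Dict[Edge, Dict[str, int]]) -> List[str]:
    """Link-by-link conformance of N_S to N (Algorithm 1); returns the alerts."""
    alerts: List[str] = []
    for link, values in snapshot.items():
        # phi: the observed link must be one of the E[x] of N.
        if link not in E:
            alerts.append(f"link {link} is not in E")
            continue
        for name, p in PARAMS.items():
            # phi_i: the observed value must lie in p_i^N(link).
            if values[name] not in p(link):
                alerts.append(f"{name}{link} = {values[name]} "
                              f"not in {sorted(p(link))}")
    # Same topology also means no link of N may be left unimplemented.
    for link in sorted(E - set(snapshot)):
        alerts.append(f"link {link} missing from snapshot")
    return alerts

# Constructed snapshot: b = 5, d = 1 into node 2 and b = 3, d = 10 elsewhere,
# except (3, 4) whose delay 2 violates d((3, 4)) = {9, 10}, plus a link (2, 3)
# that does not exist in N.
SNAPSHOT: Dict[Edge, Dict[str, int]] = {
    e: {"b": 5 if e[1] == 2 else 3, "d": 1 if e[1] == 2 else 10} for e in E}
SNAPSHOT[(3, 4)] = {"b": 3, "d": 2}
SNAPSHOT[(2, 3)] = {"b": 3, "d": 10}

if __name__ == "__main__":
    for alert in verify_snapshot(SNAPSHOT):
        print("ALERT:", alert)
```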
IV. CONCLUSION
We discussed the use of SMT-solvers for verifying dynamic network emulators described as many sorted first order logic formulas, whose consistency can be checked using one of such solvers; in our work, we used z3. Once a network is implemented, its static instance can be verified at run-time. We discussed a possible verification solution and proposed an algorithm for checking that the instance does not violate the initial formula. Experimental results confirmed that the verification is most efficient in an incremental, link-by-link way. For future work, we consider studying formula optimization techniques for decreasing the verification time. We plan to consider more dynamic network parameters and the dependencies between them. We expect that such dependencies can also be verified using the proposed approach.
Description: The links are symmetric (for any link a return link exists).
Formula: $\pi_{\rightarrow\leftarrow} = \forall x : \mathbb{Z}\ (((x \geq 1) \wedge (x \leq |E|)) \Rightarrow \exists y : \mathbb{Z}\ ((y \geq 1) \wedge (y \leq |E|) \wedge (\mathit{src}(E[x]) = \mathit{dst}(E[y])) \wedge (\mathit{dst}(E[x]) = \mathit{src}(E[y]))))$

Description: The edges in the edge array are composed of nodes in the node array.
Formula: $\pi_{eV} = \forall i : \mathbb{Z}\ (((i \geq 1) \wedge (i \leq |E|)) \Rightarrow (\exists j, k : \mathbb{Z}\ ((\mathit{src}(E[i]) = V[j]) \wedge (\mathit{dst}(E[i]) = V[k]))))$

Description: The delay of all links is always less than or equal to a given constant $D$.
Formula: $\pi_D = \forall i : \mathbb{Z}\ (((i \geq 1) \wedge (i \leq |E|)) \Rightarrow (d(E[i]) \leq D))$

Description: The bandwidth of all links is greater than or equal to the threshold $B$.
Formula: $\pi_B = \forall i : \mathbb{Z}\ (((i \geq 1) \wedge (i \leq |E|)) \Rightarrow (b(E[i]) \geq B))$

Description: The network topology density is at least $\delta$.
Formula: $\pi_\delta = (|E| / (|V| \cdot (|V| - 1))) \geq \delta$

Description: The network topology cannot be a full mesh.
Formula: $\pi_M = (|E| / (|V| \cdot (|V| - 1))) \neq 1$

Description: The incoming bandwidth of all nodes is strictly less than $C$ times the outgoing bandwidth capacity.
Formula: $\pi_{IO} = (\mathit{in} : \mathbb{Z} \to \mathbb{Z}) \wedge (\mathit{out} : \mathbb{Z} \to \mathbb{Z}) \wedge (\forall i : \mathbb{Z}\ (((i \geq 1) \wedge (i \leq |V|)) \Rightarrow (\mathit{in}(V[i]) < C \cdot \mathit{out}(V[i]))))$

Description: The sum of the bandwidth of all links cannot exceed the threshold $B$.
Formula: $\pi_+ = (\mathit{bw} : A_{\mathbb{Z},\mathbb{Z}} \to \mathbb{Z}) \wedge (\mathit{bw}(E) \leq B)$

TABLE I
NETWORK PROPERTIES OF INTEREST
Fig. 2. Time evaluation of emulator verification: verification time in seconds (0 to 600) against the number of nodes $|V|$ (0 to 30), with one curve per property $\pi_\top$, $\pi_{\downarrow\uparrow}$, $\pi_{\rightarrow\leftarrow}$, $\pi_{eV}$, $\pi_D$, $\pi_B$, $\pi_\delta$, $\pi_M$, $\pi_{IO}$ and $\pi_+$.
REFERENCES
[1] J. Lai, J. Tian, K. Zhang, Z. Yang, and D. Jiang, “Network emulation as
a service (neaas): Towards a cloud-based network emulation platform,”
Mobile Networks and Applications, pp. 1–15, 2020.
[2] R. Priyadarshi, B. Gupta, and A. Anurag, “Deployment techniques in
wireless sensor networks: a survey, classification, challenges, and future
research issues,” The Journal of Supercomputing, pp. 1–41, 2020.
[3] A. Varga, “Discrete event simulation system,” in Proc. of the European
Simulation Multiconference (ESM’2001), 2001, pp. 1–7.
[4] G. F. Riley and T. R. Henderson, “The ns-3 network simulator,” in
Modeling and tools for network simulation, 2010, pp. 15–34.
[5] L. De Moura and N. Bjørner, “Z3: An efficient smt solver,” in Inter-
national conference on Tools and Algorithms for the Construction and
Analysis of Systems. Springer, 2008, pp. 337–340.
[6] C. Barrett and C. Tinelli, “Satisfiability modulo theories,” in Handbook
of Model Checking. Springer, 2018, pp. 305–343.
[7] E. Petersen, J. López, N. Kushik, C. Poletti, and D. Zeghlache, "SMT verification of network emulators," https://github.com/ptrsen/SMTEmVerif, 2020.
