
    Model Checking Paxos in Spin

    We present a formal model of a distributed consensus algorithm in the executable specification language Promela extended with a new type of guards, called counting guards, needed to implement transitions that depend on majority voting. Our formalization exploits abstractions that follow from reduction theorems applied to the specific case-study. We apply the model checker Spin to automatically validate finite instances of the model and to extract preconditions on the size of quorums used in the election phases of the protocol. Comment: In Proceedings GandALF 2014, arXiv:1408.556

    Parameterized Verification of Graph Transformation Systems with Whole Neighbourhood Operations

    We introduce a new class of graph transformation systems in which rewrite rules can be guarded by universally quantified conditions on the neighbourhood of nodes. These conditions are defined via special graph patterns which may be transformed by the rule as well. For the new class of graph rewrite rules, we provide a symbolic procedure working on minimal representations of upward closed sets of configurations. We prove correctness and effectiveness of the procedure by a categorical presentation of rewrite rules as well as the involved order, and using results for well-structured transition systems. We apply the resulting procedure to the analysis of the Distributed Dining Philosophers protocol on an arbitrary network structure. Comment: Extended version of a submission accepted at RP'14 Workshop

    Abstract Interpretation of Stateful Networks

    Modern networks achieve robustness and scalability by maintaining states on their nodes. These nodes are referred to as middleboxes and are essential for network functionality. However, the presence of middleboxes drastically complicates the task of network verification. Previous work showed that the problem is undecidable in general and EXPSPACE-complete when abstracting away the order of packet arrival. We describe a new algorithm for conservatively checking isolation properties of stateful networks. The asymptotic complexity of the algorithm is polynomial in the size of the network, albeit being exponential in the maximal number of queries of the local state that a middlebox can do, which is often small. Our algorithm is sound, i.e., it can never miss a violation of safety but may fail to verify some properties. The algorithm performs on-the-fly abstract interpretation by (1) abstracting away the order of packet processing and the number of times each packet arrives, (2) abstracting away correlations between states of different middleboxes and channel contents, and (3) representing middlebox states by their effect on each packet separately, rather than taking into account the entire state space. We show that the abstractions do not lose precision when middleboxes may reset in any state. This is encouraging since many real middleboxes reset, e.g., after some session timeout is reached or due to hardware failure.

    Verifying Mutable Systems

    Model checking has had much success in the verification of single-process and multi-process programs. However, model checkers assume an immutable topology which limits the verification in several areas. Consider the security domain: model checkers have had success in the verification of unicast structurally static protocols, but struggle to verify dynamic multicast cryptographic protocols. We give a formulation of dynamic model checking which extends traditional model checking by allowing structural changes, mutations, to the topology of multi-process network models. We introduce new mutation models when the structural mutations take either a primitive, non-primitive, or a non-deterministic form, and analyze the general complexities of each. This extends traditional model checking and allows analysis in new areas. We provide a set of proof rules to verify safety properties on dynamic models and outline its automizability. We relate dynamic models to compositional reasoning, dynamic cutoffs, parametrized analysis, and previously established parametric assertions. We provide a proof of concept by analyzing a dynamic mutual exclusion protocol and a multicast cryptography protocol.