Design and Validation of Computer Protocols

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#330088" ALINK="#FF0044"> <title>Gerard J. Holzmann, Abstracts</title> <center><h3>Abstracts, Gerard J. Holzmann</h3></center> <p><img src="/cm/share/paper.gif" alt="----------"><p> <h3>Software Model Checking: Extracting verification models from source code</h3> Invited Paper. <i>Proc. PSTV/FORTE99</i> Publ. Kluwer, Oct. 1999, Beijing China. <i><a href="gz/fortepstv99.ps.gz">(Postscript)</a></i> <p>(with Margaret H. Smith) <p> To formally verify a large software application, the standard method is to invest a considerable amount of time and expertise into the manual construction of an abstract model, which is then analyzed for its properties by either a mechanized or by a human prover. There are two main problems with this approach. The first problem is that this verification method can be no more reliable than the humans that perform the manual steps. if rate of error for human work is a function of problem size, this holds not only for the construction of the original application but also for the construction of the model. This means that the verification process tends to become unreliable for larger applications. The second problem is one of timing and relevance. Software applications built by teams of programmers can change rapidly, often daily. Manually constructing a faithful abstraction of any one version of the application, though, can take weeks or months. The results of a verification, then, can quickly become irrelevant to an ongoing desing effort. In this paper we sketch a verification method that aims to avoid these problems. This method, based on automated model extraction from C code, was first applied in the verification of the call processing software for a new Lucent Technologies' system called PathStar(r). <p> <h3>A Practical Method for Verifying Event-Driven Software</h3> Invited Paper. <i>Proc. ICSE99, International Conference on Software Engineering.</i> Publ. IEEE/ACM. May 1999, Los Angeles. <i><a href="gz/icse_99.ps.gz">(Postscript)</a></i> <p>(with Margaret H. Smith) <p> Formal verification methods are used only sparingly in software development. The most successful methods to date are based on the use of model checking tools. To use such tools, the user defines a faithful abstraction of the application (the model), defines how the application interacts with its environment, and formulates the properties that it should satisfy. Each step in this process can become an obstacle, and, generally, to complete the entire verification process successfully often requires specialized knowledge of verification techniques and a considerable investment of time. <br> In this paper we describe a verification method that requires little or no specialized knowledge in model construction. It allows us to extract a model mechanically from the source of an application. Interface definitions and property specifications have meaningful defaults that can get the user started quickly with a verification effort. The defaults can be adjusted when desired. All checks can be executed mechanically, even when the application itself continues to evolve. Compared to conventional software testing, the thoroughness of a check of this type is unprecedented. <h3>On Checking Model Checkers</h3> Invited Paper. <i>Proc. CAV98, Vancouver, June 1998, LNCS 1427, pp. 61-70.</i> <i><a href="gz/cav98.ps.gz">(Postscript)</a></i> <p> It has become a good practice to expect authors of new algorithms for model checking applications to provide not only rigorous evidence of an algorithm's correctness, but also evidence of its practical significance. Though the rules for determining what is and what is not a good proof of correctness are clear, no comparable rules are usually enforced for determining the soundness of the data that the author provides to support a claim to practical value. We consider here how we can flag the more common types of omission. <h3>Interval Reduction through Requirements Analysis</h3> <i>Bell Labs Technical Journal, Vol. 3, No. 2, 1998, pp. 22-31.</i> <i><a href="gz/bltj98.ps.gz">(Postscript)</a></i> <p>(with Margaret H. Smith) <p> A notable part of the delays that can be encountered in system design projects are caused by logical inconsistencies that are often inadvertently inserted in the early phases of software design. <br> Many of these inconsistencies are ultimately caught in design and code reviews, or in systems testing. In the current design process, though, these errors are rarely caught {\em before} the implementation of the system nears completion. <br> We show that modeling and verifying the requirements separately, before system design proper begins, can help to intercept the ambiguities and inconsistencies that may otherwise not be caught until testing or field use. By doing so, one can prevent a class of errors from entering the development phase, and thereby reduce time to market, while at the same time improving overall design quality. <br> We demonstrate this approach with an example where we use the LTL model checking system {\sc Spin}, developed at Bell Labs, to mechanically verify the logical consistency of a high level design for one of Lucent's new products. It is estimated that interval reductions of 10 to 20 percent can be achieved by applying early fault detection techniques of this type. <h3>Designing executable abstractions</h3> Keynote address. <i>Proc. Formal Methods in Software Practice, March 1998</i> <i><a href="gz/fmsp98.ps.gz">(Postscript)</a></i> <p> It is well-known that in general the problem of deciding whether a program halts (or can deadlock) is undecidable. Model checkers, therefore, cannot be applied to arbitrary programs, but work with well-defined abstractions of programs. The feasibility of a verification often depends on the type of abstraction that is made. Abstraction is indeed the most powerful tool that the user of a model checking tool can apply, yet it is often perceived as a temporary inconvenience. <h3>Validating Requirements for Fault Tolerant Systems using Model Checking</h3> <i>Proc. ICRE98, International Conference on Requirements Engineering, April 1998</i> <i><a href="gz/nasa98.ps.gz">(Postscript)</a></i> <p>(with F. Schneider, S.M. Easterbrook, J.R. Callahan) <p> Model checking is shown to be an effective tool in validating the behavior of a fault tolerant embedded spacecraft controller. The case study presented here shows that by judiciously abstracting away extraneous complexity, the state space of the model could be exhaustively searched allowing critical functional requirements to be validated down to the design level. Abstracting away detail not germane to the problem of interest leaves by definition a partial specification. The success of this procedure shows that it is feasible to effectively validate a partial specification with this technique. Three anomalies were found in the system. One was an error in the detailed requirements, and the other two were missing/ambiguous requirements. Because the method allows validation of partial specifications, it is also an effective approach for maintaining fidelity between a co-evolving specification and an implementation. <h3>A Minimized Automaton Representation of Reachable States</h3> <i>June 1997, to appear in STTT (Software Tools for Technology Transfer, Springer Verlag)</i> <i><a href="gz/sttt98.ps.gz">(Postscript)</a></i> <p>(with Anuj Puri) <p> We consider the problem of storing a set of states S as a deterministic finite automaton (DFA). We show that inserting or deleting states can be done in expected time linear in the length of the state descriptor. The insertions and deletions preserve the minimality of the DFA. We discuss an application of this work to the reduction of the mem