Formal Specification and Verification of a Communication Protocol - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Formal Specification and Verification of a
Communication Protocol
  • Ho Jung Bang
  • Sung Deok Cha

2
System Overview
  • The Requirements Specification of a system air
    conditioner
  • Natural language specification with MSC-like
    diagrams
  • About 210 pages long
  • Complicated initialization scenario and 14 basic
    scenarios
  • 1-to-many and parallel communication

3
Approach Overview
  • Comparison to the existing techniques
    • Informal techniques such as interviews and
      inspections
  • Verification principles
    • Completeness: explicitly consider all possible
      inputs in all possible situations
    • Consistency: avoid unexpected situations
  • Used model checking techniques to track subtle
    errors
    • Checked whether erroneous scenarios are indeed possible

4
Three Phases
Modeling (4 man-months)
  • Techniques used: interviews, inspections
  • Errors found in the phase: ambiguity 3, inconsistency 2,
    incorrectness 12, other errors 17
Validation (1 man-month)
  • Tools used
    • State/Event Table, to check completeness
    • SDL Simulator, to check that all the behaviors in the
      specification are also possible in the model
    • SDL Validator, to check basic properties such as
      deadlocks and livelocks
  • Validation results: infinite loops were found
Verification (5 man-months)
  • Tools used
    • sdl2spin, an in-house tool for translating SDL to Promela
    • timeline editor
    • SPIN
  • Properties to check
    • Are all scenarios still possible?
    • Do all processes eventually go to a responsible state?
    • Are there minimal environmental conditions for scenarios
      to succeed?
    • Are these errors possible in the model?
5
Results and Experience
Verification Results
  • Facts of properties: 102
  • Runs of verification: 204 (2 for each)
  • Counter-examples: 136
  • Average time elapsed: 46 min.
  • Average length of CE: 114,234 steps
Experience (Lessons learned)
  • We found a number of errors while inspecting the
    specifications and creating the SDL model
  • Some subtle errors found by the verification resulted from
    confusion of message IDs, lack of session management, and
    arrival of messages after timeout
  • In spite of aggressive abstraction, partial verification
    had to be used for some properties
    • Proving safety properties was impossible using
      exhaustive verification
    • Instead, bit-state reduction, which is not safe, was used
  • Counter-examples were too long for manual examination
    • Finding the shortest one is a time-consuming task
    • Iterative search by increasing bounds would help
  • Tailoring the environment to guide model checking is useful
    for disproving safety properties (that is, in finding errors)
    • It greatly reduced the time needed
    • Not helpful for proving safety properties
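The lessons above (a reply arriving after the client's timeout, missing session management, bit-state hashing being unsafe, and the cost of finding a short counter-example) can be reproduced on a toy model. The Python below is an added example, not the authors' SDL/Promela model or their sdl2spin tool: it encodes a constructed request/response protocol as a state machine, searches it breadth-first so that the first violation reached is the shortest trace, and can swap the exact visited set for a bit-state hash table; all names, bounds and message labels are assumptions.

```python
from collections import deque

MAX_SID, CAP = 2, 2   # session-id bound and channel capacity keep the state space finite
IDLE, WAIT = 0, 1     # client phases; a state is (phase, sid, c2s, s2c, bad)

def successors(state, check_session):
    """All enabled transitions of the constructed model as (action label, next state)."""
    phase, sid, c2s, s2c, bad = state
    out = []
    if phase == IDLE and sid < MAX_SID and len(c2s) < CAP:   # client opens a new session
        out.append(("send REQ(%d)" % (sid + 1), (WAIT, sid + 1, c2s + (sid + 1,), s2c, bad)))
    if phase == WAIT:                                         # timer expiry, modelled as a free choice
        out.append(("timeout", (IDLE, sid, c2s, s2c, bad)))
    if phase == WAIT and s2c:                                 # client consumes the oldest reply
        rid, rest = s2c[0], s2c[1:]
        if check_session and rid != sid:                      # session management: ignore stale replies
            out.append(("drop stale RESP(%d)" % rid, (WAIT, sid, c2s, rest, bad)))
        else:                                                 # accept it; bad if it is from an old session
            out.append(("accept RESP(%d)" % rid, (IDLE, sid, c2s, rest, rid != sid)))
    if c2s and len(s2c) < CAP:                                # server answers the oldest request
        out.append(("server RESP(%d)" % c2s[0], (phase, sid, c2s[1:], s2c + (c2s[0],), bad)))
    return out

def check(check_session, bits=None):
    """Breadth-first search from the initial state: the first violation reached is the shortest.
    Returns (trace or None, states stored). bits=k replaces the exact visited set with a
    SPIN-style bit-state table of 2**k bits; a collision silently prunes a state (unsafe)."""
    init = (IDLE, 0, (), (), False)
    table = bytearray(max(1, (1 << bits) // 8)) if bits else None
    seen, parent, queue = set(), {init: None}, deque([init])
    def visit(s):                                             # True the first time s is seen
        if table is None:
            if s in seen: return False
            seen.add(s); return True
        h = hash(s) % (8 * len(table))
        if table[h >> 3] & (1 << (h & 7)): return False       # bit set: seen before, or a collision
        table[h >> 3] |= 1 << (h & 7); return True
    visit(init)
    while queue:
        s = queue.popleft()
        if s[4]:                                              # violation: walk the parents back to init
            trace = []
            while parent[s] is not None:
                s, act = parent[s]; trace.append(act)
            return trace[::-1], len(parent)
        for act, nxt in successors(s, check_session):
            if visit(nxt):
                parent[nxt] = (s, act); queue.append(nxt)
    return None, len(parent)
```

`check(False)` returns the five-step trace in which the server's answer to the first request is accepted as the answer to the second; `check(True)` finds no violation, and a run with a small `bits` value may store fewer states than the exhaustive run, which is why a clean bit-state run is not a proof.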