|
1 Isabelle Verification of a protocol using IOA. |
|
2 |
|
3 ------------------------------------------------------------------------------ |
|
4 The theory structure looks like this picture: |
|
5 |
|
6 Correctness |
|
7 |
|
8 Impl |
|
9 |
|
10 Sender Receiver Channels Spec |
|
11 |
|
12 Action IOA Multisets |
|
13 |
|
14 Packet List |
|
15 |
|
16 Arith |
|
17 |
|
18 ------------------------------------------------------------------------------ |
|
19 |
|
20 The System. |
|
21 |
|
22 The system being proved correct is a parallel composition of 4 processes: |
|
23 |
|
24 Sender || Schannel || Receiver || Rchannel |
|
25 |
|
26 Accordingly, the system state is a 4-tuple: |
|
27 |
|
28 (Sender_state, Schannel_state, Receiver_state, Rchannel_state) |
|
29 |
|
30 ------------------------------------------------------------------------------ |
|
31 Packets. |
|
32 |
|
33 The objects going over the medium from Sender to Receiver are modelled |
|
34 with the type |
|
35 |
|
36 'm packet = bool * 'm |
|
37 |
|
38 This expresses that messages (modelled by polymorphic type "'m") are |
|
39 sent with a single header bit. Packet fields are accessed by |
|
40 |
|
41 hdr<b,m> = b |
|
42 mesg<b,m> = m |
|
43 ------------------------------------------------------------------------------ |
|
44 |
|
45 The Sender. |
|
46 |
|
47 The state of the process "Sender" is a 5-tuple: |
|
48 |
|
49 1. messages : 'm list (* sq *) |
|
50 2. sent : bool multiset (* ssent *) |
|
51 3. received : bool multiset (* srcvd *) |
|
52 4. header : bool (* sbit *) |
|
53 5. mode : bool (* ssending *) |
|
54 |
|
55 |
|
56 The Receiver. |
|
57 |
|
58 The state of the process "Receiver" is a 5-tuple: |
|
59 |
|
60 1. messages : 'm list (* rq *) |
|
61 2. replies : bool multiset (* rsent *) |
|
62 3. received : 'm packet multiset (* rrcvd *) |
|
63 4. header : bool (* rbit *) |
|
64 5. mode : bool (* rsending *) |
|
65 |
|
66 |
|
67 The Channels. |
|
68 |
|
69 The Sender and Receiver each have a proprietary channel, named |
|
70 "Schannel" and "Rchannel" respectively. The messages sent by the Sender |
|
71 and Receiver are never lost, but the channels may mix them |
|
72 up. Accordingly, multisets are used in modelling the state of the |
|
73 channels. The state of "Schannel" is modelled with the following type: |
|
74 |
|
75 'm packet multiset |
|
76 |
|
77 The state of "Rchannel" is modelled with the following type: |
|
78 |
|
79 bool multiset |
|
80 |
|
81 This expresses that replies from the Receiver are just one bit. |
|
82 |
|
83 Both Channels are instances of an abstract channel, that is modelled with |
|
84 the type |
|
85 |
|
86 'a multiset. |
|
87 |
|
88 ------------------------------------------------------------------------------ |
|
89 |
|
90 The events. |
|
91 |
|
92 An `execution' of the system is modelled by a sequence of |
|
93 |
|
94 <system_state, action, system_state> |
|
95 |
|
96 transitions. The actions, or events, of the system are described by the |
|
97 following ML-style datatype declaration: |
|
98 |
|
99 'm action = S_msg ('m) (* Rqt for Sender to send mesg *) |
|
100 | R_msg ('m) (* Mesg taken from Receiver's queue *) |
|
101 | S_pkt_sr ('m packet) (* Packet arrives in Schannel *) |
|
102 | R_pkt_sr ('m packet) (* Packet leaves Schannel *) |
|
103 | S_pkt_rs (bool) (* Packet arrives in Rchannel *) |
|
104 | R_pkt_rs (bool) (* Packet leaves Rchannel *) |
|
105 | C_m_s (* Change mode in Sender *) |
|
106 | C_m_r (* Change mode in Receiver *) |
|
107 | C_r_s (* Change round in Sender *) |
|
108 | C_r_r ('m) (* Change round in Receiver *) |
|
109 |
|
110 ------------------------------------------------------------------------------ |
|
111 |
|
112 The Specification. |
|
113 |
|
114 The abstract description of system behaviour is given by defining an |
|
115 IO/automaton named "Spec". The state of Spec is a message queue, |
|
116 modelled as an "'m list". The only actions performed in the abstract |
|
117 system are: "S_msg(m)" (putting message "m" at the end of the queue); |
|
118 and "R_msg(m)" (taking message "m" from the head of the queue). |
|
119 |
|
120 |
|
121 ------------------------------------------------------------------------------ |
|
122 |
|
123 The Verification. |
|
124 |
|
125 The verification proceeds by showing that a certain mapping ("hom") from |
|
126 the concrete system state to the abstract system state is a `weak |
|
127 possibilities map` from "Impl" to "Spec". |
|
128 |
|
129 |
|
130 hom : (S_state * Sch_state * R_state * Rch_state) -> queue |
|
131 |
|
132 The verification depends on several system invariants that relate the |
|
133 states of the 4 processes. These invariants must hold in all reachable |
|
134 states of the system. These invariants are difficult to make sense of; |
|
135 however, we attempt to give loose English paraphrases of them. |
|
136 |
|
137 Invariant 1. |
|
138 |
|
139 This expresses that no packets from the Receiver to the Sender are |
|
140 dropped by Rchannel. The analogous statement for Schannel is also true. |
|
141 |
|
142 !b. R.replies b = S.received b + Rch b |
|
143 /\ |
|
144 !pkt. S.sent(hdr(pkt)) = R.received(hdr(b)) + Sch(pkt) |
|
145 |
|
146 |
|
147 Invariant 2. |
|
148 |
|
149 This expresses a complicated relationship about how many messages are |
|
150 sent and header bits. |
|
151 |
|
152 R.header = S.header |
|
153 /\ S.mode = SENDING |
|
154 /\ R.replies (flip S.header) <= S.sent (flip S.header) |
|
155 /\ S.sent (flip S.header) <= R.replies header |
|
156 OR |
|
157 R.header = flip S.header |
|
158 /\ R.mode = SENDING |
|
159 /\ S.sent (flip S.header) <= R.replies S.header |
|
160 /\ R.replies S.header <= S.sent S.header |
|
161 |
|
162 |
|
163 Invariant 3. |
|
164 |
|
165 The number of incoming messages in the Receiver plus the number of those |
|
166 messages in transit (in Schannel) is not greater than the number of |
|
167 replies, provided the message isn't current and the header bits agree. |
|
168 |
|
169 let mesg = <S.header, m> |
|
170 in |
|
171 R.header = S.header |
|
172 ==> |
|
173 !m. (S.messages = [] \/ m ~= hd S.messages) |
|
174 ==> R.received mesg + Sch mesg <= R.replies (flip S.header) |
|
175 |
|
176 |
|
177 Invariant 4. |
|
178 |
|
179 If the headers are opposite, then the Sender queue has a message in it. |
|
180 |
|
181 R.header = flip S.header ==> S.messages ~= [] |
|
182 |