Today's Internet is a massive, distributed network which continues to explode in size as ecommerce and related activities grow. The heterogeneous and largely unregulated structure of the Internet renders tasks such as dynamic routing, optimized service provision, service level verification, and detection of anomalous/malicious behavior increasingly challenging tasks. The problem is compounded by the fact that one cannot rely on the cooperation of individual servers and routers to aid in the collection of network traffic measurements vital for these tasks. In many ways, network monitoring and inference problems bear a strong resemblance to other "inverse problems" in which key aspects of a system are not directly observable. Familiar signal processing problems such as tomographic image reconstruction, system identification, and array processing all have interesting interpretations in the networking context. This article introduces the new field of network tomography, a field which we believe will benefit greatly from the wealth of signal processing theory and algorithms.

Network protocols are hard to implement correctly. Despite the existence of RFCs and other standards, implementations often have subtle differences and bugs. One reason for this is that the specifications are typically informal, and hence inevitably contain ambiguities. Conformance testing against such specifications is challenging. In this paper we present a practical technique for rigorous protocol specification that supports specificationbased testing. We have applied it to TCP, UDP, and the Sockets API, developing a detailed ‘post-hoc’ specification that accurately reflects the behaviour of several existing implementations (FreeBSD 4.6, Linux 2.4.20-8, and Windows XP SP1). The development process uncovered a number of differences between and infelicities in these implementations. Our experience shows for the first time that rigorous specification is feasible for protocols as complex as TCP. We argue that the technique is also applicable ‘prehoc’, in the design phase of new protocols. We discuss how such a design-for-test approach should influence protocol development, leading to protocol specifications that are both unambiguous and clear, and to high-quality implementations that can be tested directly against those specifications. 1

This paper studies the semantics of failure in distributed programming. We present a semantic model for distributed programs that use the standard sockets interface; it covers message loss, host failure and temporary disconnection, and supports reasoning about distributed infrastructure. We consider interaction via the UDP and ICMP protocols.

The TCP/IP protocols and Sockets API underlie much of modern computation, but their semantics have historically been very complex and ill-defined. The real standard is the de facto one of the common implementations, including, for example, the 15 000-- 20 000 lines of C in the BSD implementation. Dealing rigorously with the behaviour of such bodies of code is challenging. We have

Introduction We summarise two projects that formalised complex real world systems: UDP and its sockets API, and the C programming language. We describe their goals and the techniques used in both. We conclude by discussing how such techniques might be applied to other system software and by describing the benefits this may bring. 2. Specifying UDP and the sockets API We recently formalised a substantial behavioural specification, that for the Internet protocol UDP, as presented to programmers through the sockets interface [12, 10, 1, 5, 11]. Our aim was to make clear the behavioural subtleties of the widely used -- but poorly documented -- sockets API. This clarification of the interface should ease the production of robust software that uses it. The specification was necessarily developed post hoc; we developed it by referring to existing documentation (RFCs and source code, for example), and by experimentally checking existing implementations, using automated tools. We produced th

This paper is about the mechanical verification of UDP based network programs. It uses the UDP portion of a formal model of the Internet protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The model includes asynchronous message passing, message loss and host failure. The model is based around the sockets library, the primary API used for writing UDP and TCP based applications. This paper demonstrates that formal, machine-checked, proof is possible in the UDP model by presenting the proof of a safety property for an implementation of Stenning’s Protocol. The protocol is implemented in a fragment of the OCaml language, using the sockets library for UDP network communication. The entire development including the safety proof is carried out in the proof assistant Isabelle; this assures soundness. Thus this paper demonstrates that it is possible to machine verify very concrete representations of distributed programs in a detailed semantics that accurately reflects the programs representations of this protocol have been machine verified. The proof, based on an implementation, provides a contrast to other verifications.

rigorous and experimentally-validated behavioural specification

While modern desktop workloads include a substantial multimedia component, virtually no contemporary general purpose operating system provides adequate support for multimedia applications when executed under loaded conditions. Trying to play a DVD movie or participating in a role playing game with significant graphical requirements while running demanding assignments in the background (such as compiling the Linux kernel or contributing to the SETI@home effort) will usually result in poor graphical quality. This happens because general-purpose schedulers prioritize processes mainly based on their CPU consumption, thus failing to distinguish between heavy multimedia applications and other computational tasks. We suggest