Results 1 - 10 of 69
Protocol Verification as a Hardware Design Aid
- In IEEE International Conference on Computer Design: VLSI in Computers and Processors, 1992
Cited by 217 (25 self)
The role of automatic formal protocol verification in hardware design is considered. Principles are identified that maximize the benefits of protocol verification while minimizing the labor and computation required. A new protocol description language and verifier (both called Murφ) are described, along with experiences in applying them to two industrial protocols that were developed as part of hardware designs.
Protocol Testing: Review of Methods and Relevance for Software Testing
- In Proceedings of the 1994 International Symposium on Software Testing and Analysis, 1994
Cited by 57 (12 self)
Communication protocols are the rules that govern the communication between the different components within a distributed computer system. Since protocols are implemented in software and/or hardware, the question arises whether the existing hardware and software testing methods would be adequate for the testing of communication protocols. The purpose of this paper is to explain in which way the problem of testing protocol implementations is different from the usual problem of software testing. We review the major results in the area of protocol testing and discuss in which way these methods may also be relevant in the more general context of software testing.
Reduced Length Checking Sequences
- IEEE Transactions on Computers, 2002
Cited by 33 (9 self)
Here, the method proposed in [13] for constructing minimal-length checking sequences based on distinguishing sequences is improved. The improvement is based on optimizations of the state recognition sequences and their use in constructing test segments. It is shown that the proposed improvement further reduces the length of checking sequences produced from minimal, completely specified, and deterministic finite state machines.
Index Terms: Finite state machine, checking sequence, test minimization, distinguishing sequence.
Generic application-level protocol analyzer and its language
- 2005
Cited by 23 (3 self)
The Shield project relied on application protocol analyzers to detect potential exploits of application vulnerabilities. We present the design of a second-generation generic application-level protocol analyzer (GAPA) that encompasses a domain-specific language and the associated run-time. We designed GAPA to satisfy three important goals: safety, real-time analysis and response, and rapid development of analyzers. We have found that these goals are relevant for many network monitors that implement protocol analysis. Therefore, we built GAPA to be readily integrated into tools such as Ethereal as well as Shield. GAPA preserves safety through the use of a memory-safe language for both message parsing and analysis, and through various techniques to reduce the amount of state maintained in order to avoid denial-of-service attacks. To support online analysis, the GAPA runtime uses a stream-processing model with incremental parsing. In order to speed protocol development, GAPA uses a syntax similar to many protocol RFCs and other specifications, and incorporates many common protocol analysis tasks as built-in abstractions. We have specified 10 commonly used protocols in the GAPA language and found it expressive and easy to use. We measured our GAPA prototype and found that it can handle an enterprise client HTTP workload at up to 60 Mbps, sufficient performance for many end-host firewall/IDS scenarios. At the same time, the trusted code base of GAPA is an order of magnitude smaller than Ethereal.
Verification of Communication Protocols Using Data Flow Analysis
- In Proceedings of the Fourth ACM SIGSOFT Symposium on the Foundations of Software Engineering, 1996
Cited by 22 (6 self)
In this paper we demonstrate that data flow analysis is an effective approach for verifying requirements of communication protocols. Communication protocols are responsible for establishing the communication patterns between different processes within a distributed computer system. Data flow analysis is a static analysis method for increasing confidence in the correctness of software systems by automatically verifying that a given software artifact (e.g., design or code) must behave consistently with a specified requirement. In this case study, we apply the FLAVERS data flow analysis tool to pseudocode designs of the three way handshake connection establishment protocol and of the alternating bit protocol and prove that the behavior of the pseudocode is consistent with protocol behavioral requirement specifications. In addition, we show how assumptions about the environment in which a software system is executed can be incorporated into the analysis, using message losses as an...
Formal Object Oriented Development of Software Systems using LOTOS
- 1993
Cited by 21 (10 self)
Formal methods are necessary in achieving correct software: that is, software that can be proven to fulfil its requirements. Formal specifications are unambiguous and analysable. Building a formal model improves understanding. The modelling of nondeterminism, and its subsequent removal in formal steps, allows design and implementation decisions to be made when most suitable. Formal models are amenable to mathematical manipulation and reasoning, and facilitate rigorous testing procedures. However, formal methods are not widely used in software development. In most cases, this is because they are not suitably supported with development tools. Further, many software developers do not recognise the need for rigour. Object oriented techniques are successful in the production of large, complex software systems. The methods are based on simple mathematical models of abstraction and classification. Further, the object oriented approach offers a conceptual consistency across all stages of soft...
Selecting Test Sequences For Partially-Specified Nondeterministic Finite State Machines
- In IFIP 7th International Workshop on Protocol Test Systems, 1994
Cited by 18 (10 self)
In order to test the control portion of communication software, specifications are usually first abstracted to state machines, then test cases are generated from the resulting machines. The state machines obtained from the specification are often both partially-specified and nondeterministic. We come out with a method of generating test suites for the software that is modeled by partially-specified nondeterministic finite state machines (PNFSMs). On the basis of intuitive notions, a conformance relation, called quasi-equivalence, is introduced for such machines, which serves as a guide to test generation. Our method is also applicable to completely-specified deterministic machines, partially-specified deterministic machines, and completely-specified nondeterministic machines, which are typical classes of PNFSMs. When applied to such classes of machines, this method usually yields smaller test suites with full fault coverage for each class of machines than the existing methods for the ...
Design and Analysis of Dynamic Leader Election Protocols in Broadcast Networks
- Distributed Computing, 1996
Cited by 18 (2 self)
The well-known problem of leader election in distributed systems is considered in a dynamic context where processes may participate and crash spontaneously. Processes communicate by means of buffered broadcasting as opposed to usual point-to-point communication. In this paper we design a leader election protocol in such a dynamic system. As the problem at hand is considerably complex we adopt a step-wise refinement design method starting from a simple leader election protocol. In a first refinement a symmetric solution is obtained and eventually a fault-tolerant protocol is constructed. This gives rise to three protocols. The worst case message complexity of all protocols is analyzed. A formal approach to the verification of the leader election protocols is adopted. The requirements are specified in a property-oriented way and the protocols are denoted by means of extended finite state machines. It is proven using linear-time temporal logic that the protocols satisfy their requirements...
A Specification Architecture For Multimedia Systems In Open Distributed Processing
- Computer Networks and ISDN Systems, 1995
Cited by 14 (2 self)
The field of distributed systems is now entering a stage of maturity with work focusing on standards for Open Distributed Processing (ODP). However, it is still important that standardisation remains responsive to new technological demands such as the emergence of distributed multimedia computing. This paper focuses on the likely impact of multimedia computing on formal description within ODP. In particular, a specification architecture is proposed for the formal specification and verification of quality of service and more general real-time concerns in distributed multimedia systems. This specification architecture exhibits a separation of concerns between the specification of behaviour and requirements and also between the specification of abstract behaviour and real-time concerns. The architecture also supports refinement to the computational language defined by the ODP standard. It is important to stress that the architecture does not prescribe the use of specific formal notations ...
A Success Story of Formal Description Techniques: Estelle Specification and Test Generation for MIL-STD 188-220
- In FDTs in Practice, 2000
Cited by 9 (5 self)
This paper presents a success story of specifying a complex real-life protocol (MIL-STD 188-220) in Estelle and generating test sequences from the formal specification. 188-220 is being developed in the US Army, Navy and Marine Corps systems for mobile combat network radios. A key factor in this success story has been the collaboration among the researchers of the University of Delaware and the City College of the City University of New York, the developers of the US Army Communications-Electronics Command (CECOM), and the protocol designers in the Joint Combat Net Radio Working Group. Based on the research results, 188-220 test sequences are realizable without timer interruptions while providing a 200% increase in test coverage.

