Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and Sockets
In Proceedings of ACM Conference on Computer Communication (SIGCOMM 2005), 2005
Cited by 26 (8 self)
Network protocols are hard to implement correctly. Despite the existence of RFCs and other standards, implementations often have subtle differences and bugs. One reason for this is that the specifications are typically informal, and hence inevitably contain ambiguities. Conformance testing against such specifications is challenging. In this paper we present a practical technique for rigorous protocol specification that supports specification-based testing. We have applied it to TCP, UDP, and the Sockets API, developing a detailed ‘post-hoc’ specification that accurately reflects the behaviour of several existing implementations (FreeBSD 4.6, Linux 2.4.20-8, and Windows XP SP1). The development process uncovered a number of differences between and infelicities in these implementations. Our experience shows for the first time that rigorous specification is feasible for protocols as complex as TCP. We argue that the technique is also applicable ‘pre-hoc’, in the design phase of new protocols. We discuss how such a design-for-test approach should influence protocol development, leading to protocol specifications that are both unambiguous and clear, and to high-quality implementations that can be tested directly against those specifications.
Engineering with Logic: HOL Specification and Symbolic-Evaluation Testing for TCP Implementations
POPL'06, 2006
Cited by 19 (5 self)
The TCP/IP protocols and Sockets API underlie much of modern computation, but their semantics have historically been very complex and ill-defined. The real standard is the de facto one of the common implementations, including, for example, the 15 000–20 000 lines of C in the BSD implementation. Dealing rigorously with the behaviour of such bodies of code is challenging. We have
On the challenge of delivering high-performance, dependable, model-checked internet servers
In First Workshop on Hot Topics in System Dependability, 2005
Cited by 2 (1 self)
A typical Internet server finds itself in the middle of
Applied Semantics: Specifying and Developing Abstractions for Distributed Computation (Grand Challenge Discussion Paper – GC2, GC4, and GC6)
2004
rigorous and experimentally-validated behavioural specification Volume 1: Overview
2005
Cited by 1 (0 self)
Acute and TCP: specifying and developing abstractions for global computation
2004
Cited by 1 (0 self)
This paper describes ongoing work to establish semantic foundations for real-world distributed computation. We are designing and implementing Acute, an expressive and safe programming language (based on an OCaml core) with features for managing abstraction-safe marshalling, dynamic rebinding, and versioning. These permit user-level communication libraries to be written simply as type-safe Acute code, above TCP/UDP sockets. Further, we are precisely characterizing the properties of TCP and UDP network communication; of particular interest is the semantics of communication failures. Together with the Acute language semantics this constitutes a mathematically precise and executable system for writing distributed communication libraries, P2P algorithms, etc.
Required Foundations for Peer-to-Peer Systems
2003
This report places the foundational work of PEPITO, the initial work of which was described in Deliverable D1.7 "First Progress Report on Formal Models", in the broad perspective of P2P systems. We begin by recapitulating the characteristics of peer-to-peer systems. We then discuss the nature of foundational work in general, highlighting the different kinds of contribution it can make. The main body of the report, Section 3, discusses the main problem areas in which foundational work is required for systems with the P2P characteristics: techniques for Specification and Correctness of the subtle distributed algorithms that arise in these systems
TCP, UDP, and Sockets: Volume 3: The Service-level Specification
ISSN 1476-2986
Despite more than 30 years of research on protocol specification, the major protocols deployed in the Internet, such as TCP, are described only in informal prose RFCs and executable code. In part this is because the scale and complexity of these protocols makes them challenging targets for formal descriptions, and because techniques for mathematically rigorous (but appropriately loose) specification are not in common use. In this work we show how these difficulties can be addressed. We develop a high-level specification for TCP and the Sockets API, describing the byte-stream service that TCP provides to users, expressed in the formalised mathematics of the HOL proof assistant. This complements our previous low-level specification of the protocol internals, and makes it possible for the first time to state what it means for TCP to be correct: that the protocol implements the service. We define a precise abstraction function between the models and validate it by testing, using verified testing infrastructure within HOL. Some errors may remain, of course, especially as our resources for testing were limited, but it would be straightforward to use the method on a larger scale. This is a pragmatic alternative to full proof, providing reasonable confidence at a relatively low entry cost. Together with our previous validation of the low-level model, this shows how one can rigorously

