SPLAT: A Tool for Model-Checking and Dynamically-Enforcing Abstractions

Conventional software model-checking involves (i) creating an abstract model of a complex application; (ii) validating this model against the application; and (iii) checking safety properties against the abstract model. To non-experts, steps (i) and (ii) are often the most daunting. Firstly how does one decide which aspects of the application to include in the abstract model? Secondly, how does one determine whether the abstraction inadvertently “hides” critical bugs? Similarly, if a counter-example is found, how does one determine whether this is a genuine bug or just a modelling artifact? Splat attempts to simplify the model specification and validation tasks with a view to making model checking more accessible to regular programmers. We provide a high-level modelling language, SPL, which enables developers to specify models in terms of allowable program events (e.g. valid sequences of received network packets). We have implemented a compiler that translates SPL into both Promela and a number of general purpose programming languages (e.g. C, OCaml, Java). The generated Promela can be used with SPIN [4] in order to check static properties of the model. The generated code provides an executable model in the form of a safety monitor : a program which dynamically checks whether the application’s behaviour deviates from the specified model. A developer can link this safety monitor against their application in order to dynamically ensure that the application’s behaviour does not deviate from the model. If the safety monitor detects that the application has violated the model then it logs this event and terminates the application. Although this technique simplifies model specification and validation it is, of course, not appropriate for all systems. For example, dynamically shutting down a fly-by-wire control system when a model violation is detected is not an option. However, we observe that there are a large class of applications where dynamic termination, while not desirable, is preferable to (say) a security breach. It is these areas in which we believe Splat can deliver real benefits. Our work currently focusses on implementing servers for common Internet protocols securely and correctly. None of the major industrial implementations of protocols such as HTTP (Apache), SMTP (Sendmail/Postfix), or DNS (BIND)