Experiments in Theorem Proving and Model Checking for Protocol Verification

Communication protocols pose interesting and diicult challenges for veriication technologies. The state spaces of interesting protocols are either innnite or too large for nite-state veriication techniques like model checking and state exploration. Theorem proving is also not eeective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol veriication experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be veriied using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Mur state exploration tool as a debugging aid and then translated into the PVS speciication language. The PVS veriication of the generalized protocol illustrates the diiculty of using theorem proving to verify innnite-state protocols. Some of this diiculty can be overcome by extracting a nite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Mur, SMV, and the PVS model checkers on this reduced protocol. ? Sam Owre (SRI) has assisted with the use of PVS and suggested several improvements to the paper. Sreeranga Rajan (SRI) was instrumental in integrating the mu-calculus model checker (built by Geert Janssen of Eindhoven University of Technology) into PVS. SeungJoon Park of Stanford University implemented the Mur-to-PVS translator. David Cyrluk (SRI and Stanford University) sped up parts of the PVS equality decision procedure. Ken McMillan (Cadence Labs) suggested that we examine forward reachability as a way of obtaining eeciency from the PVS model checker. We are also grateful to John Rushby (SRI) for facilitating Klaus Havelund's visit to SRI, and to Therese Hardin (LITP) for providing a stimulating environment at LITP in Paris. ?? Supported by a European Community HCM grant, with origin institution being