Dione: A Protocol Verification System Built with Dafny for I/O Automata

  • Chiao HsiehEmail author
  • Sayan Mitra
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11918)


Input/Output Automata (IOA) is an expressive specification framework with built-in properties for compositional reasoning. It has been shown to be effective in specifying and analyzing distributed and networked systems. The available verification engines for IOA are based on interactive theorem provers such as Isabelle, Larch, PVS, and Coq, and are expressive but require heavy human interaction. Motivated by the advances in SMT solvers, in this work we explore a different expressivity-automation tradeoff for IOA. We present Dione, the first IOA analysis system built with Dafny and its SMT-powered toolchain and demonstrate its effectiveness on four distributed applications. Our translator tool converts Python-esque Dione language specification of IOA and their properties to parameterized Dafny modules. Dione automatically generates the relevant compatibility and composition lemmas for the IOA specifications,which can then be checked with Dafny on a per module-basis. We ensure that all resulting formulas are expressed mostly in fragments solvable by SMT solvers and hence enables Bounded Model Checking and k-induction-based invariant checking using Z3. We present successful applications of Dione in verification of an asynchronous leader election algorithm, two self-stabilizing mutual exclusion algorithms, and CAN bus Arbitration. We automatically prove key invariants of all four protocols; for the last three this involves reasoning about arbitrary number of participants. These analyses are largely automatic with minimal manual inputs needed, and they demonstrate the effectiveness of this approach in analyzing networked and distributed systems.



The authors were supported in part by research grants from the National Science Foundation under the Cyber-Physical Systems (CPS) program (award number 1544901 and 1739966).


  1. 1.
    Athalye, A.A.R.: CoqIOA: a formalization of IO automata in the Coq proof assistant. Thesis, Massachusetts Institute of Technology (2017)Google Scholar
  2. 2.
    Bhargavan, K., Bond, B., et al.: Everest: towards a verified, drop-in replacement of HTTPS. In: SNAPL 2017, vol. 71, pp. 1:1–1:12. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017)Google Scholar
  3. 3.
    Bogdanov, A.: Formal verification of simulations between I/O automata. Thesis, Massachusetts Institute of Technology (2001)Google Scholar
  4. 4.
    Chockler, G., Lynch, N., Mitra, S., Tauber, J.: Proving atomicity: an assertional approach. In: Fraigniaud, P. (ed.) DISC 2005. LNCS, vol. 3724, pp. 152–168. Springer, Heidelberg (2005). Scholar
  5. 5.
    Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. In: ASE 2009, pp. 137–148, November 2009Google Scholar
  6. 6.
    Fekete, A., Kaashoek, M.F., Lynch, N.A.: Implementing sequentially consistent shared objects using broadcast and point-to-point communication. J. ACM 45(1), 35–69 (1998)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Fekete, A., Lynch, N.A., Shvartsman, A.A.: Specifying and using a partitionable group communication service. ACM Trans. Comput. Syst. 19(2), 171–216 (2001)CrossRefGoogle Scholar
  8. 8.
    Garland, S.J., Lynch, N.A., et al.: IOA user guide and reference manual (2003)Google Scholar
  9. 9.
    Ghosh, S.: Distributed Systems: An Algorithmic Approach, 2nd Edition, 2nd edn. Chapman & Hall/CRC, Boca Raton (2014)Google Scholar
  10. 10.
    Gurfinkel, A., Shoham, S., Meshman, Y.: SMT-based verification of parameterized systems. In: FSE 2016, pp. 338–348. ACM (2016)Google Scholar
  11. 11.
    Hawblitzel, C., Howell, J., et al.: IronFleet: proving practical distributed systems correct. In: SOSP 2015, pp. 1–17. ACM (2015)Google Scholar
  12. 12.
    Hsieh, C., Mitra, S.: Dione (2019).
  13. 13.
    ISO: Road vehicles-Controller area network (CAN) - Part 1: Data link layer and physical signalling. Standard, International Organization for Standardization, December 2003Google Scholar
  14. 14.
    Kaynar, D.K., Lynch, N., et al.: Timed I/O automata: a mathematical framework for modeling and analyzing real-time systems. In: RTSS 2003, p. 166. IEEE Computer Society (2003)Google Scholar
  15. 15.
    Komuravelli, A., Gurfinkel, A., Chaki, S.: SMT-based model checking for recursive programs. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 17–34. Springer, Cham (2014). Scholar
  16. 16.
    Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). Scholar
  17. 17.
    Leino, K.R.M.: Automating theorem proving with SMT. In: Blazy, S., Paulin-Mohring, C., Pichardie, D. (eds.) ITP 2013. LNCS, vol. 7998, pp. 2–16. Springer, Heidelberg (2013). Scholar
  18. 18.
    Lesani, M., Bell, C.J., Chlipala, A.: Chapar: certified causally consistent distributed key-value stores. In: POPL 2016, pp. 357–370. ACM (2016)CrossRefGoogle Scholar
  19. 19.
    Lim, H., Kaynar, D., Lynch, N., Mitra, S.: Translating timed I/O automata specifications for theorem proving in PVS. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 17–31. Springer, Heidelberg (2005). Scholar
  20. 20.
    Lynch, N.A.: Distributed Algorithms. Morgan Kaufmann Publishers Inc., San Francisco (1996)zbMATHGoogle Scholar
  21. 21.
    Nipkow, T., Slind, K.: I/O automata in Isabelle/HOL. In: Dybjer, P., Nordström, B., Smith, J. (eds.) TYPES 1994. LNCS, vol. 996, pp. 101–119. Springer, Heidelberg (1995). Scholar
  22. 22.
    O’Hearn, P.W.: Continuous reasoning: scaling the impact of formal methods. In: LICS 2018, pp. 13–25. ACM (2018)Google Scholar
  23. 23.
    Padon, O., McMillan, K.L., et al.: Ivy: safety verification by interactive generalization. In: PLDI 2016, pp. 614–630. ACM (2016)CrossRefGoogle Scholar
  24. 24.
    Pnueli, A., Rodeh, Y., et al.: The small model property: how small can it be? Inf. Comput. 178(1), 279–293 (2002)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Smith, M.A.S.: Formal verification of TCP and T/TCP. Ph.D. thesis (1997)Google Scholar
  26. 26.
    Tuttle, M.R., Goel, A.: Protocol proof checking simplified with SMT. In: NCA 2012, pp. 195–202, August 2012Google Scholar
  27. 27.
    Wilcox, J.R., Woos, D., et al.: Verdi: a framework for implementing and formally verifying distributed systems. In: PLDI 2015, pp. 357–368. ACM (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.University of Illinois at Urbana-ChampaignChampaignUSA

Personalised recommendations