Role-Based Symmetry Reduction of Fault-Tolerant Distributed Protocols with Language Support
Fault-tolerant (FT) distributed protocols (such as group membership, consensus, etc.) represent fundamental building blocks for many practical systems, e.g., the Google File System. Rigor is desirable not only in the design of such a protocol but especially in its verification, given the complexity and fallibility of manual proofs. The application of model checking (MC) to protocol verification is attractive because of its full automation and rich property language. However, being an exhaustive exploration method, its scalable use is very much constrained by the overall number of distinct system states. We observe that, although FT distributed protocols usually display a very high degree of symmetry, which stems from permuting different processes, MC efforts targeting their automated verification often disregard this symmetry. Therefore, we propose to leverage the framework of symmetry reduction and improve on existing applications of it by specifying so-called role-based symmetries. Our secondary contribution is to define a high-level description language called FTDP to ease the symmetry-aware specification of FT distributed protocols. FTDP supports synchronous as well as asynchronous protocols, a variety of fault types, and the specification of safety and liveness properties. Specifications written in FTDP can be analyzed directly by tools supporting symmetry reduction. We demonstrate the benefit of our approach using the example of well-known and complex distributed FT protocols, specifically Paxos and the Byzantine Generals.
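The following is an added illustration of role-based symmetry reduction, not code from the paper or from FTDP. It uses a constructed toy model with two roles, a single leader and n interchangeable acceptors, explores the reachable state space with and without reducing states to orbit representatives (sorting the acceptors' local states within their role), and checks a symmetric safety property on the representatives only.

```python
from collections import deque

# Constructed toy model (not the paper's FTDP): one leader process plus
# n interchangeable acceptors. Acceptor local state: 0 idle, 1 promised,
# 2 accepted. Leader phase: P (prepare), A (accept), D (decided).
# A role is a group of processes running identical code; only processes
# of the same role may be permuted, which is the role-based symmetry.

def successors(state, n):
    phase, acc = state
    majority = n // 2 + 1
    out = []
    for i, v in enumerate(acc):           # any acceptor may advance one step
        if v < 2:
            out.append((phase, acc[:i] + (v + 1,) + acc[i + 1:]))
    if phase == "P" and sum(1 for v in acc if v >= 1) >= majority:
        out.append(("A", acc))            # enough promises: start accept phase
    if phase == "A" and sum(1 for v in acc if v == 2) >= majority:
        out.append(("D", acc))            # quorum accepted: decide
    return out

def canonical(state):
    # Sort the acceptor tuple: the orbit representative under permutation
    # of acceptor processes. The leader role has one member, so it is fixed.
    phase, acc = state
    return (phase, tuple(sorted(acc)))

def explore(n, reduce):
    # Breadth-first reachability; with reduce=True every state is replaced
    # by its representative, so each symmetry orbit is visited once.
    init = ("P", (0,) * n)
    rep = canonical if reduce else (lambda s: s)
    seen = {rep(init)}
    queue = deque([rep(init)])
    while queue:
        s = queue.popleft()
        for t in successors(s, n):
            t = rep(t)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def decided_implies_quorum(states, n):
    # Symmetric safety property: every decided state has a majority of
    # accepted acceptors. Checking representatives suffices because the
    # property is invariant under permutation of acceptors.
    majority = n // 2 + 1
    return all(phase != "D" or sum(1 for v in acc if v == 2) >= majority
               for phase, acc in states)

if __name__ == "__main__":
    for n in (3, 5):
        full, red = explore(n, False), explore(n, True)
        print(n, len(full), len(red), decided_implies_quorum(red, n))
```

For n = 3 the unreduced exploration visits 54 states while the reduced one visits 20 representatives, and the gap widens with n since the orbit count grows polynomially while the full state count grows exponentially.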
Keywords: Model Checking, Symmetric State, Symmetry Reduction, Liveness Property, Computation Tree Logic