Experiments in theorem proving and model checking for protocol verification

  • Klaus Havelund
  • Natarajan Shankar
Session 11: Model Checking (2)
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1051)


Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking.

Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the Murφ state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized protocol illustrates the difficulty of using theorem proving to verify infinite-state protocols. Some of this difficulty can be overcome by extracting a finite-state abstraction of the protocol that preserves the property of interest while being amenable to model checking. We compare the performance of Murφ, SMV, and the PVS model checkers on this reduced protocol.
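As an added illustration (not the paper's own model or the authors' code), the following Python block runs a Murφ-style explicit-state reachability check over a scaled-down bounded retransmission protocol: a sender with a bounded retry count, a single-slot lossy channel, and a receiver that filters retransmissions with an alternating bit. The chunk count, retry bound, state layout and safety invariant are constructed assumptions; the `alternating_bit` switch lets the same search exhibit a duplicate delivery when the bit is dropped.

```python
from collections import deque

MAX_RETRIES = 2   # constructed bound: one transmission plus at most two retries
FILE_LEN = 3      # constructed file size in chunks
# state = (next_chunk, sender_bit, retries, channel, receiver_bit, delivered)
START = (0, 0, 0, None, 0, ())

def successors(s, alternating_bit=True):
    nxt, sbit, retries, chan, rbit, delivered = s
    out = []
    if nxt < FILE_LEN and chan is None and retries <= MAX_RETRIES:
        # sender (re)transmits the current chunk tagged with its alternating bit
        out.append((nxt, sbit, retries + 1, ("data", nxt, sbit), rbit, delivered))
    if chan is not None:
        out.append((nxt, sbit, retries, None, rbit, delivered))  # lossy channel drops the frame
        if chan[0] == "data":
            _, chunk, bit = chan
            if bit == rbit or not alternating_bit:
                # fresh chunk: deliver it, flip the expected bit, acknowledge
                out.append((nxt, sbit, retries, ("ack", bit), 1 - rbit, delivered + (chunk,)))
            else:  # stale retransmission: acknowledge again, do not deliver
                out.append((nxt, sbit, retries, ("ack", bit), rbit, delivered))
        else:
            _, bit = chan
            if bit == sbit:  # acknowledged: next chunk, flip bit, reset retry counter
                out.append((nxt + 1, 1 - sbit, 0, None, rbit, delivered))
            else:  # stale acknowledgement is ignored
                out.append((nxt, sbit, retries, None, rbit, delivered))
    return out

def invariant(s):
    """Safety property: chunks are delivered in order with no duplicates."""
    delivered = s[5]
    return delivered == tuple(range(len(delivered)))

def explore(alternating_bit=True):
    """Breadth-first search over the finite state space; returns
    (invariant_holds, states_visited, first_violating_state_or_None)."""
    seen, frontier = {START}, deque([START])
    while frontier:
        s = frontier.popleft()
        if not invariant(s):
            return False, len(seen), s  # counterexample state
        for t in successors(s, alternating_bit):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return True, len(seen), None
```

`explore()` reports that the invariant holds on every reachable state, while `explore(alternating_bit=False)` returns the first state in which chunk 0 has been delivered twice after a lost acknowledgement.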




References

1. K. A. Bartlett, R. A. Scantlebury, and P. T. Wilkinson. A note on reliable full-duplex transmission over half-duplex links. Communications of the ACM, 12(5):260–261, May 1969.
2. Rachel Mary Cardell-Oliver. The formal verification of hard real-time systems. Technical Report 255, University of Cambridge Computer Laboratory, 1992.
3. K. M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison Wesley, 1988.
4. E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems, 16(5):1512–1542, September 1994.
5. C. Cornes, J. Courant, J. C. Filliâtre, G. Huet, P. Manoury, C. Paulin-Mohring, C. Muñoz, C. Murthy, C. Parent, A. Saïbi, and B. Werner. The Coq proof assistant reference manual, version 5.10. Technical report, INRIA, Rocquencourt, France, February 1995. This version is newer than the version used to verify the BRP protocol in [10].
6. D. Cyrluk, S. Rajan, N. Shankar, and M. K. Srivas. Effective theorem proving for hardware verification. In Ramayya Kumar and Thomas Kropf, editors, Theorem Provers in Circuit Design (TPCD '94), volume 910 of Lecture Notes in Computer Science, pages 203–222, Bad Herrenalb, Germany, September 1994. Springer-Verlag.
7. Dennis Dams, Orna Grumberg, and Rob Gerth. Abstract interpretation of reactive systems: Abstractions preserving ∀CTL*, ∃CTL* and CTL*. In Ernst-Rüdiger Olderog, editor, Programming Concepts, Methods and Calculi (PROCOMET '94), pages 561–581, 1994.
8. M. J. C. Gordon. HOL: A proof generating system for higher-order logic. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 73–128. Kluwer, Dordrecht, The Netherlands, 1988.
9. J. F. Groote and J. C. van de Pol. A bounded retransmission protocol for large packets. A case study in computer checked verification. Logic Group Preprint Series 100, Utrecht University, 1993.
10. L. Helmink, M. P. A. Sellink, and F. W. Vaandrager. Proof-checking a data link protocol. Technical Report CS-R9420, Centrum voor Wiskunde en Informatica (CWI), Computer Science/Department of Software Technology, March 1994.
11. G. J. Holzmann. Design and Validation of Computer Protocols. Prentice-Hall, 1991.
12. G. Janssen. ROBDD software. Department of Electrical Engineering, Eindhoven University of Technology, October 1993.
13. Simon S. Lam and A. Udaya Shankar. Protocol verification via projections. IEEE Transactions on Software Engineering, SE-10(4):325–342, July 1984.
14. L. Lamport. The Temporal Logic of Actions. Technical report, Digital Equipment Corporation (DEC) Systems Research Center, Palo Alto, California, USA, April 1994.
15. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:11–44, 1995.
16. N. A. Lynch and M. R. Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceedings of the Sixth Annual Symposium on Principles of Distributed Computing, New York, pages 137–151. ACM Press, 1987.
17. K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Boston, 1993.
18. R. Melton, D. L. Dill, and C. Norris Ip. Murphi annotated reference manual, version 2.6. Technical report, Stanford University, Palo Alto, California, USA, November 1993. Written by C. Norris Ip.
19. O. Müller and T. Nipkow. Combining model checking and deduction for I/O-automata. Technical University of Munich. Draft manuscript, 1995.
20. S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107–125, February 1995.
21. S. Rajan, N. Shankar, and M. K. Srivas. An integration of model-checking with automated proof checking. In Computer-Aided Verification (CAV) 1995, Liège, Belgium, Lecture Notes in Computer Science, volume 939, pages 84–97. Springer-Verlag, July 1995.

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Klaus Havelund (1)
  • Natarajan Shankar (2)

  1. Institut Blaise Pascal, LITP, Paris, France
  2. Computer Science Laboratory, SRI International, Menlo Park, USA
