Posted on 20-Jan-2016
Formal Verification of AODV Protocol using Cadence SMV
Xin Liu and Jun Wang
(CPSC513 Course Project)
Motivation
Find an appropriate approach to using Cadence SMV to verify real-life software communication protocols such as AODV. The emphasis is on how to build the model.
Find some bugs in the AODV protocol (RFC 3561)? Hope we can…
AODV Introduction
AODV (Ad hoc On-demand Distance Vector) Protocol
A reactive routing protocol for mobile ad hoc networks.
Being standardized by the IETF for MANET.
13 Internet-Drafts and one experimental RFC, RFC 3561 (July 2003).
Important property: loop freedom.
AODV Introduction (cont.)
Example: route discovery on a linear topology A - B - C, where A is the originator, B the intermediate node and C the destination. C's own sequence number is 0. Message contents: a RREQ carries dest_seq; a RREP carries dest_seq and hop_count; a RERR carries dest_seq.

Step 1. All three routing tables (Dest Seq / Next Hop / Hop count) are empty. A broadcasts a RREQ with an unknown dest_seq (shown as -), B rebroadcasts it, and C answers with RREP: 0, 0 (dest_seq 0, hop_count 0).

Step 2. B installs the route and forwards the reply to A as RREP: 0, 1.
  Node  Dest Seq  Next Hop  Hop count
  A     -         -         -
  B     0         C         1
  C     -         -         -

Step 3. A installs the route.
  Node  Dest Seq  Next Hop  Hop count
  A     0         B         2
  B     0         C         1
  C     -         -         -
Building Model
We have built 4 versions of the model.
Some tricks in modeling (used in all the models):
How to model a node: we do not model a node as a module. Instead, we model each operation of a node as a module, such as route discovery, receiving a RREP, etc.
Timeout: nondeterminism or a counter.
Sequence number: it is too expensive to model it as unbounded or as 32 bits wide. The solution is to use a small range (< 3) plus a boundary value.
Periodic Hello messages: periodic messages are very hard to model in SMV, so we do not model them directly. Instead, we model a link break as a process, which has the same effect as missing the periodic Hello messages.
Message loss: easy to model, but hard to make fair. The solution is to use fairness constraints when the property being verified is reachability. For the loop-free property, plain nondeterminism is fine.
Building Model – 1st Model
1st Model (naive approach): try to build a complete and general model.
Results: the 2-node model works, but it consumes 300 to 400 MB of memory.
The 3-node model suffers state explosion!
Building Model – 2nd Model
2nd Model:
Every node has a specific role: originator, intermediate node, or destination. Only the originator can initiate route discovery. Each node only maintains the data related to its role.
Enumerate the possible network topologies and model each meaningful topology separately.
Building Model – 2nd Model
Possible 3-node network topologies:
(a) Linear topology: originator - intermediate node - destination
(b) Triangle topology: originator, intermediate node and destination pairwise connected
Building Model – 2nd Model
Result: the result looked "great!": we found 2 "bugs", one with the linear model and the other with the triangle model.
Are they really bugs? No. We found that we had incremented the destination sequence number incorrectly in some situations. We should be more careful in modeling the protocol, but we also think that RFC 3561 is not organized very well and is not written clearly.
  Model           Variables  Memory   Running time
  Linear Model    48         114 MB   4 minutes
  Triangle Model  88         130 MB   4.5 minutes
Building Model – 3rd Model
3rd Model:
First, fix the mistakes of the 2nd Model.
Minimize the number of variables further: we get rid of variables that can be derived from other variables.
Besides the 3-node topologies, also consider the possible 4-node network topologies, modeling each meaningful topology separately.
Building Model – 3rd Model
Possible 4-node network topologies:
Star topology, Umbrella topology, Linear topology, Diamond topology, Complete topology, Camel topology
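The 3-node and 4-node topology lists can be regenerated mechanically rather than drawn by hand. The script below is an added example for this page, not part of the original project: it enumerates the connected graphs on n nodes up to relabeling, which are the shapes the 2nd and 3rd models later assign roles to. It yields 2 shapes for 3 nodes and 6 for 4 nodes, matching the slides. The function names are ours, and the slides' names (star, umbrella, camel, ...) are not attached to the results because the slides do not spell out which of the two 4-edge shapes is the umbrella and which is the camel.

```python
"""Added example: enumerate the connected n-node topologies up to relabeling, the
shapes the 2nd and 3rd models assign roles to (2 shapes for 3 nodes, 6 for 4)."""
from itertools import combinations, permutations


def connected(n, edges):
    """Depth-first search from node 0 over an undirected edge list."""
    adj = {v: set() for v in range(n)}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = {0}, [0]
    while stack:
        for w in adj[stack.pop()]:
            if w not in seen:
                seen.add(w)
                stack.append(w)
    return len(seen) == n


def canonical(n, edges):
    """Relabeling-invariant key: the smallest sorted edge list over all n! relabelings."""
    return min(tuple(sorted(tuple(sorted((p[a], p[b]))) for a, b in edges))
               for p in permutations(range(n)))


def topologies(n):
    """One representative edge list per connected shape on n nodes, fewest edges first."""
    pairs = list(combinations(range(n), 2))
    shapes = {}
    for k in range(n - 1, len(pairs) + 1):          # a connected graph needs n-1 edges
        for edges in combinations(pairs, k):
            if connected(n, edges):
                shapes.setdefault(canonical(n, edges), edges)
    return sorted(shapes.values(), key=len)


def degree_sequence(n, edges):
    """Sorted node degrees: enough to tell the six 4-node shapes on the slides apart."""
    deg = [0] * n
    for a, b in edges:
        deg[a] += 1
        deg[b] += 1
    return tuple(sorted(deg))


if __name__ == "__main__":
    for n in (3, 4):
        print(n, "nodes:", [(len(e), degree_sequence(n, e)) for e in topologies(n)])
```

The 4-node shapes come out with degree sequences (1,1,1,3) star, (1,1,2,2) linear, (1,2,2,3) and (2,2,2,2) for the two 4-edge shapes, (2,2,3,3) diamond and (3,3,3,3) complete. Placing the roles on a shape multiplies the number of labeled models (on the 3-node linear topology the originator can sit at an end or in the middle), which is why the slides restrict themselves to the placements they consider meaningful.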
Building Model – 3rd Model
We modeled the star and umbrella topologies for 4 nodes.
Result: the 3-node models work. The 4-node star topology works: it has 98 variables, consumes 45 MB of memory, and runs for 2 minutes. The 4-node umbrella topology does not work: it is not a state explosion; instead, whenever memory use reaches 600+ MB, SMV crashes!
The verification result: "loop free".
Building Model – 4th Model
Is AODV really loop free? What else can we do?
During model construction we made abstractions; lots of details were not considered or modeled.
Looking at RFC 3561 more carefully, we found this sentence:
"A node initiates a RERR message in three situations: (i)… (ii) if it gets a data packet destined to a node for which it does not have an active route… (iii)…"
We decided to add data packets to our model.
Building Model – 4th Model
4th Model: add data packets to the model.
Results: the 3-node triangle model found a bug. Great!!! We double-checked RFC 3561, and we think it is a real bug!
Building Model – 4th Model
The bug we found (3-node triangle topology: A originator, B intermediate node, C destination; message contents as before: a RREQ carries dest_seq, a RREP carries dest_seq and hop_count, a RERR carries dest_seq; "flag" is the route entry's valid/invalid flag):

Step 1. Initial state; C's own sequence number is 0.
  Node  Dest Seq  flag     Next Hop  Hop count
  A     0         valid    B         2
  B     0         valid    C         1
The link B-C breaks. B starts local repair and broadcasts RREQ: 1, which is lost.

Step 2. The repair times out. B's entry becomes invalid and B sends RERR: 0, which is also lost.
  Node  Dest Seq  flag     Next Hop  Hop count
  A     0         valid    B         2
  B     1         invalid  -         -

Step 3. B broadcasts RREQ: 1 and A rebroadcasts it (RREQ: 1) toward C. The tables are unchanged.

Step 4. C updates its sequence number to 1 and answers with RREP: 1, 0. Meanwhile a data packet for C leaves A over its existing next hop B.

Step 5. A installs the reply and forwards RREP: 1, 1 to B. B, holding a data packet for C without an active route, sends RERR: 1 to A.
  Node  Dest Seq  flag     Next Hop  Hop count
  A     1         valid    C         1
  B     1         invalid  -         -

Step 6. A has processed the RERR and B the RREP.
  Node  Dest Seq  flag     Next Hop  Hop count
  A     1         invalid  -         -
  B     1         valid    A         2

Step 7. The link A-C breaks as well. A broadcasts RREQ: 1, and B answers from its table with RREP: 1, 2.

Step 8. Final state.
  Node  Dest Seq  flag     Next Hop  Hop count
  A     1         valid    B         3
  B     1         valid    A         2
A's next hop for C is B and B's next hop for C is A: a routing loop.
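Both the introductory route discovery and the loop trace above can be replayed mechanically. The script below is an added example written for this page; it is not the authors' SMV model or any project code. It implements the message rules the slides rely on for a single destination (RFC 3561 section numbers in the comments), and lets the scenario choose message loss, link breaks and the order in which in-flight messages are delivered, the way the model checker would. Function and field names are ours; the trigger of B's second RREQ and the direction of the data packet are read off the slides rather than stated on them. The RERR handling is written as the slides' tables imply (A's entry is invalidated by B's RERR although A's next hop is C); compare it with RFC 3561 section 6.11, which restricts invalidation to entries whose next hop is the RERR sender, before treating the loop as a protocol bug rather than a modeling choice.

```python
"""Added example: replay of the slides' route discovery and loop trace on 3 nodes.
Only routes to one destination are kept; timeouts, loss and delivery order are scripted."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    seq: int                   # destination sequence number
    valid: bool                # the slides' "flag" column
    next_hop: Optional[str]
    hops: Optional[int]


class Node:
    def __init__(self, name):
        self.name, self.route, self.seq = name, None, 0   # seq: own number (destination)
        self.seen = set()      # RREQ ids already handled: flooding guard
        self.reverse = {}      # RREQ id -> neighbour to send the RREP back to


class Net:
    def __init__(self, names, links, dest):
        self.nodes = {n: Node(n) for n in names}
        self.links = {frozenset(l) for l in links}
        self.dest, self.pending, self.trace, self.rid = dest, [], [], 0

    def neighbours(self, a):
        return sorted(n for n in self.nodes if n != a and frozenset((a, n)) in self.links)

    def break_link(self, a, b):
        self.links.discard(frozenset((a, b)))
        self.trace.append(f"link {a}-{b} breaks")

    @staticmethod
    def rrep(src, dst, rid, seq, hops):
        return dict(kind="RREP", src=src, dst=dst, id=rid, seq=seq, hops=hops)

    def rreq(self, a, dest_seq):                 # 6.3: one copy per live neighbour
        self.rid += 1
        rid = (a, self.rid)
        self.nodes[a].seen.add(rid)
        return [dict(kind="RREQ", src=a, dst=n, id=rid, seq=dest_seq, hops=0)
                for n in self.neighbours(a)]

    def local_repair(self, b):                   # 6.12: RREQ with incremented dest seq
        return self.rreq(b, self.nodes[b].route.seq + 1)

    def repair_timeout(self, b, to):             # 6.12 -> 6.11: invalidate, send RERR
        seq = self.nodes[b].route.seq + 1
        self.nodes[b].route = Route(seq, False, None, None)
        return [dict(kind="RERR", src=b, dst=to, seq=seq)]

    def on_rreq(self, n, m):
        if m["id"] in n.seen:
            return []
        n.seen.add(m["id"])
        if n.name == self.dest:                  # 6.6.1: destination answers
            n.seq = max(n.seq, m["seq"])
            return [self.rrep(n.name, m["src"], m["id"], n.seq, 0)]
        r = n.route
        if r and r.valid and r.seq >= m["seq"]:   # 6.6.2: intermediate node answers from
            return [self.rrep(n.name, m["src"], m["id"], r.seq, r.hops)]  # its table, even if next hop == src
        n.reverse[m["id"]] = m["src"]
        return [dict(m, src=n.name, dst=x, hops=m["hops"] + 1)
                for x in self.neighbours(n.name) if x != m["src"]]

    def on_rrep(self, n, m):                     # 6.7: install, then forward back
        n.route = Route(m["seq"], True, m["src"], m["hops"] + 1)
        back = n.reverse.pop(m["id"], None)
        return [self.rrep(n.name, back, m["id"], m["seq"], m["hops"] + 1)] if back else []

    def on_rerr(self, n, m):
        # As the slides' tables imply: a RERR with a seq at least as new as the local entry
        # invalidates it regardless of next hop (RFC 3561 6.11 checks the next hop; scrutinise).
        r = n.route
        if r and r.valid and r.seq <= m["seq"]:
            n.route = Route(m["seq"], False, None, None)
        return []

    def on_data(self, n, m):
        r = n.route
        if n.name == self.dest:
            return []
        if r and r.valid:
            return [dict(kind="DATA", src=n.name, dst=r.next_hop)]
        return [dict(kind="RERR", src=n.name, dst=m["src"], seq=r.seq if r else 0)]  # 6.11 (ii)

    def run(self, msgs, drop=(), hold=()):
        """Deliver FIFO. Keys (kind, src, dst) in `drop` are lost; keys in `hold` wait in
        self.pending so the scenario can deliver something else first."""
        queue = list(msgs)
        while queue:
            m = queue.pop(0)
            key = (m["kind"], m["src"], m["dst"])
            if key in drop:
                self.trace.append(f"{key} lost"); continue
            if key in hold:
                self.pending.append(m); continue
            if frozenset(key[1:]) not in self.links:
                self.trace.append(f"{key} undeliverable: link down"); continue
            self.trace.append(f"{key} seq={m.get('seq')} hops={m.get('hops')}")
            queue.extend(getattr(self, "on_" + m["kind"].lower())(self.nodes[m["dst"]], m))

    def release(self):
        msgs, self.pending = self.pending, []
        self.run(msgs)

    def path_from(self, start):
        """Follow next hops to the destination; True if a node repeats (a loop)."""
        path, cur = [], start
        while cur != self.dest:
            if cur in path:
                return path + [cur], True
            path.append(cur)
            r = self.nodes[cur].route
            if not (r and r.valid):
                return path, False
            cur = r.next_hop
        return path + [cur], False


def intro_discovery():
    """'AODV Introduction' slides: linear A-B-C, A discovers a route to C."""
    net = Net("ABC", [("A", "B"), ("B", "C")], dest="C")
    net.run(net.rreq("A", 0))
    return net


def bug_trace():
    """'The bug we found' slides: triangle topology, from the tables of step 1."""
    net = Net("ABC", [("A", "B"), ("B", "C"), ("A", "C")], dest="C")
    net.nodes["A"].route, net.nodes["B"].route = Route(0, True, "B", 2), Route(0, True, "C", 1)
    net.break_link("B", "C")
    net.run(net.local_repair("B"), drop={("RREQ", "B", "A")})        # repair RREQ lost
    net.run(net.repair_timeout("B", "A"), drop={("RERR", "B", "A")})  # RERR lost
    # B floods RREQ 1; A forwards it to C; C answers RREP 1,0; A installs C as next hop.
    # A's RREP 1,1 to B is held in flight while A's data packet reaches B first:
    net.run(net.rreq("B", 1), hold={("RREP", "A", "B")})
    net.run([dict(kind="DATA", src="A", dst="B")])   # B has no active route -> RERR 1 to A
    net.release()                                    # now B routes to C via A (hops 2)
    net.break_link("A", "C")
    net.run(net.rreq("A", 1))                        # B answers from its table: RREP 1,2
    return net
```

Running bug_trace() and printing net.trace reproduces the slide sequence, and path_from("A") returns (["A", "B", "A"], True), the loop of step 8; intro_discovery() ends with A: (0, valid, B, 2) and B: (0, valid, C, 1) as in the introduction. The `hold` argument is the interesting knob: delivering A's RREP to B before the data packet yields no loop, so the counterexample depends on one particular interleaving, which is exactly what an exhaustive model checker explores and a single simulation run would miss.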
Conclusion
We found an appropriate approach to verifying the AODV protocol with SMV: model separately for each role and for each possible network topology.
We found a bug in the current AODV protocol.
We think SMV is not a suitable tool for verifying communication protocols; it is more suitable for verifying hardware systems.
To verify real-life communication protocols you need a very powerful machine; our suggestion is to try to find a mainframe…
References
1. RFC 3561, http://www.faqs.org/rfcs/rfc3561.html
2. Cadence SMV documentation.
3. K. Bhargavan, D. Obradovic, C. A. Gunter. Formal Verification of Standards for Distance Vector Routing Protocols. Journal of the ACM, Volume 49, Issue 4, July 2002.
4. Sibusisiwe Chiyangwa, Marta Kwiatkowska. Modeling Ad hoc On-demand Distance Vector (AODV) Protocol with Timed Automata. In Proc. Third Workshop on Automated Verification of Critical Systems (AVoCS'03), Southampton, April 2003.
5. …