Formal Verification of AODV Protocol using Cadence SMV (PowerPoint presentation transcript)

Date added: 10 March 2020
Slides: 29
Provided by: Xin54

Transcript and Presenter's Notes
1
Formal Verification of AODV Protocol using
Cadence SMV
(CPSC513 Course Project)
  • Xin Liu and Jun Wang
  • liu@cs.ubc.ca, jwang@cs.ubc.ca


2
Outline
  • Motivation
  • AODV Introduction
  • Building Model
  • Conclusion

3
Motivation
  • Find an appropriate approach to using Cadence SMV to verify
    real-life software communication protocols such as AODV. The
    emphasis is on how to build the model.
  • Find some bugs in the AODV protocol (RFC 3561)? We hope we can.

4
AODV Introduction
  • AODV (Ad hoc On-demand Distance Vector) protocol
  • A reactive routing protocol for ad hoc mobile networks.
  • Being standardized by the IETF MANET working group.
  • 13 Internet-Drafts and one experimental RFC, RFC 3561 (July 2003).
  • Important property: loop freedom.

5
AODV Introduction (cont.)
  • Example: route discovery from originator A to destination C through
    intermediate node B (linear topology A - B - C). Message labels in
    the diagrams: RREQ <dest_seq>; RREP <dest_seq, hop_count>;
    RERR <dest_seq>.
  • Step 1: A broadcasts an RREQ, B rebroadcasts it, and C (sequence
    number 0) answers with RREP <0, 0>. No route entries exist yet.

    Route entries for destination C
    Node  Dest Seq  Next Hop  Hop count
    A     -         -         -
    B     -         -         -
    C     own sequence number 0
6
AODV Introduction (cont.)
  • Example (cont.)
  • Step 2: B receives the RREP, installs a route to C, and forwards
    RREP <0, 1> to A.

    Route entries for destination C
    Node  Dest Seq  Next Hop  Hop count
    A     -         -         -
    B     0         C         1
    C     own sequence number 0
7
AODV Introduction (cont.)
  • Example (cont.)
  • Step 3: A receives the forwarded RREP and installs its route to C
    via B with hop count 2.

    Route entries for destination C
    Node  Dest Seq  Next Hop  Hop count
    A     0         B         2
    B     0         C         1
    C     own sequence number 0
8
Building Model
  • We have built 4 versions of the model.
  • Some tricks in modeling (used in all the models):
  • How to model a node: we do not model a node as a module. Instead
    we model each operation of a node as a module, such as route
    discovery or receiving an RREP.
  • Timeout: nondeterministic choice or a counter.
  • Sequence number: too expensive to model as unbounded or as 32 bits
    wide. Solution: a small range (< 3) plus a boundary value.
  • Periodic Hello messages: very hard to model directly in SMV, so we
    do not. Instead we model link breakage as a process, which has the
    same effect as not receiving periodic Hello messages.
  • Message loss: easy to model, but hard to make fair. Solution: add
    fairness constraints when the property being verified is a
    reachability (progress) property; for the loop-free property, a
    safety property whose counterexamples are finite, plain
    nondeterministic loss is fine.

9
Building Model 1st Model
  • 1st model (naive approach)
  • Try to build a complete and general model.
  • Results
  • The 2-node model works, but consumes 300-400 MB of memory.
  • The 3-node model: state explosion!

10
Building Model 2nd Model
  • 2nd model
  • Every node has a specific role: originator, intermediator, or
    destination. Only the originator can initiate route discovery. Each
    node only maintains the data related to its role.
  • Enumerate the possible network topologies and model each meaningful
    topology separately.

11
Building Model 2nd Model
  • Possible 3-node network topologies
  • (a) Linear topology: originator - intermediator - destination
  • (b) Triangle topology: originator, intermediator and destination
    are all adjacent
12
Building Model 2nd Model
  • Result
  • The result was great: we found 2 bugs, one in the linear model and
    the other in the triangle model.
  • Are they really bugs?
  • No. We found that our model incremented the destination sequence
    number incorrectly in some situations.
  • We should be more careful when modeling the protocol, but we also
    think RFC 3561 is not well organized and not clearly written.

    Model           Variables  Memory  Running time
    Linear model    48         114 MB  4 minutes
    Triangle model  88         130 MB  4.5 minutes
13
Building Model 3rd Model
  • 3rd model
  • First, fix the mistakes in the 2nd model.
  • Minimize the number of variables further: drop variables that can
    be derived from other variables.
  • Besides 3 nodes, also consider the possible 4-node network
    topologies, and model each meaningful topology separately.

14
Building Model 3rd Model
  • Possible 4-node network topologies: star, umbrella, linear,
    diamond, complete, camel.
15
Building Model 3rd Model
  • We modeled the star and umbrella topologies for 4 nodes.
  • Results
  • The 3-node models work.
  • The 4-node star topology works: 98 variables, 45 MB of memory,
    2 minutes of running time.
  • The 4-node umbrella topology does not work. It is not state
    explosion: whenever memory use reaches 600 MB, SMV crashes.
  • Verification result for the models that completed: loop free.

16
Building Model 4th Model
  • Is AODV really loop free? What else can we do?
  • During model construction we made abstractions; many details were
    not considered or modeled.
  • Looking at RFC 3561 more carefully, we found this sentence:
  • "A node initiates a RERR message in three situations:
  • (i)
  • (ii) if it gets a data packet destined to a node for which it does
    not have an active route
  • (iii)"
  • We decided to add the data packet to our model.

17
Building Model 4th Model
  • 4th model
  • Add the data packet to the model.
  • Results
  • The 3-node triangle model found a bug. Great!
  • We double-checked RFC 3561 and we think it is a real bug!

18
Building Model 4th Model
  • The bug we found (3-node triangle topology: A, B and C are all
    neighbours). Initial state: A routes to C via B, B routes to C
    directly, and C's sequence number is 0. Message labels as before:
    RREQ <dest_seq>; RREP <dest_seq, hop_count>; RERR <dest_seq>.
  • Step 1: the link B-C breaks. B attempts local repair by sending
    RREQ <1>, which is lost.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     0         valid    B         2
    B     0         valid    C         1
    C     own sequence number 0
19
Building Model 4th Model
  • The bug we found (cont.)
  • Step 2: the repair times out. B marks its route invalid (sequence
    number now 1) and sends RERR <0>, which is lost, so A's entry is
    unchanged.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     0         valid    B         2
    B     1         invalid  -         -
    C     own sequence number 0
20
Building Model 4th Model
  • The bug we found (cont.)
  • Step 3: A broadcasts RREQ <1>; the diagram shows a copy at B and a
    copy at C. The link B-C is still broken.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     0         valid    B         2
    B     1         invalid  -         -
    C     own sequence number 0
21
Building Model 4th Model
  • The bug we found (cont.)
  • Step 4: C increments its sequence number to 1 and replies to A with
    RREP <1, 0>. At the same time a data packet for C is shown in
    transit toward B, A's current next hop.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     0         valid    B         2
    B     1         invalid  -         -
    C     own sequence number 1
22
Building Model 4th Model
  • The bug we found (cont.)
  • Step 5: A installs the direct route to C. The diagram shows
    RREP <1, 1> toward B (hop count 1 matches A's new route) and
    RERR <1> sent by B, which received the data packet for C without
    holding an active route.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     1         valid    C         1
    B     1         invalid  -         -
    C     own sequence number 1
23
Building Model 4th Model
  • The bug we found (cont.)
  • Step 6: B accepts RREP <1, 1> and now routes to C via A with hop
    count 2; A processes RERR <1> and marks its own route invalid.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     1         invalid  -         -
    B     1         valid    A         2
    C     own sequence number 1
24
Building Model 4th Model
  • The bug we found (cont.)
  • Step 7: the link A-C also breaks (both links to C are now down). A
    broadcasts RREQ <1>, and B answers from its route via A with
    RREP <1, 2>.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     1         invalid  -         -
    B     1         valid    A         2
    C     own sequence number 1
25
Building Model 4th Model
  • The bug we found (cont.)
  • Step 8: A accepts the RREP and routes to C via B with hop count 3.
    A's next hop is B and B's next hop is A: a routing loop, so the
    loop-free property is violated.

    Route entries for destination C
    Node  Dest Seq  Flag     Next Hop  Hop count
    A     1         valid    B         3
    B     1         valid    A         2
    C     own sequence number 1
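Added example, not from the slides and not the authors' SMV models: a small explicit-state checker in Python that builds the kind of abstraction slide 8 describes for the 3-node triangle (relays A and B, destination C) and checks the loop-free property by breadth-first search over every reachable state. It encodes the RREP update rule of RFC 3561 section 6.7 and the RERR rules of section 6.11 as this editor reads them; link breakage is a process (links stay down once broken), message loss is a nondeterministic choice, and the destination sequence number is bounded by simply not exploring increments past MAXSEQ, a sound but incomplete alternative to the authors' boundary value. The `strict` flag is this example's own device: with it set, a node processes an RERR only when the RERR's sender is its current next hop, as section 6.11 requires; with it cleared, that check is dropped, the way an abstraction might drop it, and the search returns a loop counterexample of the same shape as the one on slides 18 to 25. Node names, the state layout and the transition labels are all assumptions of the example.

```python
"""Explicit-state check of a bounded AODV route-maintenance abstraction.

Relays A and B, destination C (triangle: every pair is adjacent).  Each relay
keeps one route entry for C: (seq, valid, next_hop, hops).  BFS enumerates the
reachable states and reports the first one in which following valid next hops
from a relay revisits a node, i.e. a routing loop.
"""
from collections import deque
from typing import Optional

MAXSEQ = 2    # bounded destination sequence number; increments past it are not explored
MAXHOPS = 3   # RREPs that would exceed this hop count are not explored
NODES = ("A", "B")
NO_ROUTE = (0, False, None, 0)   # "unknown sequence number" folded into seq 0, inactive


def accept_rrep(route, seq, hops):
    """RFC 3561 6.7 update rule as modelled here: install the offered route if it
    has a greater seq, or the same seq while our entry is inactive, or the same
    seq with a smaller hop count."""
    my_seq, valid, _, my_hops = route
    return seq > my_seq or (seq == my_seq and (not valid or hops < my_hops))


def initial_state():
    # (C's seq, routes of A and B, link n-C up?, RERR seq in flight to A and B)
    return (0, (NO_ROUTE, NO_ROUTE), (True, True), (None, None))


def has_loop(state):
    """Loop-freedom invariant: following valid next hops from a relay must end at
    C or at a node without an active route, never revisit a node."""
    _, routes, _, _ = state
    for start in range(len(NODES)):
        seen, cur = set(), start
        while cur is not None and cur not in seen:
            seen.add(cur)
            _, valid, nh, _ = routes[cur]
            cur = None if (not valid or nh == "C") else NODES.index(nh)
        if cur is not None:
            return True
    return False


def successors(state, strict):
    """All one-step transitions, each tagged with a readable label."""
    c_seq, routes, links, rerr = state
    out = []

    def emit(label, c=c_seq, r=routes, l=links, e=rerr):
        out.append((label, (c, r, l, e)))

    def upd(t, i, v):          # tuple t with element i replaced by v
        return t[:i] + (v,) + t[i + 1:]

    if c_seq < MAXSEQ:         # C answers a fresh RREQ (abstracted)
        emit("C increments its sequence number", c=c_seq + 1)

    for i, n in enumerate(NODES):
        j, m = 1 - i, NODES[1 - i]
        seq, valid, nh, hops = routes[i]
        oseq, ovalid, _, ohops = routes[j]
        # RREP straight from C over the link n-C
        if links[i] and accept_rrep(routes[i], c_seq, 1):
            emit(f"{n} accepts RREP({c_seq},1) from C", r=upd(routes, i, (c_seq, True, "C", 1)))
        # RREP forwarded by the other relay, built from its own active route
        if ovalid and ohops + 1 <= MAXHOPS and accept_rrep(routes[i], oseq, ohops + 1):
            emit(f"{n} accepts RREP({oseq},{ohops + 1}) from {m}",
                 r=upd(routes, i, (oseq, True, m, ohops + 1)))
        # link n-C breaks (stands in for missed Hello messages); if n routed via C
        # it invalidates, increments seq (6.11 case i) and sends RERR to the other relay
        if links[i]:
            if valid and nh == "C":
                if seq < MAXSEQ and rerr[j] is None:
                    emit(f"link {n}-C breaks; {n} invalidates and sends RERR({seq + 1})",
                         r=upd(routes, i, (seq + 1, False, None, 0)),
                         l=upd(links, i, False), e=upd(rerr, j, seq + 1))
            else:
                emit(f"link {n}-C breaks", l=upd(links, i, False))
        # data packet for C arrives while n has no active route (6.11 case ii)
        if not valid and rerr[j] is None:
            emit(f"{n} gets data for C without a route; sends RERR({seq})", e=upd(rerr, j, seq))
        # the RERR addressed to n is lost, or delivered and processed or ignored
        if rerr[i] is not None:
            rseq = rerr[i]
            emit(f"RERR({rseq}) to {n} is lost", e=upd(rerr, i, None))
            if (not strict or nh == m) and rseq >= seq:   # strict: sender must be our next hop
                emit(f"{n} processes RERR({rseq}) from {m}",
                     r=upd(routes, i, (rseq, False, None, 0)), e=upd(rerr, i, None))
            else:
                emit(f"{n} ignores RERR({rseq}) from {m}", e=upd(rerr, i, None))
    return out


def find_loop(strict: bool) -> Optional[list]:
    """BFS over reachable states: the transition labels leading to the first
    looping state, or None if the invariant holds in the whole bounded model."""
    init = initial_state()
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if has_loop(s):
            trace = []
            while parent[s] is not None:
                s, label = parent[s]
                trace.append(label)
            return trace[::-1]
        for label, t in successors(s, strict):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return None


if __name__ == "__main__":
    print("strict RERR handling, loop found:", find_loop(strict=True))
    for step in find_loop(strict=False) or []:
        print("  ", step)
```

Running the script prints `None` for the strict model and a step-by-step trace for the relaxed one. The point for a practitioner is the one slide 12 makes the hard way: a loop counterexample from an abstract model is a claim about the abstraction first, and each transition in the trace has to be checked against the RFC text before it is called a protocol bug. The bound on MAXSEQ also means a `None` result only covers behaviours in which the sequence number never needs to exceed the bound.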
26
Conclusion
  • We found a workable approach to verifying the AODV protocol with
    SMV: model each role separately, and model each possible network
    topology separately.
  • We found a bug in the current AODV protocol.
  • We think SMV is not a suitable tool for verifying communication
    protocols; it is better suited to verifying hardware systems.
  • To verify real-life communication protocols you need a very
    powerful machine; our suggestion is to try to find a mainframe.

27
References
  1. RFC 3561, http://www.faqs.org/rfcs/rfc3561.html
  2. Cadence SMV documentation
  3. K. Bhargavan, D. Obradovic, C. A. Gunter, Formal Verification of
     Standards for Distance Vector Routing Protocols, JACM, Volume 49,
     Issue 4, July 2002.
  4. Sibusisiwe Chiyangwa, Marta Kwiatkowska, Modelling Ad hoc
     On-demand Distance Vector (AODV) Protocol with Timed Automata, in
     Proc. Third Workshop on Automated Verification of Critical Systems
     (AVoCS'03), Southampton, April 2003.

28
Formal Verification of AODV Protocol using
Cadence SMV

  • Thanks!

Created by Xin Liu and Jun Wang, April 3, 2004