EDIC RESEARCH PROPOSAL

Automated Verication of Distributed Algorithms

Giuliano Losa LARA and LPD, I&C, EPFL

AbstractByzantine Fault Tolerant (BFT) protocols are the basic building blocks of reliable distributed services [4]. Despite the important demand for reliability in the area of cloud computing, BFT protocols are not used in practice because they are too complex to devise and implement. On top of this, current BFT protocols achieve acceptable performance only under specic operating conditions. I propose to make BFT usable in practice by creating a framework for the design of BFT protocols. It will allow to create highly efcient BFT protocols modularly and incrementally, and to prove them correct automatically. This will provide performance and reliability at low cost. I will build on the Abstract framework [13] to build efcient BFT protocols modularly and I will explore the combination of ideas from distributed algorithms theory with ideas from parameterized systems verication to devise a practical automated verication technique. Index TermsVerication, Distributed Algorithms, Fault Tolerance, BFT

examine past research and propose a research agenda toward this goal. Reliable systems can be built from error prone or even malicious components using Byzantine Fault Tolerant consensus protocols (called BFT protocols in this paper) and state machine replication [4]. For any service, given its correct sequential implementation and a correct BFT protocol, we can automatically generate a correct fault tolerant distributed implementation. We will thus focus on the verication of BFT protocols from now on. The power of BFT protocols make them very hard to design and prove correct. There are two reasons for this: 1) The interaction between processes is very intricate. It makes reasoning about such protocols unreliable without extremely rigorous formal tools. Even then, it is very tedious to carry out proofs. As an example, even researchers like Lamport or Dijkstra published incorrect algorithms with (incorrect) formal proofs [19]. 2) Achieving acceptable performance requires adapting very complex protocols to particular operating conditions. For now, this cannot be done in practice without very deep changes, making previous tests and proofs useless. In consequence, the practical use of BFT protocols is nearly impossible. To change the situation, BFT protocols should be designed modularly and their verication should be done with automated formal tools. I propose in Section 3 to devise a framework achieving these goals. In general, BFT protocols are composed of an arbitrary number of innite state processes communicating by asynchronous message passing. Several characteristics make them hard to verify:

I. I NTRODUCTION

HE growing popularity of cloud computing demonstrates the performance and cost benets of distributed infrastructures shared by many services. However, according to [2], unreliability of service is the biggest obstacle to the adoption of cloud computing. Thus, solving this problem is likely to enable signicant economic benets. In this paper, we will Proposal submitted to committee: May 6th, 2010; Candidacy exam date: May 11th, 2010; Candidacy exam committee: Prof. Jean-Yves Le Boudec, Prof. Viktor Kuncak, Prof. Rachid Guerraoui, Prof. Andr Schiper

This research plan has been approved: Date:

Doctoral candidate:
(Giuliano Losa) (name and signature)

Thesis director:
(Viktor Kuncak)

(name and signature)

Thesis co-director:
(Rachid Guerraoui) (name and signature)

Doct. prog. director:

(R. Urbanke) (signature)

EDIC-ru/05.05.2009

Their state space is innite in several dimensions: Individual processes may have an innite number of possible states. For example, processes might use unbounded counters. They are parameterized by the number of executing processes. As we want to prove a protocol correct regardless of the nmber of processes, we have to verify an innite family of innite instances. Message queues of individual processes are usually unbounded. They are highly non-deterministic because the network is asynchronous and some processes behave arbitrarily. The safety properties are mostly the same for every algorithm.

However, other particularities may ease the verication task:

EDIC RESEARCH PROPOSAL

The code of BFT protocols is very simple and do not involve complex operations. BFT protocols have been extensively studied in the distributed algorithms community and models that simplify their analysis exist.

II. BACKGROUND I will build on two different elds of research: distributed algorithms and parameterized systems verication. The following section will rst review the main ideas in those elds. Then I will present three recent papers exemplifying the ideas I would like to improve upon. A. Byzantine Fault Tolerance A distributed system tolerates Byzantine faults when it can operate according to its specication despite some of its components behaving arbitrarily. The state machine replication (SMR) technique was invented to allow the byzantine fault tolerant implementation of any sequential state machine, as long as less than a third of processes behave arbitrarily. Informally, BFT protocols allow their clients to propose values and get back a unique response chosen among the proposals. In SMR, processes propose the next transition they want to take to the consensus object. A unique proposal is chosen and every correct process executes it, guaranteeing a consistent state across correct processes. One may also require liveness properties like any proposed value will eventually be chosen. BFT protocols are thus a key to the reliable implementation of distributed services. Many BFT protocols have been proposed, for example PBFT [4], HQ [7], and Zyzzyva [17]. These protocols are extremely complex. For example, after several years, some people still question the correctness of Zyzzyva and there is no correct implementation. Moreover, in practice, SMR should achieve at least the same performance as a non-replicated service in fault-free cases and perform well in common-cases. However, the denition of common-case may greatly vary from application to application. Unfortunately, a particular protocol is good only in few specic cases [24]. On top of this, adapting a protocol to specic conditions usually involves very deep changes. In consequence, reliably achieving acceptable performance requires using one different and very complex protocol for each particular operating condition. And each of these protocols needs to be proved from scratch. Because of this, BFT protocols are not yet usable in practice. These problems were addressed in the distributed algorithms community in two different ways. Computation models like the Heard-Of Model [5] simplify reasoning about BFT protocols by abstracting the computation model. It provides abstractions that are simpler to reason about than pure asynchronous message passing and faults. Other researchers built frameworks like OTC [26] and Abstract [13]. These do not modify much the underlying computation model but allow to build BFT protocols modularly. This greatly reduces their complexity and enables re-usability across protocols. Proofs no longer have to be carried out from scratch. In particular, Abstract allows to choose which module to run as a function of current conditions. In consequence, optimizing a protocol is now just a matter of creating a module which is safe and performs well only under particular conditions, disregarding what happens under other conditions. We will examine the Abstract framework in detail in Subsection C. I plan to use it

Past approaches (Section 2) are either mostly manual, verify only specic instances, or are incomplete. Traditionally, safety verication has been done by manually proving that usersupplied invariants are inductive. For liveness, the method of temporal deduction is used [21]. These methods can be partly automated using theorem provers but require much user ingenuity to come up with appropriate invariants. Recent techniques build on two main ideas:

Using properties particular to BFT protocols to simplify reasoning about them. Then use traditional verication tools on the simplied models. For example, [27] uses the OTC model to dramatically reduce the state space of a protocol. [25] uses the HO model and the notion of univalent conguration to reduce the verication task to bounded model checking. These methods have only been applied to particular instances, not to the parameterized problem. Adapting recent parameterized systems verication techniques. [12] extends regular model checking to take faults into account. [3] uses the symmetry of fault tolerant protocols to reduce their state space. The rst method is incomplete and requires much user ingenuity. The second applies only to particular instances.

None of the existing methods provide a working technique to automatically and fully verify BFT protocols. To improve the situation, I would like to explore methods used in general parameterized systems verication in conjunction with ideas from distributed computing to devise practical automated verication techniques. I propose using the Abstract framework [13] to decompose BFT protocols into independent and simpler parts (Abstract instances) that can be reused across protocols. I will then explore two techniques to verify these parts. First, the inductive invariants technique [8] used in conjunction with automated provers could provide a good tradeoff between automation and completeness. It will also allow me to understand BFT protocols very well and nd properties that will enable their fully automated verication. Then, I will investigate abstraction techniques. Temporal abstraction [16] could yield a fully automated method if adapted to our setting. Abstracting to parameterized networks of nite state processes could also be interesting. I will explain my ideas in more detail in Section 3. In Section 2, we will briey surveying BFT and parameterized systems verication. Consequently, I will present three papers providing the basis for new verication techniques. First we will look at how the Abstract framework deconstructs BFT protocols into manageable independent modules. Then we will examine how the OTC framework enables efcient verication of particular instances of BFT protocols. After this, we will analyze the temporal abstraction technique. Finally, I will present my research plan in Section 4 and conclude.

EDIC RESEARCH PROPOSAL

to dramatically reduce the complexity of BFT protocols before applying verication techniques. B. Verication of parameterized and innite state systems Systems dened with respect to an unspecied parameter can naturally model distributed systems where the number of participating processes is unknown. Lets review some classes of techniques that I nd promising for the automated verication of BFT protocols: Variants of the Owicki and Gries Method [22]. The Owicki and Gries method allows one to verify the safety of a distributed algorithm by proving valid a number of proof obligations polynomial in the number of control locations in the algorithm. It requires usersupplied inductive invariants which can be very tricky to come up with and has not been successfully automated. However, once the invariants found, the resulting proof obligations can be discharged to an automated theorem prover, making the method partially automated. In practice, the usability of this method highly depends on whether automated provers can prove the proof obligations. There is good hope in this direction because individual actions of BFT protocols are very simple, making the use of efcient SMT solvers or specialized decision procedures possible. Networks of Finite State Processes. Given a value for the parameter, some systems are nite state. Even in this case, the verication of the innite family induced is undecidable [1]. However the subject as been extensively studied and more restricted classes of parameterized systems have been showed to be veriable (clients communicating through a control process [9], rings of processes [11], shared variables with isomorphic processes [15]). Algorithms for checking safety and restricted liveness properties of these classes exist, as well as incomplete algorithms applying to even broader classes [14]. In particular, networks of nite state isomorphic processes may be veried by reduction to Petri Nets or using a cutoff method [15]. The latter often try to nd a particular value of the parameter such that successful verication for this value implies correctness of the whole family. Using cutoffs, verifying networks of nite state processes seems feasible for realistic cases [15]. These techniques enable the use of abstractions mapping BFT protocols to networks of nite state processes. Temporal Abstraction. Following the success of techniques like abstract interpretation or predicate abstraction, we can try to abstract parameterized systems to nite state ones and use techniques applying to nite state systems to solve the resulting verication problem. [16] proposes a sound and complete abstraction technique. However it requires as much user ingenuity as the Owicki and Gries method. Here, instead of proposing invariants, the user proposes abstraction functions that will preserve good properties of the system. As we will see in detail with [6], heuristics can be developed to nd good abstraction functions

automatically. Another idea is to abstract to networks of nite state processes in the hope of obtaining ner abstractions. This is supported by the observations made in the preceding bullet: the resulting abstract systems can be veried. Let us now examine in detail three papers selected to exemplify the ideas I will build upon in the future. C. The Next 700 BFT Protocols [13] This paper presents and evaluates the Abstract framework, making the following contributions: It allows building BFT protocols out of independent modules, dramatically reducing the complexity of reasoning about them. It provides a way to adapt any BFT protocol to any environment condition by adding an independent module which is live only under the considered condition. It demonstrates in practice the ability of Abstract to cut development time and to create high performance protocols. With some simplications, an Abstract instance is a protocol exporting one operation, Invoke(request, history), and returning two indications, Commit(request, response) and Abort(request, history). An Abstract instance can commit requests, as a full BFT protocol would, or abort if it is operating under conditions it wasnt designed for. In case of an abort, a new instance will be started by the clients. Using the history received from the abort, the new instance will be initialized to preserve the order of already committed requests. Abstract instances can be combined in this way to yield a new abstract instance. Composition is idempotent, thus we can compose arbitrary many Abstract instances. A BFT protocol is obtained by building an Abstract instance (maybe through composition) that never aborts. Abstract can be used to easily obtain very efcient BFT protocols out of legacy BFT protocols. As an example, the authors propose to rebuild Zyzzyva [17] out of PBFT [4]. They observe that Zyzzyva was built by optimizing the PBFT protocol for the cases where there are no byzantine processes. It took very important modications to achieve this goal and the resulting protocol has low similarity to PBFT. Because of this, most correctness arguments and analysis where lost and the protocol is to be proved from scratch. With Abstract, PBFT is used with a thin wrapper as an Abstract instance. Being a full BFT protocol, PBFT may never abort, thus composing it with any other Abstract instance will yield a BFT protocol. To obtain a protocol like Zyzzyva, PBFT is composed with an Abstract instance called ZLight. This instance mimics the behavior of Zyzzyva in cases where Zyzzyva uses its optimistic path (absence of Byzantine failures). This instance is much simpler than Zyzzyva: given the same languages, its specication length is nine times smaller and its code length is less than one fourth of Zyzzyvas. Moreover, the combination of PBFT and ZLight performs as well as Zyzzyva when there are no Byzantine failures. It could not be compared in other conditions because the implementation of Zyzzyva is buggy (this may hint at its high complexity compared to ZLight).

EDIC RESEARCH PROPOSAL

The paper proceeds by describing two new Abstract instances that give the resulting BFT protocol the best known latency and throughput. In conclusion, Abstract succeeds at transforming complex monolithic protocols prohibiting reuse of code or analysis into modular protocols that can be optimized by the addition of simple modules. Moreover, it is used to create a BFT protocol outperforming all known protocols in practice. A verication framework built on Abstract will thus greatly simplify the verication and provide protocols efcient in practice. However, the verication of Abstract instances is still a challenge, as they are still innite in many dimensions and highly non-deterministic. D. Automatic Verication and Discovery of Byzantine Consensus Protocols [28] The paper proposes a method for creating low latency BFT protocols and verifying them automatically. More precisely the technique presented allows the following: Automatically generate consensus algorithms under some conditions: Given as input a target latency, a number of processes, a subset of correct processes, and a subset of processes proposing the same value, generate a consensus algorithm that terminates after given latency if processes are as specied, and otherwise remains safe. Automatically verify that the generated algorithms meet their specication. Note that the verication algorithm is specic to BFT protocols generated in this paper. Automatically discover new BFT protocols by enumerating inputs to the generating procedure and ltering them with the verication procedure. The author uses the Optimistically Terminating Consensus (OTC) framework [26]. It provides a high level algorithm which uses an OTC abstraction and a failure detector as black boxes to implement a BFT protocol. By changing the implementation of the OTC abstraction used by this algorithm, one can obtain a wide variety of BFT protocols. The high level algorithm evolves in rounds where a coordinator tries to impose a decision by instructing processes to propose the same value to the OTC. The properties of OTC guarantee that the protocol is always safe. However, its liveness depends on the OTC implementations it uses. Lets examine how the protocol works. The OTC abstraction exports two actions, propose(x) and stop, and three predicates, valid(x) and possible(x) and decision(x). These predicates can be consulted locally by processes. Note that any two processes may see different values. Processes in the high level algorithm evolve in rounds in which a coordinator tries to impose a decision. If it fails, a new round is eventually started with another coordinator. Coordinators ask all processes to invoke propose(v) on the OTC. After proposing a value, each process monitors OTC predicates valid(x), possible(x), and decision(x). If decision(v) becomes true at a process, it decides v and exits. Else, it waits until it suspects the coordinator to be faulty and switches to the next round. However, our process could have missed a decision made by another process in the previous round. It uses predicates

possible(x) and valid(x) to ensure that any further decision will match any decision possibly made in the previous round. Intuitively, processes wait until possible(v) valid(v) holds for at most one v. This ensures safety. Liveness is guaranteed only under specic conditions. Indeed, an OTC instance has parameters X, C, and k. It is required to terminate in k communication steps if X C and all processes in X propose the same value and all processes in C are correct. The properties informally stated above constitute the OTC abstraction properties that any OTC instance has to satisfy. The combination of several ideas and simplications reduce the construction and verication of low latency BFT algorithms in the OTC framework to nite state verication.

Once we veried the high level algorithm, verifying BFT protocols obtained from it reduces to verifying the OTC instances used. Generate and verify only one OTC. As the rst round determines the best case latency, only the rst round OTC is examined. Indeed, low latency BFT protocols can be obtained by combining an efcient rst round OTC with a general purpose OTC for later rounds. Use a simple state representation and communication protocol. As processes make decisions based on their knowledge of what other processes proposed, the author employs a full information approach where processes state are events of the form < v : pi : pj : pk >, meaning pk claims that pj claims that pi proposed v. Processes initialy send < v, pi >, meaning I propose v. Then, processes forward each new information they receive, appending their id to it. Make the verication problem nite state by construction. A single OTC is innite state as there is no bound on its running time. However, since latency is the most important factor, generated OTC algorithms satisfying the following additional property: If no value satises possible(x) or decided(x) after the target latency, then no value can ever satisfy those predicates in this OTC. In this case the protocol is always safe and the next OTC can be started with any value. Thus, we need only analyze an OTC instance up to a given number of communication steps. This makes the problem nite state.

In this context, one algorithm is generated per OTC parameter tuple (X, C, and k). Note that because we xed the communication protocol and state representation, an OTC algorithm is just an implementation of its predicates. possible(x) and decision(x) are implemented such that they satisfy the above additional property. This is easy in our full information approach. For example, possible(x) holds if appending to the state an event making decision(x) true leads to a consistent state. A state is consistent if chains of claims (i.e. subsequences of events) without Byzantine processes ids are consistent. Predicate valid(x) can also be implemented in the same way. Then, in order to verify generated OTC protocols, ensure that no unsafe state is reachable in less than a number of communication steps equal to the specied latency. This can be done by enumerating all possible states. But the author

EDIC RESEARCH PROPOSAL

observes that the sets of states violating the OTC specication are included in the least set satisfy an equation of the form (S) S where is increasing. By Tarskis x-point theorem, one can thus compute this set by iterating applications of starting with an empty set and until we reach a x-point. This is exponentially more efcient than exploring the whole state space. The discovery procedure was ran given as input numbers of processes less than ve and a maximum of two crash-stop failures for the OTC to terminate. It found new low latency algorithms and explored up to 32 million algorithms in few seconds. With ve processes and one byzantine failure, six algorithms were found and 11 billion explored in about 40 hours. The approach thus effectively discovered and proved new low-latency BFT protocols. However, it has some drawbacks. First, it is very specic: The verication method can only be applied to algorithms generated in a particular way. Moreover, it doesnt seem to be extensible to high throughput algorithms. Second, it cannot address the parameterized problem at all and experimental results suggest it will hardly scale beyond 10 processes. However, it shows that insights from distributed systems theory can dramatically simplify the verication of BFT protocols and it suggests looking for new ideas in this direction.

E. Environment Abstraction for Parameterized Verication [6] This paper presents environment abstraction, a technique for the automated and sound abstraction of parameterized systems, inspired by temporal abstraction [16]. The following contributions are made:

The paper presents a fully automated and sound verication technique for innite state parameterized systems. The abstraction technique used matches a kind of reasoning used in protocol design and could therefore provide a good degree of completeness. Experimental evidence shows that the technique is able to efciently prove properties of two benchmark protocols.

Temporal abstraction is a technique reducing the temporal verication of an innite state transition system to the temporal verication of a nite state one. Consider an innite state transition system D and its correctness conditions , expressed in some temporal logic. Dene an abstraction mapping mapping states of D to elements of a nite set A . Dene a progress monitor M that exhibits a function over a well founded domain that is monotonically decreasing with the transition relation. Given and M , the temporal abstraction technique abstracts D to D,M , a transition systems over A , and to , an LTL formula over computations of D,M . The abstraction is such that D,M |= D |= . The method is proved sound and complete in [16]. It is complete because for a given correct system, one can always nd an abstraction mapping and a progress monitor such that the abstract system is correct. However, it is observed in [16] that nding the abstraction mapping and the progress monitor requires much user ingenuity.

Environment abstraction addresses this problem by proposing a recipe for creating abstraction functions and adding liveness conditions meant to replace the progress monitor. This can be seen as some kind of heuristic. It comes at the cost of incompleteness and narrower applicability. The method presented in the paper applies to programs constructed from conditional jumps and data updates, both guarded by two index assertions where the rst index is the process that executes. For example, if pi is executing, such a two index assertion might be expressing process pj s counter is greater than process pi s counter. The abstraction mapping used relates a reference process pref to its environment. The mapping is automatically generated from the guards appearing in the program text and is similar in spirit to counter abstraction. For each control location L and two index predicate P (x, y), the abstraction tracks the existence of a process p in the environment such that pref and p satisfy the two index predicate (P (pref , p) = ). The abstract state thus summarizes the environment of the reference process. For example, suppose pi is the reference process and the system state is such that process pj is at control location 2 and satises predicate P1 (pi , pj ). Then the abstract state will contain the tuple (P1 , 2), which tells us that there exists at least one process p at location 2 such that P1 (pref , p). Finally, abstraction can also introduce infeasible innite paths that falsify liveness conditions. Consider for example two states s1 and s2 mapped to the same abstract state S12 and such that there is a transition between s1 and s2 . In this case, even very reasonable abstraction functions may produce an abstract transition relation including a self loop on S12 . To eliminate such loops, the abstract state is augmented with booleans f romPi and toPi which track how predicates changed during the last transition. Spurious loops can then be ltered by adding an adequate compassion requirement. Fairness constraints should also be abstracted in order not to include spurious path in the abstract system. For fairness constraints of the form pc = L, some spurious path can also be eliminate with an appropriate abstract fairness constraint on f romPi and toPi . These techniques allow to eliminate some spurious innite path that appear in the abstracted system. However not all can be remove and we can only hope that they will not falsify the liveness properties of the system. In conclusion, the technique has two problems:

Such an abstraction obviously looses some information and makes the method incomplete, both for safety and liveness properties. However, it is argued in the paper that viewing a system in terms of a reference process relating to its environment is common when designing distributed protocols. But does this give us any assurance about the abstractions completeness in practice? What happens with protocols not designed with this view? Computing the abstract transition relation is not trivial. If the assertion language is too complex, it becomes undecidable.

Despite those issues, adapting the technique to the verication of BFT protocols seems promising for two reasons:

BFT protocols have specic correctness properties for

EDIC RESEARCH PROPOSAL

which a good abstraction (in terms of completeness) might be devised. They use only simple operations on integers, lists, and sets such as integer incrementation and comparison, adding an element to a set, comparing cardinalities of sets. . . There is good hope that recently developed decision procedures could handle this [18]. III. R ESEARCH P ROPOSAL

and complete algorithms for proving properties of networks of nite state processes. From there on, two cases are possible. If I have a working automated verication technique for BFT protocols, I will start investigating porting it to other classes of distributed or concurrent algorithms. Otherwise, I will continue investigating the use of other techniques like model checking techniques for innite state systems [10] or ideas from shape analysis [23]. R EFERENCES
[1] Krzysztof R. Apt and Dexter Kozen. Limits for automatic verication of nite-state concurrent systems. Inf. Process. Lett., 22(6):307309, 1986. [2] Michael Armbrust, Armando Fox, Rean Grifth, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia. Above the clouds: A berkeley view of cloud computing. Technical Report UCB/EECS-200928, EECS Department, University of California, Berkeley, Feb 2009. [3] Pter Bokor, Marco Serani, Neeraj Suri, and Helmut Veith. Role-based symmetry reduction of fault-tolerant distributed protocols with language support. Formal Methods and Software Engineering, pages 147166, 2009. [4] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance. In OSDI, 1999. [5] Bernadette Charron-Bost and Andre Schiper. The heard-of model: computing in distributed systems with benign faults. Distributed Computing, 22(1):4971, April 2009. [6] Edmund M. Clarke, Muralidhar Talupur, and Helmut Veith. Environment abstraction for parameterized verication. In VMCAI, pages 126141. Springer, 2006. [7] James Cowling, Daniel Myers, Barbara Liskov, Rodrigo Rodrigues, and Liuba Shrira. HQ replication: A hybrid quorum protocol for Byzantine fault tolerance. In OSDI, 2006. [8] Willem-Paul de Roever, Frank de Boer, Ulrich Hanneman, Jozef Hooman, Yassine Lakhnech, Mannes Poel, and Job Zwiers. Concurrency verication: introduction to compositional and noncompositional methods. Cambridge University Press, 2001. [9] E. Emerson and Vineet Kahlon. Reducing model checking of the many to the few. Automated Deduction - CADE-17, pages 236254, 2000. [10] E. A. Emerson and K. S. Namjoshi. On model checking for nondeterministic innite-state systems. In LICS 98: Proceedings of the 13th Annual IEEE Symposium on Logic in Computer Science, page 70, Washington, DC, USA, 1998. IEEE Computer Society. [11] E. Allen Emerson and Kedar S. Namjoshi. Reasoning about rings. In POPL, pages 8594, New York, NY, USA, 1995. [12] Dana Fisman and Orna Kupferman Yoad Lustig. On verifying fault tolerance of distributed protocols. In TACAS, volume 4963 of Lecture Notes in Computer Science, pages 315331. Springer, 2008. [13] Rachid Guerraoui, Nikola Knezevic, Vivien Quema, and Marko Vukolic. The Next 700 BFT Protocols. In Proceedings of the 5th ACM European conference on Computer systems, 2010. [14] Youssef Hanna, Samik Basu, and Hridesh Rajan. Behavioral automata composition for automatic topology independent verication of parameterized systems. In ESEC/SIGSOFT FSE, pages 325334, New York, NY, USA, 2009. ACM. [15] Alexander Kaiser, Daniel Kroening, and Thomas Wahl. Dynamic cutoff detection in parameterized concurrent programs. In Proceedings of CAV. Springer, 2010. To appear. [16] Yonit Kesten and Amir Pnueli. Verication by augmented nitary abstraction. Information and Computation, 163:2000, 1999. [17] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. Zyzzyva: speculative Byzantine fault tolerance. In SOSP, 2007. [18] Viktor Kuncak, Ruzica Piskac, Philippe Suter, and Thomas Wies. Building a calculus of data structures. In Verication, Model Checking, and Abstract Interpretation (VMCAI), 2010. [19] Leslie Lamport. The writings of leslie lamport. http://research.microsoft.com/en-us/um/people/lamport/pubs/pubs.html. [20] Leslie Lamport. Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, 2002. [21] Zohar Manna and Amir Pnueli. Completing the temporal picture, 1991. [22] Susan Owicki and David Gries. An axiomatic proof technique for parallel programs i. Acta Informatica, 6(4):319340, dec 1976.

We have seen that frameworks developed in the distributed algorithms community to ease human understanding of BFT protocols can dramatically simplify them and ease their verication (Section 2.C and 2.D). Moreover, we have identied environment abstraction as a promising candidate to the automated verication of BFT protocols (2.E). We also briey talked about the Owicki and Gries method, and parameterized systems of nite state processes. All these techniques could potentially be adapted to automatically verify BFT protocols. I will use the Abstract framework to decompose BFT protocols into simple modules and to allow the verication of many different protocols by just verifying a small number of new modules. I have already started verifying BFT protocols in the Abstract framework using the Isabelle interactive theorem prover. I have formalized two Abstract instances, Quorum and Chain, and I veried safety properties of Quorum using the Owicki and Gries method. This paves the ground for more automated techniques because the Isabelle theorem prover provides a rich environment, from which many reasoning tools can be called, and it allows combining arbitrary reasoners while guaranteeing soundness. My plan is to rst explore simple techniques like variants of the Owicki and Gries method using automated theorem provers. Because operations performed by BFT protocols are simple, a combination of specialized decision procedures may allow to automatically prove arising obligations. Thus this method is likely to yield a semi-automated technique where users propose protocol invariants which are proved or disproved automatically. Making the process interactive could provide a practical verication technique. The development of this method should take only a few months and will greatly improve my understanding of BFT protocols and of what properties could ease their verication. As a side topic, I discovered in my experiments that writing formal specications is also hard. Testing tools like TLC [20] exist but they are of no use to test the effect of Byzantine behavior. I plan to explore testing specications with symbolic state to exercise Byzantine paths. With the insights acquired in the previous step, I will adapt environment abstraction to build a fully automated technique with high degree of completeness. It should allow the automated verication of most of the BFT protocols. Because temporal abstraction is complete, manual tweaking could allow proofs to be carried out in the cases where the automated method fails. In parallel, I will consider abstracting BFT protocols to parameterized networks of nite state processes. This may allow using a ner abstraction while preserving the feasibility of the abstract problem. Indeed, there are sound

EDIC RESEARCH PROPOSAL

[23] Andreas Podelski and Thomas Wies. Counterexample-guided focus. In POPL, pages 249260, 2010. [24] Atul Singh, Tathagata Das, Petros Maniatis, Peter Druschel, and Timothy Roscoe. BFT protocols under re. In NSDI, 2008. [25] Tatsuhiro Tsuchiya and Andr Schiper. Using Bounded Model Checking to Verify Consensus Algorithms. Technical report, 2008. [26] Piotr Zielinski. Optimistically terminating consensus: All asynchronous consensus protocols in one framework. In ISPDC, pages 2433. IEEE Computer Society, 2006. [27] Piotr Zielinski. Automatic verication and discovery of byzantine consensus protocols. In DSN, pages 7281. IEEE Computer Society, 2007. [28] Piotr Zielinski. Automatic verication and discovery of byzantine consensus protocols. In DSN 07: Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pages 7281. IEEE Computer Society, 2007.