more

2025-03-08 22:17:39 -05:00
parent d5f7fff2a7
commit 679c21f082
10 changed files with 1995 additions and 1994 deletions
--- a/.latexrun.db
+++ b/.latexrun.db
--- a/main.aux
+++ b/main.aux
@@ -43,14 +43,13 @@
 \newlabel{lst:korg_replay}{{6}{4}{Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{figure.caption.6}{}}
 \@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{5}{figure.caption.7}\protected@file@percent }
 \newlabel{lst:korg_reordering}{{7}{5}{Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{figure.caption.7}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Usage}{5}{subsection.3.3}\protected@file@percent }
 \newlabel{sub:Usage}{{3.3}{5}{Usage}{subsection.3.3}{}}
 \citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022}
 \citation{Pacheco2022}
 \citation{Pacheco2022}
-\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro}
+\citation{Ginesin2024}
-\citation{Ongaro}
+\citation{rfc9260}
-\citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Usage}{6}{subsection.3.3}\protected@file@percent }
 \newlabel{sub:Usage}{{3.3}{6}{Usage}{subsection.3.3}{}}
 \newlabel{lst:abp}{{2}{6}{Example (simplified) \promela model of the alternating bit protocol}{lstlisting.2}{}}
 \@writefile{lol}{\contentsline {lstlisting}{\numberline {2}{\ignorespaces Example (simplified) \textsc  {Promela}\xspace  model of the alternating bit protocol.}}{6}{lstlisting.2}\protected@file@percent }
 \newlabel{lst:korg-shell}{{3.3}{6}{}{lstlisting.-5}{}}
@@ -58,26 +57,25 @@
 \newlabel{sec:case_studies}{{4}{6}{Case Studies}{section.4}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.1}TCP}{6}{subsection.4.1}\protected@file@percent }
 \newlabel{sub:TCP}{{4.1}{6}{TCP}{subsection.4.1}{}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Raft}{6}{subsection.4.2}\protected@file@percent }
+\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro}
-\newlabel{sub:Raft}{{4.2}{6}{Raft}{subsection.4.2}{}}
+\citation{Ongaro}
 \citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}
 \citation{Ongaro}
 \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
-\citation{Ginesin2024}
+\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 28}}{7}{TCP}{figure.caption.8}{}}
-\citation{rfc9260}
+\@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc  {Panda}\xspace  proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{7}{figure.caption.8}\protected@file@percent }
 \newlabel{res:tcp-table}{{8}{7}{Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact}{figure.caption.8}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.2}SCTP}{7}{subsection.4.2}\protected@file@percent }
 \newlabel{sub:SCTP}{{4.2}{7}{SCTP}{subsection.4.2}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Raft}{7}{subsection.4.3}\protected@file@percent }
 \newlabel{sub:Raft}{{4.3}{7}{Raft}{subsection.4.3}{}}
 \newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 95}}{7}{Raft}{figure.caption.9}{}}
 \@writefile{lof}{\contentsline {figure}{\numberline {9}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc  {Panda}\xspace  against our buggy Raft \textsc  {Promela}\xspace  model, \texttt  {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \textsc  {Panda}\xspace  synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{7}{figure.caption.9}\protected@file@percent }
 \newlabel{res:raft_table}{{9}{7}{Breakdown of the attacker scenarios assessed with \korg against our buggy Raft \promela model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact}{figure.caption.9}{}}
 \citation{Kobeissi_Nicolas_Tiwari,Proverif,Tamarin,Cremers}
 \citation{Blanchet_Jacomme,Pereira}
 \citation{ParnoSOK,Basin_Cremers_Meadows_2018}
 \citation{Khan_Mukund_Suresh_2005,Clarke_Wang,wayne_adversaries,Narayana_Chen_Zhao_Chen_Fu_Zhou_2006,Delzanno_Tatarek_Traverso_2014}
 \newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 28}}{7}{TCP}{figure.caption.8}{}}
 \@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc  {Panda}\xspace  proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{7}{figure.caption.8}\protected@file@percent }
 \newlabel{res:tcp-table}{{8}{7}{Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact}{figure.caption.8}{}}
 \newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 91}}{7}{Raft}{figure.caption.9}{}}
 \@writefile{lof}{\contentsline {figure}{\numberline {9}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc  {Panda}\xspace  against our buggy Raft \textsc  {Promela}\xspace  model, \texttt  {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \textsc  {Panda}\xspace  synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{7}{figure.caption.9}\protected@file@percent }
 \newlabel{res:raft_table}{{9}{7}{Breakdown of the attacker scenarios assessed with \korg against our buggy Raft \promela model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact}{figure.caption.9}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.3}SCTP}{7}{subsection.4.3}\protected@file@percent }
 \newlabel{sub:SCTP}{{4.3}{7}{SCTP}{subsection.4.3}{}}
 \@writefile{toc}{\contentsline {section}{\numberline {5}Related Work}{7}{section.5}\protected@file@percent }
 \newlabel{sec:Related Work}{{5}{7}{Related Work}{section.5}{}}
 \citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Castro_Liskov_2002,Delzanno_Tatarek_Traverso_2014}
 \citation{Henda}
 \citation{Ginesin}
@@ -100,10 +98,12 @@
 \bibcite{Cremers}{13}
 \bibcite{Delzanno_Tatarek_Traverso_2014}{14}
 \bibcite{Ginesin2024}{15}
-\bibcite{Ginesin}{16}
+\@writefile{toc}{\contentsline {section}{\numberline {5}Related Work}{8}{section.5}\protected@file@percent }
-\bibcite{ironfleet}{17}
+\newlabel{sec:Related Work}{{5}{8}{Related Work}{section.5}{}}
 \@writefile{toc}{\contentsline {section}{\numberline {6}Conclusion}{8}{section.6}\protected@file@percent }
 \newlabel{sec:conclusion}{{6}{8}{Conclusion}{section.6}{}}
 \bibcite{Ginesin}{16}
 \bibcite{ironfleet}{17}
 \bibcite{Holzmann_2014}{18}
 \bibcite{Holzmann_Smith_2000}{19}
 \bibcite{Holzmann_1997}{20}
@@ -142,5 +142,5 @@
 \citation{Hippel2022}
 \citation{Kozen_1977}
 \@writefile{toc}{\contentsline {subsection}{\numberline {7.3}Priorities \& On-the-fly B\"uchi Automata Composition}{11}{subsection.7.3}\protected@file@percent }
-\newlabel{sub:Priority \& On-the-fly B\"uchi Automata Composition}{{7.3}{11}{Priorities \& On-the-fly B\"uchi Automata Composition}{subsection.7.3}{}}
+\newlabel{sub:Priority}{{7.3}{11}{Priorities \& On-the-fly B\"uchi Automata Composition}{subsection.7.3}{}}
 \gdef \@abspage@last{11}
--- a/main.fls
+++ b/main.fls
@@ -661,11 +661,6 @@ INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/zptmcmr.vf
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/zptmcmr.vf
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr8t.vf
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/zptmcmrm.vf
@@ -676,6 +671,11 @@ INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/zptmcmr.vf
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/symbol/psyr.tfm
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
 INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr10.tfm
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/related_work.tex
 INPUT ./sections/conclusion.tex
 INPUT ./sections/conclusion.tex
 INPUT ./sections/conclusion.tex
--- a/main.log
+++ b/main.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  4 MAR 2025 16:22
+This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  8 MAR 2025 22:16
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@@ -1474,13 +1474,20 @@ nput line 78.
 LaTeX Warning: `h' float specifier changed to `ht'.
 LaTeX Warning: Reference `Priority' on page 4 undefined on input line 192.
 Underfull \vbox (badness 10000) has occurred while \output is active []
 [4]
 LaTeX Warning: `h' float specifier changed to `ht'.
-[5] Excluding 'comment' comment.) (./sections/case_studies.tex
+
 Underfull \vbox (badness 10000) has occurred while \output is active []
 [5]
 Excluding 'comment' comment.) (./sections/case_studies.tex
 Underfull \hbox (badness 10000) in paragraph at lines 19--19
 []\T1/pcr/m/n/10 SYN_RECEIVED \T1/ptm/m/n/10 (+20) is even-tu-ally fol-lowed by
@@ -1507,15 +1514,15 @@ Underfull \hbox (badness 10000) in paragraph at lines 19--19
 LaTeX Warning: `!h' float specifier changed to `!ht'.
 Excluding 'comment' comment. [6]
-Underfull \hbox (badness 1043) in paragraph at lines 107--107
+Underfull \vbox (badness 1584) has occurred while \output is active []
 Underfull \hbox (badness 1043) in paragraph at lines 111--111
 \T1/ptm/m/n/10 (+20) with \T1/ptm/m/sc/10 (+20) Panda \T1/ptm/m/n/10 (+20) agai
 nst our buggy Raft \T1/ptm/m/sc/10 (+20) Promela \T1/ptm/m/n/10 (+20) model,
 []
-
+) [7] (./sections/related_work.tex) (./sections/conclusion.tex) (./main.bbl
 LaTeX Warning: `!h' float specifier changed to `!ht'.
 ) (./sections/related_work.tex [7]) (./sections/conclusion.tex) (./main.bbl
 Underfull \hbox (badness 2126) in paragraph at lines 79--83
 []\T1/ptm/m/n/10 (+20) Giorgio Delzanno, Michele Tatarek, and Ric-cardo
 []
@@ -1525,7 +1532,7 @@ Underfull \hbox (badness 1810) in paragraph at lines 198--202
 []\T1/ptm/m/n/10 (+20) M. T<>xen, R. Stew-art, K. Nielsen, R. Je-sup, and
 []
-) (./sections/appendix-revised.tex [9]
+[9]) (./sections/appendix-revised.tex
 Underfull \hbox (badness 4467) in paragraph at lines 33--34
 [][]\T1/ptm/b/n/10 (+20) Definition 2 \T1/ptm/m/n/10 (+20) (Pro-cess)\T1/ptm/b/
 n/10 (+20) . []\T1/ptm/m/it/10 (+20) A \T1/ptm/m/n/10 (+20) Pro-cess \T1/ptm/m/
@@ -1575,35 +1582,29 @@ braces don't get unbalanced. Otherwise just proceed.
 Acceptable delimiters are characters whose \delcode is
 nonnegative, or you can use `\delimiter <delimiter code>'.
-) [11] (./main.aux
+) [11] (./main.aux)
 ! Missing \endcsname inserted.
 <to be read again> 
                   \&
 l.145 ... Automata Composition}{subsection.7.3}{}}
 The control sequence marked <to be read again> should
 not appear between \csname and \endcsname.
 )
 ***********
 LaTeX2e <2023-11-01> patch level 1
 L3 programming layer <2024-02-20>
 ***********
 LaTeX Warning: There were undefined references.
 LaTeX Warning: There were multiply-defined labels.
 Package rerunfilecheck Info: File `main.out' has not changed.
-(rerunfilecheck)             Checksum: 211FF4D7E8372196F5FA1B23FB434BB5;2271.
+(rerunfilecheck)             Checksum: 02165AE5DA70DF70CA626F2A3483E8B8;2271.
 ) 
 Here is how much of TeX's memory you used:
- 43583 strings out of 476076
+ 43585 strings out of 476076
- 947496 string characters out of 5793776
+ 947520 string characters out of 5793776
- 2121187 words of memory out of 5000000
+ 2123187 words of memory out of 5000000
- 64119 multiletter control sequences out of 15000+600000
+ 64121 multiletter control sequences out of 15000+600000
 696072 words of font info for 510 fonts, out of 8000000 for 9000
 14 hyphenation exceptions out of 8191
- 102i,11n,117p,1636b,1244s stack positions out of 10000i,1000n,20000p,200000b,200000s
+ 102i,11n,117p,1748b,1244s stack positions out of 10000i,1000n,20000p,200000b,200000s
 pdfTeX warning (dest): name{Hfootnote.1} has been referenced but does not exist
 , replaced by a fixed one
@@ -1616,7 +1617,7 @@ lic/amsfonts/cm/cmr10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm
 re/texmf-dist/fonts/type1/urw/symbol/usyr.pfb></usr/share/texmf-dist/fonts/type
 1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb>
 </usr/share/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
-Output written on ./main.pdf (11 pages, 259218 bytes).
+Output written on ./main.pdf (11 pages, 259691 bytes).
 PDF statistics:
 527 PDF objects out of 1000 (max. 8388607)
 488 compressed objects within 5 object streams
--- a/main.out
+++ b/main.out
@@ -6,8 +6,8 @@
 \BOOKMARK [2][-]{subsection.3.3}{\376\377\000U\000s\000a\000g\000e}{section.3}% 6
 \BOOKMARK [1][-]{section.4}{\376\377\000C\000a\000s\000e\000\040\000S\000t\000u\000d\000i\000e\000s}{}% 7
 \BOOKMARK [2][-]{subsection.4.1}{\376\377\000T\000C\000P}{section.4}% 8
-\BOOKMARK [2][-]{subsection.4.2}{\376\377\000R\000a\000f\000t}{section.4}% 9
+\BOOKMARK [2][-]{subsection.4.2}{\376\377\000S\000C\000T\000P}{section.4}% 9
-\BOOKMARK [2][-]{subsection.4.3}{\376\377\000S\000C\000T\000P}{section.4}% 10
+\BOOKMARK [2][-]{subsection.4.3}{\376\377\000R\000a\000f\000t}{section.4}% 10
 \BOOKMARK [1][-]{section.5}{\376\377\000R\000e\000l\000a\000t\000e\000d\000\040\000W\000o\000r\000k}{}% 11
 \BOOKMARK [1][-]{section.6}{\376\377\000C\000o\000n\000c\000l\000u\000s\000i\000o\000n}{}% 12
 \BOOKMARK [1][-]{section.7}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x}{}% 13
--- a/main.pdf
+++ b/main.pdf
--- a/sections/abstract.tex
+++ b/sections/abstract.tex
@@ -2,8 +2,8 @@ Distributed protocols are the lynchpin of the modern internet,
 underpinning every internet service. 
 This has in turn motivated a massive amount of research ensuring the security, 
 reliability, and performance of distributed protocols. 
-A wide-ranging assumption in these works is assuming distributed
+In these works, a wide-ranging assumption is that distributed
-protocols operate over \textit{faulty} or 
+protocols operate over \textit{imperfect} or 
 \textit{attacker-controlled} channels, where messages can be arbitrarily 
 inserted, dropped, replayed, or reordered. 
 Formal methods work formally verifying distributed protocols 
--- a/sections/appendix-revised.tex
+++ b/sections/appendix-revised.tex
@@ -129,7 +129,7 @@ By the previous argument the $\exists$ASP problem corresponds to \ba language in
 \end{proof}
 \subsection{Priorities \& On-the-fly B\"uchi Automata Composition}%
-\label{sub:Priority \& On-the-fly B\"uchi Automata Composition}
+\label{sub:Priority}
 As described in Appendix Section \ref{sub:Proofs of Soundness and Completeness}, \spin reduces verification problems to deciding B\"uchi Automata intersection emptiness. That is, given $n$ B\"uchi Automata programs $P_1,\ldots.,P_n$, \spin decides:
 \[
--- a/sections/case_studies.tex
+++ b/sections/case_studies.tex
@@ -1,6 +1,6 @@
 %!TEX root = ../main.tex
-In this section we describe two case studies: the Transmission Control Protocol (TCP), a data transfer protocol, and Raft, a state machine replication protocol.
+In this section we describe three case studies: the Transmission Control Protocol (TCP), a data transfer protocol, SCTP, another data transfer protocol, and Raft, a state machine replication protocol.
 \subsection{TCP}%
 \label{sub:TCP}
@@ -69,6 +69,10 @@ $\phi_4$ & \rule{0pt}{8pt} x & & & & & & x & & \\
 \end{comment}
 \subsection{SCTP}%
 \label{sub:SCTP}
 SCTP is a transport-layer protocol proposed as an alternative to TCP, featuring a four-way handshake, multi-homing, and multi-streaming. Among other use cases, SCTP is the data transfer protocol for various telecoms signaling protocols as well as WebRTC. For our analysis, we borrow the ten LTL properties and \promela models derived from the SCTP RFCs as described in \cite{Ginesin2024}. We evaluated the SCTP \promela model against \korg's drop, replay, and reordering attacker models on a single uni-directional communication channel. The drop attacker model was specified to max out at three dropped packets, while the replay and reordering attacker model was specified to max out at two packets. SCTP is designed to resist drop, replay, and reordering attackers \cite{rfc9260}, and we employ \korg to exhaustively demonstrate this is the case.
 \subsection{Raft}%
 \label{sub:Raft}
 Raft is a consensus algorithm designed to replicate a state machine across distributed peers, and sees broad usage in distributed databases, key-value stores, distributed file systems, distributed load-balancers, and container orchestration. Historically, verification efforts of Raft using both constructive, mechanized proving techniques \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016, Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson, Ongaro} and automated verification \cite{Ongaro} have reasoned about the protocol under certain assumptions about the stability of the communication channels. Previously, Raft has been proven to maintain properties of interest with respect volatile, attacker-controlled channels constructively using Rocq\footnote{Previously known as Coq} \cite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}. However, no previous approach to Raft verification has reasoned explicitly about a coordinated, arbitrary on-channel attacker \textit{external} to the protocol itself. Uniquely, \korg enables us to study Raft in this context.
@@ -109,10 +113,6 @@ Dropping AppendEntryResponse messages & no \\
 \end{figure}
 In our experiments, we found just one attack on our \texttt{raft-bug.pml} \promela model, violating election safety in particular. In this scenario, peer A and peer B are candidates for election. Peer A receives three votes, one from itself and two from other peers, and Peer B receives two votes, one from itself and one from another peer. The replay attacker simply replays the vote sent to peer B. Then, both Peer A and Peer B are convinced they won the election and change their state to leader. Following this, leader completeness is also naturally violated. In this scenario, \korg demonstrates its ability to discover subtle bugs in protocol logic, exploiting the buggy Raft implementation. 
 \subsection{SCTP}%
 \label{sub:SCTP}
 SCTP is a transport-layer protocol proposed as an alternative to TCP, featuring a four-way handshake, multi-homing, and multi-streaming. Among other use cases, SCTP is the data transfer protocol for various telecoms signaling protocols as well as WebRTC. For our analysis, we borrow the ten LTL properties and \promela models derived from the SCTP RFCs as described in \cite{Ginesin2024}. We evaluated the SCTP \promela model against \korg's drop, replay, and reordering attacker models on a single uni-directional communication channel. The drop attacker model was specified to max out at three dropped packets, while the replay and reordering attacker model was specified to max out at two packets. SCTP is designed to resist drop, replay, and reordering attackers \cite{rfc9260}, and we employ \korg to exhaustively demonstrate this is the case.
 % these attacker models, and we employ \korg to exhaustively demonstrate this is the case.
 %our Raft model satisfies $\phi_1$-$\phi_5$ assuming perfect channels, and \korg allowed us to reason precisely about the effect of imperfect, vulnerable channels.
--- a/sections/design.tex
+++ b/sections/design.tex
@@ -189,7 +189,7 @@ BREAK: }
 \end{figure}
 \textbf{Reorder Attacker Gadget Implementation}.
-The final and most complex gadget \korg implements is an attacker that can \textit{reorder} messages on a channel. The gadget works as follows. The attacker model gadget comes with a pre-defined message limit value \texttt{lim}, which defines the length of the gadget storage FIFO buffer \texttt{gadget\_mem}. The gadget also has the highest \textit{execution priority} in the system, which ensures the gadget can always reorder messages on the victim channel without other processes interfering. The gadget first enters the \texttt{INIT} state --- in this state, the gadget non-deterministically chooses to pass messages on the victim channel, or transition to the \texttt{CONSUME} state. In the \texttt{CONSUME} state, the gadget consumes each message it sees and stores them in \texttt{gadget\_mem}, a FIFO buffer. Upon consuming each message from the victim channel, \texttt{lim} is decremented. Once \texttt{lim=0}, the gadget transitions to \texttt{REPLAY}. Then, messages are randomly selected from \texttt{gadget\_mem} to be replayed back onto the channel. Note, because \texttt{gadget\_mem} is a FIFO buffer, we must rotate messages within the channel in order to randomly select a value from it. Additionally, messages can also be nondeterministically removed from \texttt{gadget\_mem}, as all messages do not necessarily need to be replayed. Once \texttt{gadget\_mem} is empty, the gadget transitions to the \texttt{BREAK} state. An example gadget automatically synthesized with \korg against the channel \texttt{cn} is shown in figure \ref{lst:korg_reordering}.
+The final and most complex gadget \korg implements is an attacker that can \textit{reorder} messages on a channel. The gadget works as follows. The attacker model gadget comes with a pre-defined message limit value \texttt{lim}, which defines the length of the gadget storage FIFO buffer \texttt{gadget\_mem}. The gadget also has the highest \textit{execution priority} in the system, which ensures the gadget can always reorder messages on the victim channel without other processes interfering. Further details describing how \spin handles execution priority is provided in Appendix section \ref{Priority}. The gadget first enters the \texttt{INIT} state --- in this state, the gadget non-deterministically chooses to pass messages on the victim channel, or transition to the \texttt{CONSUME} state. In the \texttt{CONSUME} state, the gadget consumes each message it sees and stores them in \texttt{gadget\_mem}, a FIFO buffer. Upon consuming each message from the victim channel, \texttt{lim} is decremented. Once \texttt{lim=0}, the gadget transitions to \texttt{REPLAY}. Then, messages are randomly selected from \texttt{gadget\_mem} to be replayed back onto the channel. Note, because \texttt{gadget\_mem} is a FIFO buffer, we must rotate messages within the channel in order to randomly select a value from it. Additionally, messages can also be nondeterministically removed from \texttt{gadget\_mem}, as all messages do not necessarily need to be replayed. Once \texttt{gadget\_mem} is empty, the gadget transitions to the \texttt{BREAK} state. An example gadget automatically synthesized with \korg against the channel \texttt{cn} is shown in figure \ref{lst:korg_reordering}.
 % The attacker model gadget comes with a pre-defined message limit value \texttt{lim}, which defines the length of the gadget storage FIFO buffer \texttt{gadget\_mem}. Then, the gadget enters the \texttt{CONSUME} state and nondeterministically chooses messages on the channel \texttt{cn} to copy into \texttt{gadget\_mem}. Once \texttt{lim=0}, the gadget transitions into the state \texttt{REPLAY}, where items are randomly selected from \texttt{gadget\_mem} to be replayed back onto the channel. Note, because \texttt{gadget\_mem} is a FIFO buffer, we must rotate messages within the channel in order to randomly select a value from it. Additionally, messages can also be nondeterministically removed from \texttt{gadget\_mem}, as all messages do not necessarily need to be replayed. Once \texttt{gadget\_mem} is empty, the gadget transitions to the \texttt{BREAK} state.