This commit is contained in:
Your Name
2025-02-23 17:28:08 -05:00
parent cc322832e2
commit 965446ee62
20 changed files with 6464 additions and 10312 deletions


@@ -118,3 +118,32 @@ concurrent finite-state programs.}, publisher={IEEE Computer Society}, author={V
@inproceedings{Narayana_Chen_Zhao_Chen_Fu_Zhou_2006, title={Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+}, url={https://ieeexplore.ieee.org/document/4110436/?arnumber=4110436}, DOI={10.1109/NPSEC.2006.320346}, abstractNote={Vulnerability analysis is indispensably the first step towards securing a network protocol, but currently remains mostly a best effort manual process with no completeness guarantee. Formal methods are proposed for vulnerability analysis and most existing work focus on security properties such as perfect forwarding secrecy and correctness of authentication. However, it remains unclear how to apply these methods to analyze more subtle vulnerabilities such as denial-of-service (DoS) attacks. To address this challenge, in this paper, we propose use of TLA+ to automatically check DoS vulnerability of network protocols with completeness guarantee. In particular, we develop new schemes to avoid state space explosion in property checking and to model attackers capabilities for finding realistic attacks. As a case study, we successfully identify threats to IEEE 802.16 air interface protocols.}, booktitle={2006 2nd IEEE Workshop on Secure Network Protocols}, author={Narayana, Prasad and Chen, Ruiming and Zhao, Yao and Chen, Yan and Fu, Zhi and Zhou, Hai}, year={2006}, month=nov, pages={4449} }
@article{Delzanno_Tatarek_Traverso_2014, title={Model Checking Paxos in Spin}, volume={161}, ISSN={2075-2180}, DOI={10.4204/EPTCS.161.13}, journal={Electronic Proceedings in Theoretical Computer Science}, author={Delzanno, Giorgio and Tatarek, Michele and Traverso, Riccardo}, year={2014}, month=aug, pages={131146}, language={en} }
@article{Sergey_Wilcox_Tatlock_2018, title={Programming and proving with distributed protocols}, volume={2}, ISSN={2475-1421}, DOI={10.1145/3158116}, abstractNote={Distributed systems play a crucial role in modern infrastructure, but are notoriously difficult to implement correctly. This difficulty arises from two main challenges: (a) correctly implementing core system components (e.g., two-phase commit), so all their internal invariants hold, and (b) correctly composing standalone system components into functioning trustworthy applications (e.g., persistent storage built on top of a two-phase commit instance). Recent work has developed several approaches for addressing (a) by means of mechanically verifying implementations of core distributed components, but no methodology exists to address (b) by composing such verified components into larger verified applications. As a result, expensive verification efforts for key system components are not easily reusable, which hinders further verification efforts. In this paper, we present Disel, the first framework for implementation and compositional verification of distributed systems and their clients, all within the mechanized, foundational context of the Coq proof assistant. In Disel, users implement distributed systems using a domain specific language shallowly embedded in Coq and providing both high-level programming constructs as well as low-level communication primitives. Components of composite systems are specified in Disel as protocols, which capture system-specific logic and disentangle system definitions from implementation details. By virtue of Disels dependent type system, well-typed implementations always satisfy their protocols invariants and never go wrong, allowing users to verify system implementations interactively using Disels Hoare-style program logic, which extends state-of-the-art techniques for concurrency verification to the distributed setting. 
By virtue of the substitution principle and frame rule provided by Disels logic, system components can be composed leading to modular, reusable verified distributed systems. We describe Disel, illustrate its use with a series of examples, outline its logic and metatheory, and report on our experience using it as a framework for implementing, specifying, and verifying distributed systems.}, number={POPL}, journal={Proceedings of the ACM on Programming Languages}, author={Sergey, Ilya and Wilcox, James R. and Tatlock, Zachary}, year={2018}, month=jan, pages={130}, language={en} }
@inproceedings{ironfleet, address={Monterey California}, title={IronFleet: proving practical distributed systems correct}, ISBN={978-1-4503-3834-9}, url={https://dl.acm.org/doi/10.1145/2815400.2815428}, DOI={10.1145/2815400.2815428}, abstractNote={Distributed systems are notorious for harboring subtle bugs. Verification can, in principle, eliminate these bugs a priori, but verification has historically been difficult to apply at fullprogram scale, much less distributed-system scale.}, booktitle={Proceedings of the 25th Symposium on Operating Systems Principles}, publisher={ACM}, author={Hawblitzel, Chris and Howell, Jon and Kapritsos, Manos and Lorch, Jacob R. and Parno, Bryan and Roberts, Michael L. and Setty, Srinath and Zill, Brian}, year={2015}, month=oct, pages={117}, language={en} }
@inbook{Rahli_Vukotic_Völp_Esteves-Verissimo_2018, address={Cham}, series={Lecture Notes in Computer Science}, title={Velisarios: Byzantine Fault-Tolerant Protocols Powered by Coq}, volume={10801}, ISBN={978-3-319-89883-4}, url={http://link.springer.com/10.1007/978-3-319-89884-1_22}, DOI={10.1007/978-3-319-89884-1_22}, abstractNote={Our increasing dependence on complex and critical information infrastructures and the emerging threat of sophisticated attacks, ask for extended efforts to ensure the correctness and security of these systems. Byzantine fault-tolerant state-machine replication (BFT-SMR) provides a way to harden such systems. It ensures that they maintain correctness and availability in an application-agnostic way, provided that the replication protocol is correct and at least n f out of n replicas survive arbitrary faults. This paper presents Velisarios, a logic-of-events based framework implemented in Coq, which we developed to implement and reason about BFT-SMR protocols. As a case study, we present the first machine-checked proof of a crucial safety property of an implementation of the areas reference protocol: PBFT.}, booktitle={Programming Languages and Systems}, publisher={Springer International Publishing}, author={Rahli, Vincent and Vukotic, Ivana and Völp, Marcus and Esteves-Verissimo, Paulo}, editor={Ahmed, Amal}, year={2018}, pages={619650}, collection={Lecture Notes in Computer Science}, language={en} }
@article{Ongaro_Ousterhout, title={In Search of an Understandable Consensus Algorithm}, abstractNote={Raft is a consensus algorithm for managing a replicated log. It produces a result equivalent to (multi-)Paxos, and it is as efficient as Paxos, but its structure is different from Paxos; this makes Raft more understandable than Paxos and also provides a better foundation for building practical systems. In order to enhance understandability, Raft separates the key elements of consensus, such as leader election, log replication, and safety, and it enforces a stronger degree of coherency to reduce the number of states that must be considered. Results from a user study demonstrate that Raft is easier for students to learn than Paxos. Raft also includes a new mechanism for changing the cluster membership, which uses overlapping majorities to guarantee safety.}, author={Ongaro, Diego and Ousterhout, John}, language={en} }
@inproceedings{Arun_Arashloo_Saeed_Alizadeh_Balakrishnan_2021, address={Virtual Event USA}, title={Toward formally verifying congestion control behavior}, ISBN={978-1-4503-8383-7}, url={https://dl.acm.org/doi/10.1145/3452296.3472912}, DOI={10.1145/3452296.3472912}, abstractNote={The diversity of paths on the Internet makes it difficult for designers and operators to confidently deploy new congestion control algorithms (CCAs) without extensive real-world experiments, but such capabilities are not available to most of the networking community. And even when they are available, understanding why a CCA under-performs by trawling through massive amounts of statistical data from network connections is challenging. The history of congestion control is replete with many examples of surprising and unanticipated behaviors unseen in simulation but observed on realworld paths. In this paper, we propose initial steps toward modeling and improving our confidence in a CCAs behavior. We have developed Congestion Control Anxiety Controller (CCAC),1 a tool that uses formal verification to establish certain properties of CCAs. It is able to prove hypotheses about CCAs or generate counterexamples for invalid hypotheses. With CCAC, a designer can not only gain greater confidence prior to deployment to avoid unpleasant surprises, but can also use the counterexamples to iteratively improve their algorithm. We have modeled additive-increase/multiplicativedecrease (AIMD), Copa, and BBR with CCAC, and describe some surprising results from the exercise.}, booktitle={Proceedings of the 2021 ACM SIGCOMM 2021 Conference}, publisher={ACM}, author={Arun, Venkat and Arashloo, Mina Tahmasbi and Saeed, Ahmed and Alizadeh, Mohammad and Balakrishnan, Hari}, year={2021}, month=aug, pages={116}, language={en} }
@article{Beurdouche, title={Formal Verification for High Assurance Security Software in FStar}, author={Beurdouche, Benjamin}, language={en} }
@inbook{Hsieh_Mitra_2019, address={Cham}, series={Lecture Notes in Computer Science}, title={Dione: A Protocol Verification System Built with Dafny for I/O Automata}, volume={11918}, ISBN={978-3-030-34967-7}, url={http://link.springer.com/10.1007/978-3-030-34968-4_13}, DOI={10.1007/978-3-030-34968-4_13}, abstractNote={Input/Output Automata (IOA) is an expressive specification framework with built-in properties for compositional reasoning. It has been shown to be effective in specifying and analyzing distributed and networked systems. The available verification engines for IOA are based on interactive theorem provers such as Isabelle, Larch, PVS, and Coq, and are expressive but require heavy human interaction. Motivated by the advances in SMT solvers, in this work we explore a different expressivity-automation tradeoff for IOA. We present Dione, the first IOA analysis system built with Dafny and its SMT-powered toolchain and demonstrate its effectiveness on four distributed applications. Our translator tool converts Python-esque Dione language specification of IOA and their properties to parameterized Dafny modules. Dione automatically generates the relevant compatibility and composition lemmas for the IOA specifications, which can then be checked with Dafny on a per module-basis. We ensure that all resulting formulas are expressed mostly in fragments solvable by SMT solvers and hence enables Bounded Model Checking and k-induction-based invariant checking using Z3. We present successful applications of Dione in verification of an asynchronous leader election algorithm, two self-stabilizing mutual exclusion algorithms, and CAN bus Arbitration. We automatically prove key invariants of all four protocols; for the last three this involves reasoning about arbitrary number of participants. 
These analyses are largely automatic with minimal manual inputs needed, and they demonstrate the effectiveness of this approach in analyzing networked and distributed systems.}, booktitle={Integrated Formal Methods}, publisher={Springer International Publishing}, author={Hsieh, Chiao and Mitra, Sayan}, editor={Ahrendt, Wolfgang and Tapia Tarifa, Silvia Lizeth}, year={2019}, pages={227245}, collection={Lecture Notes in Computer Science}, language={en} }
@misc{message_queues_TLA, title={TLA+ Message Passing}, author={Hillel Wayne}, url={https://www.hillelwayne.com/post/tla-messages/}, abstractNote={I recently did a corporate TLA+ workshop and some people asked what TLA+ specs look like in practice. If you looked at the most common public examples, youd probably come away thinking that people only used it for critical consensus algorithms. This is a problem for two reasons: first, it makes it harder to learn TLA+, as there arent simpler examples to experiment with. Second, it makes it hard for people to see how TLA+ is useful for them.}, journal={Hillel Wayne}, year={2018}, month=oct, language={en} }
@inbook{TLSMIN, address={Berlin, Heidelberg}, series={Lecture Notes in Computer Science}, title={LTSmin: High-Performance Language-Independent Model Checking}, volume={9035}, rights={http://www.springer.com/tdm}, ISBN={978-3-662-46680-3}, url={http://link.springer.com/10.1007/978-3-662-46681-0_61}, DOI={10.1007/978-3-662-46681-0_61}, abstractNote={In recent years, the LTSmin model checker has been extended with support for several new modelling languages, including probabilistic (Mapa) and timed systems (Uppaal). Also, connecting additional language front-ends or ad-hoc state-space generators to LTSmin was simplified using custom C-code. From symbolic and distributed reachability analysis and minimisation, LTSmins functionality has developed into a model checker with multi-core algorithms for on-the-fly LTL checking with partial-order reduction, and multi-core symbolic checking for the modal µ-calculus, based on the multi-core decision diagram package Sylvan.}, booktitle={Tools and Algorithms for the Construction and Analysis of Systems}, publisher={Springer Berlin Heidelberg}, author={Kant, Gijs and Laarman, Alfons and Meijer, Jeroen and Van De Pol, Jaco and Blom, Stefan and Van Dijk, Tom}, editor={Baier, Christel and Tinelli, Cesare}, year={2015}, pages={692707}, collection={Lecture Notes in Computer Science}, language={en} }
@inbook{mCRL2, address={Cham}, series={Lecture Notes in Computer Science}, title={The mCRL2 Toolset for Analysing Concurrent Systems: Improvements in Expressivity and Usability}, volume={11428}, ISBN={978-3-030-17464-4}, url={http://link.springer.com/10.1007/978-3-030-17465-1_2}, DOI={10.1007/978-3-030-17465-1_2}, abstractNote={Reasoning about the correctness of parallel and distributed systems requires automated tools. By now, the mCRL2 toolset and language have been developed over a course of more than fifteen years. In this paper, we report on the progress and advancements over the past six years. Firstly, the mCRL2 language has been extended to support the modelling of probabilistic behaviour. Furthermore, the usability has been improved with the addition of refinement checking, counterexample generation and a user-friendly GUI. Finally, several performance improvements have been made in the treatment of behavioural equivalences. Besides the changes to the toolset itself, we cover recent applications of mCRL2 in software product line engineering and the use of domain specific languages (DSLs).}, booktitle={Tools and Algorithms for the Construction and Analysis of Systems}, publisher={Springer International Publishing}, author={Bunte, Olav and Groote, Jan Friso and Keiren, Jeroen J. A. and Laveaux, Maurice and Neele, Thomas and De Vink, Erik P. and Wesselink, Wieger and Wijs, Anton and Willemse, Tim A. C.}, editor={Vojnar, Tomáš and Zhang, Lijun}, year={2019}, pages={2139}, collection={Lecture Notes in Computer Science}, language={en} }
@article{Ginesin2024, title={A Formal Analysis of SCTP: Attack Synthesis and Patch Verification}, url={http://arxiv.org/abs/2403.05663}, abstractNote={SCTP is a transport protocol offering features such as multi-homing, multi-streaming, and message-oriented delivery. Its two main implementations were subjected to conformance tests using the PacketDrill tool. Conformance testing is not exhaustive and a recent vulnerability (CVE-2021-3772) showed SCTP is not immune to attacks. Changes addressing the vulnerability were implemented, but the question remains whether other flaws might persist in the protocol design. We study the security of the SCTP design, taking a rigorous approach rooted in formal methods. We create a formal Promela model of SCTP, and define 10 properties capturing the essential protocol functionality based on its RFC specification and consultation with the lead RFC author. Then we show using the Spin model checker that our model satisfies these properties. We define 4 attacker models - Off-Path, where the attacker is an outsider that can spoof the port and IP of a peer; Evil-Server, where the attacker is a malicious peer; Replay, where an attacker can capture and replay, but not modify, packets; and On-Path, where the attacker controls the channel between peers. We modify an attack synthesis tool designed for transport protocols, Korg, to support our SCTP model and four attacker models. We synthesize 14 unique attacks using the attacker models - including the CVE vulnerability in the Off-Path attacker model, 4 attacks in the Evil-Server attacker model, an opportunistic ABORT attack in the Replay attacker model, and eight connection manipulation attacks in the On-Path attacker model. We show that the proposed patch eliminates the vulnerability and does not introduce new ones according to our model and protocol properties. Finally, we identify and analyze an ambiguity in the RFC, which we show can be interpreted insecurely. 
We propose an erratum and show that it eliminates the ambiguity.}, note={arXiv:2403.05663 [cs]}, number={arXiv:2403.05663}, publisher={arXiv}, author={Ginesin, Jacob and von Hippel, Max and Defloor, Evan and Nita-Rotaru, Cristina and Tüxen, Michael}, year={2024}, month=mar }