## Section: New Results

### Formal Methods for Developing and Analyzing Algorithms and Systems

Participants : Marie Duflot-Kremer, Yann Duplouy, Margaux Duroeulx, Souad Kherroubi, Igor Konnov, Dominique Méry, Stephan Merz, Axel Palaude, Nicolas Schnepf, Christoph Weidenbach.

#### Parameterized Verification of Threshold-Guarded Fault-Tolerant Distributed Algorithms

Joint work with Nathalie Bertrand (Inria Rennes, SUMO project team) and Jure Kukovec, Marijana Lazić, Ilina Stoilkovska, Josef Widder, Florian Zuleger (TU Wien).

Many fault-tolerant distributed algorithms use threshold guards: processes broadcast messages and count the number of messages that they receive from their peers. Based on the total number $n$ of processes and an upper bound on the number $t$ of faulty processes, a correct process tolerates faults by receiving “sufficiently many” messages. For instance, when a correct process has received $t+1$ messages from distinct processes, at least one of these messages must originate from a non-faulty process. The main challenge is to verify such algorithms for all combinations of parameters $n$ and $t$ that satisfy a resilience condition, e.g., $n>3t$.

In earlier work, we introduced threshold automata for representing processes in such algorithms and showed that systems of threshold automata have bounded diameters that do not depend on the parameters such as $n$ and $t$, provided that a single-step acceleration is allowed [66]. In the contribution [27] to CONCUR'18, we reported on various extensions of this result to less restrictive forms of automata: the guards can be non-linear, shared variables can be incremented and decremented, non-trivial loops are allowed, and more general forms of acceleration are used. In the contribution [26] to ISOLA'18, we presented a parallel extension of our tool Byzantine Model Checker (ByMC), which allows one to distribute the verification queries across the computation nodes in an MPI cluster.

Our previous results apply to asynchronous algorithms. It is well-known that distributed consensus cannot be solved in purely asynchronous systems [64]. However, when an algorithm is provided with a random coin, consensus becomes solvable [56]. In [44], we introduced an approach to parameterized verification of randomized threshold-guarded distributed algorithms, which proceed in an unbounded number of rounds and toss a coin to break symmetries. This approach integrates two levels of reasoning: (1) proving safety and liveness of a single round system with ByMC by replacing randomization with non-determinism, (2) showing almost-sure termination of an algorithm by using the verification results for the non-deterministic system. To show soundness, we proved several theorems that reduce reasoning about multiple rounds to reasoning about a single round. We verified five prominent algorithms, including Ben-Or's randomized consensus [56] and randomized one-step consensus (RS-BOSCO [70]). The verification of the latter algorithm required us to run experiments in Grid5000. A paper describing these results is under review at TACAS 2019.

Another way of making consensus solvable is to impose synchrony on the executions of a distributed system. In [48] we introduced synchronous threshold automata, which execute in lock-step and count the number of processes in given local states. In general, we showed that even reachability of a parameterized set of global states in such a distributed system is undecidable. However, we proved that systems of automata with monotonic guards have bounded diameters, which allows us to use SMT-based bounded model checking as a complete parameterized verification technique. We introduced a procedure for computing the diameter of a counter system of synchronous threshold automata, applied it to the counter systems of 8 distributed algorithms from the literature, and found that their diameters are tiny (from 1 to 4). This makes our approach practically feasible, despite undecidability in general. A paper about this work is under review at TACAS 2019.

#### Symbolic Model Checking of TLA^{+} Specifications

Joint work with Jure Kukovec, Thanh Hai Tran, Josef Widder (TU Wien).

TLA^{+} is a general language introduced by Leslie Lamport for
specifying temporal behavior of computer systems [67].
The tool set for TLA^{+}
includes an explicit-state model checker tlc . As explicit state model
checkers do not scale to large verification problems, we started the project
APALACHE (WWTF project APALACHE (ICT15-103):
https://forsyte.at/research/apalache/) on developing a symbolic model
checker for TLA^{+} in 2016.

In the contribution [28] to ABZ'18, we addressed the
first principal challenge towards developing the symbolic model checker. We
introduced a technique for identifying assignments in TLA^{+}
specifications and decomposing a monolithic TLA^{+} specification into a
set of symbolic transitions. At the TLA^{+} community meeting 2018, we
presented a prototype solution [46] to a second
challenge. We have developed an SMT encoding of TLA^{+} expressions for
model checking purposes. We presented the first version of a symbolic model
checker for TLA^{+} specifications that works under the same assumptions as
TLC: the input parameters are fixed and finite structures, and the reachable
states are finite structures. The experimental results are encouraging, and we
are thus preparing a conference submission. Finally, in a contribution to the DSN
Workshop on Byzantine Consensus and Resilient Blockchains
[47], we considered challenges for automatic
verification techniques for Blockchain protocols.

#### Making Explicit Domain Knowledge in Formal System Development

Joint work with partners of the IMPEX project.

The IMPEX project (cf. section 8.1) advocates that formal modeling languages should explicitly represent the knowledge resulting from an analysis of the application domain, and that ontologies are good candidates for handling explicit domain knowledge. We strive at offering rigorous mechanisms for handling domain knowledge in design models. The main results of the project are summarized in [18] and show the importance of three operations over models, namely annotation, dependency, and refactoring [38].

#### Incremental Development of Systems and Algorithms

Joint work with Manamiary Bruno Andriamiarina, Neeraj Kumar Singh (IRIT, Toulouse), Rosemary Monahan (NUI Maynooth, Ireland), Zheng Cheng (LINA, Nantes), and Mohammed Mosbah (LaBRI, Bordeaux).

The development of distributed algorithms and, more generally, of distributed systems, is a complex, delicate, and challenging process. The approach based on refinement applies a design methodology that starts from the most abstract model and leads, in an incremental way, to a distributed solution. The use of a proof assistant gives a formal guarantee about the conformance of each refinement with the model preceding it. Our main result during 2018 is the development of patterns for different kinds of paradigms including the iterative pattern, the recursive pattern, and the distributed pattern [30].

#### Synthesis of Security Chains for Software Defined Networks

Joint work with Rémi Badonnel and Abdelkader Lahmadi of the Resist team of Inria Nancy – Grand Est.

The PhD work of Nicolas Schnepf focuses on applying formal methods techniques in the area of network communications, and in particular for the construction, analysis, and optimization of security functions in the setting of software-defined networks (SDN). In previous work, we defined an extension of the Pyretic language [65] for representing both the control and the data planes of SDN controllers and implemented a translation of that extension to the input languages of the nuXmv model checker and of SMT solvers.

This year, our work focused on synthesizing security chains for Android applications based on their observed communications. The first step consists in inferring probabilistic finite-state automata models that represent network flows generated by Android applications. Comparing our models with automata produced by the state-of-the-art tools Invarimint and Synoptic, we obtain representations that are significantly smaller than those generated by Synoptic and as succinct as those inferred by Invarimint, but that include information about transition probability, unlike Invarimint. This work was presented at NOMS 2018 [35], [37]. In a second step, we encode security policies defined by network administrators in a rule-based program that is then used to generate a high-level representation of a security chain for the application, which is then translated to Pyretic. For example, an application that contacts different ports at the same IP address in rapid succession could be qualified as performing a port scanning attack, and these connections could then be blocked. This work was presented at AVoCS 2018 [36]. The third step consists in factorizing the chains generated for different applications in order to reduce the size of the overall chain that must be deployed in a network. A paper describing appropriate algorithms for that purpose will be presented at IM 2019.

#### Satisfiability Techniques for Reliability Assessment

Joint work with Nicolae Brînzei at *Centre de Recherche en
Automatique de Nancy*.

The reliability of complex systems is typically assessed using probabilistic
methods, based on the probabilities of failures of individual components,
relying on graphical representations such as fault trees or reliability block
diagrams. Mathematically, the dependency of the overall system on the working
status of its components is described by its Boolean-valued *structure
function*, and binary decision diagrams (BDDs) have traditionally been used
to construct a succinct representation of that function. We explore the use of
modern satisfiability techniques as an alternative to BDD-based algorithms. In
2018, our work focused on the encoding of dynamic fault trees whose structure
function needs to take into account the order in which components fail.