Reactive system validation using automated reasoning over a fragment library

Abstract

While a user might be able to confidently validate a generalized fragment by inspection, since calling an off-hook user should result in a busy signal (when the system only has one line per user), more complex behavior can be impractical to validate by inspection. This is particularly true when the fragment describes an intermediate protocol step, for example, because correctness is often stated in terms of all possible protocol outcomes. The paper illustrates this problem with a fragment describing a step in the CS-NC protocol used by the personal channel agent (PCA), the paper's primary case study. An example correctness property proved in the paper is Property V: given two properly initialized PCAs, CS-NC correctly transmits the new channel from one to the other, and an eavesdropper's action(s) will be detected by at least one of the PCAs, assuming (1) every protocol message sent is eventually received, and (2) only an eavesdropper can discover keys or channel identifiers (with significant probability).