Do Formal Methodists have Bell-Shaped Heads? (Invited Paper) 0 Timothy G. Gri n Computer Laboratory University of Cambridge

Data networking has not been kind to formal methods. The Internet's birth gave rise to an intense culture war between the bell-heads and the net-heads, which the net-heads have largely won. In this area formal methodists have long been seen as the humourless enforcers of the defeated bell-heads. The result: formal methods are not a part of the mainstream of data networking and are largely relegated to the the thankless task of reverse engineering (security-related protocols are perhaps the rare exception). If we want to move beyond this situation we must build tools that enhance the ability to engage in the Internet culture | tools that encourage community-based development of open-source systems and embrace the open-ended exploration of design spaces that are only partially understood.

 -

2

 Satis ed with Reverse-Engineering?

If Internet protocols are not developed from formal speci cations it may still be worthwhile to reverse engineer existing protocols. I've done a lot of reverse engineering with routing protocols. I think it can be very fruitful, especially if we can come away with general principles that have applicability beyond protocol-speci c details. This last point is very important | your results must be interesting to a larger community because you can't expect the networking community to care. By the time you have gured something out, they will have moved on to a new set of problems. 3

 Change of Thinking?

Given the cultural constraints, perhaps reverse engineering is the best we can do. Attempts have been made to lower the cost of formal methods, see the work on lightweight formal methods [ 1, 6 ]. I think that it is a very worthwhile e ort, but one that is useful in all areas where formal methods are applied. Is there an approach that fully embraces the community-based open-ended nature of Internet-related systems work?

I'll suggest one answer | domain-speci c languages (DSLs). It seems to me that DSLs allow us to raise the level of abstraction in which problems are solved. I will discuss only three examples | the Statecall Policy Language (SPL) [ 8 ], Ynot [ 3 ], and Idris [ 2 ].

I've had fun discussing this topic with Anil Madhavapeddy, Jon Crowcroft, and Boon Thau Loo. I hope this short talk will stimulate further discussion at the ATE workshop.

 [1] S. Agerholm and P. G. Larsen . A lightweight approach to formal methods . Proceedings of the International Workshop on Current Trends in Applied Formal Methods , 1998 . [2] E. Brady . Idris - systems programming meets full dependent types . In PLPV 2011 , 2011 . [3] A. Chlipala , G. Malecha, G. Morrisett , A. Shinnar , and R. Wisnesky . E ective interactive proofs for higher-order imperative programs . In Proceedings of ICFP'09 , 2009 . [4] J. Day . Patterns in Network Architectures : A return to fundamentals . Prentice Hall , 2008 . [5] M. G. Gouda . Elements of Network Protocol Design . Wiley, 1998 . [6] D. Jackson . Alloy: A lightweight object modelling notation . ACM Transactions on Software Engineering and Methodology (TOSEM) , 11 ( 2 ): 256 { 290 , 2002 . [7] L. Lamport . State the problem before describing the solution . ACM SIGSOFT Software Engineering Notes , 3 ( 1 ): 26 , 1978 . [8] A. Madhavapeddy . Combining static model checking with dynamic enforcement using the statecall policy language . In International Conference on Formal Engineering Methods (ICFEM) , 2009 .