Exploiting Symmetry of Distributed FT Protocols To Ease Model Checking∗

Model checking is a formal verification technique used to prove that a system satisfies its specification. The system is described by a state transition system (called Kripke structure) and the specification of the system is defined via properties written in temporal logic. The model checking problem consists of exploring every possible state of the Kripke structure and checking if the properties hold along all explorations [1]. If the number of reachable states exceeds a certain limit, the model checking problem becomes infeasible and is usually referred to as state space explosion. If the system model and its temporal properties are specificable, the model checking (i.e., state exploration) problem can be automated. Distributed fault-tolerant (FT) distributed protocols comprise an arena with subtle protocol operations and fault semantics, where informal reasoning often leads to errors. Hence computer-aided correctness techniques are desired [3]. The model checking of such protocols often yields state space explosion, mainly due to the modeling of faults. In order to prove that the specification cannot be compromised in any case, all possible fault effects must be considered. Every fault effect possibly initiates a new branch of exploration, thus the size of the overall state space is very much affected by faults. Restrictive fault models yield a more compact state space, however, optimistic fault assumptions are often not realistic. If malicious faults are also assumed (e.g., [3]) the size of the state space can be exponential in the number of system components. Abstraction is a general approach used to address the complexity of model checking. The main idea is to identify “unnecessary” information which can be omitted in the system model. The primary challenge of abstraction is to accurately relate the original problem (non-abstract model) to the abstracted problem (abstract model). The abstraction process is sound if verifying the correctness of the abstract model implies the correctness of the non-abstract one. Usu-