►
From YouTube: Formal Analysis of GossipSub - Ankit Kumar
Description
This talk was given at IPFS Camp 2022 in Lisbon, Portugal.
A
A
So
this
helps
to
disseminate
messages
fast,
while
keeping
a
low
overhead.
It
has
been
claimed
resilient
against
civil
attacks
in
a
previous
work
by
Vizio
at
all.
It
has
been
tested
for
resilience
in
test
ground,
and
the
specification
for
gossip
sub
is
given
in
prose
English.
A
So
in
our
work,
we
implemented
a
full
executable
specification
of
Gossip
Sub
in
acl2s,
which
is
a
very
powerful
first
order,
theorem
proverb
that
has
been
used
quite
quite
a
lot
in
industry
in
the
areas
of
Hardware
verification
and
requirement
analysis.
A
We
can
use
this
executable
spec
to
model
orbit
topology,
which
allows
us
to
have
fine-grained
control
over
events,
messages,
behaviors
parameters
and
weights,
and
it
allows
us
to
try
out
any
configuration
that
could
be
used
on
top
of
Gossip
sub.
We
utilized
this
model
to
sorry.
We
cross
validated
our
model
with
the
original
implementation
of
cursive
sub,
the
specifically
the
golang
implementation.
A
What
we
did
was
we
ran
the
unit
tests
provided
in
the
golang
implementation
in
our
own
model,
as
well,
as
we
type
checked
the
trace
output
by
the
golang
implementation
in
scl2s
to
verify
that
it's
outputting,
the
current
that
to
verify
that
whatever
it
is,
outputting
is
actually
events.
So
in
our
work.
A
An
advantage
of
this
formalization
effort
was
that
several
discrepancies
between
the
implementation
and
the
specification
we
are
clarified.
While
we
were
trying
to
implement
it,
we
had
to
regularly
be
in
contact
with
the
political
Labs
developers,
so
a
lot
of
discrepancies
were
settled.
Another
Advantage
was
that,
while
writing
the
scoring
function,
which
is
used
to
judge
your
neighboring
peers,
whether
they
are
good
or
bad,
we
came
up
with
four
properties
that
were
quite
evident
and
we
included
them
as
we
wrote
Our
code.
A
A
So
we
tested
these
properties
in
context
of
filecoin
and
ethereum
filecoin
certificate
satisfied
all
of
those
properties,
whereas
ethereum
satisfied
only
one
and
based
on
these
properties
and
counter
samples
that
we
came
up
with
we,
we
were
able
to
generate
an
attack
that
expose
certain
vulnerabilities.
A
There
are
three
topics:
blue,
green
and
orange,
and-
and
there
are
two
nodes,
A
and
B
that
are
in
meshes
of
all
three
topics
and
B
is
trying
to
keep
a
score
of
a
let's
say,
is
misbehaving
and
therefore
B
judges
that
the
score
of
a
has
dropped
below
zero
and
therefore,
in
the
next
in
the
next
heartbeat
event,
B
will
prune
a
from
its
mesh,
which
happens
as
is
shown,
and
therefore
B
is
no
longer
in
connection
with
a
so
it's
not
sending
or
receiving
message
or
direct
full
messages
from
a
in
any
topic.
A
Now
how
the
score
is
calculated
is
we
have
certain
parameters,
P1
P2
up
till
P,
seven
that
are
used
to
track
certain
behaviors
of
the
neighbors
P1
is
time
in
mesh.
P2
is
first
number
of
first
message:
delivery
is
sent,
P3
is
number
of
mesh
message.
Deliveries
per
heartbeat
interval,
P3
B,
is
the
same
as
P3,
but
it
is
sticky
that
is,
it
is
remembered,
even
after
a
prune
is
pruned
from
the
mesh.
P4
is
the
number
of
invalid
messages.
A
B5
is
application,
specific
score,
P6
is
IP
collection,
factor
and
p7
is
a
penalty
on
certain
behaviors,
so
the
ones
that
are
coded
as
red
are
bad.
That
is,
we
don't
want
them,
they
indicate
bad
behavior
and
the
ones
in
blue
are
good,
and
since
we
know
these
are
good
and
bad
behaviors,
we
multiply
them
with
corresponding
weights
that
are
either
negative
or
positive
depending
upon
their
behavior.
A
Once
we
have
that
they
are
so
the
topic
wise
parameters
are
multiplied
with
their
weights
and
summed
over
all
topics,
and
then
they
are
added
with
the
global
scores.
The
global
score
contributions
and
the
whole
thing
is
then
capped
using
a
topic
cap
DC.
A
So
this
is
the
scoring
function
that
gossip
sub
utilizes
and
our
work
has
been
to
verify
this
particular
scoring
function
in
regard
with
the
some
of
the
properties.
So
now
we'll
be
talking
about
the
properties,
we
wanted
properties
that
were
hopefully
uncontroversial,
but
it
would
seem
that
any
scoring
function
that
claims
to
be
resilient
against
civil
attacks
should
satisfy
these
properties.
A
So
the
first
property
says
that
if
the
topic
score
is
always
less
than
zero,
then
eventually
the
overall
score
should
be
less
than
zero.
Ethereum
does
not
satisfy
this
property
whereas,
as
whereas
file
coin,
does
the
second
property
says
that
increase
in
bad
performance
counters
should
lead
to
a
decrease
in
the
overall
score,
which
again
ethereum
does
not
satisfy,
but
it
is
Satisfied
by
falcoin.
A
The
third
pair,
the
third
property
states,
that
the
increase
in
good
performance
counters
should
lead
to
an
increase
in
your
overall
score,
which
ethereum
again
does
not
satisfy
and
Falcon
does
satisfy.
Finally,
the
fourth
property
says
that
identical
performance
counters
should
achieve
identical
scores.
A
This
was
trivial
to
prove,
because
we
have
used
sl2s,
which
is
a
functional
programming
language
and
therefore
we
have
referential
transparency
that
allows
us
to
say
that,
because
the
definition
is
same
for
both
the
context,
the
fourth
properties
is
Trivial
to
prove
now
we'll
go
over
each
of
these
topics
and
try
to
reason
why
that
is
the
case.
Yeah
acl2s
I
have
provided
a
link
for
that
in
the
first
slide.
A
Yep
so
so
after
we
have
implemented
the
whole
of
Gossip
sub.
Here
is
our
property.
The
property
says
that
given
a
which
is
appear,
TP,
which
is
a
topic
and
counters,
which
is
a
map
from
a
pair
peer
topic
to
counters
counters,
can
be
considered
as
record
that
keeps
track
of
these
five
counters.
A
We
want
to
prove
that
if
the
topic
score
is
less
than
0,
then
the
overall
score,
then
the
overall
score
is
also
Less
Than
Zero.
So
this
is
the
property
that
we
put
it.
Incl2S
and
sl2s
comes
back
to
us
with
a
initialization
of
counters,
as
shown
for
some
peer,
a
and
the
topics
are
color
coded
for
each
of
the
counters,
so
these
counters
all
are
for
blue,
green
and
orange
yeah.
A
So
since
we
have
implemented
the
scoring
function,
we
do
have
the
computational
power
to
evaluate
these
counters
and
come
up
with
the
score
which
comes
out
to
be
5.,
however,
notice
that
if
we
only
calculate
the
topic
based
scores,
the
blue
topic
has
a
score
of
minus
25.
The
green
one
has
22
and
the
orange
one
has
7.78
note
that
all
the
weights
and
parameters
that
we
are
using
in
this
computation
have
been
derived
from
the
implementation
of
ethereum
in
the
golang
implementation.
So
so
these
are
actual
parameters
and
values
that
we
arrived
at.
A
Based
on
this
data,
we
can
generate
an
attack
in
which,
as
we
as
we
see
if
we
maintain
a
steady
rate
of
message,
delivery
in
orange
and
green
topics,
whereas
if
we
decrease
the
number
of
mesh
messages
in
the
blue
topic
after
certain
time
interval,
then
a
can
be
in
all
the
a
can
maintain
a
positive
overall
score.
While
misbehaving
in
the
blue
topic,
because
it
has
severely
constrained
its
mesh
message,
deliveries
to
B-
and
we
can
do
nothing
about
it
because
a
has
a
positive
score
and
so
a
will
not
be
pruned
out.
A
However,
filecoin
does
satisfy
this
property.
Why
is
that?
This
is
because
they
set
their
weights
such
that
the
the
maximum
positive
score
achievable
by
the
corresponding
weights
assigned
to
positive
parameters
is
less
than
the
penalties
issued
by
the
weights
assigned
for
the
negative
parameters.
So
the
penalties
are
so
high
that,
even
if
you
add
up
the
maximum
positive
score
from
each
of
the
topics,
it
is
less
than
any
single
penalty
you
get
and
that
will
drive
down
your
overall
score
below
zero.
A
Similarly,
for
property,
two,
we
can
see
that
ethereum
has
a
topic
cap.
A
However,
the
sum
of
its
score
contributions
from
each
of
the
topic
can
be
higher
than
topic
cap
and
after
that,
if
some
topic,
if
some,
if
there
is
some
misbehavior
in
some
topic,
it
will
decrease
down
its
score,
but
the
topic
cap
will
keep
it
at
the
same
level
as
it
was
before,
because
it's
not
going
below
the
topic
cap,
whereas
in
file
coin
there
is
no
topic
Gap,
so
any
decrease
in
the
score
will
lead
to
a
decrease
in
the
overall
score
for
property
3.
We
have
the
same
problem.
A
That
is
because
of
the
topic
cap.
Any
increase
in
the
contribution
by
a
certain
topic
will
not
actually
increase
your
overall
overall
score
because
it
is
already
capped.
So,
even
after
the
increase,
your
score
will
be
at
the
maximum
cap
in
case
of
file
coin.
There
is
no
such
cap
and
therefore
it
can
increase.
A
So
we
discussed
all
the
properties
that
we
came
up
with
in
context
of
ethereum
and
filecoin.
A
Now
in
the
future,
what
we
would
like
to
do
is
to
model
the
application
Level
over
our
current
Network
protocol
layer.
That
is
when
we
have
both
the
application
and
the
network
layer
working
together.
Then
we
can
write
properties
about
both
of
them
in
conjunction
and
come
up
with
more
interesting
properties
to
try
and
find
bugs,
and
this
really
emphasizes
the
property
driven
development
approach.
A
So,
while
writing
specification,
if
we
have
a
view
of
the
properties
that
our
specification
would
like
to
satisfy,
then
that
would
help
us
to
really
avoid
those
kinds
of
bugs
that
that
could
arrive
from
if
we
had
not
considered
those
properties
in
advance.
A
So
what
does
the
community
think
about
it?
What
are
your
thoughts?
Should
we
have
more
property,
driven
development
and
formalized
approach
towards
web3
going
forward.
B
A
Is
correct,
so
is,
is
a
third
improver
in
Lambda
Cube
yeah,
significantly
less
descriptive
than
that?
It's
in
first
order
logic.
However,
it's
more
automated
than
that,
because
there
are
quite
a
lot
more
useful
heuristics
that
can
be
utilized
to
quickly
arrive
at
quickly
be
able
to
prove
things
so
so
yeah,
so
that
is
acl2s,
which
is.
B
A
first
order
of
logic:
yes,
okay
and
the
like
the
following
question
is
so
you
have
these
properties
right,
and
these
properties
are
things
that
you'd
like
to
show
that
are
true
or
you.
A
B
A
B
A
Right
yeah,
these
are,
these
are
types
these
are
user
defined
types
we
Define
them
using
Dev
data
and
a
good
thing
about
these
types
is
that
they
are,
they
can
be
defined,
defined
using
any
function
or
recognizer.
So
you
could
have
any
arbitrary
function
that
given
any
object
in
the
universe
of
acl2s,
if
it
returns
true
or
false,
then
it
can
be
used
to
certify
your
type.
B
And
I'm
sorry,
this
might
be
like
super
common
feature
in
Wisp
and
I.
Just
haven't
done
much
less
so
like
is
there
a
type
Checker
that's
running
through
a
compile
time,
or
is
this
something
that's
like
type
checked
at
runtime
or.
A
Yeah,
so
when
you
define
a
type
you
get
an
enumerator
and
a
type
Checker,
and
when
you
are
specifying
the
property,
what
it
tries
to
do
is
to
is
to
come
up
with
witnesses
that
satisfy
those
types
so
but
yeah,
but
lisp
is
an
interpreted
language.
It's
not
compiled
yep.
That
makes
sense.
C
You
said
there
is
an
cap
or
score
for
each
topic,
but
that's
not
in
the
spec.
Oh
is
it
just
so
in
respect
you
have
a
gap
for
each
value,
but
you
don't
have
a
cap
for
the
entire
topic.
A
Yeah
the
cap
is
for
the
entire
score,
it's
not
for
each
topic
and
therefore
we
have
the
problems
with
property.
Two
and
three.
C
Because
I
have
the
specs
of
the
C7
right
here:
I,
don't
see
any
cap
on
this
car,
so
we
can
talk
later
on.
Okay,
yeah.
A
This
is
derived
from
the
English
Pros
specification,
of
course,
itself.
Okay,.
D
Good,
you
might
have
covered
this
already,
but
how
do
you?
How
do
you
know
that
these
properties
add
up
to
several
civil
resistance
or
strictly
imply
civil
resistance.
A
Yeah,
so
so,
for
the
first
attack
that
we
showed
the
neighbor
a
for
B
was
essentially
acting
as
a
symbol.
That
is,
it
worked
for
some
time
passing
messages
at
the
required
delivery
rate
to
gain
some
positive
score
and
after
that
it
dropped
its
message.
Delivery
in
in
a
particular
topic,
while
maintaining
that
positive
score.
So
so
it
was
essentially
acting
as
a
civil.
D
A
Yeah,
so
in
our
proof
we
utilized
a
very
small
scenario
where
we
just
had
three
peers
connected
in
all
topics
with
each
other.
One
of
them
was
The,
Observer
other
was
the
Civil,
but
you
can
extend
it
easily.
You
can
consider
that
b
is
cons
is
covered
all
around
by
symbols
like
a
all
of
them
start
behaving
in
the
same
manner,
and
therefore
that
constitutes
a
flash
attack
against
B
flash
Eclipse
attack.
Sorry
yeah.
E
So
I
have
a
question,
is
it's?
Is
it
possible
to
abstract
away
like
within
a
library
or
something
the
complexity
of
this
formal
verification
and
then
using
some
kind
of
CI
that
could
be
run
automatically
in
the
somewhere?
In
the
repository
that
we
have.
A
Let
me
understand
the
question
correctly:
you
are
saying
to
reuse
the
already
implemented
code
in
ACL
device.
Yes,.
A
So
yeah
he
he
has
worked
on
worked
on
Witness
dating
a
witness,
generating
data
data
types
for
the
purpose
of
integrating
this
with
other
languages.
I,
don't
think
that
would
be
possible
because
we
need
to
reason
about
that
particular
code,
but
Andrew
does
want
to
say
something
a.
F
Couple
a
couple
things:
one
of
them
is
right,
so
this
is
useful
for
validating
implementations,
but
it's
also
useful
at
the
design
stage
of
a
protocol
right
like
that
is
something
where,
when
you
don't
have
any
code,
you
write
a
sort
of
abstract
model
like
what
sort
of
similar
to
what
when
ankit's
done,
and
then
you
can
write
down
these
properties
that
you
might
want
this
protocol
to
satisfy
and
sort
of
tweak
things
add
additional
constraints
or
to
run
the
property
to
make
sure
that
it
actually
satisfies
the
properties
that
you
care
about
like
civil
resistance,
for
example,
yeah.
A
G
Did
this
impact
the
the
English
prose
spec
at
all?
Did
we
make
any
improvements
to
the
spec
as
a
result
of
some
of
the
ambiguities
you
found
well.
A
Yeah
we
we
found
that
some
of
the
portions
of
the
English
Pros
were
out
of
date,
in
which
case
we
then
had
to
look
at
the
implementation,
because
that
was
more
upgraded
with
I
mean
in
those
cases
we
had
to
consider
the
code
as
the
specification
so
but
but
right
now.
What
we
can
claim
is
that
we
have
a
formal
specification
in
in
the
ecl2s
language,
which
is
which
is
much
more
non-ambiguous
than
English,
and
therefore
that
can
be
used
as
a
specification.
A
I
would
like
it
that
the
that
the
formalized
model
be
linked.
We
are,
we
are
working
on
adding
it
to
the
community
books
of
acl2s.
So
if
you
will
just
download
a
sales
you,
you
can
find
that
code
in
their
books
as
well.
Thank
you.