A Formally Verified NAT

We present a Network Address Translator (NAT) written in C and proven to be semantically correct according to RFC 3022, as well as crash-free and memory-safe. There is a large body of recent work on network verification, but it mostly assumes models of network functions and proves properties specific to network configuration, such as reachability and absence of loops. Our proof applies directly to the C code of a network function, and it demonstrates the absence of implementation bugs. Prior work argued that this is not feasible (i.e., that verifying a real, stateful network function written in C does not scale), but we demonstrate otherwise: NAT is one of the most popular network functions, and it maintains per-flow state that must be correctly updated and expired, which is a typical source of verification challenges. We tackle the scalability challenge with a new combination of symbolic execution and proof checking using separation logic; this combination matches the typical structure of a network function well. We then demonstrate that formally proven correctness in this case does not come at the cost of performance. The NAT code, proof toolchain, and proofs are available at [58].
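As an added illustration (not the paper's NAT code or its proof), the C below sketches the kind of per-flow state the abstract refers to: a small NAPT flow table whose entries are refreshed on every packet and expired when idle, together with the table invariant that a proof of such a function must show every packet-processing call preserves. The table size, idle timeout, port range and all sample addresses are constructed, and the clock is assumed monotonic.

```c
#include <stdint.h>
#include <stdbool.h>
/* Added example, not the paper's NAT: table size, timeout and port range are constructed. */
#define MAX_FLOWS 4
#define FIRST_EXT_PORT 1024
#define EXPIRE_NS 1000
struct flow { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint64_t last_seen; bool used; };
static struct flow table[MAX_FLOWS];  /* slot i owns external port FIRST_EXT_PORT + i */

static bool same_tuple(const struct flow *a, const struct flow *b) {
    return a->src_ip == b->src_ip && a->src_port == b->src_port &&
           a->dst_ip == b->dst_ip && a->dst_port == b->dst_port;
}
/* Drop flows idle longer than EXPIRE_NS so their external ports can be reused. */
void nat_expire(uint64_t now) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (table[i].used && now - table[i].last_seen > EXPIRE_NS) table[i].used = false;
}
/* Outbound packet: refresh or allocate its flow; returns the external port, or -1 if full. */
int nat_outbound(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp, uint64_t now) {
    struct flow key = { sip, dip, sp, dp, now, true };
    nat_expire(now);
    int i = 0;
    while (i < MAX_FLOWS && !(table[i].used && same_tuple(&table[i], &key))) i++;
    if (i == MAX_FLOWS) {                        /* no live entry: take a free slot */
        for (i = 0; i < MAX_FLOWS && table[i].used; i++) ;
        if (i == MAX_FLOWS) return -1;
        table[i] = key;
    }
    table[i].last_seen = now;
    return FIRST_EXT_PORT + i;
}
/* Inbound packet to an external port: returns the flow's slot index, or -1 to drop. */
int nat_inbound(uint16_t ext_port, uint32_t from_ip, uint16_t from_port, uint64_t now) {
    nat_expire(now);
    int i = (int)ext_port - FIRST_EXT_PORT;
    if (i < 0 || i >= MAX_FLOWS || !table[i].used) return -1;
    if (table[i].dst_ip != from_ip || table[i].dst_port != from_port) return -1; /* not the mapped peer */
    table[i].last_seen = now;
    return i;
}
/* Invariant after any nat_* call at time now: live flows have distinct 4-tuples and none is stale. */
bool nat_invariant(uint64_t now) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (table[i].used && now - table[i].last_seen > EXPIRE_NS) return false;
        for (int j = i + 1; j < MAX_FLOWS; j++)
            if (table[i].used && table[j].used && same_tuple(&table[i], &table[j])) return false;
    }
    return true;
}
```

The invariant is what a verifier such as the one the paper describes would check symbolically over every packet path rather than over one constructed trace; here it is only tested on the sequence in the test.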

[1] Karl N. Levitt et al. SELECT—a formal system for testing and debugging programs by symbolic execution, 1975.

[2] C. V. Ramamoorthy et al. On the Automated Generation of Program Test Data, 1976, IEEE Transactions on Software Engineering.

[3] James C. King et al. Symbolic execution and program testing, 1976, CACM.

[4] Lori A. Clarke et al. A program testing system, 1976, ACM '76.

[5] William E. Howden et al. Symbolic Testing and the DISSECT Symbolic Evaluation System, 1977, IEEE Transactions on Software Engineering.

[6] Jon Postel et al. Discard Protocol, 1983, RFC.

[7] William G. Griswold et al. Dynamically discovering likely program invariants to support program evolution, 1999, Proceedings of the 1999 International Conference on Software Engineering.

[8] Scott O. Bradner et al. Benchmarking Methodology for Network Interconnect Devices, 1999, RFC.

[9] Eddie Kohler et al. The Click modular router, 1999, SOSP.

[10] Peter W. O'Hearn et al. Local Reasoning about Programs that Alter Data Structures, 2001, CSL.

[11] Pyda Srisuresh et al. Traditional IP Network Address Translator (Traditional NAT), 2001, RFC.

[12] Beum-Seuk Lee et al. Automated conversion from requirements documentation to an object-oriented formal specification language, 2002, SAC '02.

[13] John C. Reynolds et al. Separation logic: a logic for shared mutable data structures, 2002, Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science.

[14] Edmund M. Clarke et al. Counterexample-guided abstraction refinement, 2003, Proceedings of the 10th International Symposium on Temporal Representation and Reasoning and Fourth International Conference on Temporal Logic.

[15] Michael D. Ernst et al. Efficient incremental algorithms for dynamic detection of likely invariants, 2004, SIGSOFT '04/FSE-12.

[16] Dawson R. Engler et al. Model Checking Large Network Protocol Implementations, 2004, NSDI.

[17] J. Kadlecsik et al. Netfilter Performance Testing, 2004.

[18] Bor-Yuh Evan Chang et al. Boogie: A Modular Reusable Verifier for Object-Oriented Programs, 2005, FMCO.

[19] Michael Norrish et al. Rigorous specification and conformance testing techniques for network protocols, as applied to TCP, UDP, and sockets, 2005, SIGCOMM '05.

[21] Albert G. Greenberg et al. On static reachability analysis of IP networks, 2005, Proceedings of the IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies.

[22] Dawson R. Engler et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, 2008, OSDI.

[23] Frank Piessens et al. The VeriFast program verifier, 2008.

[24] Michael Norrish et al. seL4: formal verification of an OS kernel, 2009, SOSP '09.

[25] Katerina J. Argyraki et al. RouteBricks: exploiting parallelism to scale software routers, 2009, SOSP '09.

[26] Milo M. K. Martin et al. SoftBound: highly compatible and complete spatial memory safety for C, 2009, PLDI '09.

[27] Milo M. K. Martin et al. CETS: compiler enforced temporal safety for C, 2010, ISMM '10.

[28] Adam Chlipala et al. Mostly-automated verification of low-level programs in computational separation logic, 2011, PLDI '11.

[29] Tobias Nipkow et al. Automatic Proof and Disproof in Isabelle/HOL, 2011, FroCoS.

[30] Ole Tange et al. GNU Parallel: The Command-Line Power Tool, 2011, ;login: The USENIX Magazine.

[31] Brighten Godfrey et al. Debugging the data plane with Anteater, 2011, SIGCOMM.

[32] Marco Canini et al. A NICE Way to Test OpenFlow Applications, 2012, NSDI.

[33] Marco Canini et al. A SOFT way for OpenFlow switch interoperability testing, 2012, CoNEXT '12.

[34] George Varghese et al. Header Space Analysis: Static Checking for Networks, 2012, NSDI.

[35] Magnus Boye et al. Netfilter Connection Tracking and NAT Implementation, 2012.

[36] Brighten Godfrey et al. VeriFlow: verifying network-wide invariants in real time, 2012, HotSDN '12.

[37] J. Jiménez et al. Stability of Horndeski vector-tensor interactions, 2013, arXiv:1308.1867.

[38] George Varghese et al. Real Time Network Policy Checking Using Header Space Analysis, 2013, NSDI.

[39] Katerina J. Argyraki et al. Software dataplane verification, 2014, NSDI.

[40] Daniel Raumer et al. MoonGen: A Scriptable High-Speed Packet Generator, 2014, Internet Measurement Conference.

[41] Andrew W. Appel et al. Compositional CompCert, 2015, POPL.

[42] Srinath T. V. Setty et al. IronFleet: proving practical distributed systems correct, 2015, SOSP.

[43] Ramesh Govindan et al. A General Approach to Network Configuration Analysis, 2015, NSDI.

[44] George Varghese et al. Checking Beliefs in Dynamic Networks, 2015, NSDI.

[45] Andrew W. Appel et al. Verified Correctness and Security of OpenSSL HMAC, 2015, USENIX Security Symposium.

[46] Tianlong Yu et al. BUZZ: Testing Context-Dependent Policies in Stateful Networks, 2016, NSDI.

[47] Costin Raiciu et al. SymNet: Scalable symbolic execution for modern networks, 2016, SIGCOMM.

[48] Adam Chlipala et al. Using Crash Hoare logic for certifying the FSCQ file system, 2015, USENIX Annual Technical Conference.

[49] Todd D. Millstein et al. Data-driven precondition inference with learned features, 2016, PLDI.

[50] Jean-Baptiste Jeannin et al. Correct by Construction Networks Using Stepwise Refinement, 2017, NSDI.

[51] Katerina J. Argyraki et al. How to Measure the Killer Microsecond, 2017, CCRV.

[52] Katerina J. Argyraki et al. Verifying Reachability in Networks with Mutable Datapaths, 2016, NSDI.