It Takes a Village: Bridging the Gaps between Current and Formal Specifications for Protocols

Specifications in the networking community.  Today, networking protocols are defined by standards bodies such as the IETF, IEEE, and 3GPP. The “specifications” they develop usually consist of prose documents, annotated with pseudocode, header descriptions, state machines, message sequence charts, and so on. Often the specifications are accompanied by a reference implementation, which can be used to test for interoperability. When flaws or inconsistencies are detected during testing, the specification and/or reference implementation is fixed. In practice, reference implementations are updated more often than specifications, so they often serve as de facto specifications of many protocols.

As an example, consider TCP, which is described in IETF RFC 793,²⁸ originally published in 1981. A state machine diagram on page 22 of the RFC shows an ACK message being sent in response to a SYN message when in the SYN-SENT state. Meanwhile, in an examples on page 31, both SYN and ACK are shown as the response, rather that just ACK. A later update in RFC 1122,¹¹ published in 1989 states:

“the arrow from SYN-SENT to SYN-RCVD should be labeled with “snd SYN,ACK”, to agree with […].”

That is, for several years, TCP implementations used a specification that was consistent with an example rather than the protocol’s state-machine diagram given in the RFC. Over time, TCP has continued to be the subject of numerous RFCs—for example, RFC 9293,¹⁴ published in 2022, supposedly corrects all the inconsistencies and bugs discovered in more than four decades of use of TCP.

Of course, RFCs and their accompanying social processes and reference implementations have been extremely successful—they are the key artifacts that have driven the development and evolution of Internet protocols over many decades. Yet, social processes and RFCs often leave ambiguities and gaps in protocol descriptions. These ambiguities and gaps can, in turn, give rise to serious security vulnerabilities, as illustrated by some later examples. The application of formal reasoning can help to discover and resolve such issues. But formal reasoning requires precise definitions of protocols and requirements, both of which are typically unavailable.

IEEE standards, issued by the various working groups under the IEEE Standards Association, are also often used as specifications. Unlike RFCs, which are at most a few hundred pages and coordinated by small groups, IEEE standards are often long and complex—for example, the 802.11 standard for Wi-Fi was developed by a group with more than 300 members and runs to over 3,500 pages. In many standards, aspects are deliberately left vague or deferred to implementations. This is also the case with IETF RFCs, since looser standards generally provide more room for innovation in implementations.

Last but not least are the “specifications” of the cellular protocols and architectures standardized by the 3^rd Generation Partnership Project (3GPP), which is itself an association of seven telecommunications standards development organizations: Association of Radio Industries and Businesses (ARIB), Alliance for Telecommunications Industry Solutions (ATIS), China Communications Standards Association (CCSA), European Telecommunications Standards Institute (ETSI), Telecommunications Standards Development Society, India (TSDSI), Telcommunications Technology Association (TTA), and the Telecommunication Technology Center (TTC). 3GPP standards cover all aspects of cellular telecommunications technologies, including radio access, core network, and service capabilities. The 3GPP specifications also provide hooks for non-radio access to the core network as well as for interworking with non-3GPP networks. As with RFCs and IEEE standards, 3GPP specifications are often intentionally vague and usually do not include reference implementations. While open source cellular platforms do exist, it is usually difficult to obtain high-level specifications from code.

Specifications in the formal methods community.  In the FM community, a specification is usually understood as an unambiguous description of a system and of its desired properties, both with a precise semantics. While the construction of formal specifications for protocols requires effort, this effort often pays off by providing benefits such as:

• The process of formalization brings clarity and understanding to protocol design. It is common for gaps and inconsistencies to be revealed in the process of constructing a formal model.

• A protocol works only under assumptions about its environment, which may include interactions with other protocols. It is common for the process of formalization to lead to a clear understanding of these interactions and to bring hidden assumptions out into the open.

• A specification (even a partial one) can be used to automatically generate tests, which often reveal protocol errors that might not be detected by traditional interoperability testing of implementations.

• A specification may also be used to comprehensively analyze protocol properties, through formal proofs which show that desired protocol properties hold for all scenarios. Such proofs are especially valuable when the properties go beyond functional correctness and capture security, performance, fault-tolerance, and so on.

Many associate formal methods solely with verification. As C.A.R. Hoare once said, “A program that has not been specified cannot be incorrect, it can only be surprising.” Unfortunately, the complete set of properties a protocol is expected to satisfy (also called “intents” or “requirements”), including security and performance properties as well as environmental assumptions, is rarely stated explicitly, making complete formal verification effectively impossible. What is possible is to analyze certain aspects of implementations, although there are still significant challenges. For example, an implementation may deviate from the intent of the protocol designer, or the analysis may require having a specification for the environment. Even so, validating implementations using partial specifications and lightweight FM approaches that only model certain aspects of the environment is often useful.

In principle, formal specifications of networking protocols could be used to prove certain requirements, including relating high-level specifications to low-level implementations. Formal specifications can point to bugs in the implementation as well as inconsistencies or disagreements on what the protocol “is.” When either a protocol or its implementations need to be changed, specifications can help guide refactoring and thus increase agility. In general, formal specifications can be a valuable aid for the social processes used to design protocols.

While formal specifications have many potential benefits, there is a long way to go to make them useful and usable by the networking community. Today, applying FM to real-world protocols requires considerable skill, as well as time and money. For networking researchers it requires specifying protocols in a completely new way, which will likely slow down certain parts of the design process. There are also social issues of network developers resisting change in common practices. Later in this article, we identify barriers that prevent FM from being widely used by the designers of network protocols. But first, we describe a few examples where FM has been applied successfully in networking.

Transport layer security.  One of the success stories in formally analyzing a widely used protocol is the formal analysis conducted on both versions 1.2 and 1.3 of the transport layer security (TLS) protocol. TLS is the main means for securing communications on the Internet. It was originally created by Netscape in 1995 under the name SSL and released as open source under the name TLS 1.0. The protocol went through many changes, with version 1.2 being used for many years. Significant effort went into formally analyzing TLS, as discussed below.

In 2013, Bhargavan et al.⁹ developed a verified reference implementation of TLS 1.2, which follows the RFC specification.³⁰ TLS is a very complex protocol with numerous configuration and deployment options, supporting many ciphers and backward compatibility. The authors had to make decisions about what to support, given that some configurations and some supported ciphers are known to be broken. Their reference implementation included the two main components: the authenticated stream encryption for the record layer and key establishment for the handshake. The verification was done using F*. The authors did not formally account for side-channel attacks based on timing and acknowledge that proving the absence of such attacks would require different tools.

The design of TLS 1.3 represented a big change, and 28 drafts were created until the design was finalized. One of the biggest changes was reducing the latency of the handshake protocol and supporting 0-RTT connection resumption, as well as by default supporting perfect forward secrecy. A modular symbolic model of the TLS 1.3-Draft 21 release candidate, with Tamarin verification of the security requirements claimed in the draft, are in Cremers et al.¹²

The focus of Cremers et al.¹² is the handshake protocol, as it was essential for the overall security of the communication. The analysis revealed an undesired behavior which had an impact on the strong authentication guarantees in some implementations of the protocol. As this work was conducted during the design process of TLS 1.3, it had a strong influence on the final draft.

Around the same time, Bhargavan et al. presented a verified symbolic and computational models of TLS 1.3-Draft 18.⁸ The models were specified using ProVerif and evaluated considering known and previously unpublished vulnerabilities that were considered during the design of TLS 1.3. This work presents the first machine-checked cryptographic proof for a CryptoVerif model of TLS 1.3 Draft-18.

With respect to the TLS 1.3 finalized RFC, the most recent effort¹³ developed and verified a reference implementation of the TLS 1.3 Record Layer protocol and its cryptographic algorithms. The model was specified and verified using F*.

5G Authentication and Key Agreement.  Another important standard is 5G, the current architecture and set of protocols for cellular networks. A key component of the standard is the 5G Authentication and Key Agreement, or 5G-AKA for short, which describes how a user device and a customer’s home network agree on a shared key. This protocol is critical for the security of communication on 5G networks, as other keys are derived from this shared key, which are in turn used to protect user’s data security, the authenticity of messages and calls they receive, the connections they start, and even billing based on usage.

The work in Basin et al.⁵ reports on a formal analysis of the 5G-AKA using Tamarin. The protocol was formalized based on 3GPP’s TS 33.501 document, and the authors had additional access to 5G specialists. The formalization was challenging given the 5G-AKA’s complexity, both due to the specification’s size and its usage in different contexts. For example, when roaming, a user’s device may connect to mobile networks (called serving networks) that are different from the service provider. The protocol then connects three parties, rather than just two, where only two of the parties—the user’s device and home network—share initial secrets. Other complexities arise due to technological constraints and the need for backward compatibility.

The formal analysis started with an in-depth study of the relevant protocol documents, as well as discussions with some experts involved in the standardization. Afterwards, an abstract version of the protocol was formalized in Tamarin. The majority of the effort was the several person-months needed to understand the specification. In contrast, the time needed to subsequently formalize the resulting model was relatively short. Some additional person-months were needed for the verification of the protocol’s security properties, in particular writing proof strategies to help automate the construction of Tamarin proofs.

During verification, several flaws were found, which were reported to the 3GPP. The flaws were subsequently fixed in the standard, with one exception. The exception concerned the privacy of the user’s identity, which may be violated in the 5G-AKA protocol with a fairly simple replay attack that exploits the 5G-AKA’s resynchronization protocol with certain counters. This problem cannot be easily fixed in the current design, but a further iteration could solve this problem by shifting away from counter-based mechanisms.

The most critical vulnerability discovered by this effort was a protocol error that allowed the attacker to induce confusion between users for the home network—that is, the date or time that is used and should be billed to customer $A$ would be incorrectly billed to another customer $B$. The vulnerability was disclosed and fixed. As a result, this verification work was admitted to the “GSMA Mobile Security Research Hall of Fame” as CVD #0012, 2018.

Quick UDP Internet Connection.  Quick UDP Internet Connection (QUIC) is a new Internet secure transport protocol that has gone through more than six years of IETF standardization; its 35^th version was declared as the standard in 2022 (RFC 9000). QUIC is intended as a replacement for the TLS/TCP stack and will be the basis of HTTP/3, the next official version of the hypertext transfer protocol. It already carries a substantial amount of the traffic on the Internet and is expected to carry even more in the future.

QUIC’s pivotal role rendered it a good candidate for the methodology of network-centric compositional testing (NCT), introduced by McMillan and Zuck.^23,24 The term “network-centric” refers to describing a protocol’s behavior as observed on the wire, rather than its abstract implementation. This approach is compositional, in the sense that any assumption made on the input of one process (or component) in the protocol can be treated as a requirement on the output of other processes (or components). Compositionality allows one to infer from the fact that implementations pass all tests they will interoperate correctly when composed. It also enables the discovery of cases where the specification is too strong (rejecting legal protocol behaviors) or too weak (peers misbehave when receiving an input the specification allows).

The work reported in McMillan and Zuck^23,24 developed formal wire specifications for parts of QUIC and tested implementations for compliance using these specifications. The testers take on one of the roles of the protocol. They generate packets that are legal according to the wire specification but may or may not be produced by any existing implementation. This generation can be done, for example, using a modified SMT solver that randomly solves the constraints occurring in specifications, in such a way that every legal packet at a given point in the execution of a protocol has a non-zero probability of being generated.

This approach to testing has several advantages. It makes it possible to resolve ambiguities in informal standards documents using knowledge inherent in the implementations. At the same time, it verifies that the implementations comply with the formal specification as it is developed. It also exposes the implementations of a given protocol role to legal behaviors of the other role that may not be produced by existing implementations but may be produced by future implementations. Thus, it can detect interoperability issues before they occur in the wild.

Finally, the compositional nature of the NCT approach enables detecting cases when the specification is either too weak or too strong, allowing the developer to refine the specification accordingly. Consider a protocol with two roles $X$ and $Y$. When testing an implementation of role $X$, the output of role $Y$ from the specification of role $Y$ is generated. If a response by the implementation of $X$ is not allowed by the specification of role $X$, then either the implementation is not compliant, or the specification of $X$ is too restrictive. On the other hand, if a response is not accepted by the implementation of $X$, then either the implementation of $X$ is not compliant, or the specification of $Y$ that allowed the response is too permissive.

The process of formally specifying QUIC uncovered numerous errors in the reference implementations, as well as some issues in the the draft standards themselves. Examples of such issues include off-path denial of service attacks, one of which was a result of the standard as it appeared then in a draft RFC, and an information leak similar to the “heartbleed” vulnerability in OpenSSL.

NCT was demonstrated on QUIC, but the method is quite general and has also been applied to simpler protocols in classroom settings. The experiments used the IVy tool which in turn relies on the Z3 theorem prover. The size and complexity of QUIC packets presented challenges for efficient automated test generation. To overcome this problem, the specification must be carefully structured, a task that requires expertise on the part of the user.²³

NCT has several features that may make it applicable to other complex protocols:

• It allows testing of partial specifications—that is, one need not specify the whole protocol to enjoy the benefits of testing the parts captured in the formal model.

• The random nature of the generated tests allows testing of corner cases that interoperability testing rarely reveals.

• The randomized tests, while not originally intended as such, turned out to be useful as adversarial inputs, thus allowing detection of security flaws. Applying NCT to QUIC revealed that many security flaws can be detected using randomized testing, similar to how fuzzing has been effective for finding vulnerabilities in general-purpose software.

Chord.  The Chord distributed hash table was first presented in a ACM SIGCOMM paper which garnered its authors the 2011 Test-of-Time Award.¹⁸ An RFC based on Chord has also been developed.²² A Chord instance is a ring-shaped peer-to-peer network, and the papers specify the protocol for maintaining the ring in pseudocode and text. Correctness of this protocol is a form of eventual consistency, meaning the protocol can eventually repair all defects due to failures, so that all live members can continue to reach each other. The SIGCOMM paper states, “Three features that distinguish Chord from many other peer-to-peer lookup protocols are its simplicity, provable correctness, and provable performance.”¹⁸

However, despite these assurances, the work in Zave³⁷ shows that, under the same assumptions made in the Chord papers, the ring-maintenance protocol is not correct, and not one of the seven properties claimed as invariants actually holds. These results were obtained through automated checking of a simple formal model in the Alloy language. Employees at Amazon Web Services (AWS) credit this work for motivating them to start using formal methods.²⁵

Most of the seven claimed invariants are obviously useful and important, either for ring maintenance or for key lookup. By fixing the flaws revealed by formal modeling and analysis, Zave³⁸ shows it is possible to specify the Chord protocol in a way that is both correct and as efficient as the original. The proof of correctness is particularly interesting, because although the specified protocol satisfies the claimed properties, the properties do not resemble the true invariant upon which the proof is based.

Session Initiation Protocol (SIP).  SIP is the dominant signaling protocol for IP-based audio, video, and multimedia communication, and has been standardized by the IETF. The baseline SIP protocol is defined in a 268-page informal document.³² Due to extensions, interoperation with other protocols, and explanatory material, its description as of 2009 consisted of 142 documents totaling tens of thousands of pages.³¹

With a complex protocol specification such as this, it is not surprising that people working with SIP spend many hours trying to answer basic questions such as, “Can a protocol endpoint in state S send a message of type m?” In this context, Zave³⁶ provides a simple formal model in Promela (the language of the model-checker SPIN) that proved to be an invaluable resource for software developers. Model checking with SPIN verified that the model does not deadlock, that it is complete in the sense of including every message that can be received in every state, and that all parts of the model are reachable. The model provides quick and reliable answers to programming questions. It has also been used in Bond et al.¹⁰ to generate automatically a large number of test cases

In addition to these fundamental uses, the model answered several longstanding questions, as discussed below.

Consistency. Regardless of how it is described, a protocol should be internally consistent. SIP experts worry that SIP’s many extensions have introduced inconsistencies, meaning that a new behavior in an extension violates an assertion or constraint in an existing document. These experts are aware that inconsistencies could easily survive the documentation and standardization process and in fact, their fears are well founded. Even two of the earliest extensions were shown to violate fundamental assumptions of the protocol.³⁶

Complexity. A widely used protocol should not be unnecessarily complex. Each capability should be generalized as much as is reasonable and convenient, in preference to adding new capabilities that accomplish similar and overlapping goals. The most important piece of SIP is the invite transaction, a three-way handshake allowing two endpoints to set up and negotiate the parameters of a set of media channels between them. Two early extensions serve the same function as the invite transaction, in different but overlapping circumstances. The cost of these extensions is considerable. They require five new message types, and a simplified model of just one of them requires 11 states and 15 state transitions.³⁶ Yet, with the addition of a single Boolean flag to the messages of the invite transaction, all this additional complexity could be avoided, and all media-control functions could be performed with invite transactions alone.

Race conditions. A race condition occurs when two messages cross in transit, either going the same direction (Figure 1 left) or different directions (Figure 1 right). Either kind of race can happen in SIP, especially when SIP messages are sent via UDP instead of TCP at the transport level (either is allowed).

Many SIP documents use message-sequence charts to show particular common scenarios. These charts are rendered in ASCII by means of IETF macros, and look like Figure 2. (Note that these charts represent message transmission as instantaneous, so that race conditions are impossible.) Not surprisingly, SIP race conditions are not well documented, and their handling is incompletely standardized.

A SIP document¹⁶ many years in the making records seven possible race conditions within the scope of the Promela model.³⁶ The Promela model points to race conditions wherever they show that a message can be received when it is not expected or desired. By examining these places in the model, it is straightforward to find the same seven race conditions and 42 others. Note that later IETF documents, such as Hasebe et al.,¹⁶ show that ASCII art for race conditions has been developed. The first specification of proxy (transparent) behavior for SIP was also based on the formal model.¹⁰

Software-defined networks.  Software-defined networks and programmable networks more generally make it possible to formally specify and verify the low-level implementations of network infrastructure. Given the number of interacting systems, the complexity of the software in network components, and the need for decentralized control, making network infrastructure programmable without also supplying “power tools” from FM is inherently risky. Thus, even the first instances of programmable networking (for example, SwitchWare^1,2 and Active Bridge³) were designed to eliminate large classes of errors by use of strongly typed programming languages, such as Standard ML and OCaml.

The emergence of SDN, which opened up interfaces for programming the network infrastructure, also led to significant interest in applying FM to network infrastructure. Building on early work that used static analysis to analyze router configurations,³⁴ tools such as Veriflow,²⁰ Header Space Analysis,¹⁹ NetKAT,⁴ and Atomic Predicates³⁵ allow operators to specify and verify network-wide data plane properties, such as connectivity, loop freedom, way-pointing, and so on. These early tools often worked with abstract models of network devices, but a number of recent tools have closed the gap with lower-level hardware models^21,33 and also explored applications of runtime verification.²⁹ A complementary line of research extended work on network verification to handle richer models of network functions, such as load balancers, firewalls, content caches, and so on.²⁷ The distinguishing feature of these network functions is they are written in general-purpose languages like C/C++ and typically rely on state—for example, to track flows. Yet another line of work developed techniques for reasoning about conventional control-plane protocols, such as BGP and OSPF.¹⁵