Creating High-Performance
Statically Type-Safe
Network Applications
Anil Madhavapeddy Venkata Sesha
Robinson College
This dissertation is submitted for the degree of
Doctor of Philosophy
at the
University of Cambridge
Copyright © April 2006 Anil Madhavapeddy Venkata Sesha
Declaration
The dissertation is not substantially the same as any I have submitted for a degree or diploma or any other qualification at any other university. Further, no part of the dissertation has already been or is being concurrently submitted for any such degree, diploma or other qualification.
This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration except where specifically indicated in the text. The section “Author Publications” lists all publications sharing ideas with this thesis along with authorship. This dissertation contains less than 45,000 words including appendices, tables, footnotes, equations and bibliography. It contains 45 figures.
This work was supported by financial grants from Network Appliance, Inc. and Intel Research Cambridge.
Anil Madhavapeddy Venkata Sesha, April 2006.
Author Publications
The research presented in this thesis has also been published in the following peer-reviewed papers (in reverse chronological order):
ANIL MADHAVAPEDDY, ALEX HO, TIM DEEGAN, DAVID SCOTT AND RIPDUMAN SOHAN. Melange: Creating a “Functional” Internet, in the European Conference on Computer Systems (EuroSys), March 2007. Received Best Student Paper award.
ANIL MADHAVAPEDDY, DAVID SCOTT AND RICHARD SHARP. SPLAT: A Tool for Model-Checking and Dynamically-Enforcing Abstractions, in the 12th International SPIN Workshop on the Model Checking of Software, Lecture Notes in Computer Science (vol. 3639), 2005, pages 277–282, Springer.
ANIL MADHAVAPEDDY AND DAVID SCOTT. On the Challenge of Delivering High-Performance, Dependable, Model-Checked Internet Servers, in the First Workshop on Hot Topics in System Dependability (HotDep) (2005), IEEE.
ANIL MADHAVAPEDDY, ALAN MYCROFT, DAVID SCOTT AND RICHARD SHARP. The Case for Abstracting Security Policies, in the International Conference on Security and Management (SAM), June 2003.
Other selected work published during the course of the PhD research includes:
ELEANOR TOYE, RICHARD SHARP, ANIL MADHAVAPEDDY, DAVID SCOTT, EBEN UPTON AND ALAN BLACKWELL. Interacting with Mobile Services: An Evaluation of Camera-Phones and Visual Tags, in Personal and Ubiquitous Computing Journal, vol. 10 (2006).
ANIL MADHAVAPEDDY AND ALASTAIR TSE. A Study of Bluetooth Propagation Using Accurate Indoor Location Mapping, in 7th International Conference on Ubiquitous Computing (UbiComp), Lecture Notes in Computer Science vol. 3660, pages 105–122, Springer.
ELEANOR TOYE, RICHARD SHARP, ANIL MADHAVAPEDDY AND DAVID SCOTT. Using Smart Phones to Access Site-Specific Services, in IEEE Pervasive Computing vol. 4(2), pages 60–66, April 2005.
DAVID SCOTT, RICHARD SHARP, ANIL MADHAVAPEDDY AND EBEN UPTON. Using Visual Tags to Bypass Bluetooth Device Discovery, in ACM Mobile Computer Communications Review vol. 9(1), pages 41–53, January 2005.
ANIL MADHAVAPEDDY, RICHARD SHARP, DAVID SCOTT AND ALASTAIR TSE. Audio Networking: The Forgotten Wireless Technology, in IEEE Pervasive 4(3), pages 55–60, 2005.
KIERAN MANSLEY, DAVID SCOTT, ALASTAIR TSE AND ANIL MADHAVAPEDDY. Feedback, Latency, Accuracy: Exploring Tradeoffs in Location-aware Gaming, in proceedings of the 3rd ACM SIGCOMM Workshop on Network and System Support for Games (NetGames), pages 93–97, 2004.
ANIL MADHAVAPEDDY, RICHARD SHARP AND DAVID SCOTT. Context-Aware Computing with Sound, in the Fifth International Conference on Ubiquitous Computing (UbiComp), Lecture Notes in Computer Science (vol. 2864), pages 315–332, Springer.
Abstract
A typical Internet server finds itself in the middle of a virtual battleground, under constant threat from worms, viruses and other malware seeking to subvert the original intentions of the programmer. In particular, critical Internet servers such as OpenSSH, BIND and Sendmail have had numerous security issues ranging from low-level buffer overflows to subtle protocol logic errors. These problems have cost billions of dollars as the growth of the Internet exposes increasing numbers of computers to electronic malware. Despite the decades of research on techniques such as model-checking, type-safety and other forms of formal analysis, the vast majority of server implementations continue to be written unsafely and informally in C/C++.
In this dissertation we propose an architecture for constructing new implementations of standard Internet protocols which integrates mature formal methods not currently used in deployed servers: (i) static type systems from the ML family of functional languages; (ii) model checking to verify safety properties exhaustively about aspects of the servers; and (iii) generative meta-programming to express high-level constraints for the domain-specific tasks of packet parsing and constructing non-deterministic state machines. Our architecture—dubbed MELANGE—is based on Objective Caml and contributes two domain-specific languages: (i) the Meta Packet Language (MPL), a data description language used to describe the wire format of a protocol and output statically type-safe code to handle network traffic using high-level functional data structures; and (ii) the Statecall Policy Language (SPL) for constructing non-deterministic finite state automata which are embedded into applications and dynamically enforced, or translated into PROMELA and statically model-checked.
Our research emphasises the importance of delivering efficient, portable code which is feasible to deploy across the Internet. We implemented two complex protocols—SSH and DNS—to verify our claims, and our evaluation shows that they perform faster than their standard counterparts OpenSSH and BIND, in addition to providing static guarantees against some classes of errors that are currently a major source of security problems.
Acknowledgements
Most of the ideas in this dissertation can be traced back to a steaming cup of coffee in the famous “collaboration corner” in the Computer Lab, so many thanks to Andy Hopper for creating such a great environment. The idea of writing an SSH server in OCaml emerged after a particularly long session of procrastination with David Scott in early 2004, and I am grateful to him for subsequent advice and evangelism of the “OCaml way” ever since!
I was privileged to have the best office in Cambridge, shared with Evangelia Kalyvianaki, Alex Ho and Christian Kreibich, the bust of Volta and an inflatable green alien. Thanks to them and regular visitors Andrew Warfield, Euan Harris and Jon Crowcroft for making it such wacky fun. Upstairs in the LCE, I owe a great debt to Kieran Mansley, Alastair Beresford, David Scott, Alastair Tse, Ripduman Sohan and Andrew Rice for providing me with easy Quake target practice, and Richard Sharp and Rob Ennals for their contribution to the quest for free Intel-cinos. Away from the lab, Nick Ludlam and Subhashis and Sheree Biswas always provided a sympathetic ear from the mysterious “real world”.
I have had several supervisors through my research, and I am very grateful to Ian Pratt, Tim Harris, Andy Hopper, Alan Mycroft, Steven Hand, Jon Crowcroft and Derek Macauley for their valuable time and conversations. David Greaves drove me to the PhD finish line, and his advice and guidance (notably on what the word “thesis” meant) has been invaluable in delivering this weighty tome. Tim Deegan, Sriram Srinivasan, Jon Crowcroft, David Scott and Richard Sharp also proof-read it and patched up my “international” use of language. I am also grateful to Nawaf Bitar and Nick Thurlow from Network Appliance who gave me the initial funding and encouragement to return to academia, and Derek Macauley from Intel Research who funded the final years.
This dissertation is dedicated to my parents, my brother Naganand and sister-in-law Jyothsna, who supported me throughout the roller-coaster ride and continue to do so. Thanks!
Contents
1 Introduction ... 1
1.1 Internet Growth ... 2
1.1.1 Security and Reliability Concerns ... 3
1.1.2 Firewalls Prove Insufficient ... 3
1.1.3 The Internet Server Monoculture ... 4
1.2 Motivation for Rewriting Internet Servers ... 5
1.3 Contributions ... 6
2 Background ... 9
2.1 Internet Security ... 9
2.1.1 History ... 9
2.1.2 Language Issues ... 12
2.1.3 The Rise of the Worm ... 14
2.1.4 Defences Against Internet Attacks ... 16
2.2 Functional Programming ... 18
2.2.1 History ... 18
2.2.2 Type Systems ... 21
2.2.3 Features ... 23
2.2.4 Evolution ... 26
2.3 Objective Caml ... 27
2.3.1 Strong Abstraction ... 28
2.3.2 Polymorphic Variants ... 30
2.3.3 Mutable Data and References ... 32
2.3.4 Bounds Checking ... 33
2.4 Model Checking ... 34
2.4.1 SPIN and PROMELA ... 35
2.4.2 System Verification using SPIN ... 38
2.4.3 Model Creation and Extraction ... 40
2.5 Summary ... 41
3 Related Work ... 42
3.1 Control Plane ... 44
3.1.1 Formal Models of Concurrency ... 44
3.1.2 Model Extraction ... 45
3.1.3 Dynamic Enforcement and Instrumentation ... 47
3.2 Data Plane ... 48
3.2.1 Data Description Languages ... 48
3.2.2 Active Networks ... 51
3.2.3 The View-Update Problem ... 52
3.3 General Purpose Languages ... 53
3.3.1 Software Engineering ... 53
3.3.2 Meta-Programming ... 54
3.3.3 Functional Languages for Networking ... 55
3.4 Summary ... 57
4 Architecture ... 58
4.1 Goals ... 58
4.1.1 Data Abstractions ... 59
4.1.2 Language Support ... 60
4.2 The MELANGE Architecture ... 64
4.2.1 Meta Packet Language (MPL) ... 64
4.2.2 Statecall Specification Language (SPL) ... 65
4.3 Threat Model ... 68
4.4 Summary ... 71
5 Meta Packet Language ... 72
5.1 Language ... 74
5.1.1 Parsing IPv4: An Example ... 74
5.1.2 Theoretical Space ... 79
5.1.3 Syntax ... 81
5.1.4 Semantics ... 81
5.2 Basis Library ... 85
5.2.1 Packet Environments ... 86
5.2.2 Basic Types ... 87
5.2.3 Custom Types ... 90
5.3 OCaml Interface ... 90
5.3.1 Packet Sinks ... 91
5.3.2 Packet Sources ... 93
5.3.3 Packet Proxies ... 94
5.4 Evaluation ... 95
5.4.1 Experimental Setup ... 95
5.4.2 Experiments and Results ... 98
5.5 Discussion ... 100
5.6 Summary ... 101
6 Statecall Policy Language ... 102
6.1 Statecall Policy Language ... 104
6.1.1 A Case Study using ping ... 104
6.1.2 Syntax ... 108
6.1.3 Typing Rules ... 108
6.2 Intermediate Representation ... 112
6.2.1 Control Flow Automaton ... 112
6.2.2 Multiple Automata ... 114
6.2.3 Optimisation ... 117
6.3 Outputs ... 117
6.3.1 OCaml ... 118
6.3.2 PROMELA ... 122
6.3.3 HTML and Javascript ... 124
6.4 Summary ... 126
7 Case Studies ... 127
7.1 Secure Shell (SSH) ... 128
7.1.1 Performance ... 131
7.1.2 SSH Packet Format ... 135
7.1.3 SSH State Machines ... 136
7.1.4 AJAX Debugger ... 137
7.1.5 Model Checking ... 138
7.2 Domain Name System ... 143
7.2.1 DNS Packet Format ... 143
7.2.2 An Authoritative Deens Server ... 146
7.2.3 Performance ... 147
7.3 Code Size ... 150
7.4 Summary ... 151
8 Conclusions ... 152
8.1 Future Work ... 154
A Sample Application: ping ... 189
B MPL User Manual ... 193
B.1 Well-Formed Specifications ... 193
B.2 Semantics ... 197
C MPL Protocol Listings ... 199
C.1 Ethernet ... 199
C.2 IPv4 ... 199
C.3 ICMP ... 200
C.4 DNS ... 201
C.5 SSH ... 204
D SPL Specifications ... 207
D.1 SSH Transport and Authentication ... 207
D.2 SSH Channels ... 210