Creating High-Performance Statically Type-Safe Network Applications Anil Madhavapeddy Venkata Sesha Robinson College This dissertation is submitted for the degree of Doctor of Philosophy at the University of Cambridge Copyright(cid:13)c April2006AnilMadhavapeddyVenkataSesha Declaration The dissertation is not substantially the same as any I have submitted for a degree or diploma or any other qualification at any other university. Further, no part of the disser- tation has already been or is being concurrently submitted for any such degree, diploma orotherqualification. Thisdissertationistheresultofmyownworkandincludesnothingwhichistheoutcome ofworkdoneincollaborationexceptwherespecificallyindicatedinthetext. Thesection “Author Publications” lists all publications sharing ideas with this thesis along with au- thorship. This dissertation contains less than 45,000 words including appendices, tables, footnotes,equationsandbibliography. Itcontains45figures. This work was supported by financial grants from Network Appliance, Inc. and Intel ResearchCambridge. AnilMadhavapeddyVenkataSesha,April2006. i Author Publications The research presented in this thesis has also been published in the following peer- reviewedpapers(inreversechronologicalorder): ANIL MADHAVAPEDDY, ALEX HO, TIM DEEGAN, DAVID SCOTT AND RIPDUMAN SOHAN. Melange: Creating a “Functional” Internet, in the European Conference on ComputerSystems(EuroSys),March2007. ReceivedBestStudentPaperaward. ANIL MADHAVAPEDDY AND DAVID SCOTT AND RICHARD SHARP. SPLAT: A Tool for Model-Checking and Dynamically-Enforcing Abstractions, in the 12th International SPINWorkshopontheModelCheckingofSoftware,LectureNotesonComputerScience (vol.3639),2005,page277–282,Springer. ANIL MADHAVAPEDDY AND DAVID SCOTT. On the Challenge of Delivering High- Performance, Dependable, Model-Checked Internet Servers, in the First Workshop on HotTopicsinSystemDependability(HotDep)(2005),IEEE. ANIL MADHAVAPEDDY, ALAN MYCROFT, DAVID SCOTT AND RICHARD SHARP. The Case for Abstracting Security Policies, in the International Conference on Security and Management(SAM),June2003. OtherselectedworkpublishedduringthecourseofthePhDresearchincludes: ELEANOR TOYE, RICHARD SHARP, ANIL MADHAVAPEDDY, DAVID SCOTT, EBEN UPTON AND ALAN BLACKWELL. Interacting with Mobile Services: An Evaluation of Camera-PhonesandVisualTags,inPersonalandUbiquitousComputingJournal,vol.10 (2006). ANIL MADHAVAPEDDY AND ALASTAIR TSE. A Study of Bluetooth Propagation Us- ii ing Accurate Indoor Location Mapping, in 7th International Conference on Ubiquitous Computing (UbiComp), Lecture Notes on Computer Science vol. 3660, page 105–122, Springer. ELEANOR TOYE, RICHARD SHARP, ANIL MADHAVAPEDDY AND DAVID SCOTT. Us- ing Smart Phones to Access Site-Specific Services, in IEEE Pervasive Computing vol. 4(2),pages60–66,April2005. DAVID SCOTT, RICHARD SHARP, ANIL MADHAVAPEDDY AND EBEN UPTON. Using Visual Tags to Bypass Bluetooth Device Discovery, in ACM Mobile Computer Commu- nicationsReviewvol.9(1),pages41–53,January2005. ANILMADHAVAPEDDY, RICHARDSHARP, DAVIDSCOTTANDALASTAIRTSE. Audio Networking: The Forgotten Wireless Technology, in IEEE Pervasive 4(3), page 55–60, 2005. KIERAN MANSLEY, DAVID SCOTT, ALASTAIR TSE AND ANIL MADHAVAPEDDY. Feedback, Latency, Accuracy: Exploring Tradeoffs in Location-aware Gaming, in pro- ceedings of the 3rd ACM SIGCOMM Workshop on Network and System Support for Games(NetGames),pages93–97,2004. ANIL MADHAVAPEDDY, RICHARD SHARP AND DAVID SCOTT. Context-Aware Com- putingwithSound,intheFifthInternationalConferenceonUbiquitousComputing(Ubi- Comp),LectureNotesonComputerScience(vol.2864),page315–332,Springer. iii Abstract AtypicalInternetserverfindsitselfinthemiddleofavirtualbattleground,underconstant threat from worms, viruses and other malware seeking to subvert the original intentions of the programmer. In particular, critical Internet servers such as OpenSSH, BIND and Sendmail have had numerous security issues ranging from low-level buffer overflows to subtleprotocollogicerrors. Theseproblemshavecostbillionsofdollarsasthegrowthof theInternetexposesincreasingnumbersofcomputerstoelectronicmalware. Despitethe decades of research on techniques such as model-checking, type-safety and other forms of formal analysis, the vast majority of server implementations continue to be written unsafelyandinformallyinC/C++. In this dissertation we propose an architecture for constructing new implementa- tions of standard Internet protocols which integrates mature formal methods not cur- rently used in deployed servers: (i) static type systems from the ML family of functional languages; (ii) model checking to verify safety properties exhaustively about aspects of the servers; and (iii) generative meta-programming to express high-level constraints for the domain-specific tasks of packet parsing and constructing non-deterministic state ma- chines. Our architecture—dubbed MELANGE—is based on Objective Caml and con- tributes two domain-specific languages: (i) the Meta Packet Language (MPL), a data description language used to describe the wire format of a protocol and output statically type-safe code to handle network traffic using high-level functional data structures; and (ii) the Statecall Policy Language (SPL) for constructing non-deterministic finite state automata which are embedded into applications and dynamically enforced, or translated into PROMELA andstaticallymodel-checked. Ourresearchemphasisestheimportanceofdeliveringefficient,portablecodewhichis feasibletodeployacrosstheInternet. Weimplementedtwocomplexprotocols—SSHand DNS—to verify our claims, and our evaluation shows that they perform faster than their standard counterparts OpenSSH and BIND, in addition to providing static guarantees againstsomeclassesoferrorsthatarecurrentlyamajorsourceofsecurityproblems. iv Acknowledgements Mostoftheideasinthisdissertationcanbetracedbacktoasteamingcupofcoffeeinthe famous“collaborationcorner”intheComputerLab,somanythankstoAndyHopperfor creatingsuchagreatenvironment. TheideaofwritinganSSHserverinOCamlemerged after a particularly long session of procrastination with David Scott in early 2004, and I amgratefultohimforsubsequentadviceandevangelismofthe“OCamlway”eversince! I was privileged to have the best office in Cambridge, shared with Evangelia Kaly- vianaki, Alex Ho and Christian Kreibich, the bust of Volta and an inflatable green alien. Thanks to them and regular visitors Andrew Warfield, Euan Harris and Jon Crowcroft for making it such wacky fun. Upstairs in the LCE, I owe a great debt to Kieran Mans- ley, Alastair Beresford, David Scott, Alastair Tse, Ripduman Sohan and Andrew Rice forprovidingmewitheasyQuaketargetpractice,andRichardSharpandRobEnnalsfor their contribution to the quest for free Intel-cinos. Away from the lab, Nick Ludlam and Subhashis and Sheree Biswas always provided a sympathetic ear from the mysterious “realworld”. I have had several supervisors through my research, and I am very grateful to Ian Pratt, Tim Harris, Andy Hopper, Alan Mycroft, Steven Hand, Jon Crowcroft and Derek Macauley for their valuable time and conversations. David Greaves drove me to the PhD finish line, and his advice and guidance (notably on what the word “thesis” meant) has been invaluable in delivering this weighty tome. Tim Deegan, Sriram Srinivasan, Jon Crowcroft, David Scott and Richard Sharp also proof-read it and patched up my “international” use of language. I am also grateful to Nawaf Bitar and Nick Thurlow from Network Appliance who gave me the initial funding and encouragement to return toacademia,andDerekMacauleyfromIntelResearchwhofundedthefinalyears. This dissertation is dedicated to my parents, my brother Naganand and sister-in-law Jyothsna, who supported me throughout the roller-coaster ride and continue to do so. Thanks! v CONTENTS Contents 1 Introduction 1 1.1 InternetGrowth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 SecurityandReliabilityConcerns . . . . . . . . . . . . . . . . . 3 1.1.2 FirewallsProveInsufficient . . . . . . . . . . . . . . . . . . . . 3 1.1.3 TheInternetServerMonoculture . . . . . . . . . . . . . . . . . . 4 1.2 MotivationforRewritingInternetServers . . . . . . . . . . . . . . . . . 5 1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 Background 9 2.1 InternetSecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.2 LanguageIssues . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.1.3 TheRiseoftheWorm . . . . . . . . . . . . . . . . . . . . . . . 14 2.1.4 DefencesAgainstInternetAttacks . . . . . . . . . . . . . . . . . 16 2.2 FunctionalProgramming . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.2.1 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.2.2 TypeSystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.2.3 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.2.4 Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.3 ObjectiveCaml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.3.1 StrongAbstraction . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.3.2 PolymorphicVariants . . . . . . . . . . . . . . . . . . . . . . . . 30 2.3.3 MutableDataandReferences . . . . . . . . . . . . . . . . . . . 32 2.3.4 BoundsChecking . . . . . . . . . . . . . . . . . . . . . . . . . . 33 vi CONTENTS 2.4 ModelChecking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.4.1 SPIN and PROMELA . . . . . . . . . . . . . . . . . . . . . . . . 35 2.4.2 SystemVerificationusing SPIN . . . . . . . . . . . . . . . . . . 38 2.4.3 ModelCreationandExtraction . . . . . . . . . . . . . . . . . . . 40 2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 3 RelatedWork 42 3.1 ControlPlane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 3.1.1 FormalModelsofConcurrency . . . . . . . . . . . . . . . . . . 44 3.1.2 ModelExtraction . . . . . . . . . . . . . . . . . . . . . . . . . . 45 3.1.3 DynamicEnforcementandInstrumentation . . . . . . . . . . . . 47 3.2 DataPlane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.2.1 DataDescriptionLanguages . . . . . . . . . . . . . . . . . . . . 48 3.2.2 ActiveNetworks . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.2.3 TheView-UpdateProblem . . . . . . . . . . . . . . . . . . . . . 52 3.3 GeneralPurposeLanguages . . . . . . . . . . . . . . . . . . . . . . . . 53 3.3.1 SoftwareEngineering . . . . . . . . . . . . . . . . . . . . . . . . 53 3.3.2 Meta-Programming . . . . . . . . . . . . . . . . . . . . . . . . . 54 3.3.3 FunctionalLanguagesforNetworking . . . . . . . . . . . . . . . 55 3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 4 Architecture 58 4.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 4.1.1 DataAbstractions . . . . . . . . . . . . . . . . . . . . . . . . . . 59 4.1.2 LanguageSupport . . . . . . . . . . . . . . . . . . . . . . . . . 60 4.2 The MELANGE Architecture . . . . . . . . . . . . . . . . . . . . . . . . 64 4.2.1 MetaPacketLanguage(MPL) . . . . . . . . . . . . . . . . . . . 64 4.2.2 StatecallSpecificationLanguage(SPL) . . . . . . . . . . . . . . 65 4.3 ThreatModel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 5 MetaPacketLanguage 72 5.1 Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 5.1.1 ParsingIPv4: AnExample . . . . . . . . . . . . . . . . . . . . . 74 5.1.2 TheoreticalSpace . . . . . . . . . . . . . . . . . . . . . . . . . . 79 5.1.3 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 vii CONTENTS 5.1.4 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 5.2 BasisLibrary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 5.2.1 PacketEnvironments . . . . . . . . . . . . . . . . . . . . . . . . 86 5.2.2 BasicTypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 5.2.3 CustomTypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 5.3 OCamlInterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 5.3.1 PacketSinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 5.3.2 PacketSources . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 5.3.3 PacketProxies . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 5.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 5.4.1 ExperimentalSetup . . . . . . . . . . . . . . . . . . . . . . . . . 95 5.4.2 ExperimentsandResults . . . . . . . . . . . . . . . . . . . . . . 98 5.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 5.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 6 StatecallPolicyLanguage 102 6.1 StatecallPolicyLanguage . . . . . . . . . . . . . . . . . . . . . . . . . . 104 6.1.1 ACaseStudyusingping . . . . . . . . . . . . . . . . . . . . . . 104 6.1.2 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 6.1.3 TypingRules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 6.2 IntermediateRepresentation . . . . . . . . . . . . . . . . . . . . . . . . 112 6.2.1 ControlFlowAutomaton . . . . . . . . . . . . . . . . . . . . . . 112 6.2.2 MultipleAutomata . . . . . . . . . . . . . . . . . . . . . . . . . 114 6.2.3 Optimisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 6.3 Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 6.3.1 OCaml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 6.3.2 PROMELA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 6.3.3 HTMLandJavascript . . . . . . . . . . . . . . . . . . . . . . . . 124 6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 7 CaseStudies 127 7.1 SecureShell(SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 7.1.1 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 7.1.2 SSHPacketFormat . . . . . . . . . . . . . . . . . . . . . . . . . 135 7.1.3 SSHStateMachines . . . . . . . . . . . . . . . . . . . . . . . . 136 viii CONTENTS 7.1.4 AJAXDebugger . . . . . . . . . . . . . . . . . . . . . . . . . . 137 7.1.5 ModelChecking . . . . . . . . . . . . . . . . . . . . . . . . . . 138 7.2 DomainNameSystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 7.2.1 DNSPacketFormat . . . . . . . . . . . . . . . . . . . . . . . . 143 7.2.2 AnAuthoritativeDeensServer . . . . . . . . . . . . . . . . . . . 146 7.2.3 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 7.3 CodeSize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 8 Conclusions 152 8.1 FutureWork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 A SampleApplication: ping 189 B MPLUserManual 193 B.1 Well-FormedSpecifications . . . . . . . . . . . . . . . . . . . . . . . . . 193 B.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 C MPLProtocolListings 199 C.1 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 C.2 IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 C.3 ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 C.4 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 C.5 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 D SPLSpecifications 207 D.1 SSHTransportandAuthentication . . . . . . . . . . . . . . . . . . . . . 207 D.2 SSHChannels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 ix