Validating Network Protocol Parsers with Traceable RFC Document Interpretation
Mingwei Zheng, Danning Xie, Qingkai Shi, Chengpeng Wang, Xiangyu Zhang
TL;DR
This work tackles the challenge of validating network protocol parsers by addressing both oracle and traceability problems. It introduces ParCleanse, a three-phase framework that (i) extracts complete protocol formats from RFC documents via a divide-and-conquer DocTree, (ii) generates fine-grained test cases through a Format Graph and property-level mutation, and (iii) uses traceability-assisted inconsistency identification to distinguish parser bugs from format extraction errors. Across nine protocols and multiple languages, ParCleanse achieves high precision and recall in format extraction and discovers a large set of bugs, including many new ones, outperforming baselines such as ChatAFL and ParDiff. The results indicate a strong potential for automated software validation driven by natural language specifications, with traceability to RFC sources enabling precise diagnosis and fixes.
Abstract
Validating the correctness of network protocol implementations is highly challenging due to the oracle and traceability problems. The former determines when a protocol implementation can be considered buggy, especially when the bugs do not cause any observable symptoms. The latter allows developers to understand how an implementation violates the protocol specification, thereby facilitating bug fixes. Unlike existing works that rarely take both problems into account, this work considers both and provides an effective solution using recent advances in large language models (LLMs). Our key observation is that network protocols are often released with structured specification documents, a.k.a. RFC documents, which can be systematically translated to formal protocol message specifications via LLMs. Such specifications, which may contain errors due to the hallucination of LLMs, are used as a quasi-oracle to validate protocol parsers, while the validation results in return gradually refine the oracle. Since the oracle is derived from the document, any bugs we find in a protocol implementation can be traced back to the document, thus addressing the traceability problem. We have extensively evaluated our approach using nine network protocols and their implementations written in C, Python, and Go. The results show that our approach outperforms the state-of-the-art and has detected 69 bugs, with 36 confirmed. The project also demonstrates the potential for fully automating software validation based on natural language specifications, a process previously considered predominantly manual due to the need to understand specification documents and derive expected outputs for test inputs.