An Automated Blackbox Noncompliance Checker for QUIC Server Implementations
Kian Kai Ang, Guy Farrelly, Cheryl Pope, Damith C. Ranasinghe
TL;DR
QUICtester addresses the gap in open-source conformance testing for ratified QUIC (RFC 9000/9001) by combining active automata learning with a protocol-specific test harness and automated cross-implementation analysis. It learns time-aware behavior models under multiple security configurations, then uses pairwise differential analysis to detect deviations without requiring formal reference models. Across 19 QUIC implementations and 186 learned models, it uncovers 55 faults, including 44 spec violations, memory-corruption bugs, and logical flaws, with several issues prompting CVEs and bug bounties and revealing a DoS vulnerability tied to specification ambiguity. The framework is modular, extensible, and open-source, offering practitioners a scalable method to verify security promises and interoperability in QUIC servers while guiding RFC improvements.
Abstract
We develop QUICtester, an automated approach for uncovering non-compliant behaviors in the ratified QUIC protocol implementations (RFC 9000/9001). QUICtester leverages active automata learning to abstract the behavior of a QUIC implementation into a finite state machine (FSM) representation. Unlike prior noncompliance checking methods, to help uncover state dependencies on event timing, QUICtester introduces the idea of state learning with event timing variations, adopting both valid and invalid input configurations, and combinations of security and transport layer parameters during learning. We use pairwise differential analysis of learned behaviour models of tested QUIC implementations to identify non-compliance instances as behaviour deviations in a property-agnostic way. This exploits the existence of the many different QUIC implementations, removing the need for validated, formal models. The diverse implementations act as cross-checking test oracles to discover non-compliance. We used QUICtester to analyze analyze 186 learned models from 19 QUIC implementations under the five security settings and discovered 55 implementation errors. Significantly, the tool uncovered a QUIC specification ambiguity resulting in an easily exploitable DoS vulnerability, led to 5 CVE assignments from developers, and two bug bounties thus far.
