Uncovering Gaps Between RFC Updates and TCP/IP Implementations: LLM-Facilitated Differential Checks on Intermediate Representations
Yifan Wu, Xuewei Feng, Yuxiang Yang, Ke Xu
TL;DR
The paper tackles the problem of inconsistencies between evolving RFC specifications and TCP/IP implementations, which can create security vulnerabilities. It introduces an automated framework that combines large language models, knowledge graphs, and differential analysis on intermediate representations to perform incremental, targeted verification against code. The approach constructs incremental RFC function graphs, aligns specification text with kernel code via a knowledge graph, and uses intermediate representations to bridge semantic gaps, achieving high accuracy (e.g., $0.857$ F1 with GPT-4o) and identifying a set of inconsistencies across multiple RFCs and OS versions. The results demonstrate scalable, low-overhead detection suitable for real-world, multi-version environments, with clear pathways for expansion to multi-protocol analysis and automated repair in future work.
Abstract
As the core of the Internet infrastructure, the TCP/IP protocol stack carries the task of network data transmission. However, because of the complexity of the protocols and the uncertainty of cross-layer interaction, there are often inconsistencies between the protocol stack code and the RFC standard it implements. Such inconsistencies may not only lead to differences in protocol functions but also cause serious security vulnerabilities. With the continuous expansion of protocol stack functionality and the rapid iteration of RFC documents, detecting and fixing these inconsistencies is increasingly important. With the rise of large language models, researchers have begun to explore how to extract protocol specifications from RFC documents with these models, including protocol stack modeling, state machine extraction, text ambiguity analysis, and related tasks. However, existing methods rely on predefined patterns or rule-based approaches that fail to generalize across different protocol specifications, so automated and scalable detection of these inconsistencies remains a significant challenge. In this study, we propose an automated analysis framework based on LLMs and differential models. By modeling the iterative update relationship between successive RFC standards, we perform incremental code function analysis on different versions of kernel code implementations to automatically detect inconsistencies and analyze the resulting vulnerabilities. We conduct extensive evaluations to validate the framework, demonstrating its effectiveness in identifying potential vulnerabilities caused by inconsistencies between RFCs and code.
