Skip to content
/ klint Public
forked from dslab-epfl/klint

Repository for the "Automated Verification of Network Function Binaries" paper (NSDI'22).

License

MIT license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kylerky/klint

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

889 Commits
benchmarking
benchmarking
 
 
env
env
 
 
experiments
experiments
 
 
nf
nf
 
 
tool
tool
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
License.md
License.md
 
 
Makefile
Makefile
 
 
Makefile.base
Makefile.base
 
 
ReadMe.md
ReadMe.md
 
 

Repository files navigation

This is the artifact for the paper "Automated Verification of Network Function Binaries" presented at NSDI'22.

Repository structure

  • benchmarking contains the scripts for benchmarks (building upon those from the TinyNF artifact)
  • experiments contains the scripts to reproduce the results in the paper
  • nf contains the network functions we wrote or adapted
  • env contains the environment abstractions for network functions and implementations of these abstractions
  • tool contains the Klint tool
  • Makefile contains some end-to-end targets, see below
  • Makefile.base is the common Makefile for all C code

Network functions get compiled in two steps. First, compiling the network function code against the environment interface leads to a static or dynamic library. This library can be verified with Klint, even without debugging symbols, since it must export symbols for linking with the environment. Second, compiling the library along with the environment implementation leads to a binary that can be run. Part of this binary can also be verified with Klint for "full-stack" verification, specifically the driver and the network function, if it is compiled in such a way that these symbols still exist.

An example of end-to-end usage is Makefile, which can compile-X (compile just nf/X), build-X (compile nf/X and link it with a compiled environment), verify-X (using nf/X/spec.py), and benchmark-X (basic benchmark of nf/X) for an NF X in nf/ such as firewall. There's also compile-all to just compile all NFs, useful when making changes to the environment interface or the build infrastructure.

Reproducing paper results

Please see the experiments folder readme.

Writing and verifying your own network function

Start from a copy of nf/nop, which is a no-op network function. Use the existing nf/* functions as inspiration. All environment interactions must use the abstractions in env/, especially memory allocations.

To verify it, compile it as documented in nf/ and use Klint on it as documented in tool/.

To write a spec, look at the the documentation in tool/, and at existing specs in nf/ folders.

If you need new data structures, add them in env/include/structs, env/src/structs. Then add Klint contracts in tool/klint/externals and add them to the *_externals dictionaries in tool/klint/executor.py.

About

Repository for the "Automated Verification of Network Function Binaries" paper (NSDI'22).

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 79.7%
  • Python 17.4%
  • Shell 1.1%
  • Lua 1.0%
  • Rust 0.4%
  • Click 0.2%
  • Other 0.2%