Prognosis: Closed-Box Analysis of Network Protocol Implementations

TL;DR

Prognosis is a flexible framework that automatically learns models of network protocol implementations at various abstraction levels, enabling comprehensive analysis, bug detection, and comparison across different protocols like TCP and QUIC.

Contribution

It introduces a modular, adaptable approach for automated closed-box modeling of network protocols, facilitating diverse analyses and bug discovery.

Findings

Learned models of three QUIC implementations revealing design differences.

Identified and reported critical bugs acknowledged by developers.

Demonstrated the framework's effectiveness across multiple protocols.

Abstract

We present Prognosis, a framework offering automated closed-box learning and analysis of models of network protocol implementations. Prognosis can learn models that vary in abstraction level from simple deterministic automata to models containing data operations, such as register updates, and can be used to unlock a variety of analysis techniques -- model checking temporal properties, computing differences between models of two implementations of the same protocol, or improving testing via model-based test generation. Prognosis is modular and easily adaptable to different protocols (e.g., TCP and QUIC) and their implementations. We use Prognosis to learn models of (parts of) three QUIC implementations -- Quiche (Cloudflare), Google QUIC, and Facebook mvfst -- and use these models to analyze the differences between the various implementations. Our analysis provides insights into different design choices and uncovers potential bugs. Concretely, we have found critical bugs in multiple QUIC implementations, which have been acknowledged by the developers.