Automated Verification of an In-Production DNS Authoritative Engine
Authors: 
Naiqian Zheng, Mengqi Liu, Yuxing Xiang, Linjian Song, Dong Li, Feng Han, Nan Wang, Yong Ma, Zhuo Liang, Dennis Cai, Ennan Zhai, 
Xuanzhe Liu, Xin JinAuthors Info & Claims
Pages 80 - 95
Abstract
This paper presents DNS-V, a verification framework for our in-production DNS authoritative engine, which is the core of our DNS service. The key idea for automated verification in general is based on the layered verification principle. However, we face the challenge that our in-production DNS authoritative engine lacks modularity, more specifically, as can be seen with unclean interfaces and poor data structure encapsulation. This makes the layered verification hard to apply. To address this challenge, we propose a summarization approach that performs full-path symbolic execution to accumulate all path conditions and computation effects, and then represents a module's behavior in an abstract form as a set of input-effect pairs. In addition, for portability to future iterated versions of our DNS authoritative engine, we identify common dependency library modules that remain stable across different versions, and carefully design their abstractions to make them amenable to automated reasoning. Our framework has been successful in identifying and preventing tens of critical bugs in different versions of our DNS authoritative engine from reaching production, with a porting effort of less than one person-week.
References
[1]
2017. How and why the leap second affected Cloudflare DNS. https://blog.cloudflare.com/how-and-why-the-leap-second-affected-cloudflare-dns/.
[2]
2018. Analyzing the Impact of a Public DNS Resolver Outage. https://www.catchpoint.com/blog/google-dns-outage.
[3]
2021. A DNS outage just took down a large chunk of the internet. https://techcrunch.com/2021/07/22/a-dns-outage-just-took-down-a-good-chunk-of-the-internet/.
[4]
2021. Observations on resolver behavior during DNS outages. https://blog.verisign.com/security/facebook-dns-outage/.
[5]
2021. Understanding how Facebook disappeared from the Internet. https://blog.cloudflare.com/october-2021-facebook-outage/.
[6]
2022. The Coq Proof Assistant. https://coq.inria.fr/.
[7]
2022. Gollvm: LLVM-based Go compiler. https://go.googlesource.com/gollvm.
[8]
Anish Athalye, M Frans Kaashoek, and Nickolai Zeldovich. 2022. Verifying Hardware Security Modules with {Information-Preserving} Refinement. In USENIX OSDI.
[9]
James Bornholt, Rajeev Joshi, Vytautas Astrauskas, Brendan Cully, Bernhard Kragl, Seth Markle, Kyle Sauri, Drew Schleit, Grant Slatton, Serdar Tasiran, Jacob Van Geffen, and Andrew Warfield. 2021. Using lightweight formal methods to validate a key-value storage node in Amazon S3. In ACM SOSP.
[10]
James Bornholt and Emina Torlak. 2018. Finding code that explodes under symbolic evaluation. Proceedings of the ACM on Programming Languages OOPSLA (2018).
[11]
Martin Carlisle and Barry Fagin. 2012. IRONSIDES: DNS with no singlepacket denial of service or remote code execution vulnerabilities. In IEEE GLOBECOM.
[12]
Tej Chajed, Joseph Tassarotti, Mark Theng, M Frans Kaashoek, and Nickolai Zeldovich. 2022. Verifying the {DaisyNFS} concurrent and crash-safe file system with sequential reasoning. In USENIX OSDI.
[13]
Haogang Chen, Tej Chajed, Alex Konradi, Stephanie Wang, Atalay İleri, Adam Chlipala, M Frans Kaashoek, and Nickolai Zeldovich. 2017. Verifying a high-performance crash-safe file system using a tree specification. In ACM SOSP.
[14]
Hao Chen, Xiongnan Wu, Zhong Shao, Joshua Lockerman, and Ronghui Gu. 2016. Toward compositional verification of interruptible OS kernels and device drivers. In ACM PLDI.
[15]
Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M Frans Kaashoek, and Nickolai Zeldovich. 2015. Using Crash Hoare logic for certifying the FSCQ file system. In ACM SOSP.
[16]
David Costanzo, Zhong Shao, and Ronghui Gu. 2016. End-to-end verification of information-flow security for C and assembly programs. ACM SIGPLAN Notices (2016).
[17]
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In International Conference on Tools and Algorithms for the Construction and Analysis of Systems.
[18]
Mihai Dobrescu and Katerina Argyraki. 2014. Software Dataplane Verification. In USENIX NSDI.
[19]
R. Elz. 1997. Clarifications to the DNS Specification. RFC 2181. https://www.rfc-editor.org/info/rfc2181
[20]
Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In ACM POPL.
[21]
Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan (Newman) Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In USENIX OSDI.
[22]
Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified concurrent abstraction layers. ACM SIGPLAN Notices (2018).
[23]
Xiaojie Guo, Maxime Lesourd, Mengqi Liu, Lionel Rieg, and Zhong Shao. 2019. Integrating formal schedulability analysis into a verified OS kernel. In International Conference on Computer Aided Verification. Springer, 496--514.
[24]
Siva Kesava Reddy Kakarla, Ryan Beckett, Behnaz Arzani, Todd Millstein, and George Varghese. 2020. Groot: Proactive verification of dns configurations. In ACM SIGCOMM.
[25]
Siva Kesava Reddy Kakarla, Ryan Beckett, Todd Millstein, and George Varghese. 2022. {SCALE}: Automatically Finding {RFC} Compliance Bugs in {DNS} Nameservers. In USENIX NSDI.
[26]
James C King. 1976. Symbolic execution and program testing. Commun. ACM (1976).
[27]
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser. 2014. Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems (2014).
[28]
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, et al. 2009. seL4: Formal verification of an OS kernel. In ACM SOSP.
[29]
Chris Lattner and Vikram Adve. 2004. LLVM: A compilation framework for lifelong program analysis & transformation. In International symposium on code generation and optimization, 2004. CGO 2004. IEEE.
[30]
Xavier Leroy. 2009. Formal verification of a realistic compiler. Commun. ACM (2009).
[31]
E. Lewis. 1997. The Role of Wildcards in the Domain Name System. RFC 4592. https://www.rfc-editor.org/info/rfc4592
[32]
Shih-Wei Li, Xupeng Li, Ronghui Gu, Jason Nieh, and John Zhuang Hui. 2021. A secure and formally verified Linux KVM hypervisor. In IEEE Symposium on Security and Privacy.
[33]
Xupeng Li, Xuheng Li, Christoffer Dall, Ronghui Gu, Jason Nieh, Yousuf Sait, and Gareth Stockwell. 2022. Design and Verification of the Arm Confidential Compute Architecture. In USENIX OSDI.
[34]
Mengqi Liu, Lionel Rieg, Zhong Shao, Ronghui Gu, David Costanzo, Jung-Eun Kim, and Man-Ki Yoon. 2019. Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation. ACM POPL (2019).
[35]
Mengqi Liu, Zhong Shao, Hao Chen, Man-Ki Yoon, and Jung-Eun Kim. 2022. Compositional virtual timelines: verifying dynamic-priority partitions with algorithmic temporal isolation. Proceedings of the ACM on Programming Languages OOPSLA (2022).
[36]
Paul Mockapetris. 1987. Domain names-concepts and facilities. RFC 1034. https://www.rfc-editor.org/rfc/rfc1034
[37]
Paul V Mockapetris. 1987. Domain names-implementation and specification. https://www.rfc-editor.org/rfc/rfc1035
[38]
Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Timothy Bourke, Sean Seefried, Corey Lewis, Xin Gao, and Gerwin Klein. 2013. seL4: from general purpose to a proof of information flow enforcement. In IEEE Symposium on Security and Privacy.
[39]
Luke Nelson, James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, and Xi Wang. 2019. Scaling symbolic evaluation for automated verification of systems code with Serval. In ACM SOSP.
[40]
Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang. 2017. Hyperkernel: Pushbutton verification of an OS kernel. In ACM SOSP.
[41]
Luke Nelson, Jacob Van Geffen, Emina Torlak, and Xi Wang. 2020. Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel. In USENIX OSDI.
[42]
Tobias Nipkow, Markus Wenzel, and Lawrence C Paulson. 2002. Isabelle/HOL: a proof assistant for higher-order logic.
[43]
NMap. 2023. NMap DNS Fuzzing. https://nmap.org/nsedoc/scripts/dns-fuzz.html
[44]
Jonas Oberhauser, Rafael Lourenco de Lima Chehab, Diogo Behrens, Ming Fu, Antonio Paolillo, Lilith Oberhauser, Koustubha Bhat, Yuzhong Wen, Haibo Chen, Jaeho Kim, et al. 2021. VSync: pushbutton verification and optimization for synchronization primitives on weak memory models. In ACM ASPLOS.
[45]
Oded Padon, Kenneth L McMillan, Aurojit Panda, Mooly Sagiv, and Sharon Shoham. 2016. Ivy: safety verification by interactive generalization. In ACM PLDI.
[46]
Aurojit Panda, Mooly Sagiv, and Scott Shenker. 2017. Verification in the age of microservices. In ACM SIGOPS HotOS Workshop.
[47]
Thomas Sewell, Felix Kam, and Gernot Heiser. 2016. Complete, high-assurance determination of loop bounds and infeasible paths for WCET analysis. In IEEE Real-Time and Embedded Technology and Applications Symposium.
[48]
Thomas Arthur Leck Sewell, Magnus O Myreen, and Gerwin Klein. 2013. Translation validation for a verified OS kernel. In ACM PLDI.
[49]
Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang. 2018. Nickel: A framework for design and verification of information flow control systems. In USENIX OSDI.
[50]
Robert Swiecki and Anestis Bechtsoudis. 2020. Google Honggfuzz DNS Fuzzing. https://github.com/google/honggfuzz/tree/master/examples/bind
[51]
Runzhou Tao, Jianan Yao, Xupeng Li, Shih-Wei Li, Jason Nieh, and Ronghui Gu. 2021. Formal verification of a multiprocessor hypervisor on arm relaxed memory hardware. In ACM SOSP.
[52]
Runzhou Tao, Jianan Yao, Xupeng Li, Shih-Wei Li, Jason Nieh, and Ronghui Gu. 2021. Formal verification of a multiprocessor hypervisor on arm relaxed memory hardware. In ACM SOSP.
[53]
Emina Torlak and Rastislav Bodik. 2013. Growing solver-aided languages with Rosette. In ACM international symposium on New ideas, new paradigms, and reflections on programming & software.
[54]
Emina Torlak and Rastislav Bodik. 2014. A lightweight symbolic virtual machine for solver-aided host languages. ACM SIGPLAN Notices (2014).
[55]
P. Vixie. 1997. Dynamic Updates in the Domain Name System (DNS UPDATE). RFC 2136. https://www.rfc-editor.org/info/rfc2136
[56]
Jianan Yao, Runzhou Tao, Ronghui Gu, and Jason Nieh. 2022. {DuoAI}: Fast, Automated Inference of Inductive Invariants for Verifying Distributed Protocols. In USENIX OSDI.
[57]
Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, and George Candea. 2017. A formally verified NAT. In ACM SIGCOMM.
[58]
Mo Zou, Haoran Ding, Dong Du, Ming Fu, Ronghui Gu, and Haibo Chen. 2019. Using concurrent relational logic with helpers for verifying the AtomFS file system. In ACM SOSP.
Index Terms
- Automated Verification of an In-Production DNS Authoritative Engine
Index terms have been assigned to the content through auto-classification.
Recommendations
Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityAuthoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain name owners are required to deploy multiple candidate nameservers for ...
Securing DNS: Extending DNS Servers with a DNSSEC Validator
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Efficient and User-Friendly Verification
A compositional verification method from a high-level resource-management standpoint is presented for dense-time concurrent systems and implemented in the tool of SGM (State-Graph Manipulators) with graphical user interface. SGM packages sophisticated ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2023
802 pages
ISBN:9798400702297
DOI:10.1145/3600006
- Conference Chairs:
- Jason Flinn,
- Margo Seltzer,
- General Chairs:
- Peter Druschel,
- Antoine Kaufmann,
- Jonathan Mace
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
- USENIX
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 23 October 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Key Research and Development Program of China
- National Natural Science Foundation of China under the grant number
Conference
SOSP '23
Sponsor:
Acceptance Rates
SOSP '23 Paper Acceptance Rate 43 of 232 submissions, 19%;
Overall Acceptance Rate 131 of 716 submissions, 18%
Upcoming Conference
SOSP '25
- Sponsor:
- sigops
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 323Total Downloads
- Downloads (Last 12 months)273
- Downloads (Last 6 weeks)27
Reflects downloads up to 05 Nov 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in