NSF Award
2421734
Computer networking provides a foundation for many exciting developments, from artificial intelligence to the control of industrial systems. To keep pace with these advancements, networking hardware is continually evolving. However, these development activities are expensive, requiring significant up-front effort in quality assurance, as bugs are difficult to fix after hardware is manufactured and deployed. As a result, there is a potential for significant economic benefits from improved hardware development techniques that reduce the prevalence of bugs. Formal methods are a long-standing family of techniques offering mathematical proof that system components behave correctly in all possible scenarios. However, formal methods have not previously been applied to prove that programmable networking hardware is correct – the focus of this project. The project impact is reduced cost of finding and fixing bugs, through a hardware project’s whole lifecycle, from initial design through deployment in the field. <br/><br/>This project develops novel tools for implementing and proving the correctness of programmable networking hardware, starting with examples in the style of Intel's Tofino switches. Formal proofs of functional correctness (i.e., for every possible set of input packets, the expected output packets will be produced) are carried out in the general-purpose Coq theorem prover. The focus of the proofs is on justifying the correctness of complex optimizations that allow switches and other networking hardware to process packets very quickly. Most relevant optimizations improve performance by increasing concurrency through a variety of mechanisms. These optimizations can be justified as separate algebraic rewrites (i.e., transformations) within larger proof module hierarchies. By the end of the project, the aim is not just to prove that switches are correct, but to derive optimized switches semi-automatically from non-optimized switches, where engineers assemble lists of optimizing rewrites to be performed. Any switch produced through such a flow is correct by construction, removing the need to apply time-consuming and incomplete techniques like testing and code auditing to find bugs after the fact. To support the adoption of the new methods in industry, tutorials at major networking research conferences are planned, to demonstrate the derivation of realistic switches, introducing all required formal methods content.<br/><br/>This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
