ABSTRACT
A popular technique in regular expression matching accelerators is to decompose a regular expression and have the resulting parts communicate through instructions executed by a post-processor. We present a complete verification method that leverages the success of sequential equivalence checking (SEC) to prove the correctness of the technique. The original regular expression and the system of decomposed regular expressions are modeled as netlists, and their equivalence is proved using SEC. SEC proves correct handling of 840 complex patterns from the Emerging Threats open rule set in 50 hours, eliminating informal simulation and testing altogether.
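The idea of checking a decomposed pattern against its original can be shown at small scale. The following is an added example, not code from the paper: it uses explicit-state search over the product of two machines rather than the netlist-based SEC the abstract describes, and the `.*p.*q` decomposition, the one-bit post-processor and all function names are assumptions made for illustration.

```python
from collections import deque

def lit_step(word, state, ch):
    """One byte of an unanchored literal matcher; state = set of matched prefix lengths."""
    nxt = frozenset({0} | {s + 1 for s in state if s < len(word) and word[s] == ch})
    return nxt, len(word) in nxt

def reference(p, q):
    """Monolithic matcher for .*p.*q as a subset-simulated NFA (states 0..len(p)+len(q))."""
    n, m = len(p), len(q)
    def step(state, ch):
        nxt = {0}                                  # leading .* keeps state 0 alive
        for s in state:
            if s < n and p[s] == ch:
                nxt.add(s + 1)
            if s == n:
                nxt.add(n)                         # middle .* self-loop
            if n <= s < n + m and q[s - n] == ch:
                nxt.add(s + 1)
        return frozenset(nxt), (n + m) in nxt
    return frozenset({0}), step

def decomposed(p, q):
    """Two literal matchers plus a one-bit post-processor (constructed instruction set)."""
    def step(state, ch):
        sp, sq, bit = state
        sp, hit_p = lit_step(p, sp, ch)
        sq, hit_q = lit_step(q, sq, ch)
        report = hit_q and bit                     # instruction on q: report if bit is set
        return (sp, sq, bit or hit_p), report      # instruction on p: set bit
    return (frozenset({0}), frozenset({0}), False), step

def find_mismatch(a, b, alphabet):
    """Explore the reachable product states; return a shortest distinguishing input or None."""
    (sa, step_a), (sb, step_b) = a, b
    seen, queue = {(sa, sb)}, deque([(sa, sb, "")])
    while queue:
        x, y, word = queue.popleft()
        for ch in alphabet:
            nx, out_a = step_a(x, ch)
            ny, out_b = step_b(y, ch)
            if out_a != out_b:
                return word + ch
            if (nx, ny) not in seen:
                seen.add((nx, ny))
                queue.append((nx, ny, word + ch))
    return None

if __name__ == "__main__":
    print(find_mismatch(reference("abc", "def"), decomposed("abc", "def"), "abcdefx"))
    print(find_mismatch(reference("abc", "cde"), decomposed("abc", "cde"), "abcdex"))
```

For `abc.*def` the search exhausts the product state space without finding a difference, while for `abc.*cde` it returns an input on which the naive decomposition reports a match the original pattern does not, because the two literals overlap on `c`.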
Index Terms
- Proving correctness of regular expression accelerators