3DGen: AI-Assisted Generation of
Provably Correct Binary Format Parsers

In this work, we present 3dGen, a framework that uses AI agents to assist a human in translating an informal specification to executable code via a DSL, grounded specifically in generating binary format parsers using 3D. Our framework is agnostic to the AI model used, though for our experiments we use GPT-4 [4]. The core of 3dGen is an automated intent-refinement loop which assists a user in constructing a 3D specification that matches an oracle’s behavior on a set of test inputs. Figure 1 sketches the high-level workflow, whose main elements mirror the steps outlined above.

Having converged with 3dGen’s help on a given 3D specification, the user relies on EverParse to generate verified C code that is guaranteed to parse only all messages that are well-formed according to the specification.

We evaluate 3dGen on 20 Internet standard formats, starting from their specification in RFCs. While 3dTestGen can generate tests from candidate specifications, we still require oracles to label those tests with their desired outcome; specifically, we use the Wireshark ³³3https://www.wireshark.org/docs/man-pages/tshark.html network packet analyzer to decide if a packet should be accepted or not. Interestingly, in 11 cases, 3dGen discovers constraints specified in RFCs that Wireshark does not enforce. Additionally, for 7 protocol formats, we also evaluated 3dGen’s ability to produce 3D specification that match the behavior of prior, handwritten specifications for various formats provided as samples by the authors of EverParse. In this setting, 3dGen uncovers 3 cases in which the human authored specifications were incorrect. That said, the specifications 3dGen produces are only as good as the tests on which it is evaluated. In 2 cases, 3dGen produces specifications that agree with Wireshark, but 3dTestGen detects, via symbolic differential testing, that the generated specification is semantically distinct from a human-authored EverParse sample—the 3dGen-produced specification does not enforce a constraint that it should. As such, we caution that 3dGen should not be used to blindly match the behavior of a legacy tool. Instead, we envision 3dGen and its symbolic tools to be used by humans to iteratively refine a natural language document into a formal specification, while also growing a carefully curated test suite.

A key enabler of our technique is the use of an effectively analyzable DSL, coupled with a verified code generator, as a medium of interaction between a user’s informal intent and AI-generated output. In contrast, directly prompting AI agents to produce C code from informal specifications would leave open the question of analyzing ad hoc C code for safety and security, and with an unclear formal basis against which to assess code correctness. Further, targeting a DSL enables us to integrate powerful, fully automated tools like symbolic test-case generation and differential analysis that are usually intractable for large, general-purpose languages. We conjecture that future AI-assisted programming techniques might also benefit from the use of effectively analyzable DSLs as intermediate languages.

In summary, we make the following contributions:

1. 1.

   An architecture for AI-assisted programming using DSLs coupled with symbolic analysis tools to refine informal user intent into formal specifications, grounded in the scenario of binary format parsers.

2. 2.

   A new symbolic analysis and test generation tool for the 3D format language, integrated in 3dGen’s intent refinement loop.

3. 3.

   An evaluation of 3dGen on a suite of 20 binary format parsers specified in Internet standard RFCs, yielding safe and secure C code.

We assume the 3D DSL is equipped with the following functions:

• •

  3DSynChk: A syntax and type checker function, given a specification $p$ checks for syntax as well as type constraints imposed by the 3D language.

• •

  3DExec: An execution function; for any 3D specification $p$ that satisfies $\textsc{3DSynChk}(p)$, given a packet $i$, $\textsc{3DExec}(p,i)$ returns true iff the specification $p$ accepts the packet $i$. Concretely, we use EverParse to compile $p$ to C code and execute it on $i$.

• •

  $\it 3DDoc$: Natural language documentation about the 3D language and examples, provided as a manual.

Algorithm 1 takes as input an RFC document, function LblImpl that is used to classify packets, as well as a (possibly empty) seed sets of positive and negative packets, $\it I_{0}^{+}$ and $\it I_{0}^{-}$. The desired 3D specification $p$ should accept the positive packets $\it I_{0}^{+}$ and reject $\it I_{0}^{-}$. The algorithm returns a set of possible candidate 3D specifications CandProgs, along with an augmented set of positive ($I^{+}$) and negative ($I^{-}$) packets, generated by 3dTestGen and labeled using LblImpl, ensuring that every specification in CandProgs is consistent with the augmented set of packet inputs. Formally, $\it I_{0}^{+}\subseteq I^{+}$, $\it I_{0}^{-}\subseteq I^{-}$, and for each $p\in\textit{CandProgs}$, $\textsc{3DExec}(p,i^{+})=\text{true}$ for each $i^{+}\in I^{+}$, and $\textsc{3DExec}(p,i^{-})=\text{false}$ for each $i^{-}\in I^{-}$.

The algorithm iterates non-deterministically, accumulating state which records all relevant information to be fed to an LLM in $st$, initialized to the $\it 3DDoc$, the RFC, and the seed tests. At each iteration, it performs one of the following two actions non-deterministically: (i) augment CandProgs with a new well-formed 3D specification $p$ by querying an LLM (lines 5–13); or, (ii) augment the labeled packets in $I^{+}$ and $I^{-}$ using 3dTestGen and LabelInputs (lines 14–17). Finally, at lines 18–26, candidates in CandProgs that are not consistent with the labeled packets are pruned, and any failing candidate/test pairs are added to the state (line 20).

To generate a candidate program $p$, at line 6 we QueryLLM with the accumulated state—this step is implemented using agents, as described in Section III-B. If $p$ fails the 3DSynChk, we update the state with the error, and retry.

The 3D symbolic test generator 3dTestGen takes as input a set of well-formed candidate programs that satisfy the current $I^{+}\cup I^{-}$, and outputs new (unlabeled) packets by symbolically analyzing the programs in CandProgs; we describe the precise implementation in Section III-C. We then use LblImpl to label each packet as positive or negative—concretely, we use Wireshark as an implementation of LblImpl. Details of LabelInputs is present in Section IV-C.

Constructing a prompt for an LLM from the diverse information in Algorithm 1’s accumulated state is non-trivial. It involves choosing relevant sections of natural language documentations from several pages of $RFC$, $\it 3DDoc$, relevant examples, failing tests to focus on, etc. Composing a single monolithic prompt with all relevant context needed to solve a task is often impossible, given the restricted token context-window for LLMs.

Instead, research shows that LLM-based agents significantly extend the capabilities of standalone LLMs by equipping them with the abilities needed to solve tasks in a self-directed fashion, such as long-term planning, reasoning[6], conversing with other LLMs, using tools, and retrieving information critical to task resolution[7]. Agents demonstrate improved performance and generalization of task resolution abilities for a number of increasingly complex and real-world tasks [8, 9]. Furthermore, orchestrating multiple agents that are instructed to cooperate together, can scale up the capabilities of a single agent by decomposing tasks, improving factuality and reasoning [10], and validation [11].

Motivated by these findings, we design an agent system based on the AutoGen[12] multi-agent framework. AutoGen allows the instantiation of multiple agents, each unique in their task description, access to tools and inputs, and instructed to cooperate together to achieve a solution. We choose to use a multi-agent framework over a single agent, to decompose tasks and reduce overall input in the context window, shielding other agents from unrelated intermediate reasoning steps involved in distinct task refinement loops. In the AutoGen multi-agent setup agents converse in a group chat setting, critiquing and reflecting on task progress based on conversation history, and adapting from feedback. AutoGen provides the multi-agent conversation framework as a high level abstraction, requiring only meta prompts and tool customization from the user. The agent framework designed for 3dGen is not reliant on one particular LLM, however we use GPT4-32k across all experiments. The 3dGen multi-agent framework is implemented concretely as three distinct agents:

1. 1.

   Planner Agent: the planner agent is a tool-backed agent that orchestrates the multi-agent conversation. In AutoGen it is instantiated as the group chat manager. It has access to the meta task prompt, descriptions of the other two agents, and the ability to invoke tools 3DSynChk and 3DExec, and communicate the results to the other agents.

2. 2.

   3D Developer Agent: the 3D developer agent is tasked with generating 3D code based on instructions communicated from the other two agents. This agent has access to the full 3D language manual $\it 3DDoc$, a set of task examples, and high level tips about generating syntactically correct 3D code.

3. 3.

   Domain Expert Agent: the domain expert agent is tasked with communicating specifications to the 3D Developer Agent, and critiquing generated 3D code. It has access to all domain-relevant documents needed to solve the problem. In this work, the domain expert agent has access to an RFC, the network protocol specification document needed to solve the task, and examples of the task.

All three agents communicate via an inter-agent group chat, until one of two termination conditions are met: either the output of 3DExec indicates that the generated 3D specification passes on the test set, or the maximum number of iterations, as set by the user, have been completed. The control flow of task resolution follows the paradigm provided in AutoGen, and is entirely conversation-driven, i.e. the participating agents’ decisions on which agents to send messages to and the procedure of computation are functions of the inter-agent conversation. An example of control flow is as follows: 1) the Domain Expert agent communicates the relevant parts of the RFC specification to the 3D Developer Agent 2) the 3D Agent generates a candidate specification 3) the Planner Agent makes a call to 3DSynChk and communicates the result to the group 4) the 3D Agent reflects on a syntax error reported by the Planner and refines the specification. One example of the control flow is later shown in Figure 2.

In this section, we discuss our implementation of the 3dTestGen sub-routine of Algorithm 1. Our test (packet) generator, called 3dTestGen, is implemented as an extension of the EverParse toolchain, and is grounded in the formal semantics of 3D. 3dTestGen encodes 3D programs into the SMT-LIB version 2 language (a.k.a. SMT2) [13], relying on SMT-solver Z3 [14] to produce test cases. Given a 3D program $p$, to obtain positive (resp. negative) test cases, 3dTestGen encodes the semantics of $p$ to Z3 and asks for models of the existential predicate: ”does there exist a sequence of bytes that makes $p$ succeed (resp. fail)”. Z3 returns with one of the following answers:

• •

  SAT: Z3 finds a model to satisfy predicate, including a concrete sequence of bytes that makes the parser succeed (resp. fail)

• •

  UNSAT: the predicate is unsatisfiable, which means that $p$ always fails (resp. succeeds)

• •

  UNKNOWN: Z3 times out. While there may be multiple causes to Z3 timeout; in our case, this happens rarely.

Further, given two 3D programs $p_{1}$ and $p_{2}$, 3dTestGen can also produce differential test cases by asking Z3 to find a sequence of bytes that satisfy $p_{1}$ but not $p_{2}$. If Z3 returns UNSAT, then there are no such test cases: every packet satisfying $p_{1}$ also satisfies $p_{2}$. Separately, we can ask Z3 the same satisfiability question but with $p_{1}$ and $p_{2}$ swapped. If Z3 returns UNSAT for both ways, then the 3D programs $p_{1}$ and $p_{2}$ accept and reject the exact same packets: they are semantically equivalent. We do not bound the size of packets.

The semantics of a 3D program is represented by a pure F^⋆ function whose (simplified) signature is a value of type parser t, a function of the form (input:seq byte) $\rightarrow\,$ option (t * nat) which when applied to an input sequence of bytes may fail returning None, or succeed with Some (v, n), where v is the parsed value (of type t) and n is the number of bytes of the input that were consumed.

As described in §II, EverParse provides combinators, library functions that allow combining simpler parsers to build more complex ones in a correct-by-construction way. For example, the following 3D program defines a message data format specification as a structure of two unsigned 8-bit integer fields, first and second, where first has a constraint on its value:

We would like to encode parse_message to Z3, but SMT2 does not directly support higher-order functions like parse_pair. So, at the heart of 3dTestGen is a specialization pass over the 3D parser-combinator AST to turn it into a first-order program.

For starters, the SMT2 semantics of a 3D program is given in the context of an uninterpreted function Input representing the input byte sequence on which the parser operates. The assertion below constrains Z3 to pick models for the Input array where every element is a byte in the range $[0,256)$.

Next, we encode a 3D program as an SMT2 State transforming function, where the State records (among other things) the remaining size of the Input byte sequence (remaining-input-size); the number of bytes read so far (current-pos); whether or not the parser has failed (has-failed); and the value they return (return-value).

We start by showing a simplified encoding of parse_uint8:

Next, we show the encoding of the parse_message parser, where 3dTestGen has inlined the parse_pair and parse_refine higher-order combinators from the 3D AST. This representation of the parse-message is adequate for test-case generation.

Given a query such as the following, which constrains the initial state init and asserts that message parser parse-message does not fail when applied to init, Z3 can produce models for the Input variable and its length in bytes, yielding a positive test case; to generate a negative test case, we would assert instead that (has-failed (parse-message init)). Since the input byte sequence can be arbitrarily long, we do not constrain its initial size.

If Z3 returns a model, then 3dTestGen can iteratively query Z3 for further distinct models with additional appropriate assertions to avoid duplicates. However, with this encoding, Z3 generates models that may not cover all possible branches. Our implementation uses a more sophisticated encoding to track which branches of a specification are covered by a given test case, allowing us to systematically generate tests that cover all branches up to a user-provided branch depth. We provide more details in the Appendix.

Leveraging the existing semantics of 3D and its compact, structured language of parser combinators, our implementation of 3dTestGen took less than 3 person-weeks and around 2000 lines of F^⋆, OCaml, and SMT2.

We evaluate 3dGen on 20 network protocols specified in IETF standards. Table I lists each protocol and a short description and the specific RFC number. We include the length of the RFC in pages, as a rough measure of complexity, though RFCs contain a lot of information beyond the description of the format—the number in parenthesis, when present, shows the number of pages in the RFC concerned with header formats.

To evaluate 3dGen’s ability to translate natural language specifications into 3D format specifications, we use it to generate 5 candidate specifications for the protocols in Table I. We deem a generation successful if the produced specification correctly classifies a test set of generated packets labeled by Wireshark. We report a pass@5 metric, which counts the number of successful generations out of 5 runs. To evaluate how well agents in the 3dGen multi-agent framework are able to understand the natural language specifications contained in the network protocol RFC, as well as its ability to learn 3D syntax, we explore the number of refinement loops needed to generate 1) a syntax- and type-correct solution as determined by 3DSynChk and 2) a semantically correct solution with respect to the test set, as determined by 3DExec. In addition, we highlight common mistakes made by the agents, as well as several instances where the agent is able to learn constraints from the RFC that are not enforced by the Wireshark.

For each protocol we instantiate 3dGen, using GPT-4-32k as the underlying LLM, at temperature 1.0. We set the number of specifications to generate to 5 and the max number of syntax or packet refinements to 15 per attempt. If the agents are able to produce a specification that passes before 15 refinements, the agent loop is terminated. We observe that allowing more refinement loops within the 3dGen agent conversation flow does not always lead to a successful attempt at generating a specification. On the other hand, reducing the number of refinement loops often does not give the agents enough attempts at solving the problem. This is especially true when the protocol is more complex, requiring the agents to produce a longer specification, for example in the case of ICMP, where there are 8 distinct message types for which the agent must generate a 3D specification.

For each protocol, we download the RFC from the IETF Data Tracker⁴⁴4https://datatracker.ietf.org as a text file to provide as input in the 3D Developer agent prompt. In some cases, the full RFC is prohibitively long, and would exhaust the GPT-4-32k token window. Since we are only interested in the part of the specification related to the header data format, in such cases we manually extract the pages of the RFC related to the data format specification, (usually labeled in a section called “Header Specification”). The length of the extract pages is denoted in ( ) in Table I.In the future, we plan to explore building a retrieval tool specific to RFC extraction.

We build a test suite consisting of a mixture of real-world packet captures and synthetically generated tests by 3dTestGen, where we use Wireshark to decide if the packet should be considered valid or not. For each protocol, we collected a small number of real world packets from various sources on the Internet and retain only those that Wireshark considers valid—we discard the negative cases, since they are sometimes arbitrarily malformed. For synthetic tests, we run one iteration of the 3dGen loop seeded with the real-world packets. This produces a single candidate specification on which we run 3dTestGen to generate 200 test cases. We configure 3dTestGen to fully explore a trace with 100 branch points, and observed that while many examples have a large number of branches (e.g., ICMP has 82 branches), none of them have more than 100 branches. We then collect at least two examples from each branch point, until we reach 200 examples. This gives us some confidence that the generated test suite is diverse, though its completeness is limited by the quality of the specification on which 3dTestGen is executed. We then use Wireshark to label the tests, obtaining both positive and negative test cases.

Using Wireshark to label packets comes with its own challenges. For starters, Wireshark is a protocol analyzer typically used for diagnostics and experimentation and, by design, does not always enforce all constraints when validating a packet. Wireshark does not implement a dissector for a single RFC, but rather for a family of RFCs. Thus, a dissector may be more permissive compared to a given RFC, perhaps because a related RFC mandates such a behavior—our experiments in Section V uncover many such unenforced constraints. To label a test case produced by 3dTestGen, we rely on a Wireshark feature called Export PDU, which allows validating a given packet header without encapsulating it within outer protocol headers. Two exceptions were Ethernet, which does not require outer encapsulation; and TFTP which is not supported by Export PDU. We wrapped TFTP headers generated by 3dTestGen with a dummy UDP header. For Ethernet, IPv4, IPv6, VXLan, TCP, and UDP, we also had to generate dummy payloads to prevent Wireshark from raising trivial errors. We also had to disable checksums, since this is not enforced at the level of the formats. As such, using Wireshark as a labeler for 3dTestGen outputs involved a non-trivial effort.

The EverParse GitHub⁵⁵5https://github.com/project-everest/everparse repository contains 3D specifications for seven network protocols, written by the authors of EverParse. Protocols with an existing handwritten 3D specification are marked with a * in Table I. In Section V-C we use 3dTestGen to compare the specifications generated by 3dGen to the seven handwritten specifications. We report if any of the specifications produced by 3dGen are semantically equivalent to the handwritten specifications, and otherwise use the generated set of tests to identify the cause(s) of differences.

In this section, we present experimental evidence to answer the following central question underpinning our work:

Table II details results of 3dGen on our dataset of 20 network protocols, We report the pass@5 metric, the average number of syntax refinement, and packet feedback refinement loops across all attempts.

At a first glance, 3dGen is able to generate a passing specification for 9/20 protocols, with a pass@5 $=45\%$. For two protocols, such as UDP and IGMP, 3dGen generates a passing specification in all 5 attempts, requiring an average of 0.3 syntax refinements and 0 packet refinements for UDP, and 3.8 and 0 for IGMP respectively. For the other seven, IPV4, DHCP, DCCP, ARP, NTP, NBNS, and NSH, 3dGen can generate at least one passing specification, but is not successful in all 5 attempts.

For the remaining 11 protocols, 3dGen is unable to generate a specification that passes on the test set labeled by Wireshark. We investigate the cause of the errors and find in all cases that 3dGen generates a specification that is consistent with the header format described in the RFC, but that Wireshark labels packets as valid despite there being constraint violations, i.e., Wireshark does not fully enforce the RFC. In some cases, Wireshark emits a warning about these violations, which can be filtered on a case-by-case basis. However, this is not a straightforward task as some warnings do not impact the data format specification, e.g., Wireshark emits a warning when a packet indicates the TCP connection is reset. Besides, in most cases a warning is not reported.

Using the RFC as a guide, two authors manually identified tests that Wireshark labels too permissively and corrected the labels. Using these corrected labels, we checked if any of the 3dGen generated specifications already pass on this modified test set, or else restart the 3dGen loop with the corrected tests. Protocols for which 3dGen is able to generate a specification that passes on the corrected test set are denoted as (1*) in Table II—3dGen is able to generate at least one candidate specification that is consistent with the labels in all cases.

In many cases, 3dGen produces multiple specifications that are compatible with the test set. In this section, we aim to answer the following question:

We make use of 3dTestGen to help us answer this question, in particular its differential testing feature, to find tests that distinguish specifications or prove them semantically equivalent. Distinguishing tests, if any, can be surfaced to the user, along with feedback from 3dTestGen localizing semantic differences in 3D specifications, to help the user identify their desired specification.

Table IV shows protocols for which 3dGen generates multiple candidate specifications, and the results of 3dTestGen’s differential testing between every pair of candidates, with a description of the differences found, if any. Out of 8 protocols, 7 have at least two semantically distinct specifications, whereas for VXLAN the two candidates are semantically equivalent.

For example, for ARP, 3dGen generates 3 candidate specifications, two which are semantically equivalent, whereas the third mistakenly adds a field to the end of the ARP header UINT8 remainder[:consume-all]. This field consumes the rest of the data in the packet and is often used for optional variable length fields. The ARP RFC 826 does not describe such a field, and the specification is incorrect but passes the test set because there is no negative-label test for which there is additional data at the end of the ARP header.

3dGen generates two candidate specifications for IPV4, and 3dTestGen find a test that distinguishes them. One specification has a field: UINT16BE flags:3 { flags == Reserved0 || flags == DF || flags == MF }, where Reserved0, DF, MF are equal to 0, 1, and 2, which is consistent with the RFC. The second specification has the same field as UINT16BE Flags:3 and does not enforce constraints on the value. While these constraints should be added to be consistent with the RFC, the test set did not contain a test violating this constraint, thus both specifications were able to pass the test set.

In both the cases of ARP and IPV4, 3dTestGen labels the one specification as more permissive than the other, e.g. for IPV4 every test that passes on the first specification also passes on the second, but not the other way around. For both of these cases, the stricter specification correctly implements the RFC. Thus, a user of 3dGen could decide to always accept the stricter specification as a pruning heuristic between candidates.

Result 2: Multiple distinct specifications may be produced by 3dGen for a single protocol, and the degree to which they diverge is dependent on the quality and coverage of the test suite on which they are evaluated. 3dTestGen helps by finding differentiating tests or by grouping equivalent candidates, allowing users to focus on a semantic differences exhibited by concrete test cases.

The authors of EverParse provide specifications for 7 out of the 20 protocols we ran 3dGen on. In this section, we ask:

As before, we use 3dTestGen’s differential testing to semantically compare 3dGen’s specifications to the handwritten ones, with the results in Table V. For IPV6 and Ethernet, 3dTestGen proves that the specifications are equivalent, though syntactically distinct.

For UDP, ICMP, and VXLAN, we use 3dTestGen to identify tests that distinguish the handwritten and generated specifications. In all three cases, the root cause is incorrect or missing constraints in the handwritten specifications, demonstrating that even experts make mistakes when interpreting RFCs as 3D, and that 3dGen can help in ensuring consistency with RFCs. For UDP, the handwritten specification is missing a constraint on the Length field that exists in the 3dGen specification. For ICMP, the Unused Bytes field is too short, misinterpreting the 32 bytes as 32 bits. Similarly, in VXLAN, the VXLanID is two bytes short. After correcting the handwritten specification, 3dTestGen proves them equivalent to the 3dGen generated specifications. Pull requests with the revised specifications were merged into EverParse for all three protocols.

On the other hand, for TCP and IPV4, the 3dGen specification is missing constraints that exist in the handwritten specification. For TCP, although the produced specification passes on the set of tests, it is underconstrained and does not include a condition checking if the SYN flag is set to 1 and it does not implement all possible constraints for different Max Segment Size payloads. Instead it includes size constraints that are general to all options.

For IPV4, there are missing constraints on the IHL, TotalLength, and Options fields, which indicates that tests labeled by Wireshark do not capture these constraints. We explore whether 3dGen would be able to generate an equivalent specification, if it had access to a set of tests that can capture the missing constraints. To do this, we use 3dTestGen to generate positive and negative tests from the handwritten specification, guaranteeing that tests exercising the constraints will be included in the test set. With these tests, 3dGen is able to produce two passing specifications that contain the missing constraints, after an average of 11 syntax and 4 packet refinements. The generated specifications are both semantically equivalent to the handwritten specification.

Result 3: 3dGen is able to produce 3D specifications semantically equivalent to human written 3D. In addition, using our framework we were able to uncover three bugs in existing handwritten 3D code for UDP, ICMP, and VXLAN, highlighting the difficulties in translating RFCs into correct implementations.