I am a doctoral student in DSLAB and NAL at EPFL. I lead the Vigor project, that makes it possible to apply formal verification to real applications for common software developers.

I am most interested in programming languages, computer systems and formal methods.


For more details on the publications I invite you to visit my Google Scholar page.

We present the design and implementation of Vigor, a software stack and toolchain for building and running software network middleboxes that are guaranteed to be correct, while preserving competitive performance and developer productivity.

Developers write the core of the middlebox - the network function (NF) - in C, on top of a standard packet-processing framework, putting persistent state in data structures from Vigor’s library; the Vigor toolchain then automatically verifies that the resulting software stack correctly implements a specification, which is written in Python.

Vigor has three key features: network function developers need no verification expertise, and the verification process does not require their assistance (push-button verification); the entire software stack is verified, down to the hardware (full-stack verification); and verification can be done in a pay-as-you-go manner, i.e., instead of investing upfront a lot of time in writing and verifying a complete specification, one can specify one-off properties in a few lines of Python and verify them without concern for the rest.

We developed five representative NFs - a NAT, a Maglev load balancer, a MAC-learning bridge, a firewall, and a traffic policer - and verified with Vigor that they satisfy standards-derived specifications, are memory-safe, and do not crash or hang. We show that they provide competitive performance.

Arseniy Zaostrovnykh, Solal Pirelli, Rishabh Iyer, Matteo Rizzo, Luis Pedrosa, Katerina Argyraki, George Candea

Software network functions (NFs), or milddleboxes, promise flexibility and easy deployment of network services, but face the serious challenge of unexpected performance behaviour. We propose the notion of a performance contract, a construct formulated in terms of performance critical variables, that provides a precise description of NF performance. Performance contracts enable fine-grained prediction and scrutiny of NF performance for arbitrary workloads, without having to run the NF itself.

We describe Bolt, a technique and tool for computing such performance contracts for the entire software stack of NFs written in C, including the core NF logic, DPDK packet processing framework, and NIC driver. Bolt takes as input the NF implementation code and outputs the corresponding contract. Under the covers, it combines pre-analysis of a library of stateful NF data structures with automated symbolic execution of the NF’s code. We evaluate Bolt on four NFs - a Maglev-like load balancer, a NAT, an LPM router, and a MAC bridge - and show that its performance contracts predict the dynamic instruction count and memory access count with a maximum gap of 7% between the real execution and the conservatively predicted upper bound. With further engineering, this gap can drop to 0.

Rishabh Iyer, Luis Pedrosa, Arseniy Zaostrovnykh, Solal Pirelli, Katerina Argyraki, George Candea

Software network functions promise to simplify the deployment of network services and reduce network operation cost. However, they face the challenge of unpredictable performance. Given this performance variability, it is imperative that during deployment, network operators consider the performance of the NF not only for typical but also adversarial workloads.

We contribute a tool that helps solve this challenge: it takes as input the LLVM code of a network function and outputs packet sequences that trigger slow execution paths. Under the covers, it combines directed symbolic execution with a sophisticated cache model to look for execution paths that incur many CPU cycles and involve adversarial memory-access patterns. We used our tool on 11 network functions that implement a variety of data structures and discovered workloads that can in some cases triple latency and cut throughput by 19% relative to typical testing workloads.

Luis Pedrosa, Rishabh Iyer, Arseniy Zaostrovnykh, Jonas Fietz, Katerina Argyraki

Prior work proved a stateful NAT network function to be semantically correct, crash-free, and memory safe [29]. Their toolchain verifies the network function code while assuming the underlying kernel-bypass framework, drivers, operating system, and hardware to be correct. We extend the toolchain to verify the kernel-bypass framework and a NIC driver in the context of the NAT. We uncover bugs in both the framework and the driver.

Solal Pirelli, Arseniy Zaostrovnykh, George Candea

We present a Network Address Translator (NAT) written in C and proven to be semantically correct according to RFC 3022, as well as crash-free and memory-safe. There exists a lot of recent work on network verification, but it mostly assumes models of network functions and proves properties specific to network configuration, such as reachability and absence of loops.

Our proof applies directly to the C code of a network function, and it demonstrates the absence of implementation bugs. Prior work argued that this is not feasible (i.e., that verifying a real, stateful network function written in C does not scale) but we demonstrate otherwise: NAT is one of the most popular network functions and maintains per-flow state that needs to be properly updated and expired, which is a typical source of verification challenges. We tackle the scalability challenge with a new combination of symbolic execution and proof checking using separation logic; this combination matches well the typical structure of a network function. We then demonstrate that formally proven correctness in this case does not come at the cost of performance

Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea


Research Assistant

Sep 2014 - Present
EPFL, Lausanne, VD Switzerland

I lead the Vigor project. It enables regular developers of software network functions to apply formal verification to their applications. A core team of 6 people (doctoral students, professors and a postdoc) contributes to the project on a permanent basis, and more than 10 MS and BS students join for a semester or summer internship.

As part of the job, I coach student teams (4-7 people per team) as they learn applying scrum metodology in their semester project - android application development. My advisors:

Software Engineer Intern

Jun - Aug 2015
Google, Mountain View, CA USA

Added event tracking for network routing calculation. For the new Google datacenter network, in order to render performance more transparent in a distributed control plane, I implemented a logging and aggregate analytics system.

Software Engineer

Mar - July 2014
Samsung Research Institute, Moscow, Russia

Participated in development of an AOT of the ECMAScript 5.0 (JavaScript) language, for the Samsung Smart TV OS.

Software Engineer

May - Nov 2013
Intel, Moscow, Russia

Participated in development of a functional simulator for a new architecture with fine grained concurrency.

Software Engineer Intern

Jul 2010 - Apr 2013
Intel, Moscow, Russia

Participated in development of a performance-optimizing binary translator from x86 to a new artchitecture with fine-grained concurrency.

Junior Researcher

Summer 2012
OJS Co. "Institute of Electronic Control Computers", Moscow, Russia

Participated in development of a base model of prosthesis limbs.


PhD student in Computer Science (ongoing)

2014 - present
École Polytechnique Fédérale de Lausanne (EPFL)

I make formal software verification practical in the domain of network functions (used in middleboxes).

MSc in Applied Physics and Mathematics

2012 - 2014
Moscow Institute of Physics and Technology (MIPT)

I specialized in software engineering and PL systems at the Department of Radioelectronics and Cybernetics. During the studies I lectured and lead practical groups in compiler construction class for juniour students.

Graduation with honors.

BSc in Applied Physics and Mathematics

2008 - 2012
Moscow Institute of Physics and Technology (MIPT)

Graduation with honors, top 1% of the class. GPA 5.0 out of 5

Selected Projects

Here are some of my side and study projects. Visit my GitHub page for more.

Vigor -

An automatic formal verification framework for software network functions

mipt-vis -

A simple graph visualizer with automatic layout calculation implemented with QT

Natty -

An online music-searching and listening service based on GWT

Runningram -

Started as a second year class project, a 2d isometric arcade game based on SDL. It is based on a home grown 2d physics engine with developed collision detection algorithm, fairl solid body model for the cars and non-isotropic damage model. The game supports scripting in ECL, including bots, and multiplayer on the same-keyboard and across network.

A 3D tank shooter -

As side project during my school years, I enjoyed playing with 3d graphic rendering using open GL, and simulating solid body dynamics based on the first principles. The result was a tank-duel game with customizable terrain realistic physics with a home grown game engine.

Skills & Proficiency









Arseniy Zaostrovnykh is a fifth-year PhD student at Network Architecture Laboratory and Dependable System Laboratory at the École polytechnique fédérale de Lausanne (EPFL), working under the supervision of Prof. Katerina Argyraki and Prof. George Candea. He is interested in dependability of computer systems, formal methods, working on how to make formal methods practical. Arseniy earned his MSc(2014) and BSc(2012) in Moscow Institute of Physics and Technology. He has interned at Intel and Google, and worked as a software Engineer at the Samsung Research Institute (SRI) and Intel and as a junior researcher at the Institute of Electronic Control Computers in Moscow.