VeriCon: Towards Verifying Controller Programs in SDNs
(PLDI 2014)
Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv,
Michael Schapira, Asaf Valadarsky
2
Traditional Computer Networks
Data plane: packet streaming
Control plane: distributed algorithms
3
New Paradigm: Software Defined Networking (SDN)
API to the data plane (e.g., OpenFlow)
logically-centralized control in software: smart but slow software
switches: dumb but fast hardware
4
Controller: Programmability
Controller (running multiple apps: APP APP APP)
events from switches: topology changes, traffic statistics, arriving packets
commands to switches: (un)install rules, query statistics
5
Desired Network Properties
• Routing – no forwarding loops, no black holes, …
• Security – ACL, firewall, middleboxes, …
• Traffic Engineering – load balancing, VM migration, …
• …
6
How can we guarantee such properties?
7
Traditional Networks vs. SDN
• Guaranteeing these properties in a traditional network is nearly impossible
– Switch / router code is a “black box”
– Protocols are distributed across devices
• SDN opens up the possibility of applying formal software verification to networks!
– Accessible code
– Centralized control
8
Existing Approaches
• Finite-state model checking – e.g., NICE & Verificare
• Analyzing network snapshots – e.g., HSA
• Run-time checks – e.g., VeriFlow & NetPlumber
Might miss bugs!
Discover bugs too late & run-time overhead
9
Dream Scenario
• Verify network-wide properties at compile time – find violations before they occur!
• Provable verification
– Prove correctness for correct programs
– Find a counterexample for incorrect programs (useful for debugging)
10
The VeriCon Tool
Inputs: Controller Code (P), Desired Properties, Restrictions on Topology (T)
Verification Conditions Generator
SAT Solver
Output: Counterexample or Proof
11
Running Times – Correct Programs
Program | Description | Time to prove (seconds)
Firewall | A basic firewall abstraction. | 0.11
MigFirewall | Firewall supporting migration of “safe” hosts. | 0.12
Learning | A simple learning switch. | 0.14
Resonance | Access control for host authentication in enterprises. | 0.18
Stratos | Forwarding traffic through a sequence of middleboxes. | 0.09
12
Running Times – Incorrect Programs
Program | Description | Time to disprove (seconds)
Firewall-Bug 1 | Forgot to check if packets in port 2 are from a trusted location. | 0.13
Firewall-Bug 2 | Forgot to add the definition for a “trusted host”. | 0.09
Learning-Bug 3 | Forgot to forward the packets. | 0.15
Resonance-Bug 1 | Forgot to define that the states a host could be at are mutually exclusive. | 0.07
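As an added illustration (not code from the VeriCon paper or tool), here is the firewall controller from the tables beside its Bug 1 variant, with a bounded exhaustive search over packet traces standing in for VeriCon's unbounded SAT-based check; the safety property, the host names and the port roles (port 1 trusted, port 2 outside) are assumptions.

```python
from itertools import product

TRUSTED, UNTRUSTED = 1, 2  # assumed switch ports: port 1 faces trusted hosts, port 2 the outside

def firewall_correct(trusted, src, dst, in_port):
    """Packet-in handler: returns (new controller state, whether the packet is forwarded).
    State is the set of outside hosts that some trusted host has already contacted."""
    if in_port == TRUSTED:
        return trusted | {dst}, True          # learn dst as contacted, forward
    return trusted, src in trusted            # port 2: forward only if src was contacted

def firewall_bug1(trusted, src, dst, in_port):
    """Firewall-Bug 1 from the table: the port-2 branch forgets the trusted check."""
    if in_port == TRUSTED:
        return trusted | {dst}, True
    return trusted, True                      # BUG: forwards every port-2 packet

def violates(trusted_before, src, in_port, forwarded):
    """Safety property (assumed): a packet arriving on port 2 is forwarded only if
    its source has previously been contacted by a trusted host."""
    return forwarded and in_port == UNTRUSTED and src not in trusted_before

def find_counterexample(handler, hosts=("h1", "h2"), max_len=3):
    """Run every packet sequence up to max_len from the empty controller state;
    return the first violating trace, or None if the property holds within the bound.
    (A bounded stand-in for VeriCon, which proves the property for unbounded traces.)"""
    packets = [(s, d, p) for s in hosts for d in hosts if s != d for p in (TRUSTED, UNTRUSTED)]
    for n in range(1, max_len + 1):
        for trace in product(packets, repeat=n):
            trusted = frozenset()
            for src, dst, port in trace:
                new_trusted, fwd = handler(trusted, src, dst, port)
                if violates(trusted, src, port, fwd):
                    return trace              # counterexample: a concrete event sequence
                trusted = new_trusted
    return None

if __name__ == "__main__":
    print("correct:", find_counterexample(firewall_correct))   # None
    print("bug 1:  ", find_counterexample(firewall_bug1))      # (('h1', 'h2', 2),)
```

The buggy handler is refuted by a one-packet trace, mirroring the counterexample VeriCon reports; the correct one survives every trace in the bound.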
13
VeriCon: Challenges and Solutions
• Programmer must specify properties in 1st-order logic
– We build a tool that infers formulas for SDN programs
– Future research: static analysis
• SDN programs must be coded in a specific language (CSDN)
– VeriCon can be extended to support Java, Python, etc.
• SAT solver might not terminate!
– SDN programs considered are in a sub-family of FOL
– … solver termination guaranteed!
• VeriCon assumes atomicity of events
– “Existing” solutions
– Future research: verify stronger properties
14
Summary
• SDN opens up the possibility for applying formal verification to networks
• VeriCon is the first system to provably verify SDN programs at compile time
– for unbounded topology, #packets, etc.
15
Thank You