VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv, Michael Schapira, Asaf Valadarsky


VeriCon: Towards Verifying Controller Programs in SDNs

(PLDI 2014)

Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv, Michael Schapira, Asaf Valadarsky


Traditional Computer Networks

Data plane: packet streaming

Control plane: distributed algorithms


New Paradigm: Software Defined Networking (SDN)

API to the data plane (e.g., OpenFlow)

logically-centralized control in software

switches

smart but slow software

dumb but fast hardware


Controller: Programmability

Controller

Events from switches: topology changes, traffic statistics, arriving packets

Commands to switches: (un)install rules, query statistics

APP APP APP


Desired Network Properties

• Routing
  – No forwarding loops, no black holes, …

• Security
  – ACL, firewall, middleboxes, …

• Traffic Engineering
  – Load balancing, VM migration, …

• …


How can we guarantee such properties?


Traditional Networks vs. SDN

• Guaranteeing these properties in a traditional network is nearly impossible
  – Switch / Router code is a “black box”
  – Protocols are distributed across devices.

• SDN opens up the possibility of applying formal software verification to networks!
  – Accessible code
  – Centralized control


Existing Approaches

• Finite-state model checking
  – E.g., NICE & Verificare

• Analyzing network snapshots
  – E.g., HSA

• Run-time checks
  – E.g., VeriFlow & NetPlumber

Might miss bugs!

Discover bugs too late & run-time overhead


Dream Scenario

• Verify network-wide properties at compile time
  – Find violations before they occur!

• Provable verification
  – Prove correctness for correct programs
  – Find a counterexample for incorrect programs (useful for debugging)


The VeriCon Tool

Controller Code (P)

Desired Properties

Verification Conditions Generator

T P “”

SAT Solver

Counterexample Proof

Restrictions on Topology (T)


Running Times – Correct Programs

| Program | Description | Time to prove (seconds) |
|---|---|---|
| Firewall | A basic firewall abstraction. | 0.11 |
| MigFirewall | Firewall supporting migration of “safe” hosts. | 0.12 |
| Learning | A simple learning switch. | 0.14 |
| Resonance | Access control for host authentication in enterprises. | 0.18 |
| Stratos | Forwarding traffic through a sequence of middleboxes. | 0.09 |


Running Times – Incorrect Programs

| Program | Description | Time to disprove (seconds) |
|---|---|---|
| Firewall-Bug 1 | Forgot to check if packets in port 2 are from a trusted location. | 0.13 |
| Firewall-Bug 2 | Forgot to add the definition for a “trusted host”. | 0.09 |
| Learning-Bug 3 | Forgot to forward the packets. | 0.15 |
| Resonance-Bug 1 | Forgot to define that the states a host could be at are mutually exclusive. | 0.07 |
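The check behind Firewall-Bug 1, as an added example that is not VeriCon's code and not from the slides: it tests whether an invariant is inductive for a packet-in handler and returns either nothing (proof) or a counterexample. The firewall model, the two-host universe and all function names are assumptions, and brute-force enumeration stands in for the solver, so unlike VeriCon it says nothing about unbounded topologies.

```python
from itertools import combinations, product

HOSTS = ("a", "b")                      # constructed two-host universe
PAIRS = tuple(product(HOSTS, HOSTS))    # possible (src, dst) rule keys


def subsets(items):
    """All subsets of items, as frozensets."""
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def handler(state, event, check_trusted=True):
    """Packet-in handler of the assumed firewall; returns the next state.

    state = (trusted hosts, installed port-2 -> port-1 rules)
    event = (ingress port, src, dst); port 1 is the protected side.
    check_trusted=False models Firewall-Bug 1 (the source check is missing).
    """
    trusted, rules = state
    port, src, dst = event
    if port == 1:
        return (trusted | {dst}, rules)          # destination becomes trusted
    if not check_trusted or src in trusted:
        return (trusted, rules | {(src, dst)})   # allow port 2 -> port 1
    return state                                 # drop the packet


def invariant(state):
    """Every installed port-2 -> port-1 rule has a trusted source."""
    trusted, rules = state
    return all(src in trusted for src, _ in rules)


def verify(check_trusted=True):
    """Return None if the invariant is inductive, else (state, event)."""
    init = (frozenset(), frozenset())
    if not invariant(init):
        return (init, None)
    # Inductive step: start from ANY state satisfying the invariant,
    # not only reachable ones, as a verification condition would.
    for state in product(subsets(HOSTS), subsets(PAIRS)):
        if not invariant(state):
            continue
        for event in product((1, 2), HOSTS, HOSTS):
            if not invariant(handler(state, event, check_trusted)):
                return (state, event)
    return None
```
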


VeriCon: Challenges and Solutions

• Programmer must specify properties in 1st-order logic
  – We build a tool that infers formulas for SDN programs
  – Future research: static analysis

• SDN programs must be coded in a specific language (CSDN)
  – VeriCon can be extended to support Java, Python, etc.

• SAT solver might not terminate!
  – SDN programs considered are in a sub-family of FOL
  – … solver termination guaranteed!

• VeriCon assumes atomicity of events
  – “Existing” solutions
  – Future research: verify stronger properties


Summary

• SDN opens up the possibility for applying formal verification to networks

• VeriCon is the first system to provably verify SDN programs at compile time
  – for unbounded topology, #packets, etc.


Thank You