Page 1 (source: conferences.sigcomm.org/sigcomm/2016/files/program/netpl/...)
Network Verification Solvers, Symmetries, Surgeries
Nikolaj Bjørner
NetPL, August, 2016
Page 2
Z3 / Network Design Automation
Networking needs:
Configuration Sanity/Synthesis, Programming, Provisioning
Z3 advances:
Bit-vector Reasoning ~ Header Spaces
Reachability Checking, Quantitative Reasoning
Page 3
$x^2 + y^2 < 1 \text{ and } xy > 0.1$: sat, $x = \tfrac{1}{8}$, $y = \tfrac{7}{8}$
$x^2 + y^2 < 1 \text{ and } xy > 1$: unsat, Proof
Is execution path P feasible? Does Policy Satisfy Contract?
SAGE
Is Formula F Satisfiable?
WITNESS
Solution/Model
Z3 solved more than 10 billion constraints created by SymEx tools, including SAGE checking Win8, 10 and Office
Z3 used by Pex, Static Driver Verifier,
many other tools
Symbolic Analysis with
Page 4
Our competition also likes symbolic solving
Microsoft Azure and MSR are always hiring.
Top engineering and research orgs with big and long term bets.
Page 5
Overview (diagram of topics and collaborators):
Data Plane: Compact Header Space Enumeration
Application Research: Network buildout, Traffic Engineering, Flows and Fault analysis, some secret sauce
Reachability in IP networks: Network Optimized Datalog; Symmetries and surgeries
Sanity checking of Data plane Configuration: Models of Bit-vector formulas; Contracts & Network Beliefs
Network Optimization: Synchronized Optimization, $\min \mathit{cost}$, $\max \mathit{flow}$, $\forall \mathit{fault}$, $\sum$
Control Plane: Network Logic Solver, Network Optimized Datalog, Batfish
Collaborators named on the slide: Jayaraman, Mehdi, Fogel, Mahajan, Rybalchenko, Lopes, Varghese, Plotkin
Page 6
Calculus and Solvers (Application: Calculus; Solver)
- SecGuru (Access Control, Routing Validation, Static configurations for Border Gateway Protocol): Satisfiability Modulo Theories for Bit-vectors; SAT
- Checking beliefs in networks; Network Symmetries and Surgeries: Network Optimized Datalog; Datalog for Header Spaces, Tries for Header Space partitioning
- Verifying SDN controllers: Quantified logical formulas; Instantiation based reasoning
Page 7
Verification: Values and Obstacles (Hardware / Software / Networks)
What: Hardware: Chips; Software: Devices (PC, phone); Networks: Service
Bugs are: Hardware: Burned into silicon; Software: Exploitable, workarounds; Networks: Latent, Exposed
Dealing with bugs: Hardware: Costly recalls; Software: Online updates; Networks: Live site incidents
Obstacles to eradication: Hardware: Design Complexity; Software: Code churn, legacy, false positives; Networks: Topology, configuration churn
Value proposition: Hardware: Cut time to market; Software: Safety/OS critical systems, Quality of code base; Networks: Meet SLA, Utilize bandwidth, Enable richer policies
Page 8
SecGuru
Page 9
Policies as Logical Formulas
Allow: $10.20.0.0 \le \mathit{srcIp} \le 10.20.31.255 \wedge 157.55.252.0 \le \mathit{dstIp} \le 157.55.252.255 \wedge \mathit{protocol} = 6$
Deny: $65.52.244.0 \le \mathit{dstIp} \le 65.52.247.255 \wedge \mathit{protocol} = 4$
Combining semantics: $\bigvee_i \mathit{Allow}_i \wedge \bigwedge_j \neg\mathit{Deny}_j$
Precise Semantics as formulas: Contracts/Policies, Semantic Diffs
Traditional: the low level of configuration that network managers use
Page 10
Access Control
Contract: DNS ports on DNS servers are accessible from tenant devices over both TCP and UDP.
Contract: The SSH ports on management devices are inaccessible from tenant devices.
Page 11
SecGuru workflow (diagram): a Contract Database feeds a Contract Stream; Azure Network Devices and GNS Edge Network Devices feed a Configuration Stream; SECGURU (ACL Validation, Theorem Prover, Device Validation) emits a Reports Stream into a Database and into Alerts + Reporting in WANetmon. The pipeline is a StreamInsight Complex Event Processing (CEP) Application within the Windows Azure Network Monitoring Infrastructure.
Page 12
SecGuru for GNS edge ACLs
Diagram: Regression Contracts and the Edge ACL are checked by SecGuru before the Edge ACL is deployed.
Regression test suite + SecGuru check correctness of Edge ACL prior to deployment
Several major Edge ACL pushes (2700+ to 1000 ACLs) with no major impact on any services; stable state
Page 13
Semantic Diffs (one policy conjoined with the negation of the other):
$\neg\left(\bigvee_m \mathit{Allow}_m \wedge \bigwedge_n \neg\mathit{Deny}_n\right)$ and $\bigvee_i \mathit{Allow}_i \wedge \bigwedge_j \neg\mathit{Deny}_j$
Example difference (figure over srcIp, srcPort, dstIp): $\mathit{srcIp} = 10.20.0.0/16, 10.22.0.0/16$; $\mathit{dstIp} = 157.55.252.000/24, 157.56.252.000/24$; $\mathit{port} = 80, 443$
Beyond Z3: a new idea to go from one violation to all violations
Representing solutions:
- $2 \cdot 2^{16} \cdot 2 \cdot 2^{8} \cdot 2 = 2^{27}$ single solutions, or
- 8 products of contiguous ranges, or
- a single product of ranges
SecGuru contains an optimized algorithm for turning single solutions into all solutions (a product of ranges)
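As an added example (not SecGuru's code), the combining rule from the policy slide and the semantic-diff and contract checks above can be carried out over explicit products of ranges: every Allow and Deny is a box over (srcIp, dstIp, protocol, dstPort), box subtraction realises $\bigvee_i \mathit{Allow}_i \wedge \bigwedge_j \neg\mathit{Deny}_j$, and each violation of the "SSH from tenants must be unreachable" contract comes back as a product of ranges rather than as one packet. The tenant and management prefixes, the helper names and the two ACLs are constructed for this example.

```python
from ipaddress import ip_network

def cidr(prefix):  # inclusive integer range covered by a CIDR prefix
    n = ip_network(prefix)
    return (int(n.network_address), int(n.broadcast_address))

def box(src="0.0.0.0/0", dst="0.0.0.0/0", proto=(0, 255), port=(0, 65535)):
    # A rule as a product of ranges over (srcIp, dstIp, protocol, dstPort).
    return (cidr(src), cidr(dst), proto, port)

def intersect(a, b):
    """Common sub-box of a and b, or None when they are disjoint."""
    r = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return r if all(lo <= hi for lo, hi in r) else None

def subtract(a, b):
    """a minus b as disjoint boxes: slice off the parts of a outside b, one
    dimension at a time, shrinking that dimension of a to b before moving on."""
    if intersect(a, b) is None:
        return [a]
    pieces, cur = [], list(a)
    for d, ((lo, hi), (blo, bhi)) in enumerate(zip(a, b)):
        if lo < blo:
            pieces.append(tuple(cur[:d] + [(lo, blo - 1)] + cur[d + 1:]))
        if hi > bhi:
            pieces.append(tuple(cur[:d] + [(bhi + 1, hi)] + cur[d + 1:]))
        cur[d] = (max(lo, blo), min(hi, bhi))
    return pieces

def minus(boxes, others):
    for o in others:  # difference of two unions of boxes, still a list of boxes
        boxes = [p for b in boxes for p in subtract(b, o)]
    return boxes

def semantics(allows, denies):
    """The slide's combining rule: OR_i Allow_i AND AND_j not Deny_j."""
    return minus(list(allows), denies)

def diff(acl1, acl2):
    """Semantic diff: packets accepted by acl1 but not by acl2."""
    return minus(semantics(*acl1), semantics(*acl2))

def violations(acl, forbidden):
    """Admitted traffic a contract forbids, as products of ranges, not packets."""
    return [h for h in (intersect(b, forbidden) for b in semantics(*acl)) if h is not None]

# Constructed data: the tenant and management prefixes are placeholders.
TENANT, MGMT = "10.20.0.0/16", "192.0.2.0/24"
SSH_FROM_TENANT = box(TENANT, MGMT, (6, 6), (22, 22))  # contract: must be empty
LOOSE_ACL = ([box(TENANT, MGMT, (6, 6))], [box(TENANT, MGMT, (6, 6), (23, 23))])
FIXED_ACL = ([box(TENANT, MGMT, (6, 6))], [box(TENANT, MGMT, (6, 6), (22, 22))])
```

`violations(LOOSE_ACL, SSH_FROM_TENANT)` returns one box whose port range is exactly (22, 22), and `diff(FIXED_ACL, LOOSE_ACL)` returns the single port-23 box the two ACLs disagree on.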
Page 14
Verifying Forwarding Rules with SecGuru
$\mathit{Cluster}(\mathit{dst}) \Rightarrow \mathit{Router}_1(\mathit{dst}) \equiv \mathit{Router}_2(\mathit{dst})$
Diagram labels: Contract, Logic, Routes
Page 15
Network Reachability
Page 16
Checking beliefs in Dynamic Networks
Figure: example network with nodes A, B and D; the forwarding tables use wildcard patterns such as 10*, 01*, 1** and ***, and one rule rewrites dst[1] := 0.
Which packets can reach B from A?
Datalog is useful for encoding a broad range of queries. We use the term belief for a class of general properties that one may expect to hold of networks. Sample belief: packets flow through a middle-box.
[Lopes, B, Godefroid, Jayaraman, Varghese NSDI’15]
Page 17
Applying NoD to P4_14
[Lopes, Rybalchenko, B, McKeown, Talayco, Varghese]
Diagram: P4 code + Config, fed to NoD
Page 18
Scaling Network Verification using Symmetry and Surgery
[Plotkin, B, Lopes, Rybalchenko, Varghese, POPL 16]
A Theory of Network Dataplanes
- $\mathit{out} : \mathit{Nodes} \to 2^{\mathit{Ports}}$
- $\mathit{Port} := \{\, n.i \mid n \in \mathit{Nodes},\ i \in \mathit{out}(n) \,\}$
- $\mathit{links} : \mathit{Port} \to \mathit{Nodes}$
- $(h@n.i,\ h'@n'.i') \in \mathit{Trans} \subseteq \mathit{Header} \times \mathit{Port} \times \mathit{Header} \times \mathit{Port}$ such that $n' = \mathit{links}(n.i)$, $i' \in \mathit{out}(n')$
A basis for defining bisimulation relations: $h@n.i \sim h'@n'.i'$
Page 19
Scaling Network Verification using Symmetry and Surgery
[Plotkin, B, Lopes, Rybalchenko, Varghese, POPL 16]
A Toolbox of Network Transformations
Example: Replace a core of a network by a single hub:
Page 20
Scaling Network Verification using Symmetry and Surgery
Scaling comprehensive Network Verification
Example: Move rules from B to C if forwarding is the same.
Relies on efficient representation of header equivalence classes.
Page 21
Router Rules, Venn Diagrams, ddNF
Forwarding rules:
1** via port1
*1* via port2
**1 via port3
*** via port2
Figure: Venn diagram of the original guards 1**, *1*, **1 and their intersections 11*, 1*1, *11, 111; the ddNF lattice has *** at the top, then 1**, *1*, **1, then 11*, 1*1, *11, then 111 at the bottom.
[B, Juniwal, Mahajan, Seshia, Varghese MSR-TR]
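Added example, not the ddNF paper's code: closing the guards 1**, *1*, **1, *** under intersection yields the lattice on the slide, each node minus its strictly finer nodes is one header equivalence class, and first-match forwarding sends every header in a class to the same port, so a single witness per class decides its forwarding. The rule set and port names are taken from the slide; the brute-force witness search and the helper names are assumptions that only suit short headers.

```python
def meet(p, q):
    """Intersection of two ternary patterns ('0', '1', '*'); None if disjoint."""
    out = [a if b == "*" else b if a == "*" else a if a == b else None
           for a, b in zip(p, q)]
    return None if None in out else "".join(out)

def subsumes(p, q):
    """True when every header matching q also matches p."""
    return meet(p, q) == q

def lattice(guards):
    """Guards plus the all-wildcard top, closed under intersection (ddNF nodes)."""
    nodes = {"*" * len(guards[0])} | set(guards)
    grown = True
    while grown:
        grown = False
        for p in list(nodes):
            for q in list(nodes):
                m = meet(p, q)
                if m is not None and m not in nodes:
                    nodes.add(m)
                    grown = True
    return nodes

def headers(pattern):
    """All concrete headers matching a short ternary pattern (brute force)."""
    if not pattern:
        return [""]
    bits = "01" if pattern[0] == "*" else pattern[0]
    return [b + r for b in bits for r in headers(pattern[1:])]

def atom(node, nodes):
    """Headers in node but in no strictly finer node: one equivalence class."""
    finer = [s for s in nodes if s != node and subsumes(node, s)]
    return [h for h in headers(node) if not any(subsumes(s, h) for s in finer)]

def forward(rules, header):
    """First-match forwarding over (guard, port) rules in priority order."""
    for guard, port in rules:
        if subsumes(guard, header):
            return port
    return None

def class_ports(rules):
    """Port per non-empty class, decided from one witness: every rule either
    contains the whole class or misses it entirely."""
    nodes = lattice([g for g, _ in rules])
    return {n: forward(rules, atom(n, nodes)[0]) for n in nodes if atom(n, nodes)}

# Forwarding rules taken from the slide, in priority order.
RULES = [("1**", "port1"), ("*1*", "port2"), ("**1", "port3"), ("***", "port2")]
```

`class_ports(RULES)` yields the eight classes of the slide's lattice; the class of *** (only header 000) falls through to the default rule and goes to port2, while the class of **1 (only 001) goes to port3.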
Page 22
Summary
Much is about Configuration Correctness:
• Is intent captured? (SecGuru)
• Usage (NoD + P4)
• Synthesis (Control Plane)
• Bandwidth Use and Provisioning (QNA)
Modern packet switched networks are a good use case for PL + Symbolic Methods