VeriCon: Towards Verifying Controller Programs in SDNs
(PLDI 2014)
Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv,
Michael Schapira, Asaf Valadarsky
Traditional Computer Networks
Data plane: packet streaming
Control plane: distributed algorithms
New Paradigm: Software Defined Networking (SDN)
API to the data plane (e.g., OpenFlow)
Logically-centralized control in software: smart but slow software
Switches: dumb but fast hardware
Controller: Programmability
Controller
Events from switches: topology changes, traffic statistics, arriving packets
Commands to switches: (un)install rules, query statistics
APP APP APP
Desired Network Properties
• Routing – no forwarding loops, no black holes, …
• Security – ACL, firewall, middleboxes, …
• Traffic Engineering – load balancing, VM migration, …
• …
How can we guarantee such properties?
Traditional Networks vs. SDN
• Guaranteeing these properties in a traditional network is nearly impossible
  – Switch / router code is a “black box”
  – Protocols are distributed across devices
• SDN opens up the possibility of applying formal software verification to networks!
  – Accessible code
  – Centralized control
Existing Approaches
• Finite-state model checking – e.g., NICE & Verificare
• Analyzing network snapshots – e.g., HSA
• Run-time checks – e.g., VeriFlow & NetPlumber
Might miss bugs!
Discover bugs too late & run-time overhead
Dream Scenario
• Verify network-wide properties at compile time
  – Find violations before they occur!
• Provable verification
  – Prove correctness for correct programs
  – Find a counterexample for incorrect programs (useful for debugging)
The VeriCon Tool
Inputs: Controller Code (P), Desired Properties, Restrictions on Topology (T)
→ Verification Conditions Generator (conditions over T and P)
→ SAT Solver
→ Output: Counterexample or Proof
Running Times – Correct Programs

| Program | Description | Time to prove (seconds) |
|---|---|---|
| Firewall | A basic firewall abstraction. | 0.11 |
| MigFirewall | Firewall supporting migration of “safe” hosts. | 0.12 |
| Learning | A simple learning switch. | 0.14 |
| Resonance | Access control for host authentication in enterprises. | 0.18 |
| Stratos | Forwarding traffic through a sequence of middleboxes. | 0.09 |
Running Times – Incorrect Programs

| Program | Description | Time to disprove (seconds) |
|---|---|---|
| Firewall-Bug 1 | Forgot to check if packets in port 2 are from a trusted location. | 0.13 |
| Firewall-Bug 2 | Forgot to add the definition for a “trusted host”. | 0.09 |
| Learning-Bug 3 | Forgot to forward the packets. | 0.15 |
| Resonance-Bug 1 | Forgot to define that the states a host could be at are mutually exclusive. | 0.07 |
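As an added example (not code from the paper or the slides), a bounded explicit-state check of the firewall property behind Firewall-Bug 1: the correct handler forwards a port-2 packet only when its source was earlier marked trusted by outbound traffic, while the buggy handler omits that check, and the checker returns the shortest event trace that forwards an untrusted port-2 packet. The two-port layout, the host names and the handler signatures are assumptions; unlike VeriCon, which proves the property for unbounded topologies through a first-order-logic encoding, this only enumerates a small finite space, so a pass here is not a proof.

```python
# Added example, not from VeriCon: a bounded explicit-state check for the
# firewall property "a packet arriving on port 2 is forwarded only if its
# source host is trusted". Port 1 is the assumed internal (trusted) side,
# port 2 the assumed external side; host names are constructed.
from itertools import product

INTERNAL_HOSTS = ("int1",)            # constructed hosts behind port 1
EXTERNAL_HOSTS = ("ext1", "ext2")     # constructed hosts behind port 2

def correct_firewall(trusted, pkt):
    """Port 1 -> 2: forward and mark the destination as trusted.
    Port 2 -> 1: forward only if the source was already trusted.
    Returns (new_trusted_set, forwarded)."""
    port, src, dst = pkt
    if port == 1:
        return trusted | {dst}, True
    return trusted, src in trusted

def buggy_firewall(trusted, pkt):
    """Firewall-Bug 1 from the slides: the trusted check on port 2 is missing,
    so every packet is forwarded regardless of its source."""
    port, src, dst = pkt
    if port == 1:
        return trusted | {dst}, True
    return trusted, True

def all_packets():
    """Every packet event possible in the constructed two-port topology."""
    yield from ((1, s, d) for s in INTERNAL_HOSTS for d in EXTERNAL_HOSTS)
    yield from ((2, s, d) for s in EXTERNAL_HOSTS for d in INTERNAL_HOSTS)

def find_violation(handler, max_events=3):
    """Explore every event trace up to max_events and return the shortest one
    in which the handler forwards a port-2 packet from an untrusted source,
    or None if no such trace exists within the bound (not a proof)."""
    events = list(all_packets())
    for length in range(1, max_events + 1):
        for trace in product(events, repeat=length):
            trusted = frozenset()
            for pkt in trace:
                before = trusted
                trusted, forwarded = handler(trusted, pkt)
                if forwarded and pkt[0] == 2 and pkt[1] not in before:
                    return trace           # counterexample, as VeriCon would report
    return None

if __name__ == "__main__":
    print("correct:", find_violation(correct_firewall))   # None within the bound
    print("buggy:  ", find_violation(buggy_firewall))     # one-event counterexample
```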
VeriCon: Challenges and Solutions
• Programmer must specify properties in first-order logic
  – We build a tool that infers formulas for SDN programs
  – Future research: static analysis
• SDN programs must be coded in a specific language (CSDN)
  – VeriCon can be extended to support Java, Python, etc.
• SAT solver might not terminate!
  – SDN programs considered are in a sub-family of FOL
  – … solver termination guaranteed!
• VeriCon assumes atomicity of events
  – “Existing” solutions
  – Future research: verify stronger properties
Summary
• SDN opens up the possibility for applying formal verification to networks
• VeriCon is the first system to provably verify SDN programs at compile time
  – for unbounded topology, number of packets, etc.
Thank You