
Formal Verification of Computer Switch Networks, Sharad Malik (PowerPoint presentation)



1. Formal Verification of Computer Switch Networks
   Sharad Malik, Department of Electrical Engineering, Princeton University
   (with Shuyuan Zhang (Princeton), Rick McGeer (HP Labs))

2. SDN: So what changes for verification?
   - Previously
     - System complexity precluded formal modeling and verification
     - Relied exclusively on testing-based techniques: traceroute, ping, tcpdump, wireshark
   - Now
     - Hardware: the switch network is purely hardware (finite state), so hardware verification techniques can be applied
     - Software: centralized control algorithm, easier to analyze
   - However
     - Hardware: large network size; switches from tens to hundreds; rules per switch from hundreds to thousands
     - Software: interacts with distributed hardware

3. Hardware Snapshot Verification
   - Verify the static network state at a single instant of time: a snapshot of a dynamic system
   - Do not consider network performance, e.g. delay, bandwidth, ...
   - Verify consistency of updates separately: Reitblatt, Foster, Rexford, and Walker. 2011. Consistent updates for software-defined networks: change you can believe in! In Proceedings of the 10th ACM Workshop on Hot Topics in Networks (HotNets-X)
   - Rationale
     - Network state change (rule deletion/addition/change at a switch) [1]: tens of events per second
     - Packet arrival rate: millions of arrivals per second
   [1] Gude, N., Koponen, T., Pettit, J., Pfaff, B., Casado, M., McKeown, N., Shenker, S.: "NOX: towards an operating system for networks"

4. Talk Goals/Outline
   - Review specific verification efforts
     - Formalisms
     - Modeling
     - Verification tasks
   - Emphasis on verification engines
     - Model checking
     - Symbolic simulation
     - SAT-based propositional logic verification
     - With insights on their applicability
   - From verification to design synthesis
     - Formal methods based optimal synthesis of network components

5. Packet State vs. System State
   - Verification is packet centric
   - Packet state = (packet header, packet location) = (h, p); the payload is ignored
   - The packet state transitions during network traversal
   - State space size
     - Packet header:
       Bit #  | 0~31   | 32~63  | 64~79    | 80~95    | 96~103   | 104~207
       Field  | Src IP | Dst IP | Src port | Dst port | Protocol | Src IP', ..., Proto'
     - Packet location: global port ID; Stanford campus network: 47 ports, 6-bit encoding

6. Network State
   - Switch state: the set of rules defining how a packet is processed
     - Routing Information Base, Forwarding Information Base, Access Control List, Forwarding Table, Configuration Policies, ...
     - Rules are prioritized
     [Figure: a rule matches packets on their header, then modifies/routes the packet]
   - Network state: the combination of all switch states
     - Fixed → snapshot verification


8. Network Properties
   - Reachability checking: check if a packet can always reach B from A.
   - No forwarding loop: make sure there is no packet that can reach the same switch/port more than once during its lifetime.
   - Packet destination control: make sure a packet can/cannot go through certain switches/hosts.
   [Figures: A → B; a packet returning to a switch it already visited; A → B with C marked X]

9. Slice Isolation [2]
   [Figure: Slice 1 (A, B) and Slice 2 (C, D); traffic crossing between slices is marked X]
   [2] Kazemian, P., Varghese, G., McKeown, N.: "Header space analysis: static checking for networks"


11. Model Checking Based Verification
   - Transition of packet states: given a packet, FSM-based approaches model how the packet transitions during its lifetime.
     [Figure: real network of Switch 1..4 next to its transition model: Time 1 (h1, p1) → Time 2 (h2, p2) → Time 3 (h2, p3) or (h2, p4)]
   - Properties are specified using temporal logic formulas: CTL (Computation Tree Logic)

12. Header Space Analysis: Ternary Symbolic Simulation Implementation
   - Can follow a symbolic packet through the network
   - Example: [Figure: the whole header space (* * *) is partitioned by Rule 1 and Rule 2 into wildcard regions such as 1 0 *, 0 0 0 and 1 1 *]
   - Limitation: no clean formalism to express/check properties

13. Reachability Analysis
   - Packets can reach from A to B
   - Model checking based approach: CTL property (p=A) → AF (p=B), where AF means "Along All paths, in some Future state"
   - Ternary symbolic simulation: follow the symbolic packet along all possible paths

14. Forwarding Loop
   - drop and the outside world are encoded as some port ID
   [Figure: inject packet at port 1 with Visit:{} → Visit:{1} → port 2, Visit:{1,2} → port 3, Visit:{1,2,3} → port 4, Visit:{1,2,3,4} → back to port 1: Loop!]

15. Packet Destination Control
   - Example: all packets from A get to B without reaching C. [Figure: A → B, with C marked X]
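As an added example that is not part of the slides, the following Python walks packet states (h, p) through a small constructed network the way slides 11, 13, 14 and 15 describe: the transition relation is derived from per-switch prioritized rules, the forwarding-loop check keeps the visit set of the loop slide, and drop and the hosts are encoded as ordinary port ids. Topology, rule tables and port names are assumptions; headers are reduced to a destination id.

```python
# Sink locations: hosts B and C plus "drop" are encoded as ordinary port ids.
SINKS = {"B", "C", "drop"}
# Constructed sample network: A - S1 - S2 - S3 - B, C hanging off S1, and a
# back-link S3:3 -> S2:1 that the rules use for dst 2 (so dst 2 loops).
LINKS = {"A": "S1:1", "S1:2": "S2:1", "S1:3": "C", "S2:2": "S3:1",
         "S3:2": "B", "S3:3": "S2:1"}
# Per-switch prioritized rules: (dst to match, None = any) -> output port.
RULES = {"S1": [(1, "S1:2"), (2, "S1:2"), (3, "S1:3"), (None, "drop")],
         "S2": [(1, "S2:2"), (2, "S2:2"), (None, "drop")],
         "S3": [(1, "S3:2"), (2, "S3:3"), (None, "drop")]}

def step(h, p):
    """Transition relation on packet states: the next (h, p), or None at a sink."""
    if p in SINKS:
        return None
    if ":" not in p:                    # source host: packet enters on its link
        return (h, LINKS[p])
    switch = p.split(":")[0]
    for dst, out in RULES[switch]:      # first matching rule wins
        if dst is None or dst == h:
            return (h, LINKS.get(out, out))   # "drop" has no link to follow
    return (h, "drop")                  # no rule: the switch drops the packet

def trajectory(h, start):
    """Ports visited by header h injected at start, as on the loop slide:
    stop at a sink, or as soon as a port repeats (forwarding loop)."""
    visited, p = [], start
    while p not in visited:
        visited.append(p)
        nxt = step(h, p)
        if nxt is None:
            return visited, False
        p = nxt[1]
    return visited, True                # p already in the visit set: loop

def check(h, src="A", dst="B", forbidden="C"):
    """(reaches dst on every path, has a loop, never passes forbidden).
    Rules are first-match, so one header has one path and AF (p=dst)
    reduces to checking where that single path ends."""
    path, loop = trajectory(h, src)
    return (path[-1] == dst and not loop, loop, forbidden not in path)

def verify(headers):
    """Snapshot check over a set of injected headers; a dst value that no
    rule names stands in for 'any other header'."""
    return {h: check(h) for h in headers}
```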

16. Experimental Evidence: BDD Based Model Checking (BDD: Binary Decision Diagram)
   - Scalability: # of variables in the transition relation
     - Header bits: OpenFlow v1.1 → 15 matching fields → 356 matching bits
     - Network size: 47 ports (as in the Stanford campus) → 6 bits
   - Experimental result:
     - ConfigChecker: 111 bits for header + (largest) 4000 nodes
     - Atomic Update: 64-bit header + hundreds of switches + hundreds of thousands of rules → over an hour
   - Why does this even work?
     - Space: the largest part of the system is the rules; BDD variables are needed only for the packet state bits [Figure: packet state → transition rules → packet state]
     - Time: shallow transition systems; packets go through relatively few hops.

17. Experimental Evidence: Ternary Symbolic Simulation
   - Potential difficulty: for a packet h, H_2 = (h - k_1), H_3 = (H_2 - k_2), ..., H_n = (H_{n-1} - k_{n-1})
   - The operation "-" is expensive in ternary symbolic simulation: it is equivalent to DNF complementation.
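The following Python is an added example, not code from the slides or from the Header Space Analysis tool, of the ternary symbolic simulation of slide 12 and of the "-" operation of this slide: a symbolic header is a string over {0, 1, *}, a rule table is walked in priority order, and the part of the header space a higher-priority rule takes is subtracted with difference(), whose one-term-per-concrete-bit case split is the DNF complementation cost. The rule table and 4-bit header width are constructed.

```python
def intersect(a, b):
    """Intersection of two wildcard headers, or None if they are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x == '*':
            out.append(y)
        elif y == '*' or x == y:
            out.append(x)
        else:
            return None
    return ''.join(out)

def difference(h, k):
    """h - k: the part of h that pattern k does not match, as disjoint wildcard
    headers. One term per concrete bit of k that h leaves open: this case
    split is the DNF complementation that makes '-' expensive."""
    if intersect(h, k) is None:
        return [h]                     # k matches nothing in h
    terms, prefix = [], list(h)
    for i, bit in enumerate(k):
        if bit != '*' and h[i] == '*':
            term = prefix[:]           # agree with k on earlier bits ...
            term[i] = '1' if bit == '0' else '0'   # ... differ at bit i
            terms.append(''.join(term))
            prefix[i] = bit            # later terms agree with k here too
    return terms

def apply_rule(h, rule):
    """rule = (match, rewrite, out_port); a '*' in rewrite keeps the input bit."""
    match, rewrite, port = rule
    m = intersect(h, match)
    if m is None:
        return None
    return ''.join(b if r == '*' else r for r, b in zip(rewrite, m)), port

def simulate(h, rules):
    """Push symbolic header h through a priority-ordered rule table; each rule
    sees only the header space left over by the higher-priority rules."""
    hits, remaining = [], [h]
    for rule in rules:
        nxt = []
        for r in remaining:
            hit = apply_rule(r, rule)
            if hit is None:
                nxt.append(r)
            else:
                hits.append(hit)
                nxt.extend(difference(r, rule[0]))   # carve out what rule took
        remaining = nxt
    return hits, remaining             # remaining: header space no rule matched

# Constructed table: rule 1 rewrites the last bit -> port 2; rule 2 catch-all for 1*** -> port 3
RULES = [("1*0*", "***1", 2), ("1***", "****", 3)]
```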

18. Experimental Evidence: Ternary Symbolic Simulation
   - Experimental result: Stanford campus network
     - 2 backbone routers + 14 zone routers + 10 switches
     - # of forwarding rules after compression: 4,200 (originally 757,000)
     - Loop detection on 30 ports: 560 seconds
   - Why does this even work?
     - Shallow transition system: a packet reaches its destination in a few hops.
     - Rule overlaps are small
     - Limited number of packet trajectories; exploited in incremental verification: Khurshid, Zhou, Caesar, and Godfrey. 2012. VeriFlow: verifying network-wide invariants in real time. HotSDN '12


20. From Model Checking to SAT
   - Model checking vs. SAT: model checking is higher in the complexity hierarchy
   - Ternary symbolic simulation: properties are hard to specify; book-keeping overhead (e.g. checking for a forwarding loop)
   - Can we model the network as a combinational circuit?
     - Propositional logic model
     - SAT-based property checking

21. SAT Based Verification: An Overview
   - Split one bidirectional link into two unidirectional links
   - A switch can be modeled as acyclic combinational logic
   - Use traditional hardware verification techniques. [Figure: network → SAT formula]
