Formal Verification of Computer Switch Networks, Sharad Malik (PowerPoint presentation)


SLIDE 1

Formal Verification of Computer Switch Networks

Sharad Malik; Department of Electrical Engineering; Princeton University (with Shuyuan Zhang (Princeton), Rick McGeer (HP Labs))

SLIDE 2

SDN: So what changes for verification?

- Previously
  - System complexity precluded formal modeling and verification
  - Relied exclusively on testing-based techniques: traceroute, ping, tcpdump, wireshark
- Now
  - Hardware: the switch network is purely hardware (finite state), so hardware verification techniques can be applied
  - Software: centralized control algorithm, easier to analyze
- However
  - Hardware: large network size (switches: from tens to hundreds; rules per switch: from hundreds to thousands)
  - Software: interacts with distributed hardware

SLIDE 3

Hardware Snapshot Verification

- Verify the static network state at a single instant of time
  - A snapshot of a dynamic system
  - Does not consider network performance, e.g. delay, bandwidth, ...
  - Consistency of updates is verified separately: Reitblatt, Foster, Rexford, and Walker. 2011. Consistent updates for software-defined networks: change you can believe in! In Proceedings of the 10th ACM Workshop on Hot Topics in Networks (HotNets-X)
- Rationale
  - Network state changes (rule deletion/addition/change at a switch) [1]: tens of events per second
  - Packet arrival rate: millions of arrivals per second

[1] Gude, N., Koponen, T., Pettit, J., Pfaff, B., Casado, M., McKeown, N., Shenker, S.: "NOX: towards an operating system for networks"

SLIDE 4

Talk Goals/Outline

- Review specific verification efforts
  - Formalisms
  - Modeling
  - Verification tasks
- Emphasis on verification engines
  - Model checking
  - Symbolic simulation
  - SAT-based propositional logic verification
  - With insights on their applicability
- From verification to design synthesis
  - Formal-methods-based optimal synthesis of network components

SLIDE 5

Packet State and System State

- Verification is packet centric
- Packet state = (packet header, packet location) = (h, p)
  - Ignore payload
  - Packet state transitions during network traversal
- State space size
  - Packet header:

    Bit #   0~31     32~63    64~79     80~95     96~103    104~207
    Field   Src IP   Dst IP   Src port  Dst port  Protocol  Src IP', ..., Proto'

  - Packet location: global port ID
    - Stanford campus network: 47 ports, 6-bit encoding

SLIDE 6

Network State

- Switch state
  - Set of rules defining how a packet is processed: Routing Information Base, Forwarding Information Base, Access Control List, Forwarding Table, Configuration Policies, ...
  - Rules are prioritized
  - (figure: a rule matches the packet header, then modifies/routes the packet)
- Network state
  - The combination of all switch states
  - Fixed → snapshot verification

SLIDE 7

Talk Goals/Outline

- Review specific verification efforts
  - Formalisms
  - Modeling
  - Verification tasks
- Emphasis on verification engines
  - Model checking
  - Symbolic simulation
  - SAT-based propositional logic verification
  - With insights on their applicability
- From verification to design synthesis
  - Formal-methods-based optimal synthesis of network components

SLIDE 8

Network Properties

- Reachability checking: check if a packet can always reach B from A. (figure: A → B)
- No forwarding loop: make sure there is no packet that can reach the same switch/port more than once during its lifetime. (figure: a packet returning to B)
- Packet destination control: make sure a packet can/cannot go through certain switches/hosts. (figure: A → B, with the path through C marked X)

SLIDE 9

Slice Isolation

(figure: Slice 1 containing hosts A and B, Slice 2 containing hosts C and D; paths crossing between the slices are marked X) [2]

[2] Kazemian, P., Varghese, G., McKeown, N.: "Header space analysis: static checking for networks"

SLIDE 10

Talk Goals/Outline

- Review specific verification efforts
  - Formalisms
  - Modeling
  - Verification tasks
- Emphasis on verification engines
  - Model checking
  - Symbolic simulation
  - SAT-based propositional logic verification
  - With insights on their applicability
- From verification to design synthesis
  - Formal-methods-based optimal synthesis of network components

SLIDE 11

Model Checking Based Verification

- Transition of packet states
  - Given a packet, FSM-based approaches model how the packet transitions during its lifetime.
  - (figure: the real network with Switches 1 to 4 on the left; the transition model on the right, with packet states (h1, p1), (h2, p2), (h2, p3) and (h2, p4) at times 1 to 3)
- Properties specified using temporal logic formulas
  - CTL: Computation Tree Logic

SLIDE 12

Header Space Analysis: Ternary Symbolic Simulation Implementation

- Can follow a symbolic packet through the network
  - Example: (figure: a symbolic packet * * 1 * enters; Rule 1 and Rule 2 split it into the narrower header-space regions * * 1, 1 1 1 and * 1 1 at successive hops, so that together the regions cover the whole header space)
- Limitation
  - No clean formalism to express/check properties

SLIDE 13

Reachability Analysis

- Packets can reach from A to B
- Model checking based approach
  - CTL property: (p = A) → AF (p = B)
  - AF: along All paths there is some Future state
- Ternary symbolic simulation
  - Follow the symbolic packet along all possible paths

SLIDE 14

Forwarding Loop

- Drop and the outside world are encoded as port IDs
- (figure: a packet is injected at port 1 and travels through ports 1, 2, 3, 4 while the visited set grows: {} → {1} → {1,2} → {1,2,3} → {1,2,3,4}; arriving at a port already in the set flags "Loop!")

SLIDE 15

Packet Destination Control

- Example: all packets from A get to B without reaching C.
  (figure: A → B, with the path via C marked X)
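The three properties of slides 13 to 15 (reachability as (p = A) → AF (p = B), forwarding loops via the visited-port set of slide 14, and destination control) can be checked directly on the finite packet-state graph. The following is an added example, not the talk's tool or any of the cited systems: it builds the transition relation over (h, p) states from a constructed three-switch network with a 4-bit header and global port IDs, computes AF as a least fixpoint, and walks each injected packet with a visited-port set. The port numbers, rule tables, the header rewrite on port 9 and the names A, B, C are all assumptions made for the example.

```python
"""Explicit-state checks of the three slide properties over packet states (h, p).
Added example, not the talk's tool; network, ports and rules are constructed."""
from collections import defaultdict

HEADER_BITS = 4             # toy 4-bit header instead of the 356 OpenFlow matching bits
DROP = "drop"               # drop (and the outside world) encoded as a port ID, as on slide 14
A, B, C = 1, 6, 7           # global port IDs of hosts A, B, C in the constructed network


def matches(pattern, h):
    """Ternary pattern ('0', '1' or 'x' per bit, MSB first) against header value h."""
    bits = format(h, f"0{HEADER_BITS}b")
    return all(c == "x" or c == b for c, b in zip(pattern, bits))


def build_transitions(rules, links):
    """rules: ingress port -> priority-ordered [(pattern, egress port, rewrite)], rewrite None or f(h).
    links: egress port -> ingress port of the neighbour.  Unmatched packets are dropped.
    Returns the packet-state transition relation: (h, p) -> set of next (h, p)."""
    succ = defaultdict(set)
    for p_in, table in rules.items():
        for h in range(2 ** HEADER_BITS):
            out, rw = next(((o, r) for pat, o, r in table if matches(pat, h)), (DROP, None))
            h2 = h if rw is None else rw(h)
            succ[(h, p_in)].add((h2, links.get(out, out)))
    return succ


def af(succ, goal):
    """CTL AF as a least fixpoint: Z = goal OR (has successors AND every successor is in Z)."""
    states = set(succ) | {s for nxt in succ.values() for s in nxt}
    z = {s for s in states if goal(s)}
    while True:
        new = {s for s in states if succ.get(s) and succ[s] <= z}
        if new <= z:
            return z
        z |= new


def reachability_failures(succ, src, dst):
    """Headers h for which (h, src) violates (p = src) -> AF (p = dst), slide 13."""
    ok = af(succ, lambda s: s[1] == dst)
    return sorted(h for h in range(2 ** HEADER_BITS) if (h, src) not in ok)


def forwarding_loops(succ, starts):
    """Slide 14: follow each injected packet with a visited-port set; a loop is a revisit of a
    port, even if the header was rewritten on the way (slide 22's definition)."""
    found = []

    def walk(state, visited):
        if state[1] in visited:
            found.append(state)
            return
        for nxt in succ.get(state, ()):
            walk(nxt, visited | {state[1]})

    for s in starts:
        walk(s, frozenset())
    return sorted(found)


def reachable_ports(succ, state):
    """Ports visited by any forward path from state."""
    seen, stack = set(), [state]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(succ.get(s, ()))
    return {p for _, p in seen}


def destination_violations(succ, src, forbidden):
    """Slide 15: headers injected at src that can reach the forbidden port."""
    return sorted(h for h in range(2 ** HEADER_BITS)
                  if forbidden in reachable_ports(succ, (h, src)))


# Constructed topology with global port IDs: S1 = {1, 2, 9}, S2 = {3, 4, 7, 8}, S3 = {5, 6}.
RULES = {
    1: [("1xxx", 2, None), ("01xx", 2, None)],                    # S1 from host A; 00xx is dropped
    3: [("11xx", C, None), ("10xx", 4, None), ("01xx", 8, None)], # S2: to host C, to S3, or back to S1
    5: [("xxxx", B, None)],                                       # S3: everything to host B
    9: [("xxxx", 2, lambda h: h ^ 1)],                            # S1 from S2: bounce back, flip low bit
}
LINKS = {2: 3, 4: 5, 8: 9}
SUCC = build_transitions(RULES, LINKS)

if __name__ == "__main__":
    print("headers from A violating AF(p = B):", reachability_failures(SUCC, A, B))
    print("loops:", forwarding_loops(SUCC, [(h, A) for h in range(2 ** HEADER_BITS)]))
    print("headers from A that reach C:", destination_violations(SUCC, A, C))
```

In this constructed network the 10xx headers reach B, the 11xx headers are delivered to C (so reachability to B and destination control both fail for them), the 01xx headers bounce between S1 and S2 with the low bit flipped at every pass (a loop found by port revisit, not by header equality), and 00xx is dropped at S1. Note that the fixpoint enumerates every header explicitly; this is exactly the blow-up that BDDs (slide 16) and symbolic simulation (slide 17) avoid.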

SLIDE 16

Experimental Evidence: BDD Based Model Checking

BDD: Binary Decision Diagram

- Scalability: number of variables in the transition relation
  - Header bits: OpenFlow v1.1 → 15 matching fields → 356 matching bits
  - Network size: 47 ports (as in the Stanford campus network) → 6 bits
- Experimental results:
  - ConfigChecker: 111 header bits + (largest) 4000 nodes
  - Atomic Update: 64 header bits + hundreds of switches + hundreds of thousands of rules → over an hour
- Why does this even work?
  - Space: the largest part of the system is the rules, but BDD variables are needed only for the packet state bits (figure: packet state → transition rules → packet state)
  - Time: shallow transition systems; packets go through relatively few hops.

SLIDE 17

Experimental Evidence: Ternary Symbolic Simulation

- Potential difficulty:
  - Packet: h; H2 = (h - k1), H3 = (H2 - k2), ..., Hn = (Hn-1 - kn-1)
  - The operation "-" is expensive in ternary symbolic simulation: it is equivalent to DNF complementation.
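To make the transfer functions of slide 12 and the cost of the "-" operation on slide 17 concrete, here is an added example (not the Header Space Analysis tool itself) of ternary symbolic simulation over header strings with '0', '1' and 'x'. It propagates a symbolic packet through prioritized rule tables, subtracting each higher-priority match from the header space before the next rule sees it, and it shows that subtracting a single fully specified cube from a wildcard cube yields one cube per fixed bit, which is where the DNF-complementation blow-up of the subtraction chain comes from. The network, the rule tables and the rewrite-mask convention are assumptions made for the example.

```python
"""Ternary symbolic simulation of a header-space packet (added example, not the HSA tool).
A header is a string over {'0', '1', 'x'} (a cube); a header space is a list of cubes."""

A, B, C = 1, 6, 7   # global port IDs of the hosts in the constructed network


def intersect(a, b):
    """Cube intersection, or None if the cubes are disjoint."""
    out = []
    for p, q in zip(a, b):
        if p == "x":
            out.append(q)
        elif q == "x" or q == p:
            out.append(p)
        else:
            return None
    return "".join(out)


def difference(cubes, b):
    """Header space minus cube b.  For a cube a that overlaps b, a - b is one cube per bit
    where a is 'x' and b is fixed (that bit flipped, earlier bits narrowed to b).  This is the
    expensive step of slide 17: a single fully specified b turns one cube into len(b) cubes."""
    out = []
    for a in cubes:
        if intersect(a, b) is None:
            out.append(a)
            continue
        for i, (p, q) in enumerate(zip(a, b)):
            if p == "x" and q != "x":
                out.append(a[:i] + ("0" if q == "1" else "1") + a[i + 1:])
                a = a[:i] + q + a[i + 1:]        # keep narrowing; what is left equals a AND b
    return out


def apply_table(hs, table):
    """Transfer function of one ingress port.  table is priority-ordered (match cube, egress port,
    rewrite mask); the mask sets bits that are '0'/'1' and keeps bits that are 'x' (a constructed
    convention).  Returns ([(cube, egress port)], [dropped cubes])."""
    results, remaining = [], list(hs)
    for match, out, mask in table:
        for c in remaining:
            hit = intersect(c, match)
            if hit is not None:
                results.append(("".join(m if m != "x" else h for h, m in zip(hit, mask)), out))
        remaining = difference(remaining, match)  # lower-priority rules only see what is left
    return results, remaining


def propagate(cube, port, rules, links):
    """Follow the symbolic packet along all possible paths (slide 13).  Ports without a table are
    host ports where a trajectory ends.  Returns reached/dropped cubes per port and any loops."""
    res = {"reached": {}, "dropped": {}, "loops": []}
    stack = [(cube, port, (port,))]
    while stack:
        c, p, path = stack.pop()
        if p not in rules:
            res["reached"].setdefault(p, []).append(c)
            continue
        outs, dropped = apply_table([c], rules[p])
        if dropped:
            res["dropped"].setdefault(p, []).extend(dropped)
        for c2, out in outs:
            nxt = links.get(out, out)
            if nxt in path:                       # same port twice: forwarding loop
                res["loops"].append((c2, path + (nxt,)))
            else:
                stack.append((c2, nxt, path + (nxt,)))
    return res


def subtract_chain(start, ks):
    """H1 = start, H(n+1) = Hn - kn as on slide 17; returns the cube count after each step."""
    hs, sizes = [start], []
    for k in ks:
        hs = difference(hs, k)
        sizes.append(len(hs))
    return sizes


# Constructed three-switch network: S1 ingress 1 -> egress 2 -> S2 ingress 3 -> egress 4 -> S3 ingress 5.
RULES = {
    1: [("1xxx", 2, "xxxx"), ("01xx", 2, "xxxx")],          # 00xx has no rule: dropped at S1
    3: [("11xx", C, "xxxx"), ("1xxx", 4, "xxx1")],          # 11xx to host C; other 1xxx to S3, low bit set
    5: [("xxxx", B, "xxxx")],                               # everything to host B
}
LINKS = {2: 3, 4: 5}

if __name__ == "__main__":
    print(propagate("xxxx", A, RULES, LINKS))
    print("cubes after H - k1, then - k2:", subtract_chain("xxxxxxxx", ["10101010", "01010101"]))
```

Starting from the fully wildcarded packet at A, the simulation ends with the single cube 10x1 at B and 11xx at C, with 00xx dropped at S1 and 01xx dropped at S2: the whole header space is accounted for by a handful of cubes, which is the "few trajectories" observation of slide 18. The subtraction chain on an 8-bit header goes from one cube to 8 and then 14 cubes after two subtractions, and each further fully specified k adds roughly one cube per wildcard bit of every cube it overlaps.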

SLIDE 18

Experimental Evidence: Ternary Symbolic Simulation

- Experimental result:
  - Stanford campus network: 2 backbone routers + 14 zone routers + 10 switches
  - Number of forwarding rules after compression: 4,200 (originally 757,000)
  - Loop detection on 30 ports: 560 seconds
- Why does this even work?
  - Shallow transition system: a packet reaches its destination in a few hops.
  - Rule overlaps are small → limited number of packet trajectories
  - Exploited in incremental verification: Khurshid, Zhou, Caesar, and Godfrey. 2012. VeriFlow: verifying network-wide invariants in real time. HotSDN '12

SLIDE 19

Talk Goals/Outline

- Review specific verification efforts
  - Formalisms
  - Modeling
  - Verification tasks
- Emphasis on verification engines
  - Model checking
  - Symbolic simulation
  - SAT-based propositional logic verification
  - With insights on their applicability
- From verification to design synthesis
  - Formal-methods-based optimal synthesis of network components

SLIDE 20

From Model Checking to SAT

- Model checking vs. SAT
  - Model checking sits higher in the complexity hierarchy
- Ternary symbolic simulation
  - Properties are hard to specify
  - Book-keeping overhead (e.g. checking for a forwarding loop)
- Can we model the network as a combinational circuit?
  - Propositional logic model → SAT-based property checking

SLIDE 21

SAT Based Verification: An Overview

- Split each bidirectional link into two unidirectional links
- A switch can then be modeled as acyclic combinational logic
- Use traditional hardware verification techniques (figure: network → SAT formula)

SLIDE 22

Encoding Property: Find A Forwarding Loop

- Forwarding loop: the same packet shows up at the same switch twice, not necessarily with the same header
- Assumption: there is a packet entering the network
- Constraints: no packet gets out; no packet is dropped
- Return: SAT → a forwarding loop was found; UNSAT → no forwarding loop

SLIDE 23

Encoding Property: Reachability Checking

- Example property: packets with format h = 10xx... will always get to B from A.
- Constraints: a packet with h = 10xx... enters the network at port A; no packet shows up at port B
- Return: SAT → reachability fails; UNSAT → reachability holds
  (figure: header h injected at Port A, observed at Port B)

SLIDE 24

Preliminary Results

Forwarding loop
- Waxman topology, 10 switches + 1000 hosts
- Policy: shortest path between certain port pairs
- Property: check if there is a forwarding loop.
- 200 switches + 1000 hosts + 300,000 rules → 11 minutes
- 200 switches + 1000 hosts + 750,000 rules → 3 hours and 48 minutes
- 200 switches + 1000 hosts + 2,700,000 rules → ran out of memory

(figure: time in seconds, 10 to 100, versus number of rules, 10,000 to 200,000, for the SAT formulation and for Atomic Update [5])

[5] Reitblatt, M., et al.: "Abstractions for network update"

SLIDE 25

SAT Based Firewall Verification

- Firewall: input is an incoming packet; output is an "accept" or "reject" action
- Firewall encoding: (figure: the packet bits feed Rule #1, Rule #2, ..., Rule #n in priority order; each rule's match (e.g. 10X) is combined with a "previous match" signal so that only the first matching rule decides Permit or Reject)

SLIDE 26

Firewall Equivalence Check

- Feed the same input to the two firewalls and check if the two outputs can differ.
  (figure: one input packet fed to Firewall 1 and Firewall 2; their Permit/Reject outputs i1 and i2 are compared with i1 != i2)
- Experimental result: ClassBench used for firewall generation

SLIDE 27

Firewall Inclusion Check

- Feed the same input to the two firewalls and check whether some packet is permitted by one firewall but rejected by the other, i.e. whether one firewall's permitted set is included in the other's.
  (figure: one input packet fed to Firewall 1 and Firewall 2; Permit/Reject outputs i1 and i2)
- Experimental result: ClassBench used for firewall generation

SLIDE 28

Firewall Redundancy Removal

- Single rule redundancy checking
  - Delete the rule and check the equivalence of the new firewall with the old one
  - If they are equivalent, delete the rule
- Sequentially iterate over all rules

(figure: redundancy (0% to 90%) and execution time (0 to 6000 seconds) versus number of rules, for firewalls of 130, 286, 438, 702, 887, 1007, 1135, 1355, 1753 and 1932 rules)
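The encoding of slide 25 and the three checks of slides 26 to 28 can be run end to end with a small propositional toolchain. The following added example (not the talk's code; a real run would hand the same CNF to MiniSat or another off-the-shelf solver instead of the DPLL routine here) Tseitin-encodes a prioritized rule list with the "previous match" chain, then answers equivalence (can the two permit outputs differ?), inclusion (does A permit a packet that B rejects?) and sequential single-rule redundancy removal with SAT queries. The packet width, the rule sets and the default-reject convention are assumptions made for the example.

```python
"""SAT-based firewall equivalence, inclusion and redundancy checks (added example, not the
talk's tool).  A small Tseitin encoder and DPLL solver keep it standard-library only."""

WIDTH = 8   # constructed toy packet: 8 header bits (e.g. 4 bits of source, 4 of destination)


class Cnf:
    """Collects clauses; each gate returns a fresh variable constrained to equal the gate output."""
    def __init__(self):
        self.nvars, self.clauses = 0, []

    def var(self):
        self.nvars += 1
        return self.nvars

    def AND(self, lits):                       # o <-> AND(lits); AND([]) is true
        o = self.var()
        for l in lits:
            self.clauses.append([-o, l])
        self.clauses.append([o] + [-l for l in lits])
        return o

    def OR(self, lits):                        # o <-> OR(lits); OR([]) is false
        o = self.var()
        for l in lits:
            self.clauses.append([o, -l])
        self.clauses.append([-o] + list(lits))
        return o


def simplify(clauses, lit):
    """Assign lit true: drop satisfied clauses, shrink the rest; None if a clause becomes empty."""
    out = []
    for c in clauses:
        if lit in c:
            continue
        if -lit in c:
            c = [l for l in c if l != -lit]
            if not c:
                return None
        out.append(c)
    return out


def dpll(clauses, assign=None):
    """Return a satisfying assignment {var: bool} or None (UNSAT)."""
    assign = dict(assign or {})
    while clauses:                              # unit propagation to a fixpoint
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
        clauses = simplify(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return assign
    lit = clauses[0][0]                         # branch on the first remaining literal
    for choice in (lit, -lit):
        rest = simplify(clauses, choice)
        if rest is not None:
            model = dpll(rest, {**assign, abs(choice): choice > 0})
            if model is not None:
                return model
    return None


def encode_firewall(cnf, pkt, rules):
    """Slide 25 encoding: rule i fires iff it matches and no earlier rule matched (prev-match chain).
    rules: priority-ordered (ternary pattern over pkt bits, 'permit' | 'reject'); default reject.
    Returns the literal that is true iff the packet is permitted."""
    prev, permits = None, []
    for pattern, action in rules:
        match = cnf.AND([pkt[i] if c == "1" else -pkt[i] for i, c in enumerate(pattern) if c != "x"])
        fires = match if prev is None else cnf.AND([match, -prev])
        if action == "permit":
            permits.append(fires)
        prev = match if prev is None else cnf.OR([prev, match])
    return cnf.OR(permits)


def _witness(build):
    """Assert the literal returned by build(cnf, pkt); return a witness packet or None (UNSAT)."""
    cnf = Cnf()
    pkt = [cnf.var() for _ in range(WIDTH)]
    cnf.clauses.append([build(cnf, pkt)])
    model = dpll(cnf.clauses)
    return None if model is None else "".join("1" if model.get(v) else "0" for v in pkt)


def differ(rules_a, rules_b):
    """Equivalence check (slide 26): a packet permitted by exactly one firewall, or None."""
    def build(cnf, pkt):
        a, b = encode_firewall(cnf, pkt, rules_a), encode_firewall(cnf, pkt, rules_b)
        return cnf.OR([cnf.AND([a, -b]), cnf.AND([-a, b])])
    return _witness(build)


def leaks(rules_a, rules_b):
    """Inclusion check (slide 27): a packet that A permits but B rejects, or None if A's permits
    are included in B's."""
    return _witness(lambda cnf, pkt: cnf.AND([encode_firewall(cnf, pkt, rules_a),
                                              -encode_firewall(cnf, pkt, rules_b)]))


def remove_redundant(rules):
    """Slide 28: drop each rule in turn and keep the deletion if the firewall stays equivalent."""
    kept, i = list(rules), 0
    while i < len(kept):
        trial = kept[:i] + kept[i + 1:]
        if differ(kept, trial) is None:
            kept = trial
        else:
            i += 1
    return kept


# Constructed rule sets (first match wins, default reject).
RULES_A = [("1010xxxx", "reject"),   # block one source prefix
           ("10xxxxxx", "permit"),   # allow the rest of the 10xx sources
           ("1010xxxx", "permit"),   # shadowed by rule 1: redundant
           ("xxxxxxxx", "reject")]   # explicit default: redundant
RULES_B = [("10xxxxxx", "permit")]

if __name__ == "__main__":
    print("A vs B differ on:", differ(RULES_A, RULES_B))          # a 1010xxxx packet
    print("A permits but B rejects:", leaks(RULES_A, RULES_B))    # None: A's permits are within B's
    print("B permits but A rejects:", leaks(RULES_B, RULES_A))    # a 1010xxxx packet
    print("A after redundancy removal:", remove_redundant(RULES_A))
```

The same encoder serves all three checks; only the top-level constraint changes, which is the point of slide 20: once the rule list is a combinational circuit, each property is one SAT query and a SAT answer is a concrete counterexample packet. Redundancy removal is quadratic in the rule count because every deletion triggers a fresh equivalence query, which matches the execution-time curve on slide 28.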

SLIDE 29

Other SAT Formulations: Anteater [6]

(figure: switches A, B, C)

[6] Mai, H., Khurshid, A., Agarwal, R., Caesar, M., Godfrey, P.B., King, S.T.: "Debugging the data plane with anteater"

SLIDE 30

Property Checking for Anteater

(figure: the A, B, C topology alongside a variant that adds a copy A' of A)

SLIDE 31

Talk Goals/Outline

- Review specific verification efforts
  - Formalisms
  - Modeling
  - Verification tasks
- Emphasis on verification engines
  - Model checking
  - Symbolic simulation
  - SAT-based propositional logic verification
  - With insights on their applicability
- From verification to design synthesis
  - Formal-methods-based optimal synthesis of network components

SLIDE 32

Firewall Synthesis

- Given: a firewall spec mapping each packet X = {x1, x2, x3, ...} to Permit or Reject
- Symbolic firewall with k rules and symbolic rule variables R = {r1, r2, r3, ...}: f(x, r) → Permit or Reject
- Feed the same packet to the spec and to the symbolic firewall and constrain i1 != i2; solve using a QBF solver for rule variables r such that for all packets x the two outputs agree
- Current QBF solvers don't scale

SLIDE 33

Wrap Up

- Summary
  - Reviewed emerging symbolic simulation / model checking / SAT based approaches.
- Challenges
  - Speed
    - Ternary symbolic simulation: 10 switches + 2 backbone routers, a total of 4,200 forwarding rules (after compression) → 10 minutes.
    - Model checking based (using NuSMV): hundreds of switches + hundreds of thousands of rules → over an hour.
    - Current SAT-based propositional property checking: similar in scale
  - What we need:
    - Verification between two network updates → continuous verification
    - Explore incremental verification techniques
- Network application verification
  - Opportunities for tailored software verification techniques

SLIDE 34

References

[1] Gude, N., Koponen, T., Pettit, J., Pfaff, B., Casado, M., McKeown, N., Shenker, S.: "NOX: towards an operating system for networks"
[2] Kazemian, P., Varghese, G., McKeown, N.: "Header space analysis: static checking for networks"
[3] Al-Shaer, E., Marrero, W., El-Atawy, A., ElBadawi, K.: "Network configuration in a box: towards end-to-end verification of network reachability and security"
[4] Al-Shaer, E., Al-Haj, S.: "FlowChecker: configuration analysis and verification of federated OpenFlow infrastructures"
[5] Reitblatt, M., Foster, N., Rexford, J., Schlesinger, C., Walker, D.: "Abstractions for network update"
[6] Mai, H., Khurshid, A., Agarwal, R., Caesar, M., Godfrey, P.B., King, S.T.: "Debugging the data plane with anteater"