scalable verification of stateful networks
play

Scalable Verification of Stateful Networks Aurojit Panda, Ori - PowerPoint PPT Presentation

Nov 28, 2023 •508 likes •1.31k views

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, TAU, ICSI Roadmap Why consider stateful networks? The current state of stateful network verification?

  1. Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, TAU, ICSI

  2. Roadmap • Why consider stateful networks? • The current state of stateful network verification? • VMN: Our system for verifying stateful networks. • Scaling verification.

  3. Why consider stateful networks?

  4. Network State Increasingly Common • 1/3rd of deployed network devices are middleboxes • These are typically stateful (e.g., firewalls, caches, etc.) • NFV will only make these more common

  5. Network State Increasingly Common • 1/3rd of deployed network devices are middleboxes • These are typically stateful (e.g., firewalls, caches, etc.) • NFV will only make these more common • Later in this conference: stateful programming for P4 switches. • SNAP: Stateful Network-Wide Abstractions for Packet Processing

  6. Network State Increasingly Common • 1/3rd of deployed network devices are middleboxes • These are typically stateful (e.g., firewalls, caches, etc.) • NFV will only make these more common • Later in this conference: stateful programming for P4 switches. • SNAP: Stateful Network-Wide Abstractions for Packet Processing • Bottomline: Stateful is increasingly relevant.

  7. Verification Checks Invariants • We look at Reachability/Isolation invariants (same as stateless verification)

  8. Verification Checks Invariants • We look at Reachability/Isolation invariants (same as stateless verification) • Packets from host A cannot reach host B

  9. Verification Checks Invariants • We look at Reachability/Isolation invariants (same as stateless verification) • Packets from host A cannot reach host B • But statefulness raises some important issues:

  10. Verification Checks Invariants • We look at Reachability/Isolation invariants (same as stateless verification) • Packets from host A cannot reach host B • But statefulness raises some important issues: • Invariants include temporal aspects.

  11. Verification Checks Invariants • We look at Reachability/Isolation invariants (same as stateless verification) • Packets from host A cannot reach host B • But statefulness raises some important issues: • Invariants include temporal aspects. • Storing state can result in spooky action at a distance.

  12. Temporal Invariants User 0 Server 0 Firewall deny server* user* Server 1 User 1 User 1 receives no packets from server 0 unless a connection is initiated.

  13. Temporal Invariants User 0 Server 0 Firewall deny server* user* Server 1 User 1 User 1 receives no packets from server 0 unless a connection is initiated. Standard Reachability Temporal Property

  14. Action at a Distance User 0 Server 0 Firewall Cache deny user1 server0 Server 1 User 1 User 1 receives no packets from Server 0

  15. Action at a Distance Secret User 0 Server 0 Firewall Cache deny user1 server0 Server 1 User 1 User 1 receives no packets from Server 0

  16. Action at a Distance Secret User 0 Server 0 Secret Firewall Cache deny user1 server0 Server 1 User 1 User 1 receives no packets from Server 0

  17. Action at a Distance Secret User 0 Server 0 Secret Firewall Cache deny user1 server0 Server 1 Secret User 1 User 1 receives no packets from Server 0

  18. Action at a Distance Secret User 0 Server 0 Secret Firewall Cache deny user1 server0 Server 1 Secret User 1 User 1 receives no packets from Server 0 User 1 receives no data from Server 0

  19. Roadmap • Why consider stateful networks? • The current state of stateful network verification? • VMN: Our system for verifying stateful networks. • Scaling verification.

  20. Network Verification Today • Lots of existing work has looked at network verification.

  21. Network Verification Today • Lots of existing work has looked at network verification. • Switches: Static forwarding rules in switches. HSA, Veriflow, NetKAT, etc.

  22. Network Verification Today • Lots of existing work has looked at network verification. • Switches: Static forwarding rules in switches. HSA, Veriflow, NetKAT, etc. • SDN Controller: Code generating these rules. Vericon, FlowLog, etc

  23. Network Verification Today • Lots of existing work has looked at network verification. • Switches: Static forwarding rules in switches. HSA, Veriflow, NetKAT, etc. • SDN Controller: Code generating these rules. Vericon, FlowLog, etc • Testing for stateful networks Buzz: Generate packets that are likely to trigger interesting behavior.

  24. Network Verification Today • Lots of existing work has looked at network verification. • Switches: Static forwarding rules in switches. HSA, Veriflow, NetKAT, etc. • SDN Controller: Code generating these rules. Vericon, FlowLog, etc • Testing for stateful networks Buzz: Generate packets that are likely to trigger interesting behavior. • Verification for stateful networks SymNet: Uses symbolic execution to verify networks with middleboxes.

  25. Roadmap • Why consider stateful networks? • The current state of stateful network verification? • VMN: Our system for verifying stateful networks. • Scaling verification.

  26. VMN: System for scalable verification of stateful networks.

  27. VMN Flow Model each middlebox in the network Build network forwarding model Logical Invariants SMT Solver (Z3 from MSR) Invariant Holds Example of violation

  28. Modeling Middleboxes • One approach: Extract model from code

  29. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction.

  30. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction. • Code written to match bit patterns in packet, etc.

  31. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction. • Code written to match bit patterns in packet, etc. • Configuration is in terms of higher level abstractions

  32. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction. • Code written to match bit patterns in packet, etc. • Configuration is in terms of higher level abstractions • E.g., source and destination addresses, payload matches regex, etc.

  33. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction. • Code written to match bit patterns in packet, etc. • Configuration is in terms of higher level abstractions • E.g., source and destination addresses, payload matches regex, etc. • Operators think and configure in terms of these abstractions.

  34. Modeling Middleboxes • One approach: Extract model from code • Problem : At the wrong level of abstraction. • Code written to match bit patterns in packet, etc. • Configuration is in terms of higher level abstractions • E.g., source and destination addresses, payload matches regex, etc. • Operators think and configure in terms of these abstractions. • Verify invariants written in these terms.

  35. Example Middlebox Configuration • Drop all packets from connections transmitting infected files. • How to define infected files: bit pattern for all worms: not really accurate • Also not how operators think about this.

  36. Modeling Middleboxes • Take a different tack: model specified in terms of classification oracle . • Oracle responsible for classifying packet. • We are not verifying implementation (nor is anyone else).

  37. Modeling Middleboxes • Take a different tack: model specified in terms of classification oracle . • Oracle responsible for classifying packet. • We are not verifying implementation (nor is anyone else). • Model specifies forwarding behavior in terms of these abstractions. • Need to know forwarding behavior to reason about reachability. • Require that any state that affects forwarding behavior also specified.

  38. Modeling Middleboxes

  39. Modeling Middleboxes Determines what application sent a packet, etc. Classify Packet Complex, proprietary processing.

  40. Modeling Middleboxes Determines what application sent a packet, etc. Classify Packet Complex, proprietary processing. Update state required for classification. Update Classification State

  41. Modeling Middleboxes Determines what application sent a packet, etc. Classify Packet Complex, proprietary processing. Update state required for classification. Update Classification State Update forwarding State. Update Forwarding State

  42. Modeling Middleboxes Determines what application sent a packet, etc. Classify Packet Complex, proprietary processing. Update state required for classification. Update Classification State Update forwarding State. Update Forwarding State Always simple: forward or drop packets. Forward Packet

  43. Modeling Middleboxes Oracle: Specify data dependencies and outputs Determines what application sent a packet, etc. Classify Packet Complex, proprietary processing. Update state required for classification. Update Classification State Update forwarding State. Update Forwarding State Always simple: forward or drop packets. Forward Packet

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU Mnchen 2 Lawrence Berkeley National

409 views • 25 slides
Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel Computer Architecture Requirements and trade-offs at many levels Elegant mathematical structure Deep relationships to algorithm structure

691 views • 52 slides
Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of

Scalable and Cost-Effective Model-Based Software Verification and Testing University of Luxembourg Interdisciplinary Centre for Security, Reliability and Trust Software Verification and Validation Lab (www.svv.lu) May 17th, 2013 University of

1.03k views • 72 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search and Optimization Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS,

1.41k views • 113 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Policies in Stateful Networks Seyed K. Fayaz , Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas

Policies in Stateful Networks Seyed K. Fayaz , Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas

BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz , Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar Overview of checking network policies Does the network do what I want it to do? ??? Policies Network What I

383 views • 19 slides
Scalable Preference Aggregation in Social Networks IFCAM Workshop on Social Networks Indian

Scalable Preference Aggregation in Social Networks IFCAM Workshop on Social Networks Indian

Scalable Preference Aggregation in Social Networks IFCAM Workshop on Social Networks Indian Institute of Science, Bangalore Y. Narahari Joint work with Swapnil Dhamal Game Theory Lab Department of Computer Science and Automation Indian

1.08k views • 61 slides
Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel

Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel

Making Model-Driven Verification Practical and Scalable: Experiences and Lessons Learned Lionel Briand IEEE Fellow, FNR PEARL Chair Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg

717 views • 59 slides
TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation Han Song SJTU May 24, 2017 Han Song TenantGuard: Scalable Runtime

747 views • 54 slides
Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu

Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu

Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu Stoenescu , Matei Popovici, Lorina Negreanu and Costin Raiciu Networks are increasingly complex 2 Understand the network B A Reachability

549 views • 41 slides
UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER

UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER

REANNZ LUNCHTIME SESSION 17 JULY 2019 UNLEASHING THE HIVEMIND BUILDING SCALABLE NETWORKS AARON MURRIHY SENIOR NETWORK ENGINEER aaron.murrihy@reannz.co.nz 1 REANNZ Lunch 19 Scalable Networks 4 STAGES OF NETWORK PROGRESSION 2 REANNZ

198 views • 19 slides
Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3

Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3

1 Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE KEY FEATURES LEARN MORE 3 OVERVIEW Vulcan generates stateful Ethernet traffic to analyze how

349 views • 34 slides
Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC

Scalable Termination Detection for Distributed Actor Systems Dan Plyukhin and Gul Agha UIUC Actor Model Actors are lightweight, stateful, async processes. Used to build low-latency distributed systems (e.g. Riak, Discord, CouchDB). Most popular

1.53k views • 122 slides
Scalable Interconnection Networks Chapter 10 1 Adaptado dos slides da editora por M Mario

Scalable Interconnection Networks Chapter 10 1 Adaptado dos slides da editora por M Mario

Scalable Interconnection Networks Chapter 10 1 Adaptado dos slides da editora por M Mario Crtes IC/Unicamp 2009s2 10.1 Scalable, High Performance Network Mario Crtes IC/Unicamp 2009s2 At Core of Parallel Computer

1.32k views • 85 slides
Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos RadioCommunications Laboratory (RCL) Aristotle University of Thessaloniki, Greece Cost Assist Workshop April 2008, Cyprus Outline 1. Introduction to RFIDs:

509 views • 29 slides
FCSL Previously on this channel Previously on this channel letrec span (x : ptr) : bool = {

FCSL Previously on this channel Previously on this channel letrec span (x : ptr) : bool = {

FCSL Previously on this channel Previously on this channel letrec span (x : ptr) : bool = { if x == null then val_ret false; else b CAS(x->m, 0, 1); if b then (r l ,r r ) (span(x->l) || span(x->r)); if r l then x->l :=

1.27k views • 88 slides
Class 38: Geometry of Conic Sections Class 38: Geometry of Conic Sections Orbital equation

Class 38: Geometry of Conic Sections Class 38: Geometry of Conic Sections Orbital equation

Class 38: Geometry of Conic Sections Class 38: Geometry of Conic Sections Orbital equation 2 Radial : ( r - r ) f(r) r 2 Tangential Tangential : : L L r 1 u r r

556 views • 17 slides
Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1

Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1

Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1 505 64 16 / 78 Idea & credits: Florian Weimer, BFK pDNS @ CERT.at passive DNS: Idea to capture the DNS answers and give them a timestamp.

336 views • 6 slides
Tim McCarthy Tim McCarthy McCarthy Information Systems tmccart1@san.rr.com Agenda Pros/Cons

Tim McCarthy Tim McCarthy McCarthy Information Systems tmccart1@san.rr.com Agenda Pros/Cons

Tim McCarthy Tim McCarthy McCarthy Information Systems tmccart1@san.rr.com Agenda Pros/Cons of application frameworks Refactoring to DDD patterns getting rid of the persistence/plumbing code from the Domain Model My own DDD

779 views • 11 slides
de Sitter Vacua Bret Underwood McGill University Pheno 2009 S. Haque, G. Shiu, BU , T . Van

de Sitter Vacua Bret Underwood McGill University Pheno 2009 S. Haque, G. Shiu, BU , T . Van

de Sitter Vacua Bret Underwood McGill University Pheno 2009 S. Haque, G. Shiu, BU , T . Van Riet, Phys. Rev. D79:086005 (2009), arXiv:0810.5328 Does dS space exist classically from a top down construction? dS Space Bottom Up 1 1 H 2 = H 2

481 views • 13 slides
UNDERSTANDING CONVERGENCE IN MPLS VPN NETWORKS Mukhtiar A. Shaikh (mshaikh@cisco.com) Moiz

UNDERSTANDING CONVERGENCE IN MPLS VPN NETWORKS Mukhtiar A. Shaikh (mshaikh@cisco.com) Moiz

UNDERSTANDING CONVERGENCE IN MPLS VPN NETWORKS Mukhtiar A. Shaikh (mshaikh@cisco.com) Moiz Moizuddin (mmoizudd@cisco.com) 1 Agenda Introduction Convergence Definition Expected (Theoretical) Convergence Test Methodology Day

565 views • 34 slides
Motivation Two important points Javier Estrada This issue is on very shaky ground IESE

Motivation Two important points Javier Estrada This issue is on very shaky ground IESE

Emerging Markets (III): Cost of Capital Javier Estrada ADFIN Winter/2014 1. Motivation Two important issues The CAPM in EMs 2. Models Lessard GodfreyEspinosa Goldman Sachs SalomonSmithBarney Motivation Two

333 views • 7 slides
Matrix Factorization with Binary Components Uniqueness in a randomized model Felix Krahmer,

Matrix Factorization with Binary Components Uniqueness in a randomized model Felix Krahmer,

Matrix Factorization with Binary Components Uniqueness in a randomized model Felix Krahmer, TU M unchen Joint work with: Matthias Hein, Saarland University, David James , University of G ottingen Matrix Factorization given data

1.49k views • 44 slides

More recommend