symnet scalable symbolic execution for modern networks
play

Symnet: scalable symbolic execution for modern networks University - PowerPoint PPT Presentation

Aug 20, 2023 •133 likes •549 views

Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu Stoenescu , Matei Popovici, Lorina Negreanu and Costin Raiciu Networks are increasingly complex 2 Understand the network B A Reachability

  1. Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu Stoenescu , Matei Popovici, Lorina Negreanu and Costin Raiciu

  2. Networks are increasingly complex 2

  3. Understand the network B A Reachability Packet modifications Security policy violations 3

  4. Static verification to the rescue Data plane snapshot Network model Symbolic Execution Friendly Language (SEFL) - Network model Symnet – Verification engine Verification engine 4

  5. Choosing a modeling language C code • Expressive, well understood • Symbolic execution captures many properties • Very expensive to verify Middle ground Header Space Analysis • Cheap, scalable • No arbitrary protocol layering • Only captures reachability 5

  6. Symbol execution of firewall - C code 1: packet* filter(packet* p){ 2: if (p->dst_port==80) 4: return p; 5: else { 6: free p; 7: return NULL; 8: } 9:} 6

  7. Symbol execution of firewall - C code Path 1 p=* 1: packet* filter(packet* p){ 2: if (p->dst_port==80) 4: return p; 5: else { 6: free p; 7: return NULL; 8: } 9:} 7

  8. Symbol execution of firewall - C code Path 1 p=* 1: packet* filter(packet* p){ 2: if (p->dst_port==80) 4: return p; 5: else { 6: free p; 7: return NULL; 8: } 9:} 8

  9. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ p ->dst_port=80 p ->dst_port!=80 2: if (p->dst_port==80) 4: return p; 5: else { 6: free p; 7: return NULL; 8: } 9:} 9

  10. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ p ->dst_port=80 p ->dst_port!=80 2: if (p->dst_port==80) 4: return p; 5: else { 6: free p; 7: return NULL; 8: } 9:} 10

  11. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ p ->dst_port!=80 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { 6: free p; 7: return NULL; 8: } 9:} 11

  12. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ p ->dst_port!=80 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { 6: free p; 7: return NULL; 8: } 9:} 12

  13. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ p ->dst_port!=80 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { 6: free p; 7: return NULL; 8: } 9:} 13

  14. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { p= NULL 6: free p; 7: return NULL; 8: } 9:} 14

  15. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { p= NULL 6: free p; 7: return NULL; 8: } 9:} 15

  16. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { 6: free p; p= NULL 7: return NULL; filter=NULL 8: } 9:} 16

  17. Symbol execution of firewall - C code Path 1 Path 2 1: packet* filter(packet* p){ 2: if (p->dst_port==80) p ->dst_port=80 4: return p; filter = p 5: else { 6: free p; p= NULL 7: return NULL; filter=NULL 8: } 9:} Two symbolic paths vs. one viable in the network Non-packet processing being executed 17

  18. Symbol execution of firewall - C code s Firewall #1 Firewall #2 Firewall #3 N-1 unnecessary symbolic paths 18

  19. Symbolic execution of network data plane implementations does not scale • A core IP router results in hundreds of thousands of paths • For a TCP options-parsing middlebox, runtime depends on option length (<40): – 6B ~ 1 hour, 7B ~ 3 hours 19

  20. Principles for scalable data plane symbolic execution Fundamental tradeoff between fast symbolic execution and runtime efficiency [Wagner‘13] => Use models of networks instead of real code Only analyze relevant code => 1 execution path == 1 network packet Complex data structures kill symbolic execution => Use symbolic-execution friendly data structures Loops + conditionals are dangerous => Careful looping semantics with low branching factor 20

  21. Our solution SEFL symbolic execution friendly language Symnet symbolic execution tool Memory safety by design • The memory space is the packet • No pointers • Memory access via concrete offsets; validated Symbolic execution constructs part of the language • Explicit forking of new execution paths • Explicit stating of path constraints No arbitrary data structures • Only a map data structure 21

  22. SEFL symbolic execution friendly language • Variables are packet headers or metadata – Packet headers allocated at specific addresses in the packet header – Metadata are key/value pairs in a map data structure 22

  23. The packet header in SEFL L2 L3 MAC DST IP SRC IP DST * 192.168. 0 96 CreateTag(“L3”,0) 32 Allocate(Tag("L3")+96,32) Allocate(IpSrc,32) //IpSrc = Tag(“L3”)+96 Assign(IpSrc,"192.168.1.1") Allocate(IpDst,32) Assign(IpDst,Symbolic) CreateTag(“L2”,Tag(“L3)-112) ERROR Assign(DstMac,Symbolic) 23

  24. Firewall C SEFL 1:packet* filter(packet* p){ 1: filter(){ 2: if (p->dst_port==80) 2: constrain(IpDst==80); 4: return p; 3: } 5: else { 6: free p; 7: return NULL; 8: } 9:} Only relevant paths explored Concise 24

  25. Symnet symbolic execution tool • 10K LOC of Scala; Z3 for constraint solving Input: SEFL network model – SEFL models of individual network elements – Connections between elements Output: all feasible symbolic paths – Values of header and metadata fields – Path constraints 25

  26. SEFL Network Models 0 {…} P 0 {…} P {...} 1 P {…} 1 Element A P P Element B {…} {…} 0 0

  27. Symbolic execution of filter + DNAT Packet 1 Packet 2 Element A model IpDst=* TcpDst=* InputPort(0): IpDst=1,1… TcpDst=* Constrain(IPDst==1.1.1.1), IpDst=1.1, If (Constrain(TcpDst==20), IpDst=1.1…TcpDst=20 TcpDst != 20 InstructionBlock( IpDst=192…TcpDst=20 Assign(IPDst,192.168.0.1), IpDst=192…TcpDst=30 Assign(TcpDst,30), CrtPort = 0 Forward(OutputPort(0)) ), CrtPort = 1 Forward(OutputPort(1)), • Invariant header fields • Reachability • Header memory safety • Loop detection 27

  28. Ready-made network models Modeling network boxes is fairly difficult We have developed parsers that output SEFL code from: • Router/switch forwarding table snapshots • CISCO ASA firewall configuration • Click modular router configurations • Openstack Neutron network configurations 28

  29. Evaluation Model correctness Functionality Scalability 29

  30. Verifiable properties Property HSA NoD SymNet Reachability ✔ ✔ ✔ Loop Detection ✔ ✖ ✔ Header Field Invariance ✖ ✖ ✔ Arbitrary Packet Layout ✖ ✔ ✔ Tunneling ✖ ✖ ✔ Stateful Data Plane Processing ✖ ✔ ✔ Payload-sensitive Processing ✖ ✖ ✖ Properties Across Multiple Flows ✖ ✖ ✖ 30

  31. Does Symnet scale? 31

  32. Does Symnet scale? 32

  33. Does Symnet scale? 33

  34. Analyzing bigger networks • Stanford university backbone network • Switches, routers and VLANs – Two-layer topology – Core routers have 180.000 entries in their FIBs HSA Symnet Model Generation 3.2 min 8.1 min Time Runtime 24s 37s 34

  35. Conclusions SEFL + Symnet offers a deeper understanding of modern data planes at a low price. Symnet is open-source Check demo session tomorrow 35

  36. Backup slides 36

  37. TCP options parsing Symbolic variable Path 1 int crt = 0; while (crt>=0 && crt<length && options[crt]){ switch(options[crt]){ case 1: crt++; break; case 2://MSS case 3://WINDOW SCALE case 4://SACK PERMITTED case 8://TIMESTAMP crt += options[crt+1]; break; default: //unknown options, scrub int len = options[crt+1]; for (i=crt;i<crt+len;i++) options[i] = 1; crt += len; break; } } 37

  38. TCP options parsing Path 2 Path 3 Path 1 int crt = 0; while (crt>=0 && crt<length && options[crt]){ options[0] options[0] in switch(options[crt]){ options[0]==1 not in {2,3,4,8} case 1: {1,2,3,4,8} crt++; break; case 2://MSS case 3://WINDOW SCALE case 4://SACK PERMITTED case 8://TIMESTAMP crt += options[crt+1]; break; default: //unknown options, scrub int len = options[crt+1]; for (i=crt;i<crt+len;i++) options[i] = 1; crt += len; break; } } 38

  39. TCP Options parsing Leave the TCP options header outside of symbolic execution Model TCP options as metadata instead “OPT-x” models the presence of option x “SZ-x” size of the option in bytes “DATA-x” value of the option 39

  40. Does Symnet scale? Symbolic execution of a core router 40

  41. Running Klee for options parsing 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Massively Scalable Indoor Positioning: The Skyhook Solution Christopher Steger Skyhook

Massively Scalable Indoor Positioning: The Skyhook Solution Christopher Steger Skyhook

Massively Scalable Indoor Positioning: The Skyhook Solution Christopher Steger Skyhook Positioning Overview WiFi-Based Positioning Metro-Scale Worldwide Coverage Skyhook Positioning Overview Beacons of Opportunity

340 views • 31 slides
Scalable financial solutions for energy renovations Best practices from Utrecht Region. Whats

Scalable financial solutions for energy renovations Best practices from Utrecht Region. Whats

Scalable financial solutions for energy renovations Best practices from Utrecht Region. Whats next?! Stef Rell March 2019 A Green , Healthy and Smart Region Lets talk renovation but I dont have money to renovate but I want

193 views • 18 slides
Testing CLTS Approaches for Scalability: Project Briefing Jonny Crocker &amp; Vidya Venkataramanan

Testing CLTS Approaches for Scalability: Project Briefing Jonny Crocker &amp; Vidya Venkataramanan

Testing CLTS Approaches for Scalability: Project Briefing Jonny Crocker &amp; Vidya Venkataramanan The Water Institute at UNC 37 th International WEDC Conference Hanoi, Vietnam September 15 19, 2014 Generously funded by the Bill &amp; Melinda

471 views • 17 slides
Promising Practices in Disaster Behavioral Health (DBH) Planning: Plan Scalability August 30,

Promising Practices in Disaster Behavioral Health (DBH) Planning: Plan Scalability August 30,

Promising Practices in Disaster Behavioral Health (DBH) Planning: Plan Scalability August 30, 2011 Presented by Terri Spear, Lori McGee, and Anthony Speier Welcome Remarks Speaker Terri Spear, Ed.M. Emergency Coordinator Substance Abuse

719 views • 36 slides
50% pass developmental credit course course pass take pass developmental credit credit

50% pass developmental credit course course pass take pass developmental credit credit

Calculating Success Co-Requisite Models # who # who # who # who take pass take pass 115 115 121 121 # who # who = Success Rate pass take 121 115 credit course 50% pass developmental credit course course pass take

633 views • 16 slides
Major IT companies run datacenters Datacenter infra market is huge. @ 2018 Jangwoo Kim 1 All

Major IT companies run datacenters Datacenter infra market is huge. @ 2018 Jangwoo Kim 1 All

DCS: A Fast, Scalable, Flexible Device-Centric Server Architecture Jangwoo Kim E-mail: jangwoo@snu.ac.kr Web: https://hpcs.snu.ac.kr/~jangwoo High Performance Computer System (HPCS) Lab Department of Electrical and Computer Engineering Seoul

985 views • 44 slides
Agenda 5 David 1 Maija Product development Team Members &amp; Roles journey [video graphic]

Agenda 5 David 1 Maija Product development Team Members &amp; Roles journey [video graphic]

Agenda 5 David 1 Maija Product development Team Members &amp; Roles journey [video graphic] How team worked 3 Barbara together Design processes Methodologies Used 6 Maija Final scope achieved 2 Aggi 4 Gareth Initial brief &amp;

617 views • 23 slides
Hamilton &amp; National Grid Select reset slide (note: Using this action will

Hamilton &amp; National Grid Select reset slide (note: Using this action will

Click on the picture placeholder icon Go to Format tab Select Crop Hamilton &amp; National Grid Select reset slide (note: Using this action will reset all of August

375 views • 6 slides

More recommend