vignat a formally verified nat
play

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal - PowerPoint PPT Presentation

Oct 17, 2022 •26 likes •836 views

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

  1. VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea

  2. Formally verify a stateful NF with competitive performance and reasonable human effort 2

  3. Formally verify a stateful NF with competitive performance and reasonable human effort 3

  4. Formally verify a stateful NF with competitive performance and reasonable human effort 4

  5. Software Network Functions: Pros and Cons ● Everywhere ○ OpenWRT/NetFilter, Click, RouteBricks ○ Vyatta, OpenVswitch, DPDK ● Flexibility, short time to market, but ... 5

  6. Software Network Functions: Pros and Cons ● Everywhere ○ OpenWRT/NetFilter, Click, RouteBricks ○ Vyatta, OpenVswitch, DPDK ● Flexibility, short time to market, but ... ● Bugs ○ Packets of death, table exhaustion, denial of service ○ Cisco NAT, Juniper NAT, NetFilter, Windows ICS ○ Network outages already cost up to $700B /year 6

  7. Testing: Easy but Incomplete 7

  8. Testing: Easy but Incomplete 8

  9. Formal Verification: Complete but Expensive 9

  10. ——?—— Formal Verification: Complete but Expensive 10

  11. Network Verification S D 11

  12. Network Verification S MODEL CODE D 12

  13. Network Verification ≠ NF Code Verification S CODE D 13

  14. How to Verify an NF (Before Vigor)? Bits Algebras Human effort quick slow (infeasible) Machine effort slow (infeasible) quick 14

  15. How to Verify an NF (Before Vigor)? Bits Algebras Human effort quick slow (infeasible) Machine effort slow (infeasible) quick 15

  16. How to Verify an NF (Before Vigor)? Bits Algebras Human effort quick slow (infeasible) Machine effort slow (infeasible) quick 16

  17. How to Verify an NF (Before Vigor)? Bits Algebras Human effort quick slow (infeasible) Machine effort slow (infeasible) quick 17

  18. Theorem Proving Bits Algebras Human effort quick high / infeasible Machine effort slow (infeasible) low 18

  19. Theorem Proving Bits Algebras Human effort quick high / infeasible Machine effort slow (infeasible) low Too complicated [1] Klein, Gerwin, et al. "seL4: Formal verification of an OS kernel." Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles . ACM, 2009. [2] Chen, Haogang, et al. "Using Crash Hoare logic for certifying the FSCQ file system." Proceedings of the 25th 19 Symposium on Operating Systems Principles . ACM, 2015.

  20. Exhaustive Symbolic Execution (SymbEx) Bits Algebras Human effort low high / infeasible Machine effort high / infeasible low 20

  21. Exhaustive Symbolic Execution (SymbEx) Bits Algebras Human effort low high / infeasible Machine effort high / infeasible low Path Explosion 21 Credit to Jonas Wagner

  22. Vigor Bits Algebras Human effort low high / infeasible Machine effort high / infeasible low 22

  23. Vigor Bits Algebras Human effort low high / infeasible Machine effort high / infeasible low Plus runtime performance 23

  24. Main Idea ● Split the code into two parts ● Verify each part separately ● Stitch the proofs — key challenge 24

  25. Outline ● Problem Statement ● VigNAT Formal Proof ○ General Idea ○ Proof Stitching Example ● RFC Formalization ● Performance 25

  26. Vigor: split code | verify parts | stitch proofs CODE 26

  27. Vigor: split code | verify parts | stitch proofs 27

  28. Vigor: split code | verify parts | stitch proofs 28

  29. Vigor: split code | verify parts | stitch proofs Interface contracts Stateful code Stateless code (data structures) (application logic) 29

  30. Vigor: split code | verify parts | stitch proofs Interface contracts Stateful code (data structures) Theorem Proving 30

  31. Vigor: split code | verify parts | stitch proofs Interface contracts Stateful code Stateless code (data structures) (application logic) 31

  32. Vigor: split code | verify parts | stitch proofs Interface contracts Stateful code Stateless code (data structures) (application logic) Exhaustive Symbolic Execution 32

  33. Vigor: split code | verify parts | stitch proofs Symbolic models Stateless code Approximation (not trusted) (application logic) Exhaustive Symbolic Execution 33

  34. Vigor: split code | verify parts | stitch proofs Symbolic models Stateless code Approximation (not trusted) (application logic) Exhaustive Symbolic Execution traces 34

  35. Vigor: split code | verify parts | stitch proofs Interface contracts traces 35

  36. Vigor: split code | verify parts | stitch proofs Interface contracts traces Vigor Validator 36

  37. Vigor: split code | verify parts | stitch proofs Interface contracts Stateful code Stateless code (data structures) (application logic) Exhaustive Theorem Proving Symbolic Execution traces Vigor Validator 37

  38. Outline ● Problem Statement ● VigNAT Formal Proof ○ General Idea ○ Proof Stitching Example ● RFC Formalization ● Performance 38

  39. Proof Stitching: SymbEx + Theorem Proving ● Stateful code: theorem proving ● Stateless code: exhaustive symbolic execution 1. Use symbolic models — rough interpretations of contracts ● Symbolic models are written in C 2. Replay call traces in a proof checker to check contracts 39

  40. Example NF Code if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p); send(&p); } 40

  41. Example NF Code if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p); send(&p); } 41

  42. Example NF Code if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p); send(&p); } 42

  43. For Each API Function ... Formal Symbolic contract model 43

  44. Example: Formal Contract void ring_pop_front( struct ring* r, struct packet* p); r is not empty and p points to valid memory ———————————— r contains one packet less and p points to a packet and p->port ≠ 9 Formal contract 44

  45. Example: Symbolic Model void ring_pop_front( struct ring* r, struct packet* p) { FILL_SYMBOLIC(p, sizeof(struct packet), "popped_packet"); ASSUME(p->port != 9); } Symbolic model 45

  46. Example NF Code if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p); send(&p); } 46

  47. Use Symbolic Models if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { Symbolic model ring_pop_front(r, &p); Symbolic send(&p); model } Symbolic model Symbolic model 47

  48. Execution Trace if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p); send(&p); } 48

  49. Execution Trace if (!ring_full(r); assume(r1 → true if (!ring_full(r) && receive(&p) && p.port != 9) ring_push_back(r, &p); ring_push_back(r, &p); if (!ring_empty(r); assume(r1 → false if (!ring_empty(r) && can_send()) { ring_pop_front(r, &p): after (p.port ≠ 9) ring_pop_front(r, &p); send(&p); } 49

  50. Over-Approximation Proof r1 = ring_full(r); assume(r1 == true ); ring_push_back(r, &p); r2 = ring_empty(r); assume(r2 == false ); ring_pop_front(r, &p); assert(p.port ≠ 9); 50

  51. Over-Approximation Proof r1 = ring_full(r); assume(r1 == true ); ring_push_back(r, &p); r2 = ring_empty(r); assume(r2 == false ); ring_pop_front(r, &p); assert(p.port ≠ 9); Formal contract 51

  52. Over-Approximation Proof r1 = ring_full(r); assume(r1 == true ); ring_push_back(r, &p); r2 = ring_empty(r); assume(r2 == false ); ring_pop_front(r, &p); assert(p.port ≠ 9); ⊂ Formal Symbolic contract model (covers) 52

  53. Outline ● Problem Statement ● VigNAT Formal Proof ○ General Idea ○ Proof Stitching Example ● RFC Formalization ● Performance 53

  54. Formalization of the NAT RFC ● Everything happens at packet arrival ● Abstract flow table summarizes history of previous interactions ● Packet arrival timestamps — the only source of time 54

  55. Formalization of the NAT RFC flowtable time packet NAT packet flowtable 55

  56. Formalization of the NAT RFC flowtable time packet NAT packet flowtable time packet NAT packet flowtable time packet NAT packet 56

  57. Formalization of the NAT RFC {flowtable before , time, packet in } ➡ {flowtable after , packet out } flowtable time packet NAT packet flowtable 57

  58. Formalization of the NAT RFC flowtable time expire_flows update/create flow packet forward/drop flowtable 58

  59. Outline ● Problem Statement ● VigNAT Formal Proof ○ General Idea ○ Proof Stitching Example ● RFC Formalization ● Performance 59

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for

Towards A Formally Verified Network-on-Chip Tom van den Broek 1 Julien Schmaltz 12 1 Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands 2 School of Computer Science Open University The Netherlands

778 views • 62 slides
A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste

A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste

A Formally Verified Compiler for Lustre Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste Dagand 4 , 3 , 1 Xavier Leroy 1 Marc Pouzet 4 , 2 , 1 Lionel Rieg 5 , 6 1. Inria Paris 2. DI, cole normale suprieure 3. CNRS 4. Univ. Pierre et

1.15k views • 96 slides
FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault

FTCS 93 June 1993 A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault Model Patrick Lincoln and John Rushby Computer Science Laboratory SRI International Menlo Park CA USA FTCS 93 1 Summary What we have

494 views • 25 slides
Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

900 views • 79 slides
Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim Eldefrawy, Norrathep Rattanavipanon , Gene Tsudik June 28, 2017 nrattana@uci.edu http://sprout.ics.uci.edu IoT/CPS/ES IoT/CPS/ES IoT/CPS/ES Remote

451 views • 33 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 1.9/2.15, 2015-07-16 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs

553 views • 24 slides
EdgeBalance: Model-Based Load Balancing for Network Edge Data Planes Wei Zhang , Abhigyan

EdgeBalance: Model-Based Load Balancing for Network Edge Data Planes Wei Zhang , Abhigyan

EdgeBalance: Model-Based Load Balancing for Network Edge Data Planes Wei Zhang , Abhigyan Sharma * , Timothy Wood George Washington University * AT&T Labs Research 1 Outline Background and Motivation EdgeBalance Design

790 views • 25 slides
Network Function Control Aaron Gember-Jacobson , Chaithan Prakash, Raajay Viswanathan, Robert

Network Function Control Aaron Gember-Jacobson , Chaithan Prakash, Raajay Viswanathan, Robert

OpenNF: Enabling Innovation in Network Function Control Aaron Gember-Jacobson , Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 Network functions (NFs) Perform sophisticated stateful actions

1.16k views • 88 slides
OpenNF: Enabling Innovation in Network Function Control Aaron Gember-Jacobson , Chaithan Prakash,

OpenNF: Enabling Innovation in Network Function Control Aaron Gember-Jacobson , Chaithan Prakash,

OpenNF: Enabling Innovation in Network Function Control Aaron Gember-Jacobson , Chaithan Prakash, Raajay Viswanathan, Robert Grandl, Junaid Khalid, Sourav Das, Aditya Akella 1 Network functions (NFs) Perform sophisticated stateful actions

770 views • 76 slides
The State of NeXus . Tobias Richter Diamond Light Source and NeXus International Advisory

The State of NeXus . Tobias Richter Diamond Light Source and NeXus International Advisory

. The State of NeXus . Tobias Richter Diamond Light Source and NeXus International Advisory Committee NOBUGS 2014 Tobias Richter (DLS & NIAC) The State of NeXus NOBUGS 2014 1 / 17 What this talk is not about There is no report from:

743 views • 17 slides
(Asymptotic) Safety in QFT Francesco Sannino Plan Meaning of fundamental From complete

(Asymptotic) Safety in QFT Francesco Sannino Plan Meaning of fundamental From complete

(Asymptotic) Safety in QFT Francesco Sannino Plan Meaning of fundamental From complete freedom to complete safety Controllable asymp. safe theory in 4D a-theorem for asymptotic safety Asymptotically safe thermodynamics and

727 views • 61 slides
CS 61A Discussion 10 Streams (and Interpreters) Albert Xu Kaavya Shah Slides:

CS 61A Discussion 10 Streams (and Interpreters) Albert Xu Kaavya Shah Slides:

CS 61A Discussion 10 Streams (and Interpreters) Albert Xu Kaavya Shah Slides: albertxu.xyz/teaching/cs61a/ *part of these slides sourced from Jemmy and Is Final Review Fall 18 Streams Streams are lazy linked lists - the first element

334 views • 21 slides
Application of Information or How I learnt to stop Theory to Fault worrying and love the

Application of Information or How I learnt to stop Theory to Fault worrying and love the

p ( x ) log 2 p ( x ) x X X ) = CREST Open Workshop #41 Application of Information or How I learnt to stop Theory to Fault worrying and love the bomb entropy Localisation by Shin Yoo This talk is Not a theoretical

599 views • 22 slides
NF Risk Assessment Framework Increasing Predictability of Non-Functional Defects 2014 Outline

NF Risk Assessment Framework Increasing Predictability of Non-Functional Defects 2014 Outline

NF Risk Assessment Framework Increasing Predictability of Non-Functional Defects 2014 Outline Conventional approach to NFT What is not NFT? Why Risk Assessment? NF Risk Assessment Framework Framework Explained

344 views • 18 slides

More recommend