Presentation is loading. Please wait.

Presentation is loading. Please wait.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

Similar presentations


Presentation on theme: "VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly."— Presentation transcript:

1 VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv, Michael Schapira, Asaf Valadarsky

2 Traditional Computer Networks Data plane: packet streaming Control plane: distributed algorithms 2

3 New Paradigm: Software Defined Networking (SDN) API to the data plane (e.g., OpenFlow) logically-centralized control in software switches smart but slow software dumb but fast hardware 3

4 Controller: Programmability Controller events from switches topology changes, traffic statistics, arriving packets commands to switches (un)install rules, query statistics APP 4

5 Desired Network Properties Routing – No forwarding loops, no black holes, … Security – ACL, firewall, middleboxes, … Traffic Engineering – Load balancing, VM migration, … … 5

6 How can we guarantee such properties? 6

7 Traditional Networks vs. SDN Guaranteeing these properties in a traditional network is nearly impossible – Switch / Router code is a “black box” – Protocols are distributed across devices. SDN opens up the possibility of applying formal software verification to networks! – Accessible code – Centralized control 7

8 Existing Approaches Finite-state model checking – E.g., NICE & Verificare Analyzing network snapshots – E.g., HSA Run-time checks – E.g., VeriFlow & NetPlumber 8 Might miss bugs! Discover bugs too late & run-time overhead

9 Dream Scenario Verify network-wide properties in compile time – Find violations before they occur! Provable verification – Prove correctness for correct programs – Find a counterexample for incorrect programs (useful for debugging) 9

10 The VeriCon Tool Controller Code (P) Desired Properties  Verification Conditions Generator T   P  “  ”  SAT Solver Counterexample Proof Restrictions on Topology (T) 10

11 Running Times – Correct Programs ProgramDescriptionTime to prove (seconds) FirewallA basic firewall abstraction.0.11 MigFirewallFirewall supporting migration of “safe” hosts.0.12 LearningA simple learning switch.0.14 ResonanceAccess control for host authentication in enterprises.0.18 StratosForwarding traffic through a sequence of middleboxes

12 Running Times – Incorrect Programs ProgramDescriptionTime to disprove (seconds) Firewall-Bug 1Forgot to check if packets in port 2 are from a trusted location Firewall-Bug 2Forgot to add the definition for a “trusted host” Learning-Bug 3Forgot to forward the packets.0.15 Resonance-Bug 1Forgot to define that the states a host could be at are mutually exclusive

13 VeriCon: Challenges and Solutions Programmer must specify properties in 1 st -order logic – We build a tool that infers formulas for SDN programs – Future research: static analysis SDN programs must be coded in a specific language (CSDN) – VeriCon can be extended to support Java, Python, etc. SAT solver might not terminate! – SDN programs considered are in a sub-family of FOL – … solver termination guaranteed! VeriCon assumes atomicity of events – “Existing” solutions – Future research: verify stronger properties 13

14 Summary SDN opens up the possibility for applying formal verification to networks VeriCon is the first system to provably verify SDN programs at compile time – for unbounded topology, #packets, etc. 14

15 Thank You 15


Download ppt "VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly."

Similar presentations


Ads by Google