VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.


1 VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv, Michael Schapira, Asaf Valadarsky

2 Traditional Computer Networks
– Data plane: packet streaming
– Control plane: distributed algorithms

3 New Paradigm: Software Defined Networking (SDN)
– API to the data plane (e.g., OpenFlow)
– logically-centralized control in software
– switches
– smart but slow software
– dumb but fast hardware

4 Controller: Programmability
– Events from switches: topology changes, traffic statistics, arriving packets
– Commands to switches: (un)install rules, query statistics
[Diagram labels: Controller, APP]

5 Desired Network Properties
Routing
– No forwarding loops, no black holes, …
Security
– ACL, firewall, middleboxes, …
Traffic Engineering
– Load balancing, VM migration, …
…

6 How can we guarantee such properties?

7 Traditional Networks vs. SDN
Guaranteeing these properties in a traditional network is nearly impossible
– Switch / Router code is a “black box”
– Protocols are distributed across devices.
SDN opens up the possibility of applying formal software verification to networks!
– Accessible code
– Centralized control

8 Existing Approaches
Finite-state model checking
– E.g., NICE & Verificare
Analyzing network snapshots
– E.g., HSA
Run-time checks
– E.g., VeriFlow & NetPlumber
Callouts on the slide:
– Might miss bugs!
– Discover bugs too late & run-time overhead

9 Dream Scenario
Verify network-wide properties at compile time
– Find violations before they occur!
Provable verification
– Prove correctness for correct programs
– Find a counterexample for incorrect programs (useful for debugging)

10 The VeriCon Tool
[Diagram labels: Controller Code (P); Desired Properties; Restrictions on Topology (T); Verification Conditions Generator; SAT Solver; Counterexample; Proof]

11 Running Times – Correct Programs
Program | Description | Time to prove (seconds)
Firewall | A basic firewall abstraction. | 0.11
MigFirewall | Firewall supporting migration of “safe” hosts. | 0.12
Learning | A simple learning switch. | 0.14
Resonance | Access control for host authentication in enterprises. | 0.18
Stratos | Forwarding traffic through a sequence of middleboxes. | 0.09

12 Running Times – Incorrect Programs
Program | Description | Time to disprove (seconds)
Firewall-Bug 1 | Forgot to check if packets in port 2 are from a trusted location. | 0.13
Firewall-Bug 2 | Forgot to add the definition for a “trusted host”. | 0.09
Learning-Bug 3 | Forgot to forward the packets. | 0.15
Resonance-Bug 1 | Forgot to define that the states a host could be at are mutually exclusive. | 0.07
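
The prove-or-counterexample check described on the slides, illustrated on the Firewall-Bug 1 case. This is an added example, not code from the talk or from VeriCon: the two-port firewall model, the invariant, the two-host universe and every function name are assumptions, and it swaps in brute-force enumeration of a tiny state space where VeriCon generates first-order verification conditions for a solver over unbounded topologies.

```python
from itertools import combinations, product

HOSTS = ("h1", "h2")  # constructed two-host universe (assumption)

def subsets(xs):
    """All subsets of xs as frozensets."""
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def invariant(state):
    """Assumed property: every source forwarded from port 2 to port 1 is trusted."""
    trusted, sent_2to1 = state
    return sent_2to1 <= trusted

def firewall(state, src, dst, port, check_trusted=True):
    """Assumed packet-in handler; returns the next (trusted, sent_2to1) state."""
    trusted, sent_2to1 = state
    if port == 1:                             # from the trusted side: forward, trust dst
        return (trusted | {dst}, sent_2to1)
    if not check_trusted or src in trusted:
        return (trusted, sent_2to1 | {src})   # forwarded from port 2 to port 1
    return state                              # dropped

def firewall_bug1(state, src, dst, port):
    """Firewall-Bug 1 as modelled here: the trusted check on port 2 is missing."""
    return firewall(state, src, dst, port, check_trusted=False)

def verify(handler):
    """Return None if the invariant is inductive, else (pre, event, post)."""
    init = (frozenset(), frozenset())
    if not invariant(init):
        return (None, None, init)
    for state in product(subsets(HOSTS), repeat=2):
        if not invariant(state):
            continue                          # only states satisfying the invariant
        for event in product(HOSTS, HOSTS, (1, 2)):
            post = handler(state, *event)
            if not invariant(post):
                return (state, event, post)
    return None

if __name__ == "__main__":
    print("Firewall:", verify(firewall))
    print("Firewall-Bug 1:", verify(firewall_bug1))
```

A `None` result only says the invariant is inductive for this two-host model; it is not a proof for arbitrary topologies.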

13 VeriCon: Challenges and Solutions
Programmer must specify properties in 1st-order logic
– We build a tool that infers formulas for SDN programs
– Future research: static analysis
SDN programs must be coded in a specific language (CSDN)
– VeriCon can be extended to support Java, Python, etc.
SAT solver might not terminate!
– SDN programs considered are in a sub-family of FOL
– … solver termination guaranteed!
VeriCon assumes atomicity of events
– “Existing” solutions
– Future research: verify stronger properties

14 Summary
SDN opens up the possibility for applying formal verification to networks
VeriCon is the first system to provably verify SDN programs at compile time
– for unbounded topology, #packets, etc.

15 Thank You

