DOI: 10.5555/3388242.3388256

NetSMC: a custom symbolic model checker for stateful network verification

Published: 25 February 2020

Abstract

Modern networks enforce rich and dynamic policies (e.g., dynamic service chaining and path pinning) over a number of complex and stateful NFs (e.g., stateful firewalls and load balancers). Verifying whether those policies are correctly implemented is important to ensure the network's availability, safety, and security. Unfortunately, theoretical results suggest that verifying even simple policies (e.g., A cannot talk to B) in stateful networks is undecidable. Consequently, any approach to stateful network verification has to fundamentally make some relaxations, e.g., on the policies supported, on the network behaviors it can capture, or on its soundness/completeness guarantees. In this paper, we identify practical opportunities for relaxations in order to develop an efficient verification tool. First, we identify key domain-specific insights to develop a more compact network semantic model, which is equivalent to a general semantic model for checking a wide range of policies under practical conditions. Second, we identify a restrictive-yet-expressive policy language that supports a wide range of policies, including dynamic service chaining and path pinning, while enabling efficient verification. Third, we develop customized symbolic model checking algorithms, as our model and policy specification allow us to succinctly encode network states using existential first-order logic, which enables efficient checking algorithms. We prove the correctness of our approach for a subset of policies and show that our tool, NetSMC, achieves orders of magnitude speedup compared to existing approaches.

Published In

NSDI'20: Proceedings of the 17th Usenix Conference on Networked Systems Design and Implementation
February 2020
1129 pages
ISBN: 9781939133137

Sponsors

  • NetApp
  • Amazon
  • Google Inc.
  • NSF
  • Microsoft

Publisher

USENIX Association

United States
