TRANSCRIPT
Network Verification and Synthesis: Lessons from Hardware (and Software)
Sharad Malik
Cornell-Princeton Center for Network Programming, 6/20/2016
Need Strong Practical Motivation
• High cost of failure
  • Need for first-silicon success
  • High mask costs
  • Product recalls
    • Intel Pentium FDIV bug, 1994
    • Total cost: $475 million
• Downtime and security-breach costs make the same case for network verification
Scalability is Key
Hardware design flow (figure): Design Specifications → Behavioral-level Specifications (functional spec) → [Behavioral Synthesis] → RTL Description (functional + timing spec) → [Logic Synthesis] → Gate-level Netlist (detailed logic design) → [Layout Synthesis] → Physical Layout
≡? Full-chip equivalence checking is routine
Watch the complexity barrier: PSPACE-complete vs. NP-complete
Sequential circuit (figure): combinational logic with memory elements, external inputs and a clock; k-cycle verification unrolls k copies of the combinational logic
• Model Checking: state-space exploration; needs to store sets of states
• Bounded Model Checking: propositional logic, SAT-based analysis; search, but no state storage
X(t+1) = f(X(t), I)
Snapshot Verification
• Verify the static network state
  • A snapshot of a dynamic system
  • A single SDN rule configuration
  • No performance verification
Switch rule tables (figure, one table per switch):
  1.0.0.0/8 → port 1;  3.0.0.0/8 → port 2;  …
  10.0.0.0/8 → port 1;  4.3.0.0/16 → port 2;  …
  8.0.0.0/8 → port 1;  10.0.0.0/8 → port 2;  …
  1.0.0.0/8 → port 1;  2.0.0.0/8 → port 2;  …
• Network state change (rule deletion/addition/change at a switch) [1]: tens of events per second
• Packet arrival rate: millions of arrivals per second
[1] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, S. Shenker, "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, 2008
Modeling/Analysis Challenge
• Even for a single packet entering a network, a link may see multiple packets
  • Loop
  • Multicasting
• Switch output is not a combinational function of its inputs
  • IO-relation
  • Fixed-point computation
  • Need to store sets of values
Adapting Modeling/Analysis
• Limit packet flow to a single path for a single packet through the network
  • Loops are implicitly blocked
• Captures only part of the network behavior
  • What good is this?
Goal: Counterexamples for Property Failures
(figure: a packet from A to B; slice 1 and slice 2 over switches A, B, C, D; the failing path marked X)
• Suffices for
  • Functional properties: reachability checking, waypointing, blacklisting
  • Functional/performance properties: forwarding loop
  • Security properties: slice isolation (virtualization context)
• Single-path, single-packet counterexample
Evaluation Setup
• SAT solver: MiniSat
• Stanford backbone network
  • 16 routers with full network functions (VLAN, ACL, …)
  • ≈15,000 rules
  • 129 seconds to find a forwarding loop
  • Header Space Analysis (HSA): 758 seconds; uses ternary symbolic simulation
• Synthetic benchmarks for scalability experiments
  • Fat-tree topology
  • Shortest-path routing
  • Depth-first search to generate matching rules
  • Vary: # of switches N, # of routes P, # of packet header bits H
Evaluation
• Property: forwarding loop check
• Setup: vary # of routes, # of header bits
• HSA: Header Space Analysis; SAT: SAT-based method
• Observations
  • Sub-exponential growth with number of routes
  • Low dependence on header size
Evaluation
• Property: reachability check
• Setup: vary # of routes, # of header bits
• HSA: Header Space Analysis; SAT: SAT-based method
• Observations
  • Sub-exponential growth with number of routes
  • Low dependence on header size: small number of equivalence classes of packets
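The single-path, single-packet snapshot check, as an added example that is not the talk's SAT-based tool. Rather than encoding the check in propositional logic, it uses the observation on this slide directly: the prefixes in the rule tables cut the 32-bit destination space into a small number of equivalence classes, one representative address per class is traced along its single path, and a revisited switch is the forwarding-loop counterexample. Reachability and blacklisting fall out of the same traces. The four-switch topology, the rule tables, the addresses, longest-prefix-match semantics, unidirectional (switch, out port) links and the "host"/"drop" actions are all constructed for the example.

```python
import ipaddress

# Constructed snapshot (not data from the talk): four switches holding
# destination-prefix rules with longest-prefix-match semantics.  An action is
# an output port number, "host" (deliver to the attached host) or "drop".
RULES = {
    "S1": [("1.0.0.0/8", "host"), ("0.0.0.0/0", 2)],
    "S2": [("192.168.0.0/16", "drop"), ("0.0.0.0/0", 2)],   # blacklist rule
    "S3": [("10.1.0.0/16", "host"), ("0.0.0.0/0", 2)],
    "S4": [("10.0.0.0/8", 2), ("0.0.0.0/0", "host")],
}
# Unidirectional links, (switch, out port) -> next switch.  S4 port 2 feeds
# back into S2, so a 10.0.0.0/8 destination that S3 does not deliver cycles.
LINKS = {("S1", 2): "S2", ("S2", 2): "S3", ("S3", 2): "S4", ("S4", 2): "S2"}


def to_int(ip):
    return int(ipaddress.ip_address(ip))


def prefix_range(cidr):
    """Half-open integer range [lo, hi) covered by a CIDR prefix, plus its length."""
    net = ipaddress.ip_network(cidr)
    return int(net.network_address), int(net.broadcast_address) + 1, net.prefixlen


def equivalence_classes(rules):
    """Cut the 32-bit destination space at every prefix boundary of every rule
    in the network.  Inside one interval every rule at every switch matches the
    same way, so one representative address stands for the whole interval."""
    cuts = {0, 1 << 32}
    for table in rules.values():
        for cidr, _ in table:
            lo, hi, _ = prefix_range(cidr)
            cuts.update((lo, hi))
    cuts = sorted(cuts)
    return list(zip(cuts, cuts[1:]))


def lookup(table, addr):
    """Longest-prefix match; None means no rule matches (implicit drop)."""
    best = None
    for cidr, action in table:
        lo, hi, plen = prefix_range(cidr)
        if lo <= addr < hi and (best is None or plen > best[0]):
            best = (plen, action)
    return None if best is None else best[1]


def trace(ingress, addr, max_hops=16):
    """Follow one packet along one path (the single-path, single-packet
    abstraction).  The verdict is "host", "drop", "loop" or "bound"."""
    path, sw = [], ingress
    while len(path) < max_hops:
        if sw in path:                      # switch revisited: forwarding loop
            return "loop", path + [sw]
        path.append(sw)
        action = lookup(RULES[sw], addr)
        if action in (None, "drop"):
            return "drop", path
        if action == "host":
            return "host", path
        sw = LINKS[(sw, action)]
    return "bound", path


def verify_snapshot(ingress="S1"):
    """One trace per equivalence class, keyed by the class representative."""
    return {str(ipaddress.ip_address(lo)): trace(ingress, lo)
            for lo, _ in equivalence_classes(RULES)}


def forwarding_loop_counterexample(ingress="S1"):
    """First class whose representative loops: a single-packet counterexample."""
    for rep, (verdict, path) in verify_snapshot(ingress).items():
        if verdict == "loop":
            return rep, path
    return None


def blacklisted_reaches_host(cidr, ingress="S1"):
    """Blacklisting property: does any address inside cidr reach a host?"""
    lo, hi, _ = prefix_range(cidr)
    return any(verdict == "host"
               for rep, (verdict, _) in verify_snapshot(ingress).items()
               if lo <= to_int(rep) < hi)
```

Five distinct prefixes yield nine classes for the whole 2^32 destination space, which is why the slide reports low dependence on header size: the work scales with the number of rule boundaries, not with the number of header bits.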
Controller Verification: Challenges
• Large number of packets alive in network
  • Large buffer state
  • Large interleaving state
• Large number of rules installed in switches
  • Large network state
(figure: controller above switches Swt1, Swt2, Swt3 with hosts H1, H2 and packets pktc, pkt1, pkt4; routing table outPort(inPkt) = Port1 if inPkt.src = Host1, Port2 if inPkt.src = Host3, Port3 if inPkt.src = Hostk, …, Portp if inPkt.src = Hostr, Portq if inPkt.src = Hosta)
Abstractions are Key
(figure, source: Valeria Bertacco: per-component cache states I, S, E, M; concrete component state mapped to abstract component state; concrete cross-product state)
• State-space traversal: PSPACE-completeness
• Abstractions to manage state explosion
  • Over-abstractions
  • No false negatives
Abstraction: Handling Large Number of Packets
(figure: controller above Swt1, Swt2, Swt3 with hosts H1, H2; the concrete packets pktc, pkt1, pkt4 are replaced by environment packets pkte at each switch)
• Environment packets (pkte) simulate the effect of an unbounded number of packets
Evaluation
• Verified a learning switch: no packet gets into a loop in the network
• A buggy stateful firewall example: no source host gets unnecessarily blocked by the firewall; detected known bug: a host did get blocked
D. Sethi, S. Narayana and S. Malik, "Abstractions for Model Checking SDN Controllers," FMCAD 2013
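An explicit-state model checker for a learning-switch controller, as an added example that is not code from the talk or from the FMCAD 2013 paper. It shows the environment-packet abstraction in its simplest form: instead of modelling a concrete sequence of packets, the environment may inject a packet with any header at any host whenever fewer than a fixed number are outstanding, so one nondeterministic step stands in for an unbounded stream, and all interleavings of packet processing are explored. The property is the loop check from the evaluation: in a two-switch network a loop-free path crosses at most one link, so any packet forwarded twice has looped. The topologies (one with two parallel links and no spanning tree, one tree), the hosts, the in-flight cap and the hop bound are constructed assumptions.

```python
from collections import deque

# Constructed example (not the talk's or the paper's model): two learning
# switches, one host per switch on port 0, checked on two link layouts.
HOSTS = {("S1", 0): "H1", ("S2", 0): "H2"}     # (switch, port) -> attached host
MACS = ("H1", "H2")
# Two parallel links between S1 and S2 form a physical loop (no spanning tree).
LOOPED_LINKS = {("S1", 1): ("S2", 1), ("S2", 1): ("S1", 1),
                ("S1", 2): ("S2", 2), ("S2", 2): ("S1", 2)}
TREE_LINKS = {("S1", 1): ("S2", 1), ("S2", 1): ("S1", 1)}
MAX_INFLIGHT = 2    # environment may inject while fewer packets are outstanding
LOOP_FREE_HOPS = 1  # a loop-free path across two switches crosses one link


def ports(sw, links):
    return sorted({p for (s, p) in list(HOSTS) + list(links) if s == sw})


def learning_switch(table, sw, in_port, src, dst, links):
    """Controller logic under test: learn src on in_port; forward to the port
    learned for dst, otherwise flood every other port."""
    table = dict(table)
    table[(sw, src)] = in_port
    if (sw, dst) in table:
        return table, [table[(sw, dst)]]
    return table, [p for p in ports(sw, links) if p != in_port]


def freeze(table, inflight):
    """Canonical, hashable state: learned tables plus the multiset of in-flight
    packets (switch, in port, src, dst, hops)."""
    return (tuple(sorted(table.items())), tuple(sorted(inflight)))


def successors(state, links):
    table, inflight = dict(state[0]), list(state[1])
    # Environment packet pkte: a packet with any header may arrive at any host
    # at any time.  One nondeterministic injection per header stands in for the
    # unbounded stream of concrete packets.
    if len(inflight) < MAX_INFLIGHT:
        for (sw, port), src in HOSTS.items():
            for dst in MACS:
                if dst != src:
                    yield freeze(table, inflight + [(sw, port, src, dst, 0)])
    # Process any one in-flight packet at its switch; branching on the choice
    # explores every interleaving of packet processing.
    for idx, (sw, in_port, src, dst, hops) in enumerate(inflight):
        rest = inflight[:idx] + inflight[idx + 1:]
        new_table, outs = learning_switch(table, sw, in_port, src, dst, links)
        for out in outs:
            if (sw, out) in links:          # host ports absorb the packet
                nsw, nport = links[(sw, out)]
                rest.append((nsw, nport, src, dst, hops + 1))
        yield freeze(new_table, rest)


def model_check(links):
    """Breadth-first exploration with a stored visited set (the state-storage
    cost the slides contrast with bounded model checking).  Returns None if no
    packet ever exceeds LOOP_FREE_HOPS link traversals, otherwise the offending
    packet and the number of steps at which it appears."""
    init = ((), ())
    seen, queue = {init}, deque([(init, 0)])
    while queue:
        state, depth = queue.popleft()
        for pkt in state[1]:
            if pkt[4] > LOOP_FREE_HOPS:
                return pkt, depth
        for nxt in successors(state, links):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


if __name__ == "__main__":
    print("looped topology:", model_check(LOOPED_LINKS))
    print("tree topology:  ", model_check(TREE_LINKS))
```

On the looped topology the checker returns a packet that has crossed two links after three steps (one injection, two switch processings): the unknown-destination flood goes out both parallel ports and comes straight back. On the tree topology the exploration exhausts the finite abstract state space and returns None, which is the "no packet gets into a loop" verdict.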
Synthesis
• Hardware: compile-time optimization of circuits
• Software: program sketching [ASPLOS '06, ICSE '10, …]; fill in program holes
(hardware design flow figure repeated from above)
S. Narain, G. Levin, S. Malik, V. Kaul, "Declarative Infrastructure Configuration Synthesis and Debugging," Journal of Network and Systems Management, 2008
S. Zhang, F. Ivancic, C. Lumezanu, Y. Yuan, A. Gupta and S. Malik, "An Adaptable Rule Placement for Software-Defined Networks," DSN 2014
From Verification to Synthesis: Firewall Case Study
(figure: packet B = {b_1, b_2, …, b_N} fed to Firewall A and Firewall B; P = F_A ≢ F_B)
• Firewall equivalence checking: P = (F_A ≢ F_B)
  • P satisfiable → not equivalent (the satisfying assignment is a distinguishing packet)
  • P unsatisfiable → equivalent
• Very scalable!
Firewall Synthesis
• Firewall with the fewest rules for a given specification
• Symbolic firewalls: represent all firewalls with k rules
(figure: symbolic firewall with k rules maps an incoming packet to an action F)
• Symbols R = {(r_{1,0}, r_{1,1}, r_{1,2}, …), (r_{2,0}, r_{2,1}, r_{2,2}, …), (r_{3,0}, r_{3,1}, r_{3,2}, …), …, (r_{k,0}, r_{k,1}, r_{k,2}, …)}
• Each assignment to R specifies one firewall
Firewall Synthesis
∃R ∀B (g)
• Find an R, if one exists, such that for all packets B, g holds (g: the symbolic firewall with k rules is equivalent to the firewall spec, F_A ≡ F_B)
• Binary search for minimum k
• Practical QBF (and special-purpose) solvers do not scale well
(figure: packet B = {b_1, …, b_N} enters both the symbolic firewall with k rules and the firewall spec; g checks F_A ≡ F_B; symbols R as above)
• Quantified Boolean Formula (QBF): watch the complexity barrier! QBF is PSPACE-complete
• Similar to program sketching
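Both halves of the firewall case study, as an added example that is not the talk's tool: the equivalence check P = (F_A ≢ F_B) and the ∃R ∀B (g) synthesis with binary search on k. Firewalls are modelled as ordered lists of (ternary pattern, allow/deny) over N header bits with first-match semantics and default deny; these conventions, the 3-bit header width and the three firewalls are constructed assumptions. The equivalence check is symbolic: each firewall's accepted set is computed as disjoint ternary cubes, and a non-empty symmetric difference yields the distinguishing packet. Synthesis keeps the quantifier structure of the slide: the existential layer enumerates assignments to the k symbolic rules (here assumed to be r_{i,0} = action and r_{i,1..N} = ternary bits, which is one possible reading of the symbols on the slide), and the universal layer over all packets is discharged by the symbolic check. Enumeration is exponential in N and k, which is the scaling wall the slide attributes to QBF.

```python
import itertools

# Constructed example (not the talk's tool): firewalls are ordered lists of
# (ternary pattern, action) over N_BITS header bits, first match wins, default deny.
N_BITS = 3
SPEC = [("1**", "allow"), ("*1*", "allow"), ("**1", "allow")]  # accept all but 000
FW_B = [("000", "deny"), ("***", "allow")]                      # same behaviour, 2 rules
FW_BUGGY = [("***", "allow"), ("000", "deny")]                  # deny rule is shadowed


def cube_and(a, b):
    """Intersection of two ternary cubes, or None if they are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x == "*":
            out.append(y)
        elif y == "*" or x == y:
            out.append(x)
        else:
            return None
    return "".join(out)


def cube_minus(a, b):
    """a minus b as a list of pairwise-disjoint cubes."""
    inter = cube_and(a, b)
    if inter is None:
        return [a]
    result, prefix = [], list(a)
    for i, (x, y) in enumerate(zip(a, inter)):
        if x == "*" and y != "*":          # split a on each bit b fixes
            c = prefix.copy()
            c[i] = "1" if y == "0" else "0"
            result.append("".join(c))
            prefix[i] = y
    return result


def set_minus(cubes_a, cubes_b):
    out = []
    for a in cubes_a:
        rest = [a]
        for b in cubes_b:
            rest = [c for r in rest for c in cube_minus(r, b)]
        out.extend(rest)
    return out


def accept_set(rules):
    """Accepted packets as disjoint cubes: each allow rule contributes its
    pattern minus everything an earlier rule already matched (first match)."""
    accepted = []
    for i, (pat, act) in enumerate(rules):
        rest = [pat]
        for earlier, _ in rules[:i]:
            rest = [c for r in rest for c in cube_minus(r, earlier)]
        if act == "allow":
            accepted.extend(rest)
    return accepted


def distinguishing_packet(fw_a, fw_b):
    """Symbolic check of F_A != F_B: a witness packet if one exists, else None
    (None plays the role of 'P unsatisfiable', i.e. the firewalls are equivalent)."""
    acc_a, acc_b = accept_set(fw_a), accept_set(fw_b)
    diff = set_minus(acc_a, acc_b) + set_minus(acc_b, acc_a)
    return diff[0].replace("*", "0") if diff else None


def exists_firewall(k, spec, candidates):
    """Existential layer: enumerate every assignment to the k symbolic rules.
    The universal layer over all packets B is discharged by distinguishing_packet."""
    for rules in itertools.product(candidates, repeat=k):
        if distinguishing_packet(list(rules), spec) is None:
            return list(rules)
    return None


def synthesize_min_rules(spec, n_bits=N_BITS):
    """Fewest-rule firewall equivalent to spec, by binary search on k.  Feasibility
    is monotone in k (a redundant rule can always be appended), and spec itself
    is a feasible upper bound."""
    patterns = ["".join(p) for p in itertools.product("01*", repeat=n_bits)]
    candidates = [(p, a) for p in patterns for a in ("allow", "deny")]
    lo, hi, best = 1, len(spec), list(spec)
    while lo < hi:
        mid = (lo + hi) // 2
        found = exists_firewall(mid, spec, candidates)
        if found is None:
            lo = mid + 1
        else:
            best, hi = found, mid
    return best
```

The buggy firewall is caught by the packet 000, the one header on which its shadowed deny rule should have acted; the synthesized two-rule firewall is exactly the deny-then-allow form of FW_B, which no allow-only rule list can match with fewer than three rules.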
Summary
• Verification
  • Scalability barriers: NP-complete vs. PSPACE-complete
  • Implementation verification is invaluable
  • Abstractions are key
• Synthesis
  • Compile-time optimization opportunities
  • Patch in holes
  • Debugging: fixing configuration files, network updates
  • Large-scale synthesis?