Automated Synthesis of Reactive Controller for Software-defined Networks

Transcription

1 Automated Synthesis of Reactive Controller for Software-defined Networks Anduo Wang Salar Moarref Ufuk Topcu Boon Thau Loo Andre Scedrov University of Pennsylvania 1

2 Networks are complicated network operator Management scripts and tools network operator Control Software Control Software Control Software Control Software Control Software 2

3 Management in Software-Defined Network network operator Management scripts and tools network operator Openflow Controller Software Control Software SDN eases enforcing control logic But constructing Control a control logic is... stillcontrol Manual, low-level, Software hidden dependencies, Software silent failures Lacking rigorous and scalable management tool Control Software 3

4 Example problem: constructing access control Flows: U,G,S,F Flows: U,G,S,F F : Forward to F 2 S : Forward to F 1 U : Forward to F 1 G : Forward to F 1 I F : Forward to F 2 S : Forward to F 1 U : Forward to F 1 G : Forward to F 1 I F 1 F 2 F 1 F 2 U: Deny G: Monitor SSH G: Deny other S: all F: all?? Switches: I (ingress), F 1,2 (for two servers) Flows: U (untrusted), G(guest), S(student), F(faculty) Security policy: do not allow U flows to transit Routing path changes How to update access control Find a strategy for updating access control rules Enforce security policy for all path changes Given a strategy, find an ordering of rule updates Enforce security policy for all transient states 4

5 Outline Synthesize provably correct control logic Formulate and solve as a reactive synthesis problem Scale by network abstraction Introduce network abstraction as simulation relation 5

6 Synthesize access-control for example problem ( path, control) change access update Formulate as reactive synthesis -- a two-player, temporal logic game Routing path rule (player 1) triggers a change, access-control (player 2) makes an update in response Temporal property specifies security policy A winning strategy for access-control enforces security policy against any path change 6

7 Background: two player, temporal logic game q1 start q0 q3 q2 Two players make alternating moves Circle (Square) represents two player states Q 1(Q2) Temporal logic specifies player s goal Never enter state: ( ) Synthesize a winning strategy Q 2 avoids state regardless how Q1 moves 7

8 Synthesis -- two player, temporal logic game Combine alternating transitions into a joint action (a1,b1) b1 (a1,b1) b1 a1 (a1,b2) b2 a1 (a1,b2) b2 a2 b1 (a2,b1) (a2,b2) b2 a2 b1 (a2,b1) (a2,b2) b2 Circle Winning has strategy a winning (a2,b1), strategy (a2,b2) Square has no winning strategy Square Winning has strategy a winning (a1,b2) strategy (a2,b2) b2 Circle has no winning strategy 8

9 Example: synthesize access-control F : Forward to F 2 S: Forward to F 1 U: Forward to F 1 U: Forward to F 2 G: Forward to F 1? Flows: U,G,S,F I F 1 F 2? Input Two player variables, system transitions, security invariant Output A strategy with finite memory F1ac: Deny, F2ac: Deny, Iac: Deny, IF: 1 U: Deny G: Monitor SSH G: Deny other S: all F: all U: Deny F1ac: Deny, F2ac:, Iac:, IF: 1 F1ac: Deny, F2ac: Deny, Iac:, IF: 2 9

10 Synthesis is hard ( path, control) change access update Synthesis for general temporal property is hard (Relative) efficient for some properties Safety (always avoid P), response (if P 1 then P2), persistence (eventually stay at P), recurrence (infinitely often P) Need scaling technique... 10

11 Scaling by abstraction Large network A Network abstraction Smaller network B that simulates A Perform synthesis on abstract network Implement synthesized solution on original network Deny Deny Deny Deny 11

12 Synthesis by abstraction Large network A with Property φ Abstraction Implementation Smaller network B Synthesize strategy for φ Introduce network abstraction by simulation relation Simulation is a relation R : A B Model A, B by transition system with observation R maps states and transition in A to that in B with same observation Simulation R ensures φ synthesized for B is also preserved in A 12

13 Transition system model Transition system (V0, V, T, O, H) for a network Network states V (initial V 0 ), observable outputs O Network transitions T V V Output function H:V O maps each network state to its observable behavior relevant in synthesis Network a1a2a3 r2r3 V: a1, a2, a3 are access control for1,2,3 O: r2, r3 are reachability for 2,3 States State transition

14 Simulation preserves synthesis property Simulation from Sa to Sb is a relation R that: maps each v a Va to some vb Vb with same output value maps each transition (va, va ) Ta in Sa to some transition (vb,vb ) Tb in Sb A Sa 0 Sb B O: r2,r R ,2 3 O: r12,r3 Theorem If Sa is simulated by Sb. Let φ be a LTL property over the output variables Oa(Ob). Then, we have Sb satisfies φ implies Sa satisfies φ 14

15 More abstraction examples ,2 3 2,3 3 3 O: r1,r3 O: r1,r23 O: r3 O: r3 Network Abstract network Network Abstract network O: r2,r3 a 1 a 2 a 3 f 1011 r 2 r 3 01 No abstraction exists 15

16 Conclusion Construct provably correct configuration Automate critical part of network management Formulate and solve reactive synthesis problem Leverage off-the-shelf tools Scale by network abstraction Propose network abstraction as simulation relation 16

17 Discussion Need killer app for synthesis Look for complex network elements and properties Middlebox, racing conditions, failure recovery Extract properties from examples Combine logical constraints and optimization goal Network abstraction General patterns in edge configuration Abstraction for composing distributed control 17