Network Verification Solvers, Symmetries, Surgeries. Nikolaj Bjørner

Transcription

1 Network Verification Solvers, Symmetries, Surgeries Nikolaj Bjørner NetPL, August, 2016

2 Networking needs: Configuration Sanity/Synthesis, Programming, Provisioning Network Design Automation Z3 Z3 advances: Bit-vector Reasoning ~ Header Spaces Reachability Checking, Quantitative Reasoning

3 Symbolic Analysis with Solution/Model x 2 + y 2 < 1 and xy > 0.1 sat, x = 1, y = x 2 + y 2 < 1 and xy > 1 unsat, Proof Is execution path P feasible? SAGE W I T N E S S Z3 solved more than 10 billion constraints created by SymEx tools including SAGE checking Win8,10 and Office Is Formula F Satisfiable? Does Policy Satisfy Contract? Z3 used by Pex, Static Driver Verifier, many other tools

4 Our competition also likes symbolic solving Microsoft Azure and MSR are always hiring. Top engineering and research orgs with big and long term bets.

5 Application Research Synchronized Optimization Mehdi Network Logic Solver Rybalchenko Network Optimized Datalog Lopes min cost max flow fault, Batfish Fogel, Mahajan Varghese Plotkin Network Optimization Control Plane Network buildout Traffic Engineering Reachability in IP networks Flows and Fault analysis Some secret sauce. Network Optimized Datalog Symmetries and surgeries Compact Header Space Enumeration Jayaraman Data Plane Sanity checking of Data plane Configuration Models of Bit-vector formulas Contracts & Netw. Beliefs

6 Calculus and Solvers Application Calculus Solver SecGuru: Access Control Routing Validation Static configurations for Border Gateway Protocol Satisfiability Modulo Theories for Bit-vectors SAT Checking beliefs in networks Verifying SDN controllers Network Optimized Datalog Network Symmetries and Surgeries Quantified logical formulas Datalog for Header Spaces Tries for Header Space partitioning Instantiation based reasoning

7 Verification: Values and Obstacles Hardware Software Networks Chips Devices (PC, phone) Service Bugs are: Burned into silicone Exploitable, workarounds Latent, Exposed Dealing with bugs: Costly recalls Online updates Live site incidents Obstacles to eradication: Design Complexity Code churn, legacy, false positives Topology, configuration churn Value proposition Cut time to market Safety/OS critical systems, Quality of code base Meet SLA, Utilize bandwidth, Enable richer policies

8 SecGuru

9 Policies as Logical Formulas Precise Semantics as formulas Traditional Low level of Configuration network managers use Allow: srcip dstip protocol = 6 Deny: dstip (protocol = 4) Combining semantics Contracts/ Policies Semantic Diffs ሧ Allow i ሥ Deny j i j

10 Access Control Contract: DNS ports on DNS servers are accessible from tenant devices over both TCP and UDP. Contract: The SSH ports on management devices are inaccessible from tenant devices.

11 SecGuru workflow Azure Network Devices GNS Edge Network Devices Contract Database StreamInsight Complex Event Processing (CEP) Application Configuration Stream Contract Stream SECGURU ACL Validation Theorem Prover Device Validation Stream Reports Database Alerts + Reporting in WANetmon Windows Azure Network Monitoring Infrastructure

12 SecGuru for GNS edge ACLs Regression test suite + SecGuru check correctness of Edge ACL prior to deployment Edge ACL Regression Contracts SecGuru to 1000 ACLs Regression Contracts Several major Edge ACL pushes Edge ACL Edge ACL SecGuru no major impact on any services Stable state

13 Beyond Z3: a new idea to go from one violation to all violations ሧ Allow i ሥ Deny j i j Semantic Diffs ሧ Allow m ሥ Deny n m n srcip = /16, /16 dstip = /24, /24 port = 80,443 Representing solutions = 2 27 single solutions, or - 8 products of contiguous ranges, or - A single product of ranges dstip dstip SecGuru contains optimized algorithm for turning single solutions into all (product of ranges) srcip srcip srcport

14 Verifying Forwarding Rules Routes with SecGuru Logic Contract Cluster dst Router 1 dst Router 2 (dst)

15 Network Reachability

16 Checking beliefs in Dynamic Networks A 10* 01* 10* *** B 1** *** 1** *** dst[1] := 0 D *** 1** Which packets can reach B from A? Datalog useful for encoding a broad range of queries. We use belief for a class of general properties that one may expect to hold of networks. Sample belief: packets flow through middle-box [Lopes, B, Godefroid, Jayaraman, Varghese NSDI 15]

17 Applying NoD to P P4 code + Config NoD [Lopes, Rybalchenko, B, McKeown, Talayco, Varghese]

18 Scaling Network Verification using Symmetry and Surgery A Theory of Network Dataplanes - out Nodes 2 Ports - Port = n. i n Nodes, i out n } - links: Port N Nodes - h@n. i i Trans Header Port Header Port Such that n = links n. i, i out(n ) A basis for defining bisimulation relations: h@n. i i [Plotkin, B, Lopes, Rybalchenko, Varghese, POPL 16]

19 Scaling Network Verification using Symmetry and Surgery A Toolbox of Network Transformations Example: Replace a core of a network by a single hub: [Plotkin, B, Lopes, Rybalchenko, Varghese, POPL 16]

20 Scaling Network Verification using Symmetry and Surgery Scaling comprehensive Network Verification Example: Move rules from B to C if forwarding is the same. Relies on efficient representation of header equivalence classes.

21 Router Rules Venn Diagrams ddnf Forwarding rules *** 1** via port1 *1* via port2 **1 via port3 *** via port2 Original guards 1** *1* **1 11* 1*1 * ** 11* *1* 1*1 111 *11 **1 Intersection [B, Juniwal, Mahajan, Seshia, Varghese MSR-TR]

22 Summary Much is about Configuration Correctness: Is intent captured? (SecGuru) Usage (NoD + P4) Synthesis (Control Plane) Bandwidth Use and Provisioning (QNA) Modern packet switched networks a good use case for PL + Symbolic Methods