Performance Contracts for Software Network Functions

Software network functions (NFs), or middleboxes, promise flexibility and easy deployment of network services, but they face the serious challenge of unexpected performance behaviour. We propose the notion of a performance contract: a construct, formulated in terms of performance-critical variables, that precisely describes NF performance. Performance contracts enable fine-grained prediction and scrutiny of NF performance for arbitrary workloads, without having to run the NF itself. We describe BOLT, a technique and tool for computing such contracts for the entire software stack of NFs written in C, including the core NF logic, the DPDK packet-processing framework, and the NIC driver. BOLT takes the NF implementation code as input and outputs the corresponding contract. Under the covers, it combines pre-analysis of a library of stateful NF data structures with automated symbolic execution of the NF’s code. We evaluate BOLT on four NFs (a Maglev-like load balancer, a NAT, an LPM router, and a MAC bridge) and show that its contracts predict the dynamic instruction count and memory access count with a maximum gap of 7% between the real execution and the conservatively predicted upper bound. Further engineering can narrow this gap.
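
To make the notion of a contract concrete, the following is a minimal sketch in C (the language the NFs themselves are written in) of what a per-packet contract over performance-critical variables (PCVs) could look like. The PCV names and constants describe a hypothetical NAT-like NF and are illustrative assumptions, not values produced by BOLT.

/* Hypothetical sketch of a performance contract: a formula over
 * performance-critical variables (PCVs) that upper-bounds the work done
 * to process one packet. PCV names and constants are illustrative only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PCVs observed for a single packet through a NAT-like NF. */
struct pcv {
    uint64_t expired_flows; /* flows expired while processing this packet */
    bool     lookup_hit;    /* whether the flow-table lookup succeeded    */
};

/* Upper bound on dynamically executed instructions for one packet. */
static uint64_t contract_instructions(const struct pcv *v)
{
    const uint64_t BASE       = 1200; /* fixed per-packet cost           */
    const uint64_t PER_EXPIRY = 85;   /* cost of expiring one stale flow */
    const uint64_t MISS_EXTRA = 310;  /* extra cost of allocating a flow */

    uint64_t bound = BASE + PER_EXPIRY * v->expired_flows;
    if (!v->lookup_hit)
        bound += MISS_EXTRA;
    return bound;
}

int main(void)
{
    /* A packet whose processing expires three flows and misses in the flow table. */
    struct pcv v = { .expired_flows = 3, .lookup_hit = false };
    printf("predicted upper bound: %llu instructions\n",
           (unsigned long long)contract_instructions(&v));
    return 0;
}

In this form, predicting performance for a given workload reduces to evaluating the formula on the PCV values that the workload induces, with no need to execute the NF.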
