Model Checking Data Flows in Concurrent Network Updates (Full Version)

We present a model checking approach for the verification of data flow correctness in networks during concurrent updates of the network configuration. This verification problem is of great importance for software-defined networking (SDN), where errors can lead to packet loss, black holes, and security violations. Our approach is based on a specification of temporal properties of individual data flows, such as the requirement that the flow is free of cycles. We check whether these properties are simultaneously satisfied for all active data flows while the network configuration is updated. To represent the behavior of the concurrent network controllers and the resulting evolutions of the configurations, we introduce an extension of Petri nets with a transit relation, which characterizes the data flow caused by each transition of the Petri net. For safe Petri nets with transits, we reduce the verification of temporal flow properties to a circuit model checking problem that can be solved with effective verification techniques like IC3, interpolation, and bounded model checking. We report on encouraging experiments with a prototype implementation based on the hardware model checker ABC.
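The Petri nets with transits sketched in the abstract, as an added example that is not code from the paper or from its tools (AdamMC, ABC): a constructed three-switch update whose new rules are installed either concurrently or in a fixed order, checked by explicit-state exploration rather than the paper's circuit encoding. The encoding of transits as (source, target) pairs per transition, the rule-as-place modelling, the contact-freeness check that keeps the net safe, and the flow property "no data flow can be forwarded forever" are my assumptions.

```python
from collections import deque

def net(ordered):
    """Constructed example: old config s1->s2->s3->out, new config s1->s3->s2->out.
    Places r* are installed rules; upd* replace a rule (control flow, no transit)."""
    t = {  # name: (preset, postset, transits as (from, to); from None = new flow)
        "ingress": ({"src"}, {"src", "s1"}, [(None, "s1")]),
        "fwd_12": ({"s1", "r12"}, {"s2", "r12"}, [("s1", "s2")]),
        "fwd_23": ({"s2", "r23"}, {"s3", "r23"}, [("s2", "s3")]),
        "fwd_3o": ({"s3", "r3o"}, {"r3o"}, []),  # no transit: the flow leaves
        "fwd_13": ({"s1", "r13"}, {"s3", "r13"}, [("s1", "s3")]),
        "fwd_32": ({"s3", "r32"}, {"s2", "r32"}, [("s3", "s2")]),
        "fwd_2o": ({"s2", "r2o"}, {"r2o"}, []),
        "upd1": ({"r12"}, {"r13"}, []),
        "upd2": ({"r23"}, {"r2o"}, []),
        "upd3": ({"r3o"}, {"r32"}, []),
    }
    if ordered:  # control places c1, c2 force the order upd2, upd3, upd1
        t["upd2"] = ({"r23"}, {"r2o", "c1"}, [])
        t["upd3"] = ({"r3o", "c1"}, {"r32", "c2"}, [])
        t["upd1"] = ({"r12", "c2"}, {"r13"}, [])
    return t, frozenset({"src", "r12", "r23", "r3o"})

def find_loop(transitions, init):
    """Explicit-state check of 'no data flow can be forwarded forever'. A state is
    (marking, position of one tracked flow; None = untracked). Returns the switches
    some flow can circulate through, or None if every flow eventually leaves."""
    succ, todo = {(init, None): []}, deque([(init, None)])
    while todo:
        m, p = todo.popleft()
        for pre, post, transit in transitions.values():
            if not pre <= m or (post - pre) & m: continue  # disabled / unsafe
            m2 = (m - pre) | post
            moves = [(q, True) for s, q in transit if s == p]  # tracked flow moves
            if p is None: moves.append((None, False))  # may also stay untracked
            elif p not in pre: moves = [(p, False)]    # flow not touched by t
            for q, moved in moves:                     # no moves: the flow ended
                succ[(m, p)].append(((m2, q), moved))
                if (m2, q) not in succ:
                    succ[(m2, q)] = []; todo.append((m2, q))
    def reach(s):
        seen, stack = set(), [s]
        while stack:
            x = stack.pop()
            if x not in seen:
                seen.add(x); stack.extend(y for y, _ in succ[x])
        return seen
    for s, edges in succ.items():
        for s2, moved in edges:
            if moved and s in reach(s2):  # the flow moves and can come back
                return {x[1] for x in reach(s2) if s in reach(x)}
```

With the unordered update, installing s3->s2 while s2->s3 is still present lets a packet circulate between s2 and s3; forcing s2->out first removes the transient loop.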
