Automated verification of safety properties of declarative networking programs

Networks are complex systems that are unfortunately riddled with errors. Such errors can disrupt services, which may have grave consequences, so verifying networks is key to eliminating errors and building robust networks. In this paper, we propose an approach to verifying networks specified in NDlog, a declarative networking language, and we focus on safety properties. We develop a technique to statically analyze NDlog programs: first, we build a dependency graph over the predicates of the program; then, we build a summary data structure called a derivation pool that represents, for each predicate, all possible derivations together with their associated constraints; finally, properties specified in first-order logic are checked against this data structure with the help of the SMT solver Z3. We build a prototype tool and demonstrate its effectiveness in validating and debugging several SDN applications.
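The three steps in the abstract (dependency graph, derivation pool, property check) can be illustrated on a toy program. The following is an added example written for this page, not the paper's tool or its NDlog syntax: the program is a constructed SDN firewall with location specifiers dropped (`@S` written as `S`), rule heads are assumed to use distinct variables with no body-only variables, the program is assumed non-recursive, and a finite-domain witness search (`satisfiable`) stands in for the call to Z3 that the paper makes. Rule `r3` is planted so that the safety property "every forwarded packet came from a trusted source" has a counterexample derivation.

```python
"""Derivation-pool style safety check for a tiny NDlog-like program (added example)."""
from itertools import product

# Constructed toy SDN firewall: (rule_id, head, body, constraints).
# An atom is (predicate, [variable names]); a constraint is (op, var, const).
BASE = {"pktIn", "trusted"}          # EDB predicates supplied by the network, not derived
RULES = [
    ("r1", ("packet",  ["S", "Src", "Dst", "Port"]),
           [("pktIn",  ["S", "Src", "Dst", "Port"])], []),
    ("r2", ("allowed", ["S", "Src", "Dst", "Port"]),
           [("packet", ["S", "Src", "Dst", "Port"]), ("trusted", ["S", "Src"])], []),
    # r3 is the planted bug: low ports are allowed without any trust check.
    ("r3", ("allowed", ["S", "Src", "Dst", "Port"]),
           [("packet", ["S", "Src", "Dst", "Port"])], [("<", "Port", 1024)]),
    ("r4", ("forward", ["S", "Src", "Dst", "Port"]),
           [("allowed", ["S", "Src", "Dst", "Port"])], []),
]
GOAL = ("forward", ["S", "Src", "Dst", "Port"])
REQUIRED = ("trusted", ["S", "Src"])   # safety property: GOAL implies REQUIRED


def dependency_graph(rules):
    """Step 1: head predicate -> set of body predicates it depends on."""
    graph = {}
    for _, (head_pred, _), body, _ in rules:
        graph.setdefault(head_pred, set()).update(pred for pred, _ in body)
    return graph


def _rename(atom, theta):
    pred, args = atom
    return (pred, [theta.get(a, a) for a in args])


def derivations(atom, rules, stack=()):
    """Step 2: every derivation of `atom` as (rule ids used, base-atom leaves, constraints).
    Assumes head variables are distinct and the program is non-recursive."""
    pred, args = atom
    if pred in BASE:
        return [((), [atom], [])]
    if pred in stack:                      # guard against cycles in this toy
        return []
    pool = []
    for rid, (head_pred, head_args), body, cons in rules:
        if head_pred != pred:
            continue
        theta = dict(zip(head_args, args))  # rename rule variables to the caller's
        partial = [((rid,), [], [(op, theta.get(v, v), c) for op, v, c in cons])]
        for body_atom in body:
            sub = derivations(_rename(body_atom, theta), rules, stack + (pred,))
            partial = [(r1 + r2, l1 + l2, c1 + c2)
                       for (r1, l1, c1) in partial for (r2, l2, c2) in sub]
        pool.extend(partial)
    return pool


# Assumption: a small port domain searched exhaustively instead of asking an SMT solver.
DOMAIN = [0, 22, 80, 1023, 1024, 8080, 65535]
OPS = {"<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def satisfiable(cons):
    """Return a witness assignment making all constraints true, or None."""
    variables = sorted({v for _, v, _ in cons})
    for values in product(DOMAIN, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(OPS[op](env[v], c) for op, v, c in cons):
            return env
    return None


def check_safety(goal, required, rules):
    """Step 3: return [] if every derivation of `goal` carries `required` among its
    leaves; otherwise the counterexample derivations as (rule ids, witness)."""
    counterexamples = []
    for used, leaves, cons in derivations(goal, rules):
        if required in leaves:
            continue
        witness = satisfiable(cons)
        if witness is not None:
            counterexamples.append((used, witness))
    return counterexamples


if __name__ == "__main__":
    print("dependency graph:", dependency_graph(RULES))
    for bad in check_safety(GOAL, REQUIRED, RULES):
        print("violation via rules", bad[0], "with", bad[1])
```

The check reports the derivation `r4 -> r3 -> r1` with a witness port such as 0, which is exactly the debugging information a derivation pool gives: the rule chain to blame and an instance of the constraints that makes it reachable. Deleting `r3` (or adding `trusted(S, Src)` to its body) makes the property hold.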
