Automated Verification of Customizable Middlebox Properties with Gravel

Building a formally verified software middlebox is attractive for network reliability. In this paper, we explore the feasibility of verifying "almost unmodified" software middleboxes. Our key observation is that software middleboxes are already designed and implemented in a modular way (e.g., Click). Further, to achieve high performance, the number of operations each element or module performs is finite and small. These two characteristics place them within reach of automated verification through symbolic execution. We perform a systematic study to test how many existing Click elements can be automatically verified using symbolic execution. We show that 45% of the elements can be automatically verified and an additional 33% of Click elements can be automatically verified with slight code modifications. To allow automated verification, we build Gravel, a software middlebox verification framework. Gravel allows developers to specify high-level middlebox properties and checks correctness in the implementation without requiring manual proofs. We then use Gravel to specify and verify middlebox-specific properties for several Click-based middleboxes. Our evaluation shows that Gravel avoids bugs that are found in today's middleboxes with minimal code changes and that the code modifications needed for proof automation do not affect middlebox performance.