p4v: practical verification for programmable data planes

We present the design and implementation of p4v, a practical tool for verifying data planes described using the P4 programming language. The design of p4v is based on classic verification techniques but adds several key innovations, including a novel mechanism for incorporating assumptions about the control plane and domain-specific optimizations that are needed to scale to large programs. We present case studies showing that p4v verifies important properties and finds bugs in real-world programs. We conduct experiments to quantify the scalability of p4v on a wide range of additional examples. We show that with just a few hundred lines of control-plane annotations, p4v is able to verify critical safety properties for switch.p4, a program that implements the functionality of a modern data center switch, in under three minutes.
