Abstractions for Verifying Isolation Properties in Stateful Networks

Modern networks achieve robustness and scalability by maintaining state on their nodes. These nodes are referred to as middleboxes and are essential for network functionality. However, the presence of middleboxes drastically complicates the task of network verification. Previous work showed that the problem is undecidable in general and EXPSPACE-complete when abstracting away the order of packet arrival. We describe a new algorithm for conservatively checking isolation properties of stateful networks. The asymptotic complexity of the algorithm is polynomial in the size of the network, although exponential in the maximal number of queries of the local state that a middlebox can make, which is often small. Our algorithm is sound, i.e., it can never miss a violation of safety, but it may fail to verify some properties that do hold. The algorithm performs on-the-fly abstract interpretation by (1) abstracting away the order of packet processing and the number of times each packet arrives, (2) abstracting away correlations between the states of different middleboxes and channel contents, and (3) representing middlebox states by their effect on each packet separately, rather than taking into account the entire state space. We show that the abstractions do not lose precision when middleboxes may reset in any state. This is encouraging since many real middleboxes reset, e.g., after some session timeout is reached or due to hardware failure.
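As an added illustration (not code from the paper), a toy on-the-fly analysis in the spirit of the three abstractions above: each channel holds a set of packets (order and multiplicity of arrival dropped), the firewall's state is a set of learned flows kept independently of channel contents, and an isolation query asks whether any packet from a source can ever appear on the channel into a destination. The topology, hosts and firewall rule are constructed for this example.

```python
"""Toy abstract interpretation of a stateful network (constructed example)."""

# Constructed topology: internal host h1, external hosts h2 and h3, and a
# stateful firewall fw between them. A packet is a (src, dst) pair.
HOSTS = {"h1", "h2", "h3"}
INTERNAL = {"h1"}
# Channels: (from, to) -> abstract set of packets ever placed on the channel
# (abstraction 1: arrival order and multiplicity are not tracked).
CHANNELS = {(h, "fw") for h in HOSTS} | {("fw", h) for h in HOSTS}


def fw_step(pkt, facts):
    """Firewall transition on one packet: (new facts learned, packets forwarded)."""
    src, dst = pkt
    if src in INTERNAL:
        # Outbound traffic is allowed and the flow is remembered.
        return {(src, dst)}, {(src, dst)}
    # Inbound traffic passes only if the reverse flow was seen
    # (the single query of local state this middlebox makes).
    if (dst, src) in facts:
        return set(), {(src, dst)}
    return set(), set()


def analyze(initial_packets):
    """Least fixpoint over channel contents and firewall facts."""
    chans = {c: set() for c in CHANNELS}
    for p in initial_packets:
        chans[(p[0], "fw")].add(p)
    # Abstractions 2 and 3: middlebox state is a set of facts that only grows,
    # tracked without correlation to which packets are currently in flight.
    facts = set()
    changed = True
    while changed:
        changed = False
        for h in HOSTS:
            for pkt in list(chans[(h, "fw")]):
                new_facts, out = fw_step(pkt, facts)
                if not new_facts <= facts:
                    facts |= new_facts
                    changed = True
                for p in out:
                    if p not in chans[("fw", p[1])]:
                        chans[("fw", p[1])].add(p)
                        changed = True
    return chans, facts


def isolated(chans, src, dst):
    """Isolation property: no packet from src is ever delivered to dst."""
    return all(p[0] != src for p in chans[("fw", dst)])
```

With h1 sending only to h2, the analysis reports that h2 can reach h1 (the reverse flow is learned) while h3 remains isolated from h1; because facts only accumulate, dropping packet order loses nothing here, which is the monotone case the abstractions are designed around.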
