10 research outputs found

    Towards Model Checking Real-World Software-Defined Networks (version with appendix)

    In software-defined networks (SDN), a controller program is in charge of deploying diverse network functionality across a large number of switches, but this comes at a great risk: deploying buggy controller code could result in network and service disruption and security loopholes. The automatic detection of bugs or, even better, verification of their absence is thus most desirable, yet the size of the network and the complexity of the controller make this a challenging undertaking. In this paper we propose MOCS, a highly expressive, optimised SDN model that allows capturing subtle real-world bugs in a reasonable amount of time. This is achieved by (1) analysing the model for possible partial order reductions, (2) statically pre-computing packet equivalence classes and (3) indexing packets and rules that exist in the model. We demonstrate its superiority compared to the state of the art in terms of expressivity, by providing examples of realistic bugs that a prototype implementation of MOCS in UPPAAL caught, and in terms of performance/scalability, by running examples on various sizes of network topologies, highlighting the importance of our abstractions and optimisations.

    Applying Formal Methods to Networking: Theory, Techniques and Applications

    Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet, which began as a research experiment, was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring a new protocol built from scratch for every new need. This led to an unwieldy, ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean-slate Internet design, especially the software-defined networking (SDN) paradigm, offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence of interest in applying formal methods to the specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking.

    Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorials

    Abstract Interpretation of Stateful Networks

    Modern networks achieve robustness and scalability by maintaining state on their nodes. These nodes are referred to as middleboxes and are essential for network functionality. However, the presence of middleboxes drastically complicates the task of network verification. Previous work showed that the problem is undecidable in general and EXPSPACE-complete when abstracting away the order of packet arrival. We describe a new algorithm for conservatively checking isolation properties of stateful networks. The asymptotic complexity of the algorithm is polynomial in the size of the network, albeit exponential in the maximal number of queries of the local state that a middlebox can make, which is often small. Our algorithm is sound, i.e., it can never miss a violation of safety, but it may fail to verify some properties. The algorithm performs on-the-fly abstract interpretation by (1) abstracting away the order of packet processing and the number of times each packet arrives, (2) abstracting away correlations between states of different middleboxes and channel contents, and (3) representing middlebox states by their effect on each packet separately, rather than taking into account the entire state space. We show that the abstractions do not lose precision when middleboxes may reset in any state. This is encouraging, since many real middleboxes reset, e.g., after some session timeout is reached or due to hardware failure.

    Formal modelling and validation of an SDN/OpenFlow topology

    ABSTRACT: Today's networks are growing at a rate at which administration becomes cumbersome and complicated when it comes to operating, maintaining and securing them. This is why the concept of network administration is changing worldwide. Software-defined networks (SDN) are described as the future of the Internet because they allow the control plane to be separated from the data forwarding plane of the network, where the control plane, through a software-based controller, manages multiple network devices by assigning them defined policies for the treatment of data flows. SDN is an emerging architecture that is dynamic and low-cost, making it ideal for high bandwidths, the natural dynamic of today's applications. The OpenFlow protocol is the fundamental element and first standard for implementing SDN solutions, since it makes communication between the network equipment (data plane) and the SDN controller (control plane) a reality. The paradigm shift brought by SDN has generated new challenges, which have been the object of study of different research groups around the world in recent years. In particular, given the relevance acquired by the controller and the OpenFlow protocol, predicting their performance has generated high research interest. Discrete-event dynamic systems (DEDS) modelling tools are widely used to build models of telecommunications protocols and devices, allowing their detailed behaviour to be analysed and understood through simulation and formal and functional validation.

    Development of an Abstract Model for Specifying the Properties of Dynamic Networks

    Given the large number of access rules defined for networks and the dynamic change of network topologies, manual verification of important network properties such as reachability, freedom from rule conflicts and freedom from loops is hard for the programmer to accomplish. Formal specification of systems and protocols is considered one of the most important methods used to remove ambiguity from system definitions and to discover flaws in their operation. A lot of research has been presented on specifying packet reachability in networks, but little of it has been checked and analysed with model-checking tools, which help to detect errors in these models. In this paper an abstract model for specifying dynamic networks has been developed so as to be suitable for verifying a set of important network properties, including packet reachability and absence of conflicts, based on an encoding of the network state. The proposed model describing the network is implemented in TLA+ (Temporal Logic of Actions), a high-level specification language built on set theory and first-order logic. The model has been analysed and its properties checked using the TLC model checker that comes with the TLA tools. The results show the correctness of the model and an improvement in reducing the response time and the number of states required to obtain the verification result.