4 research outputs found

    Using alloy to formally model and reason about an OpenFlow network switch

    Full text link
    OpenFlow provides a standard interface for separating a network into a data plane and a programmatic control plane. This enables easy network reconfiguration, but introduces the potential for programming bugs to cause network effects. To study OpenFlow switch behavior, we used Alloy to create a software abstraction describing the internal state of a network and its OpenFlow switches. This work is an attempt to model the static and dynamic behaviour of a network built using OpenFlow switches.

    An Alloy Verification Model for Consensus-Based Auction Protocols

    Full text link
    Max Consensus-based Auction (MCA) protocols are an elegant approach to establish conflict-free distributed allocations in a wide range of network utility maximization problems. A set of agents independently bid on a set of items, and exchange their bids with their first-hop neighbors for a distributed (max-consensus) winner determination. The use of MCA protocols was proposed, e.g., to solve the task allocation problem for a fleet of unmanned aerial vehicles, in smart grids, or in distributed virtual network management applications. Misconfigured or malicious agents participating in an MCA, or an incorrect instantiation of policies, can lead to oscillations of the protocol, causing, e.g., Service Level Agreement (SLA) violations. In this paper, we propose a formal, machine-readable Max-Consensus Auction model, encoded in the Alloy lightweight modeling language. The model consists of a network of agents applying the MCA mechanisms, instantiated with potentially different policies, and a set of predicates to analyze its convergence properties. We were able to verify that MCA is not resilient against rebidding attacks, and that the protocol fails (to achieve a conflict-free resource allocation) for some specific combinations of policies. Our model can be used to verify, with a "push-button" analysis, the convergence of the MCA mechanism to a conflict-free allocation for a wide range of policy instantiations.
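The abstract's two findings, a rebidding attacker that prevents convergence and a policy combination under which the protocol fails, can be reproduced in a few dozen lines of simulation. The block below is an added example for this listing, not the paper's Alloy model. Its bidding rule (each agent holds at most one item and honest agents bid only when their valuation beats the winning bid they know of), its two consensus policies (`policy_max_bid`, `policy_latest`) and its attacker (an agent that re-submits its bid with a fresh timestamp every round) are simplifying assumptions; the `simulate` function plays the role of the paper's convergence predicate.

```python
"""Toy max-consensus auction (MCA) with a push-button convergence check.

Constructed example for this listing, not the paper's Alloy model. The
bidding rule, the two consensus policies and the rebidding attacker are
simplifying assumptions: each agent holds at most one item, honest agents bid
only when their valuation beats the winning bid they know of, and conflicts
are resolved by a pluggable policy applied to first-hop neighbours' messages.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

Entry = Tuple[int, float, int]      # (winner id, winning bid, timestamp)
NOBODY: Entry = (-1, 0.0, -1)
Policy = Callable[[Entry, Entry], Entry]


def policy_max_bid(mine: Entry, theirs: Entry) -> Entry:
    """Higher bid wins, ties go to the lower agent id. Bids never decrease."""
    if theirs[1] > mine[1] or (theirs[1] == mine[1] and theirs[0] < mine[0]):
        return theirs
    return mine


def policy_latest(mine: Entry, theirs: Entry) -> Entry:
    """Newest timestamp wins; equal timestamps fall back to policy_max_bid."""
    if theirs[2] != mine[2]:
        return theirs if theirs[2] > mine[2] else mine
    return policy_max_bid(mine, theirs)


@dataclass
class Agent:
    aid: int
    values: List[float]             # valuation of each item
    rebid: bool = False             # attacker: re-submits its bid every round
    view: Dict[int, Entry] = field(default_factory=dict)

    def bid(self, t: int) -> None:
        if self.rebid:
            # Rebidding attacker (assumed behaviour): re-assert a bid on the item
            # it wants most with a fresh timestamp, even after being outbid.
            i = max(range(len(self.values)), key=self.values.__getitem__)
            self.view[i] = (self.aid, self.values[i], t)
            return
        if any(e[0] == self.aid for e in self.view.values()):
            return                  # honest agent already holds an item
        cands = [i for i, v in enumerate(self.values) if v > self.view[i][1]]
        if cands:
            i = max(cands, key=self.values.__getitem__)
            self.view[i] = (self.aid, self.values[i], t)


def consensus_round(agents: List[Agent], adj: Dict[int, List[int]],
                    policy: Policy, t: int) -> None:
    """One MCA round: local bidding, then consensus with first-hop neighbours."""
    for a in agents:
        a.bid(t)
    sent = {a.aid: dict(a.view) for a in agents}     # messages broadcast this round
    for a in agents:
        for nb in adj[a.aid]:
            for item, entry in sent[nb].items():
                a.view[item] = policy(a.view[item], entry)


def state(agents: List[Agent]) -> tuple:
    return tuple(tuple(sorted(a.view.items())) for a in agents)


def conflict_free(agents: List[Agent]) -> bool:
    """Every agent agrees on every winner and no agent is assigned two items."""
    views = state(agents)
    if any(v != views[0] for v in views):
        return False
    winners = [e[0] for _, e in views[0] if e[0] != -1]
    return len(winners) == len(set(winners))


def simulate(values: Sequence[Sequence[float]], adj: Dict[int, List[int]],
             policy: Policy, attackers: Sequence[int] = (), max_rounds: int = 40) -> dict:
    """Run MCA until no view changes; trace holds each item's winner per round (agent 0's view)."""
    n_items = len(values[0])
    agents = [Agent(a, list(v), rebid=a in attackers,
                    view={i: NOBODY for i in range(n_items)})
              for a, v in enumerate(values)]
    trace: List[Tuple[int, ...]] = []
    for t in range(max_rounds):
        before = state(agents)
        consensus_round(agents, adj, policy, t)
        trace.append(tuple(agents[0].view[i][0] for i in range(n_items)))
        if state(agents) == before:
            return {"converged": True, "rounds": t,
                    "conflict_free": conflict_free(agents), "trace": trace}
    return {"converged": False, "rounds": max_rounds,
            "conflict_free": conflict_free(agents), "trace": trace}


# Constructed scenario: three agents, two items, fully connected; agent 1 wants
# item 0 but is legitimately outbid for it by agent 0.
VALUES = [[10.0, 4.0], [8.0, 2.0], [3.0, 5.0]]
TRIANGLE = {0: [1, 2], 1: [0, 2], 2: [0, 1]}

if __name__ == "__main__":
    for name, policy in (("max-bid", policy_max_bid), ("latest-wins", policy_latest)):
        honest = simulate(VALUES, TRIANGLE, policy)
        attacked = simulate(VALUES, TRIANGLE, policy, attackers=[1])
        print(f"{name:12} honest: converged={honest['converged']} winners={honest['trace'][-1]}")
        print(f"{name:12} rebid : converged={attacked['converged']} last rounds={attacked['trace'][-4:]}")
```

Under the max-bid policy the attacker's re-submitted, lower bid is discarded at every neighbour and the network settles on the same conflict-free allocation as the honest run. Under the timestamp policy the fresh timestamp wins, the legitimate holder re-bids, and the winner of item 0 flips every round: the network never reaches a fixed point, which is exactly the oscillation the abstract attributes to rebidding under an unfortunate policy choice.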

    Using Alloy to Formally Model and Reason About an OpenFlow Network Switch

    No full text
    OpenFlow provides a standard interface for separating a network into a data plane and a programmatic control plane. This enables easy network reconfiguration, but introduces the potential for programming bugs to cause network effects. To study OpenFlow switch behavior, we used Alloy to create a software abstraction describing the internal state of a network and its OpenFlow switches. This work is an attempt to model the static and dynamic behaviour of a network built using OpenFlow switches.

    A theory of flow network typings and its optimization problems

    Full text link
    Many large-scale and safety critical systems can be modeled as flow networks. Traditional approaches for the analysis of flow networks are whole-system approaches in that they require prior knowledge of the entire network before an analysis is undertaken, which can quickly become intractable as the size of the network increases. In this thesis we study an alternative approach to the analysis of flow networks, which is modular, incremental and order-oblivious. The formal mechanism for realizing this compositional approach is an appropriately defined theory of network typings. Typings are formalized differently depending on how networks are specified and which of their properties is being verified. We illustrate this approach by considering a particular family of flow networks, called additive flow networks. In additive flow networks, every edge is assigned a constant gain/loss factor which is activated provided a non-zero amount of flow enters that edge. We show that the analysis of additive flow networks, more specifically the max-flow problem, is NP-hard, even when the underlying graph is planar. The theory of network typings gives rise to different forms of graph decomposition problems. We focus on one problem, which we call the graph reassembling problem. Given an abstraction of a flow network as a graph G = (V,E), one possible definition of this problem is specified in two steps: (1) We cut every edge of G into two halves to obtain a collection of |V| one-vertex components, and (2) we splice the two halves of all the edges, one edge at a time, in some order that minimizes the complexity of constructing a typing for G, starting from the typings of its one-vertex components. One optimization is minimizing the “maximum” edge-boundary degree of components encountered during the reassembling of G (denoted as the α measure). Another is to minimize the “sum” of all edge-boundary degrees encountered during this process (denoted by the β measure). Finally, we study different variations of graph reassembling (with respect to minimizing α or β) and their relation with problems such as Linear Arrangement, Routing Tree Embedding, and Tree Layout.
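To make the two-step reassembling problem and its α and β measures concrete, the block below is an added example for this listing, not code from the thesis. It assumes one reading of the abstract: a component's edge-boundary degree is the number of half-edges of not-yet-spliced edges attached to it (the interface its typing must describe), α is the largest such degree over the components formed by splices, and β is their sum; the initial one-vertex components are not counted. `reassemble` scores a given splicing order and `best_order` brute-forces the optimal order for a small graph.

```python
"""Graph reassembling: score an edge-splicing order by the α and β measures.

Constructed example for this listing, not code from the thesis. Assumed
reading of the abstract: start from one-vertex components, splice the edges
of G in the given order, and count a component's edge-boundary degree as the
number of half-edges of not-yet-spliced edges attached to it (the interface
its typing must describe). α is the largest boundary degree of any component
formed by a splice, β the sum over all of them; the one-vertex start
components are not counted.
"""
from itertools import permutations
from typing import Dict, FrozenSet, List, Sequence, Tuple

Edge = Tuple[str, str]


def boundary_degree(comp: FrozenSet[str], unspliced: Sequence[Edge]) -> int:
    """Half-edges of still-cut edges that land in `comp` (see module docstring)."""
    return sum((u in comp) + (v in comp) for u, v in unspliced)


def reassemble(vertices: Sequence[str], edges: Sequence[Edge],
               order: Sequence[int]) -> Tuple[int, int, List[tuple]]:
    """Splice `edges` in `order` (indices into edges); return (alpha, beta, per-splice log)."""
    comp_of: Dict[str, FrozenSet[str]] = {v: frozenset([v]) for v in vertices}
    cut = dict(enumerate(edges))            # edges whose two halves are still unspliced
    degrees: List[int] = []
    log: List[tuple] = []
    for k in order:
        u, v = cut.pop(k)
        merged = comp_of[u] | comp_of[v]    # unchanged set if u, v already share a component
        for w in merged:
            comp_of[w] = merged
        d = boundary_degree(merged, list(cut.values()))
        degrees.append(d)
        log.append((edges[k], sorted(merged), d))
    return max(degrees), sum(degrees), log


def best_order(vertices: Sequence[str], edges: Sequence[Edge],
               measure: str = "alpha") -> Tuple[int, Tuple[int, ...]]:
    """Brute-force the splicing order minimising α or β; fine for a handful of edges."""
    idx = {"alpha": 0, "beta": 1}[measure]
    best = None
    for order in permutations(range(len(edges))):
        score = reassemble(vertices, edges, order)[idx]
        if best is None or score < best[0]:
            best = (score, order)
    return best


# Constructed input: the path a-b-c-d-e.
PATH_V = ["a", "b", "c", "d", "e"]
PATH_E = [("a", "b"), ("b", "c"), ("c", "d"), ("d", "e")]

if __name__ == "__main__":
    for name, order in (("end-to-end", (0, 1, 2, 3)), ("middle-out", (1, 2, 0, 3))):
        alpha, beta, log = reassemble(PATH_V, PATH_E, order)
        print(f"{name}: alpha={alpha} beta={beta}")
        for edge, comp, d in log:
            print(f"  splice {edge} -> component {comp}, boundary degree {d}")
    print("best for alpha:", best_order(PATH_V, PATH_E, "alpha"))
    print("best for beta :", best_order(PATH_V, PATH_E, "beta"))
```

On the path, splicing from one end keeps every intermediate component's interface at a single dangling half-edge (α = 1, β = 3), while starting in the middle exposes two half-edges at once (α = 2, β = 5); that gap is what the thesis's ordering optimization is about, and the brute-force search is only a sanity check for tiny graphs, not a substitute for the decomposition theory.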