research-article

VeriCon: towards verifying controller programs in software-defined networks

Published: 09 June 2014

Abstract

Software-defined networking (SDN) is a new paradigm for operating and managing computer networks. SDN enables logically-centralized control over network devices through a "controller" software that operates independently from the network hardware, and can be viewed as the network operating system. Network operators can run both in-house and third-party SDN programs (often called applications) on top of the controller, e.g., to specify routing and access control policies. SDN opens up the possibility of applying formal methods to prove the correctness of computer networks. Indeed, recently much effort has been invested in applying finite state model checking to check that SDN programs behave correctly. However, in general, scaling these methods to large networks is challenging and, moreover, they cannot guarantee the absence of errors.

We present VeriCon, the first system for verifying that an SDN program is correct on all admissible topologies and for all possible (infinite) sequences of network events. VeriCon either confirms the correctness of the controller program on all admissible network topologies or outputs a concrete counterexample. VeriCon uses first-order logic to specify admissible network topologies and desired network-wide invariants, and then implements classical Floyd-Hoare-Dijkstra deductive verification using Z3. Our preliminary experience indicates that VeriCon is able to rapidly verify correctness, or identify bugs, for a large repertoire of simple core SDN programs. VeriCon is compositional, in the sense that it verifies the correctness of execution of any single network event w.r.t. the specified invariant, and can thus scale to handle large programs. To relieve the burden of specifying inductive invariants from the programmer, VeriCon includes a separate procedure for inferring invariants, which is shown to be effective on simple controller programs. We view VeriCon as a first step en route to practical mechanisms for verifying network-wide invariants of SDN programs.
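
The per-event inductive check described above (the invariant holds initially and is preserved by any single event from any state that satisfies it), as an added example that is not from the paper or from VeriCon. It enumerates a bounded universe of three hosts in plain Python instead of calling Z3; the firewall handler, the `sent` history relation and both invariants are constructed for illustration.

```python
from itertools import chain, combinations, product

HOSTS = range(3)                      # constructed bounded universe
PAIRS = list(product(HOSTS, HOSTS))   # every possible (src, dst) packet

def subsets(items):
    items = list(items)
    return chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))

def packet_in(trusted, allowed, sent, src, dst):
    """Hypothetical stateful-firewall handler: one event, returns the new state."""
    if src in trusted:                # trusted sender opens a hole for dst
        return allowed | {dst}, sent | {(src, dst)}
    if src in allowed:                # untrusted sender with an open hole
        return allowed, sent | {(src, dst)}
    return allowed, sent              # drop

def contacted(trusted, sent, h):
    return any((t, h) in sent for t in trusted)

def inv_goal(trusted, allowed, sent):
    # Desired property: an untrusted host sends only after a trusted host
    # contacted it. Mentions only packet history, not controller state.
    return all(s in trusted or contacted(trusted, sent, s) for s, _ in sent)

def inv_strong(trusted, allowed, sent):
    # Goal plus an auxiliary conjunct tying controller state to the history.
    return inv_goal(trusted, allowed, sent) and all(
        contacted(trusted, sent, a) for a in allowed)

def check_inductive(inv):
    """None if inv holds initially and survives every single event from every
    state satisfying inv (reachable or not); otherwise a counterexample."""
    for trusted in map(frozenset, subsets(HOSTS)):   # every trust assignment
        if not inv(trusted, frozenset(), frozenset()):
            return ("init", trusted)
        for allowed, sent in product(map(frozenset, subsets(HOSTS)),
                                     map(frozenset, subsets(PAIRS))):
            if not inv(trusted, allowed, sent):
                continue
            for src, dst in PAIRS:
                if not inv(trusted, *packet_in(trusted, allowed, sent, src, dst)):
                    return (trusted, allowed, sent, (src, dst))
    return None
```

`check_inductive(inv_goal)` returns a state that satisfies the goal but is unreachable, which is why the auxiliary conjunct in `inv_strong` is needed. A bounded enumeration like this shows the proof obligation only; it is not a proof for all topologies.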

Published in

ACM SIGPLAN Notices, Volume 49, Issue 6
PLDI '14
June 2014
598 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2666356
Editor: Andy Gill

PLDI '14: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2014
619 pages
ISBN: 9781450327848
DOI: 10.1145/2594291

Copyright © 2014 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
