Yuanjie Si,Jun Sun,Yang Liu,Jin Song Dong,Jun Pang,Shao Jie Zhang,Xiaohu Yang

DOI: https://doi.org/10.1007/s11704-013-3091-5

2014-01-01

Abstract:Recent development on distributed systems has shown that a variety of fairness constraints (some of which are only recently defined) play vital roles in designing self-stabilizing population protocols. Existing model checkers are deficient in verifying the systems as only limited kinds of fairness are supported with limited verification efficiency. In this work, we support model checking of distributed systems in the toolkit PAT (process analysis toolkit), with a variety of fairness constraints (e.g., process-level weak/strong fairness, event-level weak/strong fairness, strong global fairness). It performs on-the-fly verification against linear temporal properties. We show through empirical evaluation (on recent population protocols as well as benchmark systems) that PAT has advantage in model checking with fairness. Previously unknown bugs have been revealed against systems which are designed to function only with strong global fairness.

Ali Kheradmand,Grigore Rosu

DOI: https://doi.org/10.48550/arXiv.1804.01468

2018-04-04

Networking and Internet Architecture

Abstract:Programmable packet processors and P4 as a programming language for such devices have gained significant interest, because their flexibility enables rapid development of a diverse set of applications that work at line rate. However, this flexibility, combined with the complexity of devices and networks, increases the chance of introducing subtle bugs that are hard to discover manually. Worse, this is a domain where bugs can have catastrophic consequences, yet formal analysis tools for P4 programs / networks are missing. We argue that formal analysis tools must be based on a formal semantics of the target language, rather than on its informal specification. To this end, we provide an executable formal semantics of the P4 language in the K framework. Based on this semantics, K provides an interpreter and various analysis tools including a symbolic model checker and a deductive program verifier for P4. This paper overviews our formal K semantics of P4, as well as several P4 language design issues that we found during our formalization process. We also discuss some applications resulting from the tools provided by K for P4 programmers and network administrators as well as language designers and compiler developers, such as detection of unportable code, state space exploration of P4 programs and of networks, bug finding using symbolic execution, data plane verification, program verification, and translation validation.

Karuna Grewal,Loris D'Antoni,Justin Hsu

DOI: https://doi.org/10.48550/arXiv.2204.03113

2022-04-06

Programming Languages

Abstract:Modern programmable network switches can implement custom applications using efficient packet processing hardware, and the programming language P4 provides high-level constructs to program such switches. The increase in speed and programmability has inspired research in dataplane programming, where many complex functionalities, e.g., key-value stores and load balancers, can be implemented entirely in network switches. However, dataplane programs may suffer from novel security errors that are not traditionally found in network switches. To address this issue, we present a new information-flow control type system for P4. We formalize our type system in a recently-proposed core version of P4, and we prove a soundness theorem: well-typed programs satisfy non-interference. We also implement our type system in a tool, P4bid, which extends the type checker in the p4c compiler, the reference compiler for the latest version of P4. We present several case studies showing that natural security, integrity, and isolation properties in networks can be captured by non-interference, and our type system can detect violations of these properties while certifying correct programs.

Apoorv Shukla,Seifeddine Fathalli,Thomas Zinner,Artur Hecker,Stefan Schmid

DOI: https://doi.org/10.1109/jsac.2020.2999653

IF: 16.4

2020-07-01

IEEE Journal on Selected Areas in Communications

Abstract:The prevailing wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Unfortunately, bugs, misconfigurations, faults or attacks can introduce inconsistencies between the network control and the data plane that can undermine the correct operation at runtime. Through our experiments, we realize that P4 SDNs are no exception, and are prone to similar problems. With the aim to verify the control-data plane inconsistency, we present the design and implementation of P4Consist, a system to detect the inconsistency between control and data plane in P4 SDNs. P4Consist generates active probe-based traffic continuously or periodically as an input to the P4 SDNs to check whether the actual behavior on the data plane corresponds to the expected control plane behavior. In P4Consist, the control plane and the data plane generate independent reports which are later, compared to verify the control-data plane consistency. The previous works in the field of monitoring and verification mostly aim to test the P4 programs through static analysis and thus, are insufficient to verify the network consistency at runtime. Experiments with our prototype implementation of P4Consist are promising and show that P4Consist can verify the control-data plane consistency in the complex datacenter 4-ary fat-tree (20 switches) and multipath grid (4, 9 and 16 switches) topologies with 60k rules per switch within a minimum time of 4 minutes. At the same time, P4Consist scales to multiple source-destination pairs to detect control-data plane inconsistency.

telecommunications,engineering, electrical & electronic

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Matthias Eichholz,Eric Campbell,Nate Foster,Guido Salvaneschi,Mira Mezini

DOI: https://doi.org/10.48550/arXiv.1906.07223

2019-06-24

Abstract:The P4 programming language offers high-level, declarative abstractions that bring the flexibility of software to the domain of networking. Unfortunately, the main abstraction used to represent packet data in P4, namely header types, lacks basic safety guarantees. Over the last few years, experience with an increasing number of programs has shown the risks of the unsafe approach, which often leads to subtle software bugs. This paper proposes SafeP4, a domain-specific language for programmable data planes in which all packet data is guaranteed to have a well-defined meaning and satisfy essential safety guarantees. We equip SafeP4 with a formal semantics and a static type system that statically guarantees header validity---a common source of safety bugs according to our analysis of real-world P4 programs. Statically ensuring header validity is challenging because the set of valid headers can be modified at runtime, making it a dynamic program property. Our type system achieves static safety by using a form of path-sensitive reasoning that tracks dynamic information from conditional statements, routing tables, and the control plane. Our evaluation shows that SafeP4's type system can effectively eliminate common failures in many real-world programs.

Programming Languages

Yu Zhou,Jun Bi,Yunsenxiao Lin,Yangyang Wang,Dai Zhang,Zhaowei Xi,Jiamin Cao,Chen Sun

DOI: https://doi.org/10.1145/3326285.3329040

2019-01-01

Abstract:P4 and programmable data planes bring significant flexibility to network operation but are inevitably prone to various faults. Some faults, like P4 program bugs, can be verified statically, while some faults, like runtime rule faults, only happen to running network devices, and they are hardly possible to handle before deployment. Existing network testing systems can troubleshoot runtime rule faults via injecting probes, but are insufficient for programmable data planes due to large overheads or limited fault coverage. In this paper, we propose P4Tester, a new network testing system for troubleshooting runtime rule faults on programmable data planes. First, P4Tester proposes a new intermediate representation based on Binary Decision Diagram, which enables efficient probe generation for various P4-defined data plane functions. Second, P4Tester offers a new probe model that uses source routing to forward probes. This probe model largely reduces rule fault detection overheads, i.e. requiring only one server to generate probes for large networks and minimizing the number of probes. Moreover, this probe model can test all table rules in a network, achieving full fault coverage. Evaluation based on real-world data sets indicates that P4Tester can efficiently check all rules in programmable data planes, generate 59% fewer probes than ATPG and Pronto, be faster than ATPG by two orders of magnitude, and troubleshoot multiple rule faults within one second on BMv2 and Tofino.

Zichen Xu,Ziye Lu,Zuqing Zhu

DOI: https://doi.org/10.1109/tnet.2024.3448244

2024-01-01

Abstract:With the development of programmable data plane (PDP), in-band network telemetry (INT) has become a promising network monitoring technique to visualize network operations in a fine-grained and real-time way. In this work, to better balance the tradeoff between INT overheads and monitoring accuracy, we design and optimize an information-sensitive INT system (namely, P4InfoSen-INT), which makes each PDP switch decide locally whether and what type(s) of telemetry data should be inserted in a packet based on the “information content” of the data, and implement it in P4-based PDP switches. We first realize the basic principle of P4InfoSen-INT with P4 programs. Then, we propose algorithms to estimate the information content of telemetry data accurately in a dynamic network and optimize the tradeoff between INT overheads and monitoring accuracy. Finally, we further optimize the implementation of P4InfoSen-INT by proposing table merging to reduce stage occupation in each switch. Experimental results verify that our proposed P4InfoSen-INT can balance the tradeoff between INT overheads and monitoring accuracy better than existing benchmarks.

Chong Ye,Fei He

DOI: https://doi.org/10.1145/3611643.3613091

2023-01-01

Abstract:P4 is a mainstream language for Software Defined Network (SDN) data planes. P4 is designed to achieve target-independent, protocol-independent, and configurable SDN data planes. However, logic errors may occur in P4 programs, resulting in improper packet processing, which may cause serious network errors and information disclosure. In addition, P4 programs contain many branches and thus are more challenging to ensure correctness. Formal verification is a powerful technique to verify the correctness of P4 programs. Unfortunately, current P4 verification studies lack basic toolchains, and their intermediate languages are not expressive enough. We present P4b, an efficient translator from P4 programs to Boogie, a verification-oriented intermediate representation. We provide formal translation rules to ensure the correctness of the translation process. The translated results can be verified by the toolchain of Boogie. We conducted experiments on 170 P4 programs collected from GITHUB, and the experimental results demonstrate that our translator is useful and practical. The screencast is available at https://youtu.be/8_rEj3QFQeM. The tool is available at https://github.com/Invincibleyc/P4B-Translator.

Heyu Chang,Xiaobing Zhang,Nianwen Si,Ping Wu

DOI: https://doi.org/10.1016/j.cose.2024.103906

IF: 5.105

2024-05-28

Computers & Security

Abstract:By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9% additional forwarding delay and less than 8% throughput degradation.

computer science, information systems

Shenshen Chen,Jian Luo,Dong Guo,Kai Gao,Yang Richard Yang

2024-02-26

Abstract:Data plane verification (DPV) analyzes routing tables and detects routing abnormalities and policy violations during network operation and planning. Thus, it has become an important tool to harden the networking infrastructure and the computing systems building on top. Substantial advancements have been made in the last decade and state-of-the-art DPV systems can achieve sub-us verification for an update of a single forwarding rule.

Networking and Internet Architecture

Shou-Yi WANG,Qi LI,Yun ZHANG

DOI: https://doi.org/10.11897/SP.J.1016.2019.00176

2019-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Software-Defined Networking (SDN) simplifies network management by separating control and data planes, and has been received much attention recently.However, SDN cannot ensure correctness of packet forwarding in the networks, e.g., the packets in SDN can be dropped, tampered with, or faked, which may be incurred by false forwarding rule enforcement or attacks.SDN has a simple packet forwarding mechanism in its data plane so that the forwarding verification techniques in the traditional IP networks cannot be applied in SDN.Therefore, it is challenging to verify packet forwarding and ensure correctness of packet forwarding in SDN.The existing studies verify packet forwarding in SDN by verifying packets hop-by-hop or periodically comparing flow statistics of all flows, which incurs significant computation and communication overhead.In this paper, we present LPV (Lightweight Packet Forwarding Verification), a system provides the ability of verifying SDN data plane forwarding.The goal of LPV is to provide a reliable and practical mechanism to detect and defend against wrong packet forwarding.To this end, we develop a lightweight forwarding verification approach to detecting forwarding anomalies and locating malicious switches by leveraging the Packet-in mechanism and the flow statistics maintained in switches.LPV samples packets delivered by ingress and egress switches according to dedicated flow rules, and reports the message authentication code (MAC) values of packets and the statistics of the corresponding flows by Packet-in messages.Thereby, the controllers can detect malicious forwarding behaviors by comparing the MAC values of the packets and the statistics of the flows.Moreover, LPV can locate the switches that perform the malicious packet forwarding behaviors, e.g., malicious packet modification and packet dropping, by analyzing the correlations of the information, i.e., the Packet-in messages and flow statistics.By enforcing the sample mechanism, LPV significantly reduces the computation cost, and communication and storage overheads, which incurred by packet processing in switches and controllers.In particular, by randomly sampling packets according to the flow rules, LPV ensures the consistency of packet processing performed by different switches.Adversaries cannot easily infer which packets are sampled so that they cannot interfere with the verification.We implement a prototype of LPV with open source OpenFlow controllers, i.e., Floodlight, and open source OpenFlow switches, i.e., ofsoftware13, and evaluate the performance by Mininet experiments.The experimental results show that LPV detects various forwarding anomalies, while introducing negligible overhead, i.e., around 10％average delays in packet forwarding and less than 10％communication overhead.

Dirk Beyer,Po-Chun Chien,Nian-Ze Lee

2024-10-25

Abstract:Software model checking is a challenging problem, and generating relevant invariants is a key factor in proving the safety properties of a program. Program invariants can be obtained by various approaches, including lightweight procedures based on data-flow analysis and intensive techniques using Craig interpolation. Although data-flow analysis runs efficiently, it often produces invariants that are too weak to prove the properties. By contrast, interpolation-based approaches build strong invariants from interpolants, but they might not scale well due to expensive interpolation procedures. Invariants can also be injected into model-checking algorithms to assist the analysis. Invariant injection has been studied for many well-known approaches, including k-induction, predicate abstraction, and symbolic execution. We propose an augmented interpolation-based verification algorithm that injects external invariants into interpolation-based model checking (McMillan, 2003), a hardware model-checking algorithm recently adopted for software verification. The auxiliary invariants help prune unreachable states in Craig interpolants and confine the analysis to the reachable parts of a program. We implemented the proposed technique in the verification framework CPAchecker and evaluated it against mature SMT-based methods in CPAchecker as well as other state-of-the-art software verifiers. We found that injecting invariants reduces the number of interpolation queries needed to prove safety properties and improves the run-time efficiency. Consequently, the proposed invariant-injection approach verified difficult tasks that none of its plain version (i.e., without invariants), the invariant generator, or any compared tools could solve.

Software Engineering

Swati Goswami,Nodir Kodirov,Craig Mustard,Ivan Beschastnikh,Margo Seltzer

DOI: https://doi.org/10.48550/arXiv.2006.05182

2020-11-02

Abstract:Network Function (NF) deployments suffer from poor link goodput, because popular NFs such as firewalls process only packet headers while receiving and transmitting complete packets. As a result, unnecessary packet payloads needlessly consume link bandwidth. We introduce PayloadPark, which improves goodput by temporarily parking packet payloads in the stateful memory of dataplane programmable switches. PayloadPark forwards only packet headers to NF servers, thereby saving bandwidth between the switch and the NF server. PayloadPark is a transparent in-network optimization that complements existing approaches for optimizing NF performance on end-hosts. We prototyped PayloadPark on a Barefoot Tofino ASIC using the P4 language. Our prototype, when deployed on a top-of-rack switch, can service up to 8 NF servers using less than 40% of the on-chip memory resources. The prototype improves goodput by 10- 36% for Firewall and NAT NFs and by 10-26% for a Firewall -> NAT NF chain without harming latency. The prototype also reduces PCIe bus load by 2-58% on the NF server thanks to the reduced data transmission between the switch and the NF server. With workloads that have datacenter network traffic characteristics, PayloadPark provides a 13% goodput gain with the Firewall -> NAT -> LB NF chain without latency penalty. In the same setup, we can further increase the goodput gain to 28% by using packet recirculation.

Networking and Internet Architecture

Hasanin Harkous,Michael Jarschel,Mu He,Rastin Priest,Wolfgang Kellerer

DOI: https://doi.org/10.1109/ancs.2019.8901881

2019-09-01

Abstract:P4 programmable data planes are becoming more popular due to the flexibility they provide in describing the packet processing pipeline. P4 successfully abstracts the processing pipeline of data planes using a limited set of constructs. The performance variation as a function of the configured P4 pipeline is an important aspect that should be studied. Analyzing the impact of different P4 constructs on packet latency helps in understanding the overall performance of P4 programmable devices. In this paper, we analyze the impact of a basic set of P4 constructs on packet processing latency to derive the influential parameters. We use the derived results to propose a method for estimating the packet latency of P4-based network functions implemented using the surveyed P4 constructs. Finally, we validate the accuracy of the proposed method by applying it to realistic network functions.

Hasanin Harkous,Michael Jarschel,Mu He,Rastin Pries,Wolfgang Kellerer

DOI: https://doi.org/10.1109/tnsm.2020.3030102

2021-09-01

IEEE Transactions on Network and Service Management

Abstract:Data plane programmability brings network flexibility to a new level. However, it introduces the complexity of the data path's program as a new factor that influences packet forwarding latency and thus devices' performance. Accurate identification of the relation between data path complexity and packet forwarding latency enables the design and management of networks with predictable performance. In this article, we leverage the characteristics of P4 programming language to provide a method for estimating the packet forwarding latency as a function of the data path program. We analyze the impact of different P4 constructs on packet processing latency for three state-of-the-art P4 devices: Netronome SmartNIC, NetFPGA-SUME, and T4P4S DPDK-based software switch. Besides comparing the performance of these three targets, we use the derived results to propose a method for estimating the average packet latency, at compilation time, of arbitrary P4-based network functions implemented using the surveyed P4 constructs. The proposed method is finally validated using a set of realistic network functions, which shows that our method estimates the average packet latency with sub-microsecond precision.

computer science, information systems

Wei He

DOI: https://doi.org/10.48550/arXiv.1906.11929

2019-06-28

Abstract:Compilers can specialize programs having invariants for performance improvement. Detecting program invariants that span large and complex code, however, is difficult for compilers. Traditional compilers do not perform very expensive analysis and thus only identify limited invariants, which limits the potential of subsequent optimizations. We would like to address the invariant detection problem via more sophisticated analyses using program verification tools. In this paper, we reveal pitfalls of choosing program verification tools for invariant detection, identify challenges of modeling program behavior using one of these tools---CVC4, and propose some ideas about how to address the challenges.

Programming Languages

Radu Stoenescu,Dragos Dumitrescu,Matei Popovici,Lorina Negreanu,Costin Raiciu

DOI: https://doi.org/10.1145/3230543.3230548

2018-08-07

Abstract:We present Vera, a tool that verifies P4 programs using symbolic execution. Vera automatically uncovers a number of common bugs including parsing/deparsing errors, invalid memory accesses, loops and tunneling errors, among others. Vera can also be used to verify user-specified properties in a novel language we call NetCTL. To enable scalable, exhaustive verification of P4 program snapshots, Vera automatically generates all valid header layouts and uses a novel data-structure for match-action processing optimized for verification. These techniques allow Vera to scale very well: it only takes between 5s-15s to track the execution of a purely symbolic packet in the largest P4 program currently available (6KLOC) and can compute SEFL model updates in milliseconds. Vera can also explore multiple concrete dataplanes at once by allowing the programmer to insert symbolic table entries; the resulting verification highlights possible control plane errors. We have used Vera to analyze many P4 programs including the P4 tutorials, P4 programs in the research literature and the switch code from https://p4.org. Vera has found several bugs in each of them in seconds/minutes.