Nicolas Amat,Silvano Dal Zilio,Didier Le Botlan

DOI: https://doi.org/10.1007/s10009-022-00694-8

2023-02-06

Abstract:We propose a new method that takes advantage of structural reductions to accelerate the verification of reachability properties on Petri nets. Our approach relies on a state space abstraction, called polyhedral abstraction, which involves a combination between structural reductions and sets of linear arithmetic constraints between the marking of places. We propose a new data-structure, called a Token Flow Graph (TFG), that captures the particular structure of constraints occurring in polyhedral abstractions. We leverage TFGs to efficiently solve two reachability problems: first to check the reachability of a given marking; then to compute the concurrency relation of a net, that is all pairs of places that can be marked together in some reachable marking. Our algorithms are implemented in a tool, called Kong, that we evaluate on a large collection of models used during the 2020 edition of the Model Checking Contest. Our experiments show that the approach works well, even when a moderate amount of reductions applies.

Logic in Computer Science

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/qsic.2010.50

2010-01-01

Abstract:Automated verification of noninterference is commonly considered more precise than type-based approach on enforcing secure information flow for program. We propose an approach on model checking symbolic pushdown system generated from Java bytecode, and develop a deployment-time verification framework to ensure noninterference of bytecode. In order to overcome the constraints brought by the nature of object-oriented language and application scenario, we extend self-composition to low-recorded self-composition to reduce the partial correctness judgements on safety property to reachability analysis. In this variation, meta-level indices of heap are recorded into the self-composed pushdown system for the construction of auxiliary interleaving assignments and branch condition to illegal-flow state. Our experiments show that the approach is more scalable than previous work based on automated verification.

Zhuoruo Zhang,Jilin Hu,Chenyang Yu,Rui Chang,Yongwang Zhao

DOI: https://doi.org/10.1109/icws60048.2023.00022

2023-01-01

Abstract:Virtual Private Cloud (VPC) has become a widely used cloud computing service, serving as a foundational web infrastructure for many organizations. Nevertheless, the growing problem of reachability issues poses significant threats to the security and reliability of VPC networks, potentially resulting in critical security concerns such as data breaches and service outages. Although there has been substantial progress in recent reachability analysis, existing methods lack validation of correctness. Moreover, current analyses are tailored for One-to-One reachability where both the source and the destination are fixed, and fail to efficiently answer One-to-Multi reachability queries, which involve computing all reachable destinations for a given source node. To address the above challenges, we propose VeriReach, the first formally verified algorithm that provides comprehensive and efficient reachability analysis in large-scale VPC networks. The reachability analysis result of VeriReach is proved to be equivalent to the original reachability semantics of the VPC networks, ensuring its correctness (i.e., soundness and completeness). The fine-grained formalization of VeriReach and its fully mechanized correctness proofs are carried out in Isabelle/HOL theorem prover with 282 lemmas/theorems and $\sim 4,900{\mathrm{LoC}}$. We further implement VeriReach in C++ and the evaluations indicate that VeriReach is more efficient and scalable than MonoSAT, the state-of-the-art SMT solver, when applied to large-scale VPC networks for reachability analysis.

Jiazhao Xu,Mark Williams,Hari Mony,Jason Baumgartner

DOI: https://doi.org/10.1007/s10703-014-0213-0

2014-08-15

Formal Methods in System Design

Abstract:While SAT-based algorithms have largely displaced BDD-based verification techniques due to their typically higher scalability, there are classes of problems for which BDD-based reachability analysis is the only existing method for an automated solution. Nonetheless, reachability engines require a high degree of tuning to perform well on challenging benchmarks. In addition to clever partitioning and scheduling techniques, the use of hints has been proposed to decompose an otherwise breadth-first fixedpoint computation into a series of underapproximate computations, requiring a larger number of (pre-)image iterations though often significantly reducing peak BDD size and thus resource requirements. In this paper, we introduce a novel approach to boost the scalability of reachability computation: automated netlist-based hint generation. Experiments confirm that this approach can yield significant resource reductions; often over an order of magnitude on complex problems compared to reachability analysis without hints, and even compared to SAT-based proof techniques.

computer science, theory & methods

Aurojit Panda,Ori Lahav,Katerina Argyraki,Mooly Sagiv,Scott Shenker

DOI: https://doi.org/10.48550/arXiv.1607.00991

2016-07-05

Abstract:Recent work has made great progress in verifying the forwarding correctness of networks . However, these approaches cannot be used to verify networks containing middleboxes, such as caches and firewalls, whose forwarding behavior depends on previously observed traffic. We explore how to verify reachability properties for networks that include such "mutable datapath" elements. We want our verification results to hold not just for the given network, but also in the presence of failures. The main challenge lies in scaling the approach to handle large and complicated networks, We address by developing and leveraging the concept of slices, which allow network-wide verification to only require analyzing small portions of the network. We show that with slices the time required to verify an invariant on many production networks is independent of the size of the network itself.

Networking and Internet Architecture

SUN Cong,TANG Li-yong,CHEN Zhong

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.07.023

2011-01-01

Computer Science

Abstract:We proposed an approach for analyzing information-flow security of imperative language with output channels.The program is Abstracted with pushdown system,which is then self-composed in order to adapt noninterference as a safety property.The output operations in the two relevant runs are respectively modeled as storing and matching procedure by pushdown rules.Then the termination-insensitive noninterference is verified by a reachability analysis of illegal-flow state.A variation of this approach can deal with program containing divergent run.An upper-bound regression algorithm was proposed to find the maximum upper-bound in order to trigger coercive termination of divergent run.The experimental results show that the approach is more precise and efficient than existing work.

Alex Horn,Ali Kheradmand,Mukul R. Prasad

DOI: https://doi.org/10.48550/arXiv.1702.07375

2017-02-24

Abstract:Real-time network verification promises to automatically detect violations of network-wide reachability invariants on the data plane. To be useful in practice, these violations need to be detected in the order of milliseconds, without raising false alarms. To date, most real-time data plane checkers address this problem by exploiting at least one of the following two observations: (i) only small parts of the network tend to be affected by typical changes to the data plane, and (ii) many different packets tend to share the same forwarding behaviour in the entire network. This paper shows how to effectively exploit a third characteristic of the problem, namely: similarity among forwarding behaviour of packets through parts of the network, rather than its entirety. We propose the first provably amortized quasi-linear algorithm to do so. We implement our algorithm in a new real-time data plane checker, Delta-net. Our experiments with SDN-IP, a globally deployed ONOS software-defined networking application, and several hundred million IP prefix rules generated using topologies and BGP updates from real-world deployed networks, show that Delta-net checks a rule insertion or removal in approximately 40 microseconds on average, a more than 10X improvement over the state-of-the-art. We also show that Delta-net eliminates an inherent bottleneck in the state-of-the-art that restricts its use in answering Datalog-style "what if" queries.

Networking and Internet Architecture,Logic in Computer Science

Yahui Li,Han Zhang,Jilong Wang,Xingang Shi,Xia Yin,Zhiliang Wang,Jiankun Hu,Congcong Miao,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2024.3409935

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network managers configure networks to enforce various high-level policies, and to respond to the wide range of network events (e.g., attacks, intrusions, malicious route announcements from neighbors) that may occur. It is incredibly difficult to specify these high-level policies in terms of distributed low-level configuration. These high-level policies hold only if the distributed configurations are well equipped to react to unsafe and unreliable environments (e.g., malicious route announcements, unsafe components and devices). Therefore, it is important to proactively verify whether network policies hold across continually changing environments in terms of current network configurations. State-of-the-art policy verification techniques are limited because they can check only the Boolean policies (e.g., forwarding reachability, waypoint or blackhole-freeness). However, many policy violations express themselves in quantitative ways (e.g., a link becomes overloaded). In this paper, we propose quantitative network verification (QNV) analyzing the quantitative policies of networks across unsafe and unreliable environments. QNV translates network configurations into a symbolic simulation model that captures the stable states to which the network forwarding will converge as a result of interactions between routing protocols. It then generates a logical formula matrix that describes network forwarding in the event of failures and verifies quantitative policies based on the formula matrix. We implement QNV and evaluate it on realistic and synthetic configurations. Our evaluation shows that QNV can precisely verify quantitative policies in only a few minutes, even in large networks.

Leifeng He,Guanjun Liu

DOI: https://doi.org/10.1109/TCSS.2022.3164052

2020-12-18

Abstract:Computation Tree Logic of Knowledge (CTLK) can specify many design requirements of privacy and security of multi-agent systems (MAS). In our conference paper, we defined Knowledge-oriented Petri Nets (KPN) to model MAS and proposed Reachability Graphs with Equivalence Relations (RGER) to verify CTLK. In this paper, we use the technique of Ordered Binary Decision Diagrams (OBDD) to encode RGER in order to alleviate the state explosion problem and enhance the verification efficiency. We propose a heuristic method to order those variables in OBDD, which can well improve the time and space performance of producing, encoding and exploring a huge state space. More importantly, our method does not produce and encode any transition or equivalence relation of states when producing and encoding an RGER, and in fact it dynamically produces those transition or equivalence relations that are required in the verification process of CTLK formulas. This policy can save a lot of time and space since the number of transition or equivalence relations of states is much greater than the number of states themselves. We design symbolic model checking algorithms, develop a tool and apply them to two famous examples: Alice-Bob Protocol and Dining Cryptographers Protocol. We compare our tool with MCMAS which is the state-of-the-art model checker of verifying CTLK. The experimental results illustrate the advantages of our model and method. Our tool running in a general PC can totally spend less than 14 hours to verify Dining Cryptographers Protocol with 1200 concurrent cryptographers where there are about $10^{1080}$ states and the two verified CTLK formulas have more than 6000 atomic propositions and more than 3600 operators. These good performances are owed to a combination of the OBDD technique and the structure characteristics of KPN.

Software Engineering

Yahui Li,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu,Fangdan Ye,Jiangyuan Yao,Han Zhang

DOI: https://doi.org/10.1016/j.comnet.2020.107326

IF: 5.493

2020-01-01

Computer Networks

Abstract:Configuring a network is always difficult and error-prone because of low-level configuration languages and complex routing mechanisms. Most network outages occur when network the configuration is updated. Thus, it is important to proactively verify network configurations. Unfortunately, there are two practical obstacles that inhibit the performance of existing configuration verification tools: (i) Lack of knowledge. Network users often do not know which input verification queries need to be verified. (ii) Limited scalability. Even the state-of-the-art tool (i.e., Minesweeper [1]) takes approximately 500 seconds to complete a single reachability query for a network with tens of routers. Considering the total number of queries that must be verified, real networks often make such techniques impractical. In this paper, we propose NUV, a framework for performing network configuration update verification. NUV outputs verification queries for only the endpoints whose forwarding behavior has changed under the updated network configuration. Based on the network forwarding model, NUV infers the potential traffic impact and eliminates endpoints whose forwarding behavior is equivalent in both the original network configuration and the updated configuration. The NUV outputs can be used as input to a rich collection of existing configuration verification tools. Evaluations on a series of benchmark networks show that NUV can solve the lack of knowledge problem, and it enables query verification to execute at speeds orders of magnitude faster than existing tools; thus, it also improves verification scalability.

Vasileios Klimis,George Parisis,Bernhard Reus

DOI: https://doi.org/10.48550/arXiv.2008.06149

2022-01-15

Abstract:Software-defined networking (SDN) enables advanced operation and management of network deployments through (virtually) centralised, programmable controllers, which deploy network functionality by installing rules in the flow tables of network switches. Although this is a powerful abstraction, buggy controller functionality could lead to severe service disruption and security loopholes, motivating the need for (semi-)automated tools to find, or even verify absence of, bugs. Model checking SDNs has been proposed in the literature, but none of the existing approaches can support dynamic network deployments, where flow entries expire due to timeouts. This is necessary for automatically refreshing (and eliminating stale) state in the network (termed as soft-state in the network protocol design nomenclature), which is important for scaling up applications or recovering from failures. In this paper, we extend our model (MoCS) to deal with timeouts of flow table entries, thus supporting soft state in the network. Optimisations are proposed that are tailored to this extension. We evaluate the performance of the proposed model in UPPAAL using a load balancer and firewall in network topologies of varying size.

Networking and Internet Architecture

Duan Li,Xiaoling Sun,Jianjun Gao,Shenshen Gu,Xiaojin Zheng

DOI: https://doi.org/10.3182/20090603-3-ru-2001.0100

2009-01-01

IFAC Proceedings Volumes

Abstract:Reachability is one of the most important behavioral properties of Petri nets and the past four decades have witnessed great efforts in developing various implementable methodologies in determining reachability of Petri nets. We propose in this paper a novel method for solving the fundamental equation in the reachability analysis, which has been known to be NP-complete. More specifically, by adopting a revised version of the cell enumeration method for an arrangement of hyperplanes in discrete geometry, we develop an efficient solution scheme to identify firing count vector solution(s) to the fundamental equation on a bounded integer set, with a complexity bound of O((nω)n–m), where n is the number of transitions, m is the number of places and ω is the upper bound of the number of firings for every transition.

Xiaoli Zhang,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/MNET.001.1800330

IF: 10.294

2020-01-01

IEEE Network

Abstract:Guaranteeing that large scale networks are always operated as policy goals dictate is critical for network availability, security, and performance. The problem is challenging, as it should not only assure the correctness of policy configurations across various network devices, but also guarantee the faithfulness of policy enforcement on actual packet forwarding behaviors. In this article, we provide a systematic overview of the direction of network verification, which covers both verification of network configurations and assurance of device actual behaviors. In particular, we summarize state-of-the-art designs with focuses from early stateless data planes with switches/routers to more recent stateful ones containing middleboxes. After analyzing and comparing these works, we also specify future directions in the verification of stateful networks.

Jiangyuan Yao,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2013.6614178

2013-01-01

Abstract:Current researches on model-based testing mainly focus on the single component model, such as FSM (Finite State Machine) and EFSM (Extended FSM). To model and test parallelism and concurrency among different protocol components, traditional CFSM (Communicating FSMs) models communication as asynchronous message exchange, which is not suitable for the scenario that parallel protocol components read shared variables from each other. We have developed Parallel Parameterized Extended Finite State Machine (PaP-EFSM) to handle this situation. In this paper, we present a hierarchical test generation approach for PaP-EFSMs based on reachability graphs. The combination of bottom-up reachability graph generation and top-down test sequence generation ensures the executability of the test sequences and alleviates state explosion. We apply this method to the conformance testing of SAVI, a real protocol for anti-spoofing of IP source addresses. We build a set of PaP-EFSMs for SAVI and derive the executable test sequences, which expose many implementation faults when applied to real devices from 4 different vendors.

Lei Bu,Jiawan Wang,Yuming Wu,Xuandong Li

DOI: https://doi.org/10.1007/978-3-030-55089-9_2

2019-01-01

Abstract:Hybrid Automata are a well-known framework used to model hybrid systems, containing both discrete and continuous dynamic behavior. However, reachability analysis of hybrid automata is difficult. Existing work does not scale well to the size of practical problems. This paper gives a review of how we handle the verification of hybrid systems in a path-oriented way. First, we propose a path-oriented bounded reachability analysis method to control the complexity of verification of linear hybrid automata. As we only check the reachability of one path at a time, the resulted state space for each computation is limited and hence can be solved efficiently. Then, we present an infeasible constraint guided path-pruning method to tailor the search space, a shallow synchronization semantics to handle compositional behavior, and a method based on linear temporal logic (LTL) to extend the bounded model checking (BMC) result to an unbounded state space. Such methods and tools are implemented in a tool, BACH, and have been used as the underlying decision procedure of our verification of cyber-physical systems (CPS) and Internet of Things (IoT).

Shunbin Dong,Yumin Xie,Jin Zhao,Kun Qi

DOI: https://doi.org/10.1109/icdcs60910.2024.00050

2024-01-01

Abstract:Network policy plays a crucial role in cloud-native networking, especially in multi-tenant scenarios. It provides precise control over connectivity by specifying source and destination endpoints, traffic types, and other criteria to allow or deny traffic. However, manual configuration of these policies introduces the risk of errors, leading to isolation violations or network service unavailability. Therefore, network policy verification is essential for maintaining security and quality of service in cloud-native networking. Currently, a naive approach involves individually checking each policy within the cluster, which can take over 100s for verification in a cluster size of over 100k. Existing verification frameworks, like Kano and Verikube, improve performance by leveraging pre-filtering and Satisfiability Modulo Theories (SMT) solvers, achieving a 3.12x to 12.99x performance boost over the naive baseline. However, as network policy changes rapidly within 100ms in real cloud-native networks, both frameworks need over 10s to perform verification for cluster sizes over 100k, which is far from satisfying. To overcome these issues, we propose and implement a novel network policy verification framework NPV, which utilizes the policy-label pre-filter process with bitwise compression. We further enhance the policy verification algorithm with a policy-namespace divide-and-conquer strategy to improve the data-level parallelism. We implement NPV on commodity servers and evaluate its performance using real network policy datasets. Our experiments indicate that, compared with the state-of-the-art methods, NPV can achieve up to 139.00x to 651.06x improvement in verification time compared to Kano and Verikube, with 65% less memory usage.

Xuandong Li,Sumit Jha Aanand,Lei Bu

DOI: https://doi.org/10.1016/j.entcs.2006.12.023

2007-01-01

Electronic Notes in Theoretical Computer Science

Abstract:The existing techniques for reachability analysis of linear hybrid automata do not scale well to problem sizes of practical interest. Instead of developing a tool to perform reachability check on all the paths of a linear hybrid automaton, a complementary approach is to develop an efficient path-oriented tool to check one path at a time where the length of the path being checked can be made very large and the size of the automaton can be made large enough to handle problems of practical interest. This approach of symbolic execution of paths can be used by design engineers to check important paths and thereby, increase the faith in the correctness of the system. Unlike simple testing, each path in our framework represents a dense set of possible trajectories of the system being analyzed. In this paper, we develop the linear programming based techniques towards an efficient path-oriented tool for the bounded reachability analysis of linear hybrid systems.

Zhenyu Chen,Conghua Zhou,Decheng Ding

DOI: https://doi.org/10.1109/HLDVT.2005.1568832

2005-01-01

Abstract:Model checking has emerged as a promising and powerful approach to analyze Petri nets automatically, but a main challenge is the state explosion problem. To obtain an efficient state space, we implement a series of formalisms based on Petri nets to achieve automatically predicate abstraction and refinement via new predicate discovery. However, the complicated predicates would slow down the abstraction refinement process. Novel Feature of our approach is minimizing the support of predicates, via diagnosing the failure reasons of transitions and projecting places on predicates to eliminate the dumb variables. In addition, a demonstrative example shows that our techniques could work efficiently on Petri nets.

Nicolas Amat,Silvano Dal Zilio,Didier Le Botlan

DOI: https://doi.org/10.1007/978-3-031-50524-9_5

2024-01-08

Abstract:We propose a method for checking generalized reachability properties in Petri nets that takes advantage of structural reductions and that can be used, transparently, as a pre-processing step of existing model-checkers. Our approach is based on a new procedure that can project a property, about an initial Petri net, into an equivalent formula that only refers to the reduced version of this net. Our projection is defined as a variable elimination procedure for linear integer arithmetic tailored to the specific kind of constraints we handle. It has linear complexity, is guaranteed to return a sound property, and makes use of a simple condition to detect when the result is exact. Experimental results show that our approach works well in practice and that it can be useful even when there is only a limited amount of reductions.

Logic in Computer Science

Lei Bu,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1007/978-3-642-11319-2_9

2010-01-01

Abstract:Hybrid automata are well-studied formal models for dynamical systems. However, the analysis of hybrid automata is extremely difficult, and even state-of-the-art tools can only analyze systems with few continuous variables and simple dynamics. Because the reachability problem for general hybrid automata is undecidable, we give a path-oriented reachability analysis procedure for a class of nonlinear hybrid automata called convex hybrid automata. Our approach encodes the reachability problem along a path of a convex hybrid automaton as a convex feasibility problem, which can be efficiently solved by off-the-shelf convex solvers, such as CVX. Our path-oriented reachability verification approach can be applied in the frameworks of bounded model checking and counterexample-guided abstraction refinement with the goal of achieving significant performance improvement for this subclass of hybrid automata.