41
Symnet: scalable symbolic execution for modern networks University Politehnica of Bucharest Radu Stoenescu, Matei Popovici, Lorina Negreanu and Costin Raiciu
Symnet:scalablesymbolicexecutionfor
modernnetworks
UniversityPolitehnica ofBucharestRadu Stoenescu,Matei Popovici,Lorina Negreanu and
CostinRaiciu
Networksareincreasinglycomplex
2
Understandthenetwork
3
ReachabilityPacketmodificationsSecuritypolicyviolations
A
B
Staticverificationtotherescue
4
Dataplanesnapshot
Networkmodel
Verificationengine
SymbolicExecutionFriendlyLanguage(SEFL)- Networkmodel
Symnet – Verificationengine
Choosingamodelinglanguage
Ccode• Expressive,wellunderstood• Symbolicexecutioncaptures
manyproperties• Veryexpensivetoverify
HeaderSpaceAnalysis• Cheap,scalable• Noarbitraryprotocollayering• Onlycapturesreachability
Middleground
5
Symbolexecutionoffirewall- Ccode
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
6
Path1
p=*
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
Symbolexecutionoffirewall- Ccode
7
Path1
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p=*
Symbolexecutionoffirewall- Ccode
8
p->dst_port=80 p->dst_port!=80
Path2
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
Path1
Symbolexecutionoffirewall- Ccode
9
p->dst_port=80 p->dst_port!=80
Path2
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
Path1
Symbolexecutionoffirewall- Ccode
10
p->dst_port=80filter=p
p->dst_port!=80
Path2
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
Path1
Symbolexecutionoffirewall- Ccode
11
p->dst_port!=801: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
12
Path2Path1
p->dst_port!=801: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
13
Path2Path1
p=NULL
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
14
Path2Path1
p=NULL
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
15
Path2Path1
p=NULLfilter=NULL
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
16
Path2Path1
p=NULLfilter=NULL
1: packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
p->dst_port=80filter=p
Symbolexecutionoffirewall- Ccode
17
Path2Path1
Twosymbolicpathsvs.oneviableinthenetworkNon-packetprocessingbeingexecuted
Symbolexecutionoffirewall- Ccode
18
s
Firewall#1
Firewall#2
Firewall#3
N-1unnecessarysymbolicpaths
Symbolicexecutionofnetworkdataplaneimplementationsdoesnotscale
• AcoreIProuterresultsinhundredsofthousandsofpaths
• ForaTCPoptions-parsingmiddlebox,runtimedependsonoptionlength(<40):– 6B~1hour,7B~3hours
19
Principlesforscalabledataplanesymbolicexecution
Fundamentaltradeoffbetweenfastsymbolicexecutionandruntimeefficiency[Wagner‘13]=>Usemodelsofnetworksinsteadofrealcode
Onlyanalyzerelevantcode=>1executionpath==1networkpacket
Complexdatastructureskillsymbolicexecution=>Usesymbolic-executionfriendlydatastructures
Loops+conditionalsaredangerous=>Carefulloopingsemanticswithlowbranchingfactor
20
OursolutionSEFL symbolicexecutionfriendlylanguageSymnet symbolicexecutiontoolMemorysafetybydesign• Thememoryspaceisthepacket• Nopointers• Memoryaccessviaconcreteoffsets;validated
Symbolicexecutionconstructspartofthelanguage• Explicitforkingofnewexecutionpaths• Explicitstatingofpathconstraints
Noarbitrarydatastructures• Onlyamapdatastructure 21
SEFL symbolicexecutionfriendlylanguage
• Variablesarepacketheadersormetadata– Packetheadersallocatedatspecificaddressesinthepacketheader
–Metadata arekey/valuepairsinamapdatastructure
22
ThepacketheaderinSEFL
0
CreateTag(“L3”,0)
L3 IPSRC
Allocate(Tag("L3")+96,32)
Assign(IpSrc,"192.168.1.1")
192.168.
Allocate(IpDst,32)
IPDST
Assign(IpDst,Symbolic)
*
Assign(DstMac,Symbolic) ERROR
CreateTag(“L2”,Tag(“L3)-112)
L2
23
9632
Allocate(IpSrc,32) //IpSrc = Tag(“L3”)+96
MACDST
Firewall
1:packet* filter(packet* p){2: if (p->dst_port==80) 4: return p;5: else {6: free p;7: return NULL;8: }9:}
C
1: filter(){2: constrain(IpDst==80); 3: }
SEFL
24
OnlyrelevantpathsexploredConcise
Symnet symbolicexecutiontool
• 10KLOCofScala;Z3forconstraintsolving
Input:SEFLnetworkmodel– SEFLmodelsofindividualnetworkelements– Connectionsbetweenelements
Output:allfeasiblesymbolicpaths– Valuesofheaderandmetadatafields– Pathconstraints
25
00
11
{…}
{...}{…}
{…}
ElementA
00 ElementB
SEFLNetworkModels
{…}{…}
PP
P
PP
Packet1 Packet2Element A modelInputPort(0):Constrain(IPDst==1.1.1.1),If (Constrain(TcpDst==20),InstructionBlock(
Assign(IPDst,192.168.0.1),Assign(TcpDst,30),Forward(OutputPort(0))
),Forward(OutputPort(1)),
IpDst=*TcpDst=*IpDst=1,1…TcpDst=*
IpDst=1.1…TcpDst=20 IpDst=1.1,TcpDst !=20
IpDst=192…TcpDst=20IpDst=192…TcpDst=30
CrtPort =0
CrtPort =1
Symbolicexecutionoffilter+DNAT
27
• Reachability• Loopdetection
• Invariantheaderfields• Headermemorysafety
Ready-madenetworkmodels
ModelingnetworkboxesisfairlydifficultWehavedevelopedparsersthatoutputSEFLcodefrom:• Router/switchforwardingtablesnapshots• CISCOASAfirewallconfiguration• Clickmodularrouterconfigurations• Openstack Neutronnetworkconfigurations
28
Evaluation
Modelcorrectness
Functionality
Scalability
29
Verifiableproperties
30
Property HSA NoD SymNetReachability ✔ ✔ ✔
LoopDetection ✔ ✖ ✔
HeaderField Invariance ✖ ✖ ✔
ArbitraryPacket Layout ✖ ✔ ✔
Tunneling ✖ ✖ ✔
Stateful Data PlaneProcessing ✖ ✔ ✔
Payload-sensitiveProcessing ✖ ✖ ✖
Properties AcrossMultipleFlows ✖ ✖ ✖
DoesSymnet scale?
31
DoesSymnet scale?
32
DoesSymnet scale?
33
Analyzingbiggernetworks
• Stanforduniversitybackbonenetwork• Switches,routersandVLANs– Two-layertopology– Coreroutershave180.000entriesintheirFIBs
34
HSA SymnetModel Generation
Time3.2min 8.1min
Runtime 24s 37s
Conclusions
SEFL +Symnet offersadeeperunderstandingofmoderndataplanesatalowprice.
35
Symnet isopen-sourceCheckdemosessiontomorrow
Backupslides
36
TCPoptionsparsingint crt = 0;while (crt>=0 && crt<length &&
options[crt]){switch(options[crt]){
case 1:crt++; break;
case 2://MSScase 3://WINDOW SCALEcase 4://SACK PERMITTEDcase 8://TIMESTAMP
crt += options[crt+1]; break;default:
//unknown options, scrubint len = options[crt+1];for (i=crt;i<crt+len;i++)
options[i] = 1;crt += len; break;
}}
SymbolicvariablePath1
37
TCPoptionsparsingint crt = 0;while (crt>=0 && crt<length &&
options[crt]){switch(options[crt]){
case 1:crt++; break;
case 2://MSScase 3://WINDOW SCALEcase 4://SACK PERMITTEDcase 8://TIMESTAMP
crt += options[crt+1]; break;default:
//unknown options, scrubint len = options[crt+1];for (i=crt;i<crt+len;i++)
options[i] = 1;crt += len; break;
}}
options[0]==1
Path1 Path2 Path3
options[0]in{2,3,4,8}
options[0]notin{1,2,3,4,8}
38
TCPOptionsparsingLeavetheTCPoptionsheaderoutsideofsymbolicexecutionModelTCPoptionsasmetadatainstead
“OPT-x”modelsthepresenceofoptionx“SZ-x”sizeoftheoptioninbytes“DATA-x”valueoftheoption
39
DoesSymnet scale?
Symbolicexecutionofacorerouter
40
RunningKleeforoptionsparsing
41
