Automated Formal Analysis of Internet Routing Systems
Boon Thau Loo, University of Pennsylvania
[Joint work with Anduo Wang (Penn -> UIUC), Wenchao Zhou (Georgetown), Andre Scedrov (Penn), Limin Jia (CMU), Jennifer Rexford (Princeton), Carolyn Talcott (SRI), and several others]
Secure Information MURI Presentation, 6 Aug 2013
Today's Internet: Policy-based
- The global (convergence) behavior depends on how each AS configures its routing policy
- BGP: Border Gateway Protocol
[Figure: three ASes (AS1, AS2, AS3) with border gateway routers R1 to R5 and internal routers, connected by BGP sessions]
R1 BGP routing table:
  B  R2  [AS1 AS2 AS3]  LP: 200
  B  R4  [AS1 AS3]      LP: 150
Source: Nina Taft, The Basics of BGP Routing in Today's Internet
Routing Instability
- Rapid change of network reachability and topology information
- The Internet is increasingly complicated and fragile: less reliable, harder to manage, routing instability
- Routing instability leads to:
  - Increased packet loss, delayed network convergence
  - Additional resource overhead
  - (Extreme) loss of connectivity, (common) route oscillation
Routing Oscillation Example
Route updates for B (67.97.156.0/24) over 7 days (Nov 28 - Dec 5, 2011)
[Figure: AS 4777 (A) and AS 19223 (B, originating 67.97.156.0/24)]
Source: http://bgpupdates.potaroo.net/instability
Routing Oscillation Example (continued)
Route updates for B (67.97.156.0/24) over 7 days (Nov 28 - Dec 5, 2011)
[Figure: AS-path graph from 4777 to 19223 through ASes 2516, 2497, 3356, 701, 3549, 6453 and 4323. Six distinct paths were in use during the week; for each path the figure lists the total time it was active (from 1h 43m 17s up to 2d 16h 30m 8s), how many times it was selected (from 176 to 3836 times) and the average time before the next change (from 30.0s to 1m 0.0s).]
Source: http://bgpupdates.potaroo.net/instability
Routing Oscillation Example (continued)
Route updates for B (67.97.156.0/24) over 7 days (Nov 28 - Dec 5, 2011)
[Figure: the same AS-path graph: ASes 4777, 2516, 2497, 3356, 701, 4323, 3549, 6453 and 19223]
Causes include:
- Operator error: misconfiguration
- Conflicting routing policy (this talk)
Source: http://bgpupdates.potaroo.net/instability
Safety of Policy-based Routing
Policy configuration (permitted paths with their local preference; the higher value is preferred):
  A1: [A1 A2 A0] 200, [A1 A0] 100
  A2: [A2 A3 A0] 200, [A2 A0] 100
  A3: [A3 A1 A0] 200, [A3 A0] 100
Topology: nodes A1, A2, A3 compute routes to A0.
Per-node preference:
- Node A1 prefers the route from A2
- Node A2 prefers the route from A3
- Node A3 prefers the route from A1
Permanent oscillation due to conflicting policies.
Safety property: A policy configuration is safe if the routing system is guaranteed to converge to a stable state. [SIGCOMM 99] Griffin et al.
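The oscillation on this slide can be reproduced with a few lines of simulation. The following is an added example, not code from the FVR/FSR toolkit: it runs a synchronous path-vector protocol over the slide's three-node configuration (each node's permitted paths and local preferences, taken verbatim from the table above; higher preference wins) and, for contrast, over a constructed variant in which A3 prefers its direct route. The constructed variant and the helper names are assumptions of this example.

```python
"""Synchronous path-vector simulation of the three-node policy conflict on the
"Safety of Policy-based Routing" slide.

Added example; not code from the FSR/FVR toolkit. A policy maps each node to
its permitted paths to A0 with a local preference (higher = more preferred),
as listed on the slide; a node's neighbours are the second hop of its paths.
"""
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]
Policy = Dict[str, Dict[Path, int]]
Table = Dict[str, Optional[Path]]  # node -> currently selected path (None = no route)

DEST = "A0"

# The slide's configuration: every node prefers the two-hop route through the
# next node in the ring over its direct link to A0.
BAD_GADGET: Policy = {
    "A1": {("A1", "A2", "A0"): 200, ("A1", "A0"): 100},
    "A2": {("A2", "A3", "A0"): 200, ("A2", "A0"): 100},
    "A3": {("A3", "A1", "A0"): 200, ("A3", "A0"): 100},
}

# Constructed variant (not on the slide): A3's preference is flipped, which
# breaks the cycle of conflicting preferences.
GOOD_GADGET: Policy = {
    "A1": {("A1", "A2", "A0"): 200, ("A1", "A0"): 100},
    "A2": {("A2", "A3", "A0"): 200, ("A2", "A0"): 100},
    "A3": {("A3", "A1", "A0"): 100, ("A3", "A0"): 200},
}


def neighbours(policy: Policy, node: str) -> List[str]:
    """Neighbours of a node: the next hop of each of its permitted paths."""
    return sorted({p[1] for p in policy[node]})


def best_path(policy: Policy, node: str, advertised: Table) -> Optional[Path]:
    """Route selection at one node: extend each neighbour's advertised path by
    one hop, drop extensions that loop or are not permitted, and keep the
    candidate with the highest local preference."""
    candidates = []
    for nbr in neighbours(policy, node):
        nbr_path = (DEST,) if nbr == DEST else advertised.get(nbr)
        if nbr_path is None or node in nbr_path:
            continue
        extended = (node,) + nbr_path
        pref = policy[node].get(extended)
        if pref is not None:
            candidates.append((pref, extended))
    return max(candidates)[1] if candidates else None


def simulate(policy: Policy, rounds: int) -> List[Table]:
    """Synchronous model: every round, all nodes re-select simultaneously from
    the tables advertised at the end of the previous round. Returns the table
    history; index 0 is the initial empty state."""
    table: Table = {n: None for n in policy}
    history = [dict(table)]
    for _ in range(rounds):
        table = {n: best_path(policy, n, table) for n in policy}
        history.append(dict(table))
    return history


def converged(history: List[Table]) -> bool:
    """True once two consecutive rounds leave every table unchanged."""
    return any(a == b for a, b in zip(history, history[1:]))


def oscillation_period(history: List[Table]) -> Optional[int]:
    """Smallest period with which the second half of the run repeats, or None
    if that tail is not periodic (a period of 1 means the run converged)."""
    tail = history[len(history) // 2:]
    for p in range(1, len(tail) // 2 + 1):
        if all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


if __name__ == "__main__":
    for name, policy in (("bad gadget", BAD_GADGET), ("good gadget", GOOD_GADGET)):
        run = simulate(policy, 20)
        print(f"{name}: converged={converged(run)} period={oscillation_period(run)}")
        for rnd in range(1, 5):
            print("  round", rnd, {n: " ".join(p) if p else None for n, p in run[rnd].items()})
```

With the slide's configuration the tables alternate forever between "every node direct" and "every node via its neighbour" (period 2): as soon as a neighbour switches to its preferred two-hop path, the extension of that path is no longer permitted and the node falls back to its direct route, after which the neighbour's preferred path becomes available again. Flipping a single preference makes the same simulation settle within four rounds.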
Techniques for Safe Routing
Enabling techniques and their weaknesses:
Formal reasoning
- Routing algebra [SIGCOMM 03, 05] Griffin, Sobrinho
- Combinatory model [SIGCOMM 99] Griffin et al.
- Weaknesses: identifies the correctness property but not how to achieve it; abstracts away low-level details; checking safety is NP-hard
System
- Static configuration checker [SIGCOMM 05] Feamster et al.
- Runtime debugging tool [NSDI 07] Killian et al.
- Weaknesses: state explosion for the actual network system; best effort, neither sound nor complete
Formal reasoning is decoupled from actual network systems.
Approach: Formally Verifiable Routing (FVR)
- Synthesize faithful implementations from verified formal models (a programming language bridges formal reasoning over formal models and the actual system)
- Scalability technique: scale up formal analysis to large Internet routing configurations
Architecture: Formally Verifiable Routing (FVR)
Synthesize faithful implementations from verified formal models.
[Figure: FVR architecture. Formal Reasoning (theorem prover, SMT solver, Maude analyzer) operates on formal models (routing algebra, combinatorial model); a Declarative Networking Specification connects the models to the System (protocol implementation, policy configuration); Reduction scales up the analysis of large Internet routing configurations.]
Outline
- Introduction
- Formally safe routing (FSR) toolkit (this section)
- Analyze large network configuration
- Conclusion and future work
References for this section:
[TON 12, SIGCOMM 11 demonstration] FSR: Formal Analysis and Implementation Toolkit for Safe Inter-domain Routing.
[PADL 09] Declarative Verification.
[ACM HotNets 09] Formally Verifiable Networking.
Formally Safe Routing (FSR) Toolkit
Synthesize faithful implementations from verified formal models.
[FVR architecture figure, as on the Architecture slide]
Contribution #1: Automated reasoning about the routing algebra model
- Reduction of safety analysis to SMT solving
Contribution #2: Provably correct distributed implementation
- Generation of declarative networking programs
- Correctness proof for the policy-to-NDlog translation
Background: Routing Algebra [SIGCOMM'05] Timothy G. Griffin, João Luís Sobrinho
A routing algebra (Σ, <, L, ⊕) consists of signatures Σ (route attributes), a preference order <, labels L (link attributes) and an extension operator ⊕.
- ⊕ says how to compute a route's signature from a label and a neighbour's signature; < determines how routes are compared in route selection.
Example: shortest-path routing policy
- Path/link attributes (costs): Σ = {1, 2, ...}, L = {1, 2, ...}
- Path concatenation ⊕: the metric of the new path is the sum of the constituting path and link costs
- Per-node preference <: prefers the lower-cost path
Theorem (Safety condition): A routing configuration is safe if its routing algebra satisfies the strict monotonicity (SM) condition: for all l in L and all s in Σ, s < l ⊕ s (extending a route always makes it strictly less preferred).
Automated Safety Analysis [TON 12, Wang et al.]
Reduce safety analysis to a satisfiability problem:
- Question: does the routing algebra satisfy the SM condition?
- Map the algebra and the SM condition to integer constraints, and ask whether (Algebra) ∧ (SM condition) is satisfiable.
Mapping the routing algebra (Σ, <) and SM into integer constraints:
- Each signature becomes an integer variable.
- Map each preference s1 < s2 to the preference constraint (assert (< s1 s2)).
- Map SM: for each s' = l ⊕ s, add the constraint (assert (< s s')).
- Automate the satisfiability check in an SMT solver.
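The following added example (not the FSR toolkit's own code) carries out the mapping on this slide for the three-node configuration from the "Safety of Policy-based Routing" slide. Each permitted path is treated as a route signature with one integer variable; preference constraints come from each node's ranking and SM constraints from each path being an extension of the neighbour's path. The block emits the SMT-LIB text in the `(assert (< s1 s2))` form shown on the slide and, instead of calling Yices, decides satisfiability itself: a conjunction of strict inequalities over integers is satisfiable exactly when the constraint graph is acyclic. The variable naming, the `GOOD_GADGET` variant and the helper names are this example's assumptions.

```python
"""Safety analysis as satisfiability, following the "Automated Safety Analysis"
slide. Added example; not the FSR toolkit's code.

Each permitted path is a route signature with one integer variable (lower =
more preferred). Constraint families:
  preference  (assert (< s1 s2))  s1 ranked above s2 at the same node
  SM          (assert (< s s'))   s' = l (+) s: the local path s' extends a
                                  neighbour's path s by one link
The conjunction is satisfiable iff one global ranking agrees with every node's
preferences and with strict monotonicity. A set of strict inequalities over
integers is satisfiable iff its graph (edge a -> b for a < b) has no cycle,
so the block decides the question locally; the SMT-LIB text is produced too.
"""
from typing import Dict, List, Optional, Set, Tuple

Path = Tuple[str, ...]
Policy = Dict[str, List[Path]]  # node -> permitted paths to the destination, best first
Constraint = Tuple[str, str]     # (a, b) meaning a < b

# The conflicting configuration from the "Safety of Policy-based Routing" slide.
BAD_GADGET: Policy = {
    "A1": [("A1", "A2", "A0"), ("A1", "A0")],
    "A2": [("A2", "A3", "A0"), ("A2", "A0")],
    "A3": [("A3", "A1", "A0"), ("A3", "A0")],
}

# Constructed variant (not on the slide): A3 prefers its direct route.
GOOD_GADGET: Policy = {
    "A1": [("A1", "A2", "A0"), ("A1", "A0")],
    "A2": [("A2", "A3", "A0"), ("A2", "A0")],
    "A3": [("A3", "A0"), ("A3", "A1", "A0")],
}


def sig(path: Path) -> str:
    """Name of the integer variable standing for a path's signature."""
    return "s_" + "_".join(path)


def constraints(policy: Policy) -> List[Constraint]:
    cons: List[Constraint] = []
    for node, ranked in policy.items():
        # Preference constraints: adjacent entries of the node's ranking.
        for better, worse in zip(ranked, ranked[1:]):
            cons.append((sig(better), sig(worse)))
        # SM constraints: the path extends a path the neighbour really has.
        for path in ranked:
            suffix = path[1:]
            if len(suffix) >= 2 and suffix in policy.get(suffix[0], []):
                cons.append((sig(suffix), sig(path)))
    return cons


def to_smtlib(cons: List[Constraint]) -> str:
    """Render the constraints as an SMT-LIB 2 script for an SMT solver."""
    names: Set[str] = {n for c in cons for n in c}
    lines = [f"(declare-fun {n} () Int)" for n in sorted(names)]
    lines += [f"(assert (< {a} {b}))" for a, b in cons]
    lines.append("(check-sat)")
    return "\n".join(lines)


def find_cycle(cons: List[Constraint]) -> Optional[List[str]]:
    """Depth-first search for a cycle in the constraint graph. Returns the
    signatures on the cycle (a chain s1 < s2 < ... < s1, which no integer
    assignment can satisfy) or None when the constraints are satisfiable."""
    graph: Dict[str, List[str]] = {}
    for a, b in cons:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, [])
    state = {n: "new" for n in graph}
    stack: List[str] = []

    def dfs(n: str) -> Optional[List[str]]:
        state[n] = "open"
        stack.append(n)
        for m in graph[n]:
            if state[m] == "open":            # back edge: m is on the stack
                return stack[stack.index(m):]
            if state[m] == "new":
                found = dfs(m)
                if found:
                    return found
        stack.pop()
        state[n] = "done"
        return None

    for n in graph:
        if state[n] == "new":
            found = dfs(n)
            if found:
                return found
    return None


def is_safe(policy: Policy) -> bool:
    """Safe iff the preference and SM constraints are jointly satisfiable."""
    return find_cycle(constraints(policy)) is None


if __name__ == "__main__":
    for name, policy in (("bad gadget", BAD_GADGET), ("good gadget", GOOD_GADGET)):
        cons = constraints(policy)
        print(f"--- {name}: safe={is_safe(policy)} cycle={find_cycle(cons)}")
        print(to_smtlib(cons))
```

For the slide's configuration the six constraints form one cycle, s_A1_A2_A0 < s_A1_A0 < s_A3_A1_A0 < s_A3_A0 < s_A2_A3_A0 < s_A2_A0 < s_A1_A2_A0, so no ranking satisfies them and the configuration is reported unsafe; the cycle names exactly the signatures involved, which is what lets a tool point at the offending nodes. Flipping A3's preference leaves the graph acyclic and the script satisfiable.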
Pinpoint BGP Misconfigurations [SIGCOMM 11 demo, Ren, Zhou, Wang et al.]
Use an SMT solver (Yices) to perform the safety analysis.
[Figure: demo screenshot highlighting Node 7, Node 27 and Node 32]
Formally Safe Routing (FSR) Toolkit (summary)
Synthesize faithful implementations from verified formal models.
[FVR architecture figure, as on the Architecture slide]
Contribution #1: Automated verification of the network model
- Reduction of safety analysis to SMT solving
Contribution #2: Provably correct distributed implementation
- Generation of the declarative networking specification
- Correctness proof for the policy/path-vector to NDlog translation
Declarative networking: [CACM'09] Loo et al.
Outline
- Introduction
- Formally safe routing (FSR) toolkit
- Analyze large network configuration (this section)
- Conclusion and future work
References for this section:
[PODC 12, brief announcement] A Calculus of Policy-Based Routing Systems.
[SIGCOMM 12 demo, TACAS 12] Reduction-based analysis of BGP systems with BGPVerif.
[FMOODS/FORTE 11] Analyzing BGP Instances in Maude.
Analyze Large Configurations
Scale up formal analysis through network reduction.
[FVR architecture figure, as on the Architecture slide]
Contribution #1: Detect anomalies in actual policy configurations
- Develop a Maude library that analyzes the input configuration
Contribution #2: Reduction scales up the analysis
- A rewriting calculus that simplifies the network prior to analysis
- Reduction properties deepen the understanding of the configuration space
Duplicate Reduction [TACAS 12, Wang et al.]
[Figure: nodes u and v each reach destination d through the same neighbours x, y, ..., z over paths p_i, q_j; they are merged into a single node u,v with the same paths]
Nodes u, v are merged by duplicate reduction if they agree on how to route to destination d through their neighbours x, y, ..., z: for any paths p_i, p_j, u and v agree on their preference.
Complementary Reduction [PODC Announcement 12, Wang et al.]
[Figure: neighbours x, y, ..., z each reach d through u (paths u p_i) or through v (paths v q_j); u and v are merged into a single node u,v, and each neighbour's paths through u and through v become paths through the merged node]
Nodes u, v are merged by complementary reduction if their neighbours x, y, ..., z agree on how to route to destination d through them. After merging, the route preference for any paths p_i, p_j is set according to the consensus among x, y, ..., z.
Reduction Properties [TACAS 12, PODC Announcement 12, Wang et al.]
Soundness
- Theorem: Reduction preserves the safety property.
Local completeness & Duality
- Locality: Duplicate and complementary reductions are the only local rules (rules whose computation involves two nodes and their neighbours) which preserve the safety property.
- Duality: one implies the other. Theorem: If all the neighbours of u, v are duplicate (complementary), then u, v must be complementary (duplicate).
Confluence
- Complementary reduction is not confluent: order matters (counterexample).
- Theorem: If, for a set of nodes V, any pair of nodes u and v in V are duplicate, then V can be merged into one single node by multiple steps of duplicate reduction, regardless of the reduction order.
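To make the duplicate-reduction definition (Duplicate Reduction slide) and its confluence theorem (this slide) concrete, here is an added example; it is not the BGPVerif or Maude code of the papers. It represents a policy configuration as each node's ranked list of permitted paths to d, tests two nodes for being duplicates (identical ranking of the continuations through their neighbours), performs one merge step, and then merges a set of pairwise duplicates in several orders to check that the result is the same. The sample configuration, the merged-node naming scheme and the rule for rewriting upstream paths (a path through u and a path through v collapse into one path through the merged node, keeping the better rank; a path through both would loop and is dropped) are this example's assumptions.

```python
"""Duplicate reduction on a policy configuration, following the "Duplicate
Reduction" and "Reduction Properties" slides.

Added example; not the BGPVerif/Maude code of the papers. A policy maps each
node to its permitted paths to d, best first. Nodes u, v are duplicates when
the continuations of their paths (through their neighbours x, y, ..., z) are
ranked identically. The upstream rewrite rule is this block's simplification:
a path through u and one through v become the same path through the merged
node and keep the better of their ranks; a path through both u and v would
loop after the merge and is dropped.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

Path = Tuple[str, ...]
Policy = Dict[str, List[Path]]

# Constructed instance: u1, u2, u3 all rank "via x" above "via y" and are
# therefore pairwise duplicates; x and y are not (their continuations differ).
SAMPLE: Policy = {
    "w":  [("w", "u1", "x", "d"), ("w", "u2", "x", "d"), ("w", "u3", "y", "d")],
    "u1": [("u1", "x", "d"), ("u1", "y", "d")],
    "u2": [("u2", "x", "d"), ("u2", "y", "d")],
    "u3": [("u3", "x", "d"), ("u3", "y", "d")],
    "x":  [("x", "d")],
    "y":  [("y", "d"), ("y", "x", "d")],
}


def continuations(policy: Policy, node: str) -> List[Path]:
    """The node's ranking with the node itself removed from each path."""
    return [p[1:] for p in policy[node]]


def are_duplicates(policy: Policy, u: str, v: str) -> bool:
    return u != v and continuations(policy, u) == continuations(policy, v)


def duplicate_pairs(policy: Policy) -> Set[Tuple[str, str]]:
    return {(u, v) for u, v in combinations(sorted(policy), 2)
            if are_duplicates(policy, u, v)}


def merged_name(u: str, v: str) -> str:
    """Order-independent name, so different merge orders give equal results."""
    return "+".join(sorted(set(u.split("+")) | set(v.split("+"))))


def merge_duplicates(policy: Policy, u: str, v: str) -> Policy:
    """One duplicate-reduction step: replace u and v by a single node."""
    if not are_duplicates(policy, u, v):
        raise ValueError(f"{u} and {v} are not duplicates")
    uv = merged_name(u, v)
    reduced: Policy = {}
    for node, ranked in policy.items():
        if node in (u, v):
            continue
        rewritten: List[Path] = []
        for p in ranked:
            q = tuple(uv if hop in (u, v) else hop for hop in p)
            if len(set(q)) != len(q):    # passed through both u and v: now a loop
                continue
            if q not in rewritten:       # first occurrence keeps the better rank
                rewritten.append(q)
        reduced[node] = rewritten
    reduced[uv] = [(uv,) + c for c in continuations(policy, u)]
    return reduced


def reduce_in_order(policy: Policy, nodes: List[str]) -> Policy:
    """Merge pairwise-duplicate nodes one step at a time in the given order;
    the confluence theorem says the order does not affect the result."""
    current = nodes[0]
    for n in nodes[1:]:
        policy = merge_duplicates(policy, current, n)
        current = merged_name(current, n)
    return policy


if __name__ == "__main__":
    print("duplicate pairs:", sorted(duplicate_pairs(SAMPLE)))
    for order in (["u1", "u2", "u3"], ["u3", "u1", "u2"], ["u2", "u3", "u1"]):
        print(order, "->", reduce_in_order(SAMPLE, order))
```

On the sample, the three orders produce the same four-node configuration: w keeps two paths (through the merged node via x, then via y), the merged node inherits the shared ranking, and no duplicate pairs remain. Merging a pair that is not duplicate is refused, which is the check a reduction tool would rely on before rewriting a real configuration.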
Outline
- Introduction
- Formally safe routing (FSR) toolkit
- Analyze large network configuration
- Conclusion and future work (this section)
Ongoing Work
- Reduction-based security analysis of Internet protocols: use of ProVerif and Coq for analyzing Secure BGP and recent Future Internet Architectures, e.g. SCION
- Safety analysis given incomplete policy specifications: traffic optimizations, routing recovery
- Formal synthesis of Software-Defined Networking (SDN) configurations
  - SDN decouples centralized logical control from actual forwarding: a general abstraction for programming, network management and reasoning
  - Dual of verification: manage complexity from the beginning
  - Synthesizing safe update sequences given security and optimization policies
Student and Postdoc Highlights
NetDB@Penn research group: netdb.cis.upenn.edu
- Anduo Wang: recently graduated in summer 2013, co-advised with Andre Scedrov. Formally Verifiable Routing (FVR) toolkit. Post-doctoral researcher at the University of Illinois at Urbana-Champaign.
- Wenchao Zhou: graduated in summer 2012. Georgetown University (tenure-track faculty). PhD thesis on Secure Distributed Time-aware Provenance. ACM SIGMOD Dissertation Award (runner-up), 2013.
- Alex Gurney: post-doctoral researcher. Partial network specifications and traffic engineering.
- Chen Chen: 2nd-year Ph.D. student. Formal analysis of secure routing protocols.
Thank You
Full versions of all papers are available at:
http://netdb.cis.upenn.edu/fvr/
http://netdb.cis.upenn.edu/reduction/
Bridge Reasoning & Actual System: Formally Verifiable Routing (FVR)
- Synthesize faithful implementations from verified formal models
[FVR architecture figure, as on the Architecture slide]
- Analyze large network configurations: scale up formal analysis through network reduction
Unified Framework
- Programming Language: declarative programming (logic, functional); domain-specific languages; software engineering
- System: BGP system, SDN, virtual network, mobile network, cloud, datacenter
- Formal Reasoning / Formal Model: verification & synthesis; deductive reasoning (formal methods); inductive reasoning (machine learning)
- Scalability Technique: reduction, abstraction