NeTS: Medium: From Verification to Synthesis in Software Defined Networks

NeTS：媒介：软件定义网络从验证到综合

• 批准号: 1513906
• 负责人: Philip Godfrey
• 金额: $ 120万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-10-01 至 2020-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1513906&HistoricalAwards=false
• 关键词: NeTS; Medium; Verification; Synthesis; Software

Every aspect of our society, from business, to government, to medicine and the sciences, is now tightly intertwined with the functioning of computer networks such as the Internet. Unfortunately, modern computer networks are extremely complicated, making them prone to implementation errors and misconfigurations, which can lead to vulnerabilities and other avenues to attack. To address this challenge, this project is designing and implementing systems which automatically verify correctness of network behavior, and correct vulnerabilities and errors in operational networks. These systems can provide immediate practical assistance to protecting networks and critical infrastructure against the attacks and cyberthreats we read about in the news every day.The project's technology functions by scanning a network, constructing a formal model of the network's behavior, and using custom formal logic algorithms to automatically derive diagnoses and repairs to network state. The core technical approach is founded on data-plane verification (DPV), which models network-wide properties using a view of the network that is as close as possible to the network's actual running behavior, i.e., the data plane: forwarding tables contained in routers, switches, firewalls, and other networking equipment. This low-level view allows DPV to catch and prevent errors that other tools miss, and provides a framework for the unified analysis of heterogeneous, multi-protocol networks.Intellectual Merit: This research is designing new algorithms to detect, prevent, and repair errors in complex networks. To achieve this, the researchers are developing a new class of formal methods to efficiently model network properties such as reachability, as well as techniques to store and query these models in real time. The researchers are also developing systems based on these algorithms to quickly and correctly localize faults, repair them before they can affect live networks, and deploy operating environments based on software-defined networking that automate application of their techniques. This research is shedding light on the ability to formally model networks, and is building insights into how to design networks and network protocols that have strong security properties from first principles. The work will also help enable interdisciplinary research across formal methods and networking disciplines, with the common goal of enabling highly available networking infrastructures.Broader Impacts: The results of this research will significantly enhance reliability and security of critical network infrastructure, and ease network management tasks. Being able to construct networks that can provide formal guarantees on the correctness and resilience of packet forwarding would have significant economic impact, by making networks more reliable and cost-effective. Networks that can deal reliably with rarely encountered exceptions are an essential component of attack survival and recovery for business and government communication systems. The techniques developed in this research will also improve resilience to misconfigurations, which may accelerate deployment of networks in underdeveloped and rural areas lacking experienced network operators with resources to troubleshoot network problems. Finally, the project is training students on cutting-edge and cross-disciplinary research in networking, formal methods, and security.

我们社会的各个方面，从商业、政府、医学和科学，现在都与互联网等计算机网络的运行紧密地交织在一起。不幸的是，现代计算机网络极其复杂，很容易出现实施错误和配置错误，从而导致漏洞和其他攻击途径。为了应对这一挑战，该项目正在设计和实施自动验证网络行为正确性并纠正运营网络中的漏洞和错误的系统。这些系统可以提供即时的实际帮助，以保护网络和关键基础设施免受我们每天在新闻中读到的攻击和网络威胁。该项目的技术通过扫描网络、构建网络行为的形式模型以及使用自定义形式逻辑算法自动得出网络状态的诊断和修复来发挥作用。核心技术方法基于数​​据平面验证（DPV），它使用尽可能接近网络实际运行行为的网络视图对网络范围的属性进行建模，即数据平面：路由器、交换机、防火墙和其他网络设备中包含的转发表。这种低级视图允许 DPV 捕获和防止其他工具遗漏的错误，并为异构多协议网络的统一分析提供框架。 智力优点：这项研究正在设计新的算法来检测、防止和修复复杂网络中的错误。为了实现这一目标，研究人员正在开发一类新的形式化方法来有效地对可达性等网络属性进行建模，以及实时存储和查询这些模型的技术。研究人员还在开发基于这些算法的系统，以快速、正确地定位故障，在影响实时网络之前对其进行修复，并部署基于软件定义网络的操作环境，以自动应用其技术。这项研究揭示了对网络进行正式建模的能力，并深入了解如何根据第一原理设计具有强大安全属性的网络和网络协议。这项工作还将有助于跨正式方法和网络学科进行跨学科研究，其共同目标是实现高度可用的网络基础设施。更广泛的影响：这项研究的结果将显着提高关键网络基础设施的可靠性和安全性，并简化网络管理任务。能够构建能够为数据包转发的正确性和弹性提供正式保证的网络，将使网络更加可靠和更具成本效益，从而产生重大的经济影响。能够可靠地处理很少遇到的异常的网络是企业和政府通信系统的攻击生存和恢复的重要组成部分。这项研究开发的技术还将提高对错误配置的恢复能力，这可能会加速欠发达和农村地区的网络部署，这些地区缺乏经验丰富的网络运营商和资源来解决网络问题。最后，该项目正在培训学生进行网络、形式化方法和安全方面的前沿和跨学科研究。