NeTS: Medium: From Verification to Synthesis in Software Defined Networks

NeTS：媒介：软件定义网络从验证到综合

• 批准号: 1513906
• 负责人: Philip Godfrey
• 金额: $ 120万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-10-01 至 2020-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1513906&HistoricalAwards=false
• 关键词: NeTS; Medium; Verification; Synthesis; Software

Every aspect of our society, from business, to government, to medicine and the sciences, is now tightly intertwined with the functioning of computer networks such as the Internet. Unfortunately, modern computer networks are extremely complicated, making them prone to implementation errors and misconfigurations, which can lead to vulnerabilities and other avenues to attack. To address this challenge, this project is designing and implementing systems which automatically verify correctness of network behavior, and correct vulnerabilities and errors in operational networks. These systems can provide immediate practical assistance to protecting networks and critical infrastructure against the attacks and cyberthreats we read about in the news every day.The project's technology functions by scanning a network, constructing a formal model of the network's behavior, and using custom formal logic algorithms to automatically derive diagnoses and repairs to network state. The core technical approach is founded on data-plane verification (DPV), which models network-wide properties using a view of the network that is as close as possible to the network's actual running behavior, i.e., the data plane: forwarding tables contained in routers, switches, firewalls, and other networking equipment. This low-level view allows DPV to catch and prevent errors that other tools miss, and provides a framework for the unified analysis of heterogeneous, multi-protocol networks.Intellectual Merit: This research is designing new algorithms to detect, prevent, and repair errors in complex networks. To achieve this, the researchers are developing a new class of formal methods to efficiently model network properties such as reachability, as well as techniques to store and query these models in real time. The researchers are also developing systems based on these algorithms to quickly and correctly localize faults, repair them before they can affect live networks, and deploy operating environments based on software-defined networking that automate application of their techniques. This research is shedding light on the ability to formally model networks, and is building insights into how to design networks and network protocols that have strong security properties from first principles. The work will also help enable interdisciplinary research across formal methods and networking disciplines, with the common goal of enabling highly available networking infrastructures.Broader Impacts: The results of this research will significantly enhance reliability and security of critical network infrastructure, and ease network management tasks. Being able to construct networks that can provide formal guarantees on the correctness and resilience of packet forwarding would have significant economic impact, by making networks more reliable and cost-effective. Networks that can deal reliably with rarely encountered exceptions are an essential component of attack survival and recovery for business and government communication systems. The techniques developed in this research will also improve resilience to misconfigurations, which may accelerate deployment of networks in underdeveloped and rural areas lacking experienced network operators with resources to troubleshoot network problems. Finally, the project is training students on cutting-edge and cross-disciplinary research in networking, formal methods, and security.

我们社会的每一个方面，从商业到政府，到医学和科学，现在都与像互联网这样的计算机网络的功能紧密地交织在一起。不幸的是，现代计算机网络极其复杂，容易出现实现错误和错误配置，从而导致漏洞和其他攻击途径。为了应对这一挑战，该项目正在设计和实现自动验证网络行为正确性的系统，并纠正运行网络中的漏洞和错误。这些系统可以为保护网络和关键基础设施免受我们每天在新闻中看到的攻击和网络威胁提供即时的实际帮助。该项目的技术功能是扫描网络，构建网络行为的形式化模型，并使用自定义的形式化逻辑算法自动导出网络状态的诊断和修复。核心技术方法建立在数据平面验证（DPV）的基础上，它使用尽可能接近网络实际运行行为的网络视图（即数据平面：路由器、交换机、防火墙和其他网络设备中包含的转发表）对网络范围的属性进行建模。这种低级视图允许DPV捕捉和防止其他工具遗漏的错误，并为异构、多协议网络的统一分析提供框架。智力优势：这项研究设计了新的算法来检测、预防和修复复杂网络中的错误。为了实现这一目标，研究人员正在开发一类新的形式化方法来有效地建模网络属性，如可达性，以及实时存储和查询这些模型的技术。研究人员还在开发基于这些算法的系统，以快速、正确地定位故障，在故障影响现有网络之前进行修复，并基于软件定义网络部署操作环境，自动应用他们的技术。这项研究揭示了对网络进行形式化建模的能力，并为如何从第一原则设计具有强大安全属性的网络和网络协议提供了见解。这项工作还将有助于实现跨正式方法和网络学科的跨学科研究，共同目标是实现高度可用的网络基础设施。更广泛的影响：本研究的结果将显著提高关键网络基础设施的可靠性和安全性，并简化网络管理任务。能够构建能够对数据包转发的正确性和弹性提供正式保证的网络，通过使网络更可靠和更具成本效益，将产生重大的经济影响。能够可靠地处理很少遇到的异常的网络是企业和政府通信系统攻击生存和恢复的重要组成部分。本研究中开发的技术还将提高对错误配置的弹性，这可能会加速在缺乏经验丰富的网络运营商和资源来解决网络问题的农村地区部署网络。最后，该项目在网络、形式化方法和安全性方面对学生进行前沿和跨学科研究方面的培训。