NeTS: Medium: From Verification to Synthesis in Software Defined Networks

NeTS：媒介：软件定义网络从验证到综合

• 批准号: 1513906
• 负责人: Philip Godfrey
• 金额: $ 120万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-10-01 至 2020-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1513906&HistoricalAwards=false
• 关键词: NeTS; Medium; Verification; Synthesis; Software

Every aspect of our society, from business, to government, to medicine and the sciences, is now tightly intertwined with the functioning of computer networks such as the Internet. Unfortunately, modern computer networks are extremely complicated, making them prone to implementation errors and misconfigurations, which can lead to vulnerabilities and other avenues to attack. To address this challenge, this project is designing and implementing systems which automatically verify correctness of network behavior, and correct vulnerabilities and errors in operational networks. These systems can provide immediate practical assistance to protecting networks and critical infrastructure against the attacks and cyberthreats we read about in the news every day.The project's technology functions by scanning a network, constructing a formal model of the network's behavior, and using custom formal logic algorithms to automatically derive diagnoses and repairs to network state. The core technical approach is founded on data-plane verification (DPV), which models network-wide properties using a view of the network that is as close as possible to the network's actual running behavior, i.e., the data plane: forwarding tables contained in routers, switches, firewalls, and other networking equipment. This low-level view allows DPV to catch and prevent errors that other tools miss, and provides a framework for the unified analysis of heterogeneous, multi-protocol networks.Intellectual Merit: This research is designing new algorithms to detect, prevent, and repair errors in complex networks. To achieve this, the researchers are developing a new class of formal methods to efficiently model network properties such as reachability, as well as techniques to store and query these models in real time. The researchers are also developing systems based on these algorithms to quickly and correctly localize faults, repair them before they can affect live networks, and deploy operating environments based on software-defined networking that automate application of their techniques. This research is shedding light on the ability to formally model networks, and is building insights into how to design networks and network protocols that have strong security properties from first principles. The work will also help enable interdisciplinary research across formal methods and networking disciplines, with the common goal of enabling highly available networking infrastructures.Broader Impacts: The results of this research will significantly enhance reliability and security of critical network infrastructure, and ease network management tasks. Being able to construct networks that can provide formal guarantees on the correctness and resilience of packet forwarding would have significant economic impact, by making networks more reliable and cost-effective. Networks that can deal reliably with rarely encountered exceptions are an essential component of attack survival and recovery for business and government communication systems. The techniques developed in this research will also improve resilience to misconfigurations, which may accelerate deployment of networks in underdeveloped and rural areas lacking experienced network operators with resources to troubleshoot network problems. Finally, the project is training students on cutting-edge and cross-disciplinary research in networking, formal methods, and security.

我们社会的每一个方面，从商业到政府，再到医学和科学，现在都与互联网等计算机网络的功能紧密交织在一起。不幸的是，现代计算机网络非常复杂，容易出现实施错误和错误配置，这可能导致漏洞和其他攻击途径。为了应对这一挑战，该项目正在设计和实现自动验证网络行为正确性的系统，并纠正运营网络中的漏洞和错误。这些系统可以为保护网络和关键基础设施免受我们每天在新闻中看到的攻击和网络威胁提供即时的实际帮助。该项目的技术功能是扫描网络，构建网络行为的形式模型，并使用自定义形式逻辑算法自动诊断和修复网络状态。核心技术方法建立在数据平面验证（DPV）的基础上，该方法使用尽可能接近网络实际运行行为的网络视图对网络范围的属性进行建模，即，数据平面：包含在路由器、交换机、防火墙和其他网络设备中的转发表。这种低层次的视图允许DPV捕捉和防止错误，其他工具missing.Intellectual优点：这项研究是设计新的算法来检测，防止和修复复杂网络中的错误，并提供了一个统一的分析框架异构，多协议networks.Intellectual。为了实现这一目标，研究人员正在开发一类新的形式化方法来有效地建模网络属性，如可达性，以及真实的时间存储和查询这些模型的技术。研究人员还在开发基于这些算法的系统，以快速正确地定位故障，在它们影响实时网络之前修复它们，并基于软件定义的网络部署操作环境，以自动化其技术的应用。这项研究揭示了正式建模网络的能力，并深入了解如何设计具有强大安全特性的网络和网络协议。这项工作还将有助于实现跨正式方法和网络学科的跨学科研究，共同目标是实现高度可用的网络基础设施。更广泛的影响：这项研究的结果将显著提高关键网络基础设施的可靠性和安全性，并简化网络管理任务。能够构建能够对数据包转发的正确性和弹性提供正式保证的网络将通过使网络更加可靠和具有成本效益而产生重大的经济影响。能够可靠地处理罕见异常的网络是企业和政府通信系统抵御攻击和恢复的重要组成部分。本研究中开发的技术还将提高对错误配置的适应能力，这可能会加快欠发达地区和农村地区的网络部署，这些地区缺乏经验丰富的网络运营商，缺乏解决网络问题的资源。最后，该项目正在培训学生在网络，正式方法和安全方面的前沿和跨学科研究。