BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz, Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar.

Slides:



Advertisements
Similar presentations
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Advertisements

Data-Plane Accountability with In-Band Path Diagnosis Murtaza Motiwala, Nick Feamster Georgia Tech Andy Bavier Princeton University.
Seyed K. Fayazbakhsh Vyas Sekar Minlan Yu Jeff Mogul
Verifiable Network Function Outsourcing Seyed K. FayazbakhshMichael K. ReiterVyas Sekar 1.
Compiling Path Queries in Software-Defined Networks Srinivas Narayana Jennifer Rexford and David Walker Princeton University.
Network Performance Measurement
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Toward Practical Integration of SDN and Middleboxes
SIMPLE-fying Middlebox Policy Enforcement Using SDN
SDN Applications Jennifer Rexford Princeton University.
Programmable Measurement Architecture for Data Centers Minlan Yu University of Southern California 1.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Toward Practical Convergence of Middleboxes and Software-Defined Networking Vyas Sekar Joint work with: Seyed Kaveh Fayazbakhsh, Zafar Qazi, Luis Chiang,
Practical and Incremental Convergence between SDN and Middleboxes 1 Zafar Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Header Space Analysis: Static Checking For Networks Peyman Kazemian, Nick McKeown (Stanford University) and George Varghese (UCSD and Yahoo Labs). Presented.
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Measurement in Networks & SDN Applications. Interesting Questions Who is sending a lot to a subnet? – Heavy Hitters Is someone doing a port Scan? Is someone.
® Context Aware Firewall Policies Ravi Sahita Priya Rajagopal, Pankaj Parmar Intel Corp. June 8 th 2004 IEEE Policy (Security)
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Troubleshooting SDNs Peyman Kazemian. Why SDN Troubleshooting SDN decouples software (control plane) from hardware (data plane). Opens doors for innovation.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
1 Advanced Material The following slides contain advanced material and are optional.
Data Plane Verification. Background: What are network policies Alice can talk to Bob Skype traffic must go through a VoIP transcoder All traffic must.
The Structuring of Systems Using Upcalls David D. Clark 4/26/20111Frank Sliz, CS533, Upcalls.
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.
Formal checkings in networks James Hongyi Zeng with Peyman Kazemian, George Varghese, Nick McKeown.
COEN 252 Computer Forensics
Checking Network/Port Connectivity using Kaseya Agent Procedures Developed By: Emmanuel Giboyeaux Advisor : Dr. S. Masoud Sadjadi School of Computing and.
Software-Defined Networks Jennifer Rexford Princeton University.
Expensive bugsFrequent protocol changes Operators don’t have the full picture.
VeriFlow: Verifying Network-Wide Invariants in Real Time
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 9 Basic Router Troubleshooting.
Network Verification Star Wars amd The Empire Strikes Back.
Bohatei: Flexible and Elastic DDoS Defense
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags Seyed K. Fayazbakhsh *, Luis Chiang ¶, Vyas Sekar *, Minlan.
Extending SDN to Handle Dynamic Middlebox Actions via FlowTags (Full version to appear in NSDI’14) Seyed K. Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
Enabling a “RISC” Approach for Software-Defined Monitoring using Universal Streaming Vyas Sekar Zaoxing Liu, Greg Vorsanger, Vladimir Braverman.
Week 04 Object Oriented Analysis and Designing. What is a model? A model is quicker and easier to build A model can be used in simulations, to learn more.
SIMPLE-fying Middlebox Policy Enforcement Using SDN
Motivation: Finding the root cause of a symptom
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.
Presented By: Mohammed Al-Mehdhar Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A.
2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.
KYUNG-HWA KIM HENNING SCHULZRINNE 12/09/2008 INTERNET REAL-TIME LAB, COLUMBIA UNIVERSITY DYSWIS.
SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang Vyas Sekar, Rui Miao, Minlan Yu Presenter : ChoongHee.
Header Space Analysis: Static Checking for Networks Broadband Network Technology Integrated M.S. and Ph.D. Eun-Do Kim Network Standards Research Section.
Design and Implementation of a Data Plane for the OpenBox Framework Pavel Lazar March 2016 This research was supported by the European Research Council.
NFP: Enabling Network Function Parallelism in NFV
Seyed K. Fayaz, Tushar Sharma, Ari Fogel
Ready-to-Deploy Service Function Chaining for Mobile Networks
Yotam Harchol The Hebrew University of Jerusalem
Problem: Internet diagnostics and forensics
A Survey of Network Function Placement
Jennifer Rexford Princeton University
The DPIaaS Controller Prototype
Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014
Praveen Tammana† Rachit Agarwal‡ Myungjin Lee†
Aaron Gember-Jacobson
of Dynamic NFV-Policies
Supporting Diverse Dynamic Intent-based Policies using Janus
NFP: Enabling Network Function Parallelism in NFV
Abstractions for Model Checking SDN Controllers
DDoS Attack Detection under SDN Context
NFP: Enabling Network Function Parallelism in NFV
Programmable Networks
Lecture 10, Computer Networks (198:552)
With slides from Ahmed Khurshid
Presentation transcript:

BUZZ: Testing Context-Dependent Policies in Stateful Networks Seyed K. Fayaz, Tianlong Yu, Yoshiaki Tobioka, Sagar Chaki, Vyas Sekar

Overview of checking network policies Does the network do what I want it to do? Network operator 2 Policies What I want the network to do Reality What the network does ??? network A B

R1R1 R2R2 R3R3 R4R4 A B Existing work on checking network policies 3 Static verification – HSA, NSDI’12 – Veriflow, NSDI’13 – NOD, NSDI’15 – Batfish, NSDI’15 reachability policies A can talk to B Active testing – Ping, Traceroute – ATPG, CoNext’12 – Pingmesh, SIGCOMM’15 Network operator stateless network

R1R1 R2R2 R3R3 R4R4 Light IPS Heavy IPS A B Real networks are about more than reachability context-dependent policies Network operator 4 stateful network A  B traffic Block Allow suspicious benign Heavy IPS bad signature found otherwise Light IPS # bad conn. >= 10 state context Light IPS suspicious How can we check context-dependent policies in stateful networks? Reachability policies  Context-dependent policies Stateless networks  Stateful networks Scalability: How to explore the state space? Expressiveness: How to capture stateful behaviors? Challenges:

Our solution: BUZZ Operator stateful data plane FW Proxy IPS Pass Fail 5 BUZZ is an active testing framework to check context-dependent policies in stateful data planes BUZZ test traffic context-dependent policies

Outline Motivation and challenges Design of BUZZ Implementation and evaluation 6

Data plane model Operator stateful data plane FW Proxy IPS Test traffic generation Pass Fail 7 context-dependent policies Challenge 1: Expressive models? Challenge 2: Scalable state space exploration test traffic Challenge 1: Expressive data plane model

2.How to model a network function (e.g., an IPS)? 8 Challenge 1: Expressive data plane model ? ? 1.How to model the traffic unit? ? NF 1 NF 2 NF 4 NF 3

9 Our idea: BDU as model of traffic unit Light IPS suspicious? or benign? Located packet (e.g., Pyretic, HSA) struct locPkt { IPHder ipHdr; NetworkPort port; }; Context-carrying located packet struct CntxlocPkt { IPHder ipHdr; NetworkPort port; Context context; }; struct BDU{ IPHeader ipHdr; NetworkPort port; Context context; … HTTPHdr httpHdr … }; BUZZ Data Unit (BDU) Expressive Scalable Expressive Scalable ✗ ✔ ✔ ✔ ✗ … IP packets … BDU

10 Our idea: NF as an ensemble of FSMs Light IPS NF model expressiveness NF model scalability Transfer function (e.g., Pyretic, HSA) Yes No Yes state? middlebox code large codebase (e.g., 300K LoC) bugs? A monolithic FSM count host1, count host2,… count host1 ++, count host2,… host 1 makes a conn. attempt … Ensemble of FSMs count host1 count host1 ++ count host2 count host2 ++ … Insight 1: Decoupling independent connections Insight 2: Decoupling independent tasks host 1 host 2 ✔ ✔ T(.) located packet located packet

Putting it together: Composing NF models 11 Individual NF models Data plane model

Data plane model Operator stateful data plane FW Proxy IPS Test traffic generation Pass Fail 12 context-dependent policies Challenge 1: Expressive models? Challenge 2: Scalable state space exploration test traffic Challenge 2: Scalable test traffic generation

Challenge 2: Exploring data plane state space 13 Conceptual view of test traffic generation: How to reach a colored state through a sequence of traffic units? Challenge of scalability wrt traffic space and state space – Strawman 1: All possible sequences of traffic units – Strawman 2: Generate random traffic units (e.g., fuzzing) – Strawman 3: Naïve use of exploration tools (e.g., model checking) Light IPS host 1 host 2 suspicious?

Our idea: Test traffic generation using optimized symbolic execution Optimized symbolic execution: – Minimize the number of symbolic BDUs – Scoping values of symbolic BDUs 14 Our high-level approach: Symbolic execution Light IPS host 1 host 2 suspicious?

Outline Motivation and challenges Design of BUZZ Implementation and evaluation 15

Implementation 16 Policy parser Network operator Data plane model instantiation (C) BDU-level test traffic generation (KLEE+optimizations) Translation into test scripts (custom library + code) Library of NF models (C) Test resolution (custom code) monitoring logs (tcpdump) intended policies stateful data plane under test FW Proxy IPS Pass Fail

Evaluation: Effectiveness of BUZZ Found new bugs in recent SDN-based systems – Violations due to reactive control in Kinetic – Incorrect state migration in OpenNF – Faulty policy composition in PGA – Incorrect traffic tagging in FlowTags … Found known violations – Broken link – Incorrect NAT configuration – SDN controller bug … 17

Evaluation: Scalability of BUZZ 18 Test generation takes < 2min for a network with 600 switches and 60 middleboxes

Existing work has fundamental limitations in checking context-dependent policies in stateful data planes Challenges: Expressive-yet-scalable model of stateful data planes Scalable state space exploration Our solution is BUZZ: BUZZ Data Unit (BDU) as traffic unit model Ensemble of FSMs as a network function (NF) model Scalable exploration via domain-specific optimizations BUZZ can help find bugs and is scalable 19 Conclusions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.