Software NFs The good: The fmexibility of software The software - PowerPoint PPT Presentation

Automated Synthesis of Adversarial Workloads for Network Functions Luis Pedrosa, Rishabh Iyer, Arseniy Zaostrovnykh, Jonas Fietz, Katerina Argyraki N etwork A rchitecture L aboratory

Software NFs The good: The fmexibility of software The software development cycle The bad: The reliability of software Inconsistent performance The ugly: Adversarial traffjc / DoS / Slowdowns 2

We need better tools... Dynamic analysis: profjling Reasons about known inputs Helps fjnd root cause / debug Only as good as the inputs used 3

We need better tools... Static analysis Reasons about potential inputs in abstract Over-approximating: WCET Under-approximating: adversarial inputs 0 Typical Adversarial MAX WCET Latency (not to scale) 4

CASTAN – Cycle Approximating Symbolic Timing Analysis for NFs Statically analyze NF Analyze code Generate PCAP fjle with adversarial workload Exploit The CPU cache hierarchy Algorithmic complexity It works! Increased NF latency up to 3× 5

Outline Introduction SymbEx in a Nutshell CASTAN Evaluation Conclusion 6

SymbEx in a Nutshell Procedure Interpret code with symbolic values α 0 1 : i n t v a r = i n p u t ( ) ; / / α 0 2 : r e t u r n v a r + + ; / / + 1 J. C. King, Symbolic Execution and Program Testing, 1976 7

SymbEx in a Nutshell Procedure Interpret code with symbolic values α 0 1 : i n t v a r = i n p u t ( ) ; / / 0 2 : i f ( v a r > = 0 ) { 0 3 : r e t u r n v a r ; 0 4 : } e l s e { 0 5 : r e t u r n - v a r ; 0 6 : } 8

SymbEx in a Nutshell Procedure Interpret code with symbolic values Fork execution on symbolic conditions Keep track of path constraints α 0 1 : i n t v a r = i n p u t ( ) ; / / 0 2 : i f ( v a r > = 0 ) { α α 0 3 : r e t u r n v a r ; / / i f > = 0 0 4 : } e l s e { α α 0 5 : r e t u r n - v a r ; / / - i f < 0 0 6 : } 9

SymbEx in a Nutshell Procedure Interpret code with symbolic values Fork execution on symbolic conditions Keep track of path constraints SMT solver fjnds concrete inputs α 0 1 : i n t v a r = i n p u t ( ) ; / / 0 2 : i f ( v a r > = 0 ) { α α α 0 3 : r e t u r n v a r ; / / i f > = 0 , e . g . = 0 0 4 : } e l s e { α α α 0 5 : r e t u r n - v a r ; / / - i f < 0 , e . g . = - 1 0 6 : } 10

SymbEx in a Nutshell Challenges Path Explosion! T ypically exponential # of paths / branch Unbounded with loops Impractical to SymbEx exhaustively 11

SymbEx in a Nutshell Mitigation Can’t do everything: prioritize! Directed Symbolic Execution Prioritize executing relevant paths over others Graph search with heuristic T ry to reach a bug / increase coverage / etc. Stop SEE when satisfjed (or impatient) 12

CASTAN Overview Generate adversarial NF workloads Packet sequence ⇒ more CPU cycles / packet Under-approximate: not WCET Largely automated 13

CASTAN Approach Exploits performance variation 1. CPU cache: +DRAM accesses 2. Algorithmic complexity: +instructions 3. Hashing: reverse to expose internals 14

CASTAN Attacking the CPU Cache Symbolic Pointers Index into memory with packet: a r r a y [ p a c k e t . d s t _ a d d r ] Find packets ⇒ memory addresses ⇒ DRAM access CPU Cache Model Simple 1-tier model of the LLC Models contention, associativity, write-back Empirical contention set model 15

CASTAN Attacking Algorithmic Complexity Maximize Instructions / Packet Find packets ⇒ longer code paths Guide SymbEx with a Heuristic Maximize cycles w/o inducing breadth-fjrst-search Estimate cycles / packet Receive Packet Receive Packet 16

CASTAN Attacking Algorithmic Complexity CFG Distance Heuristic max(successors)+cost<current> cost = cycles conservatively assuming an L1 hit 17

CASTAN Attacking Algorithmic Complexity CFG Distance Heuristic max(successors)+cost<current> cost = cycles conservatively assuming an L1 hit -∞ -∞ -∞ -∞ -∞ 0 18

CASTAN Attacking Algorithmic Complexity CFG Distance Heuristic max(successors)+cost<current> cost = cycles conservatively assuming an L1 hit -∞ 3 2 -∞ -∞ -∞ -∞ 0 -∞ -∞ 1 0 19

CASTAN Attacking Algorithmic Complexity CFG Distance Heuristic max(successors)+cost<current> cost = cycles conservatively assuming an L1 hit -∞ 3 2 3 2 -∞ -∞ -∞ -∞ 0 -∞ -∞ 1 0 5 4 1 0 20

CASTAN Attacking Algorithmic Complexity Handling Loops Distance vector algorithm Limit repeats to 2 (unrolls loops once) 21

CASTAN Attacking Algorithmic Complexity Handling Loops Distance vector algorithm Limit repeats to 2 (unrolls loops once) -∞ -∞ -∞ -∞ -∞ 0 22

CASTAN Attacking Algorithmic Complexity Handling Loops Distance vector algorithm Limit repeats to 2 (unrolls loops once) -∞ -∞ 3 4 -∞ -∞ -∞ 0 3 2 1 0 23

CASTAN Attacking Algorithmic Complexity Handling Loops Distance vector algorithm Limit repeats to 2 (unrolls loops once) -∞ -∞ 3 4 -∞ -∞ -∞ 0 3 2 1 0 24

CASTAN Attacking Algorithmic Complexity Handling Loops Distance vector algorithm Limit repeats to 2 (unrolls loops once) -∞ -∞ 3 4 7 8 -∞ -∞ -∞ 0 3 2 1 0 7 6 5 0 25

CASTAN Handling Hash Functions SymbExing hash functions is hard Complex expression / Path explosion Reason about hash value, without computing it? 26

CASTAN Handling Hash Functions SymbExing hash functions is hard Complex expression / Path explosion Reason about hash value, without computing it? Havocing Annotate and disable hash function Assign hash value a new symbol Analyze data structure internals unencumbered Find packet ⇒ hash value ⇒ expected behavior 27

CASTAN Handling Hash Functions ✘ Hash Packets Hashes Inputs Solve Reverse Solve Packets Hashes Hashes 28

Evaluation Setup Network Measurement Campaign E2E Latency / Throughput Intel Xeon E5-2667v2 3.3GHz 25.6MB LLC / 32GB RAM Intel 82599ES 10Gb NICs Tester DUT 29

Evaluation NFs 11 NF Implementations 3 types, difgerent data structures NAT LB LPM Unbalanced Tree ● ● Red-Black Tree ● ● Hash Ring ● ● Hash Table ● ● Hierarchical Lookup (DPDK) ● Single Lookup ● Patricia Trie ● 30

Evaluation NFs 11 NF Implementations Algorithmic Complexity 3 types, difgerent data structures NAT LB LPM Unbalanced Tree ● ● Red-Black Tree ● ● Hash Ring ● ● Hash Table ● ● Hierarchical Lookup (DPDK) ● Single Lookup ● Patricia Trie ● Cache 31

Evaluation Workloads Baseline NOP Adversarial CASTAN (~50 fmows), Manual (~50 fmows) Random UniRand (1Mfmows) Zipf (100kpkts, 6.7kfmows) UniRand CASTAN (# fmows = CASTAN) 32

Evaluation LPM / Single Lookup Table CDF 3× 3× 33

Evaluation LPM / Single Lookup Table CASTAN induces DRAM accesses 3× Latency CDF 3× 3× ≃ UniRand; 2×10 5 fewer flows 34

Evaluation LPM / Single Lookup Table -19% -19% 35

Evaluation NAT / Unbalanced Tree CDF 1.7× 1.7× 36

Evaluation NAT / Unbalanced Tree CASTAN skews the tree +70% Latency / -7% Throughput CDF 1.7× 1.7× ≃ Manual; without intuition 37

Conclusion CASTAN Attacks complexity, CPU cache, hash functions Little developer input Adversarial Workloads ≃ Manual when available > Uniform random for same number of fmows Up to +201% latency / -19% throughput 38

Find out more! Look for our poster! Get the source and more: https://pedrosa.2y.net/Projects/CASTAN 39

Backup Slides 40

Cache Structure L3 slice L2 line byte offset L1d line 34 bits 15 bits 3 bits 6 bits 6 bits 1GB page index 1GB page offset 41

Latency Deviation from NOP 42

Throughput 43

LPM / Single Lookup Table 44

NAT / Unbalanced Tree 45

NAT / Hash Ring 46

NAT / Red-Black Tree 47

NAT / Hash Table 48

LPM / Hierarchical Lookup (DPDK) 49

LPM / Patricia Trie 50

LB / Unbalanced Tree 51

LB / Red-Black Tree 52

LB / Hash Ring 53

LB / Hash Table 54