Symbolic Analysis of Networked Systems Klaus Wehrle t Joint work by the COMSYS team http://comsys.rwth-aachen.de klaus@comsys.rwth-aachen.de Challenges in Softwarized Communication Systems Software plays an increasingly important role in networking Protocols, billions of apps, etc. Network elements become flexible (SDN, NFV, In-network processing) Important: Analysis of real code – not models Data Data Center Center Switch Switch Cloud- based Control Switch Switch Switch Switch wired network Sensors Actuators Ne Netwo worked Systems (protocols, apps) Lat Latenc ency-cr critica cal networke ked co control Goal: devise a new methodology for Networked Systems In-Network Processing Reliability? Predictable? Software Analysis of Interacting Systems? Edge: Protocols, Apps, ... Reducing latency (bugs, loops) (performance, resources) Rigorous, automated and effective! Core: Network Functions Networked control http://comsys.rwth-aachen.de 2
State of the Art in Distributed Systems Testing Testbeds, Prototypes Random testing Simulation Model-based proofs Emulation model model Automatism Automatism Automatism Automatism Coverage Coverage Coverage Coverage Effectiveness Effectiveness Effectiveness Effectiveness http://comsys.rwth-aachen.de 3 if (x == 0) Traditional if (x<5) Symbolic Execution http://comsys.rwth-aachen.de
Symbolic Execution: A Simple Example int get_range(int x) { int x = symbolic_input(); if (x == 0) à x may be any value return blue(); if (x < 50) { if (x == 0) if (x > 10) x = 0 x ≠ 0 return red(); if (x < 50) return green(); x ≥ 50 x ≠ 0 && x < 50 } if (x > 10) return orange(); x > 10 && x < 50 x ≤ 10 && x ≠ 0 } SMT Path 1: { x = 0 } Test 1: x = 0 But, is Symbolic Execution able Path 2: { 10 < x < 50 } Test 2: x = 22 Path 3: { x ≠ 0 ∧ x ≤ 10 } Test 3: x = 5 to analyze networked systems? Path 4: { 50 ≤ x } Test 4: x = 99 http://comsys.rwth-aachen.de 5 Symbolic Execution and Networked Systems Symbolic analysis of networked systems? Additional influence factor: à Consider packets as additional input X Y P if (x == 0) if (x < 5) P http://comsys.rwth-aachen.de 6
Symbolic Execution and Networked Systems Symbolic analysis of networked systems? Additional influence factor: à Consider packets as additional input X Y à It may arrive at various/any times P if (x == 0) if (x < 5) P Need for a rigorous analysis of any input at any time http://comsys.rwth-aachen.de 7 Symbolic Analysis of Network Input t http://comsys.rwth-aachen.de
Symbolic Execution of Networked Systems Symbolic analysis of network input P P P P P P P P P P ? http://comsys.rwth-aachen.de 9 Symbolic Distributed Execution (SDE) Branching within a node causes branches in all other nodes http://comsys.rwth-aachen.de 10
SDE: State Explosion Test scenarios Destination Grid with n 2 nodes (example: 49) Transmissions via a static path Symbolic network failures 10s simulated time Source Results using the conservative approach (49 nodes) >779K states The basic implementation of >24 GB the formal model of SDE is not scalable >22 h http://comsys.rwth-aachen.de 11 SDE: Elimination of Redundant States Test scenarios Destination Grid with n 2 nodes (example: 49) Transmissions via static path Symbolic network failures 10s simulated time Source Results using conservative and lazy forking algorithms 533 states Significant elimination of duplicates enables much more scalable analyses ~587 MB 1:49 min http://comsys.rwth-aachen.de 12
Infinite Loop Detection Symbolic Analysis of Protocol Loops t http://comsys.rwth-aachen.de Liveness of a Protocol – Infinite Loop Detection Why are infinite loops an issue with protocols? The outmost (protocol) loop should run infinitely (intended loop) The input handler should always finalize (non-intended loop) Infinite inner loop is a bug When is a loop infinite? If it comes to the same state, again and again! ¾ maybe with (different) intermediate steps o r When is a loop erroneous If it does not consume any input any more? How can we detect re-occurring same states? http://comsys.rwth-aachen.de Source: baynote.com 14
Efficient Implementation of Same State Detection Two states are the same if all their memory is the same Including call stack and instruction pointer Compare each new state S X to all its predecessor states How can this be achieved efficiently ? memcmp(NULL1, NULL2, 0xFF…FF); 1 bool x = false; S 0 For every predecessor state Naïve implementation is 2 x = true; S 1 prohibitively expensive! 3 while (x) { S 2 … S 2 4 x = true; S 3 … S 3 5 } http://comsys.rwth-aachen.de 15 Efficient Implementation of Same State Detection Two states are the same if all their memory is the same Including call stack and instruction pointer Compare each new state S X to all its predecessor states How can this be achieved efficiently ? Efficient same state detection? 1 bool x = false; S 0 Compare hashes instead of states H 0 Hash after blocks, not instructions 2 x = true; 3 while (x) { S 2 H 2 … S 2 H 2 4 x = true; S 3 H 3 … S 3 H 3 5 } http://comsys.rwth-aachen.de 16
Efficient Implementation of Same State Detection Two states are the same if all their memory is the same Including call stack and instruction pointer Compare each new state S X to all its predecessor states How can this be achieved efficiently ? Efficient same state detection? 1 bool x = false; S 0 H 0 Compare hashes instead of states H 0 Hash blocks, not instructions 2 x = true; H 1 Compute hashes iteratively 3 while (x) { H 2 … H 2 4 x = true; H 3 … H 3 5 } http://comsys.rwth-aachen.de 17 Results So far, a total of seven previously undetected bugs were detected Five bugs in the GNU Coreutils ¾ e.g. in “ tail ”: 130 line while(1) loop calling 2 functions Two bugs in busybox ¾ e.g. In a 490 line while(1) loop calling 2 functions o r All bugs have been reported, confirmed and fixed The coreutils bugs have existed for over 12 years! http://comsys.rwth-aachen.de 18
The Next Challenge Symbolic Analysis of Temporal Uncertainty t http://comsys.rwth-aachen.de A B t Analyzing uncertain event times – Why is time so important? State of system at arrival time of input determines the behavior Rigorous analysis requires analysis of all points in time! Moreover, time is continuous – not discrete! 20
A B t Challenge: Automatic Generation of Temporal Equivalence Classes Symbolic Time: Symbolic analysis of uncertain event times Problems Challenges Time is continuous – not discrete à How to derive temporal equival. classes? Temporal dependencies in code à How to detect them? Deriving all combinations and dependencies à How to make sure to consider all cases? 21 Challenges in Softwarized Communication Systems Trend: Software plays an increasingly important role in networking Protocols, billions of apps, etc. Network elements become flexible (SDN, NFV, In-network processing) Important: Analysis of real code – not models Data Data Center Switch Center Switch Cloud- based Control Switch Switch Switch Switch wired network Sensors Actuators Netwo Ne worked Systems (protocols, apps) Lat Latenc ency-cr critica cal networke ked co control Networked Systems In-Network Processing Reliability? Reliability! Predictable? Edge: Protocols, Apps, ... Reducing latency (bugs, loops) (bugs, loops) (performance, resources) Core: Network Functions Networked control http://comsys.rwth-aachen.de 22
? If pkt > 40 do_this(pkt); else do_that(pkt): ... Symbolic Analysis of Protocol / NF Performance http://comsys.rwth-aachen.de Performance Prediction of Softwarized Network Functions Challenge: Prediction of Processing Effort/Time of a NF Necessary processing resources? Expected/worst latency? Achievable data rate? Influence among NFs? Are we under attack? … Achieved throughput per processing effort of a NF Influence Factors Code of the NF Input Traffic (Pattern, Volume) CPU Execution ¾ Superscalar execution ¾ Branch prediction ¾ Caching http://comsys.rwth-aachen.de 24
Recommend
More recommend