VeriCon: Towards Verifying
Controller Programs in SDNs
(PLDI 2014)
Thomas Ball, Nikolaj Bjorner, Aaron Gember,
Shachar Itzhaky, Aleksandr Karbyshev, Mooly Sagiv,
Michael Schapira, Asaf Valadarsky
Traditional Computer Networks
• Control plane: distributed algorithms
• Data plane: packet streaming
New Paradigm: Software Defined Networking (SDN)
• Logically-centralized control in software: smart but slow
• API to the data plane (e.g., OpenFlow)
• Hardware switches: dumb but fast
Controller: Programmability
• Applications (APP, APP, APP, …) run on top of the Controller
• Events from switches: topology changes, traffic statistics, arriving packets
• Commands to switches: (un)install rules, query statistics
Desired Network Properties
• Routing
– No forwarding loops, no black holes, …
• Security
– ACL, firewall, middleboxes, …
• Traffic Engineering
– Load balancing, VM migration, …
• …
How can we guarantee
such properties?
Traditional Networks vs. SDN
• Guaranteeing these properties in a traditional
network is nearly impossible
– Switch / Router code is a “black box”
– Protocols are distributed across devices.
• SDN opens up the possibility of applying
formal software verification to networks!
– Accessible code
– Centralized control
Existing Approaches
• Finite-state model checking (e.g., NICE & Verificare): explores a bounded state space, so it might miss bugs!
• Analyzing network snapshots (e.g., HSA): discovers bugs too late, after the faulty configuration is already deployed
• Run-time checks (e.g., VeriFlow & NetPlumber): discovers bugs too late & adds run-time overhead
Dream Scenario
• Verify network-wide properties at compile time
– Find violations before they occur!
• Provable verification
– Prove correctness for correct programs
– Find a counterexample for incorrect programs
(useful for debugging)
The VeriCon Tool
Inputs:
• Restrictions on topology (T)
• Controller code (P)
• Desired properties
The verification-conditions generator combines T, P and the desired properties into a single formula, which is handed to a SAT solver. The solver's answer is one of two outputs:
• Proof: the property holds for every topology satisfying T and every sequence of events handled by P
• Counterexample: a concrete topology and event sequence under which P violates the property
Running Times – Correct Programs

Program      Description                                             Time to prove (seconds)
Firewall     A basic firewall abstraction.                           0.11
MigFirewall  Firewall supporting migration of “safe” hosts.          0.12
Learning     A simple learning switch.                               0.14
Resonance    Access control for host authentication in enterprises.  0.18
Stratos      Forwarding traffic through a sequence of middleboxes.   0.09
Running Times – Incorrect Programs

Program          Description                                                                  Time to disprove (seconds)
Firewall-Bug 1   Forgot to check whether packets arriving on port 2 are from a trusted host.  0.13
Firewall-Bug 2   Forgot to add the definition of a “trusted host”.                            0.09
Learning-Bug 3   Forgot to forward the packets.                                               0.15
Resonance-Bug 1  Forgot to define that the states a host can be in are mutually exclusive.    0.07
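To make the tool's workflow and the first bug in the table concrete, here is an added example (not VeriCon's own CSDN code, and not from the paper's authors). It models the Firewall program from the table in Python: port 1 faces the trusted side, port 2 the outside; a host becomes trusted once an inside host sends to it, and a packet arriving on port 2 is forwarded (and a flow rule installed) only if its source is trusted. The safety property is the one a firewall owner cares about: no installed rule, and no controller forward decision, lets port-2 traffic from an untrusted host through. The check is the same shape as VeriCon's verification condition (start from any state satisfying the property, apply any event, require the property to still hold), but over a constructed finite domain of two hosts enumerated exhaustively; VeriCon instead encodes the condition into a decidable fragment of first-order logic and lets the solver reason over unbounded hosts and topologies. The host names, port numbering and state layout are assumptions of this example.

```python
"""Finite-domain inductiveness check for a VeriCon-style firewall controller.

Added example, not VeriCon's code.  HOSTS, the port layout and the state
structure are constructed for illustration only.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, Optional, Tuple

HOSTS = ("h1", "h2")        # constructed finite host domain (VeriCon's is unbounded)
INSIDE, OUTSIDE = 1, 2      # switch ports: 1 faces trusted hosts, 2 faces the outside
PORTS = (INSIDE, OUTSIDE)

Rule = Tuple[str, str, int]  # (src, dst, in_port): data-plane rule forwarding that flow


@dataclass(frozen=True)
class State:
    trusted: FrozenSet[str]   # controller's set of outside hosts allowed in
    rules: FrozenSet[Rule]    # flow rules currently installed on the switch


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_port: int


Handler = Callable[[State, Packet], Tuple[State, bool]]
INITIAL = State(frozenset(), frozenset())


def handler_correct(s: State, p: Packet) -> Tuple[State, bool]:
    """Packet-in handler; returns (new state, was the packet forwarded?)."""
    if p.in_port == INSIDE:
        # An inside host initiates contact: the peer becomes trusted and a
        # rule is installed so the rest of the flow bypasses the controller.
        return State(s.trusted | {p.dst}, s.rules | {(p.src, p.dst, INSIDE)}), True
    if p.src in s.trusted:
        return State(s.trusted, s.rules | {(p.src, p.dst, OUTSIDE)}), True
    return s, False  # untrusted outside host: drop, install nothing


def handler_bug1(s: State, p: Packet) -> Tuple[State, bool]:
    """Firewall-Bug 1 from the table: the trusted check on port 2 is missing."""
    if p.in_port == INSIDE:
        return State(s.trusted | {p.dst}, s.rules | {(p.src, p.dst, INSIDE)}), True
    return State(s.trusted, s.rules | {(p.src, p.dst, OUTSIDE)}), True


def invariant(s: State) -> bool:
    """Safety property: every rule forwarding port-2 traffic names a trusted source."""
    return all(src in s.trusted for (src, _dst, port) in s.rules if port == OUTSIDE)


def all_states():
    """Every state over the finite domain: 2^|HOSTS| trusted sets x 2^|rules| rule sets."""
    candidate_rules = [(a, b, pt) for a in HOSTS for b in HOSTS for pt in PORTS]
    for k in range(len(HOSTS) + 1):
        for trusted in combinations(HOSTS, k):
            for r in range(len(candidate_rules) + 1):
                for rules in combinations(candidate_rules, r):
                    yield State(frozenset(trusted), frozenset(rules))


def check_inductive(handler: Handler) -> Optional[Tuple[State, Packet, State]]:
    """Inductiveness check shaped like VeriCon's verification condition: from
    every state satisfying the invariant, every packet-in event must (a) keep
    the invariant true and (b) forward a port-2 packet only from a trusted
    source.  Returns a counterexample (pre, packet, post), or None (a proof
    over this finite domain)."""
    packets = [Packet(a, b, pt) for a in HOSTS for b in HOSTS for pt in PORTS]
    for pre in all_states():
        if not invariant(pre):
            continue
        for p in packets:
            post, forwarded = handler(pre, p)
            bad_forward = forwarded and p.in_port == OUTSIDE and p.src not in pre.trusted
            if bad_forward or not invariant(post):
                return pre, p, post
    return None


if __name__ == "__main__":
    assert invariant(INITIAL)
    print("correct:", check_inductive(handler_correct))  # None: the invariant is inductive
    print("bug 1:  ", check_inductive(handler_bug1))     # a (pre, packet, post) counterexample
```

The counterexample for the buggy handler is found immediately from the empty initial state: an outside packet on port 2 from a host nobody inside has contacted gets forwarded and a permanent rule installed for it, which is exactly the debugging hint the table's "Time to disprove" column refers to. For the correct handler the search exhausts all 1,024 states and 8 events without a violation; VeriCon obtains the same verdict as a genuine proof because its encoding does not fix the number of hosts.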
VeriCon: Challenges and Solutions
• Programmer must specify properties in first-order logic
– We build a tool that infers formulas for SDN programs
– Future research: static analysis
• SDN programs must be coded in a specific language (CSDN)
– VeriCon can be extended to support Java, Python, etc.
• SAT solver might not terminate!
– The SDN programs considered yield verification conditions in a decidable sub-family of first-order logic (the EPR fragment)
– … so solver termination is guaranteed!
• VeriCon assumes atomicity of events (each event is fully handled before the next arrives)
– “Existing” solutions
– Future research: verify stronger properties
Summary
• SDN opens up the possibility for applying
formal verification to networks
• VeriCon is the first system to provably verify
SDN programs at compile time
– for unbounded topology, #packets, etc.
Thank You