Applying formal methods to configuration synthesis and debugging
Applying Formal Methods to Configuration Synthesis and Debugging. Sanjai Narain Information Assurance and Security Department Telcordia Technologies, Inc. DIMACS Workshop on Designing Networks for Manageability, November 11, 2009.

Presentation Transcript
Home Theater Configuration Problem

(Figure labels: To Satisfy End-To-End Requirement; Set Up Physical Layer; Then Configure It; Confused? Here Is Help.)


Why Are These Hard?

  • Need to specify connectivity, security, performance and reliability

  • Synthesis, reconfiguration planning and verification require searching very large spaces

  • Security and functionality interact

  • Components can correctly work in isolation but not together

  • Removing one error can cause another

  • Distributed configuration is not well-understood

  • Hard to formalize configuration language grammar documented in hundreds of pages of English

Bridging Gap Between Requirement and Configuration

  • End-To-End Requirements

  • Requirement specification

  • Configuration synthesis

  • Reconfiguration planning

  • Distributed configuration

  • Configuration file parsing

Classes of Configuration Errors in Enterprise Networks

  • Connectivity

    • Incorrect addressing or IP, GRE, MPLS, IPSec links

  • Incorrect firewall policies

  • Inconsistent QoS policies

  • Single points of failure due to misconfigured routing protocols, in spite of diversity

  • Single points of failure across layers

  • Interaction between security and performance

    • Packet dropping due to mismatched MTU and ICMP blocking

  • Interaction between security and reliability

    • IPSec tunnels not replicated in HSRP cluster

  • Interaction between security and connectivity

    • Static routes not directing packets into IPSec tunnels

  • Lack of centralized configuration authority

    • Static routes accumulated due to inefficient collaboration between network administrators

Consequences of Configuration Errors

  • Setting it [security] up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

    • Butler Lampson, MIT. Computer Security in the Real World. IEEE Computer, June 2004

  • …human factors, is the biggest contributor—responsible for 50 to 80 percent of network device outages.

    • What’s Behind Network Downtime? Proactive Steps to Reduce Human Error and Improve Availability of Networks, 2008.

  • We don’t need hackers to break the systems because they’re falling apart by themselves.

    • Peter G. Neumann, SRI. “Who Needs Hackers”, NY Times, September 7, 2007.

  • Things break. Complex systems break in complex ways.

    • Steve Bellovin, Columbia University. Above article


ConfigAssure Design

Project jointly with Sharad Malik, Princeton, Daniel Jackson, MIT

  • QFF = Boolean combination of x op y and contained(a, m, b, n), where x, y, a, m, b, n are integer variables or constants and op is =, <, >, <=, >=

    • Application-layer quantifier elimination with partial evaluation scales to networks of realistic size (Narain, 2005; Narain, Kaul, Levin, Malik, 2008; Narain, Talpade, Levin, 2010)

  • First order logic: Alloy

    • FOL → Boolean quantifier elimination does not scale to large variable ranges

  • Solve millions of constraints in millions of variables in seconds





Bridging the Gap with ConfigAssure

  • Specification: security, functionality and configurations all specified as constraints

  • Synthesis: use Kodkod constraint solver

  • Diagnosis: analyze UNSAT-CORE

  • Repair: if x=c appears in UNSAT-CORE, it is a root-cause. Remove it and re-solve

  • Reconfiguration planning: transform safety invariant into a constraint on times at which variables change from initial to final value. Solve.

  • Represent firewall policy P as a QFF auth_P on generic packet header s, sp, d, dp, p

    • P1 is subsumed by P2 if there is no solution to auth_P1 ∧ ¬auth_P2

    • P1 is equivalent to P2 if P1 subsumes P2 and vice versa

    • A rule R in P1 is redundant if P1 - {R} is equivalent to P1

  • No grammar: parse file into a database of command blocks. Query these to extract needed information
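A worked instance of the three firewall checks above, added here as an example and not code from the slides or from ConfigAssure: a policy is a first-match list of rules given as per-field ranges over the header (s, sp, d, dp, p), and the Kodkod solver is replaced by a finite-domain search over one witness packet per region of the header space (an assumption that is exact for range-based rules); the field widths and the sample policies are constructed.

```python
from itertools import product
# Generic packet header from the slide: source, source port, destination, dest port, protocol.
FIELDS = ("s", "sp", "d", "dp", "p")
MAXV = {"s": 255, "sp": 65535, "d": 255, "dp": 65535, "p": 255}  # toy 8-bit addresses

def rule(action, **ranges):
    """A rule is (action, {field: (lo, hi)}); fields not given match their whole range."""
    return (action, {f: ranges.get(f, (0, MAXV[f])) for f in FIELDS})

def matches(r, pkt):
    return all(lo <= pkt[f] <= hi for f, (lo, hi) in r[1].items())

def auth(policy, pkt):
    """auth_P: the first matching rule decides; a packet matching no rule is denied."""
    for r in policy:
        if matches(r, pkt):
            return r[0] == "permit"
    return False

def witnesses(*policies):
    """One packet per cell of the header space cut at every range endpoint. Each rule
    matches a cell wholly or not at all, so the cells' lowest corners are a complete search."""
    pts = {f: {0} for f in FIELDS}
    for policy in policies:
        for _, rng in policy:
            for f, (lo, hi) in rng.items():
                pts[f].add(lo)
                if hi < MAXV[f]:
                    pts[f].add(hi + 1)
    for corner in product(*(sorted(pts[f]) for f in FIELDS)):
        yield dict(zip(FIELDS, corner))

def counterexample(p1, p2):
    """A solution to auth_P1 ∧ ¬auth_P2, or None when P1 is subsumed by P2."""
    return next((w for w in witnesses(p1, p2) if auth(p1, w) and not auth(p2, w)), None)

def subsumed(p1, p2): return counterexample(p1, p2) is None
def equivalent(p1, p2): return subsumed(p1, p2) and subsumed(p2, p1)

def redundant_rules(policy):
    """Indices of rules R such that P - {R} is equivalent to P."""
    return [i for i in range(len(policy)) if equivalent(policy[:i] + policy[i + 1:], policy)]

# Constructed sample policies (TCP = protocol 6). P1 permits web traffic to one host and
# P2 to a range containing it, so P1 is subsumed by P2 but not the reverse.
P1 = [rule("permit", d=(10, 10), dp=(80, 80), p=(6, 6)), rule("deny")]
P2 = [rule("permit", d=(0, 63), dp=(80, 80), p=(6, 6)), rule("deny")]
P3 = [rule("deny", s=(200, 255)),                       # blocks a source range before the permit
      rule("permit", d=(10, 10), dp=(80, 80), p=(6, 6)),
      rule("deny", d=(10, 10))]                          # redundant: default deny already covers it
```

Because auth defaults to deny, a trailing explicit deny rule is also reported as redundant; a real check would model the device's own default action.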
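An added example (not ConfigAssure's parser) of the grammar-free approach: an IOS-style configuration, constructed here, is split into a database of command blocks and queried, ending with a simplified, assumed check for the "static routes not directing packets into IPSec tunnels" error class listed on the earlier slide.

```python
import ipaddress
# Constructed IOS-style configuration (not from the slides) used as the parser's input.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
ip route 203.0.113.0 255.255.255.0 192.0.2.254
ip route 0.0.0.0 0.0.0.0 198.51.100.254
"""

def parse_blocks(text):
    """No grammar: an unindented line opens a command block; indented lines below it are its sub-commands."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip blank lines and IOS separator/comment lines
        if line[0].isspace() and blocks:
            blocks[-1]["body"].append(line.split())
        else:
            blocks.append({"cmd": line.split(), "body": []})
    return blocks

def query(blocks, *prefix):
    """All blocks whose top-level command starts with the given words."""
    return [b for b in blocks if b["cmd"][:len(prefix)] == list(prefix)]

def interface_subnets(blocks):
    """interface name -> (subnet, carries a crypto map) for every addressed interface."""
    out = {}
    for b in query(blocks, "interface"):
        ip = next((s for s in b["body"] if s[:2] == ["ip", "address"]), None)
        if ip:
            net = ipaddress.IPv4Network((ip[2], ip[3]), strict=False)
            out[b["cmd"][1]] = (net, any(s[:2] == ["crypto", "map"] for s in b["body"]))
    return out

def routes_bypassing_tunnels(blocks):
    """Static routes whose next hop is not on a crypto-map interface's subnet: an assumed,
    simplified check for 'static routes not directing packets into IPSec tunnels'."""
    subnets = interface_subnets(blocks)
    flagged = []
    for b in query(blocks, "ip", "route"):
        hop = ipaddress.IPv4Address(b["cmd"][4])
        if not any(hop in net for net, has_crypto in subnets.values() if has_crypto):
            flagged.append(tuple(b["cmd"][2:5]))
    return flagged
```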

ConfigAssure Technology Transition

  • Trialed with major enterprise

  • Diagnosis only product, IP Assure, deployed at Securities and Exchange Commission.

    • Non-invasive network testing

  • Currently, being transitioned to High Assurance Platform

    • Integrates VMWare with SELinux

    • Configuration complex

    • Jointly with Trent Jaeger, Penn State, Sharad Malik and Daniel Jackson

Related Work

  • Optimal identification of configurations to change to prevent attacks: Ou, Homer, 2009

    • Specification language: Datalog

    • Uses properties of Datalog proofs and MinCost SAT solvers

  • Firewall verification with BDD-based model-checking: Hamed, Al-Shaer, Marrero, 2005

  • Symbolic Reachability Analysis:

    • Answer questions, e.g.: "Does firewall policy strengthening change the set of packets flowing from A to B?"

    • Abstract algorithm by Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, and Rexford, 2005

    • Implementation of more general algorithm using BDD-based model-checking: Al-Shaer, Marrero, El-Atawy, 2009

  • BGP policy verification in a higher-order logic, Isabelle: Voellmy, 2009

  • Parsing with PADS/ML: Mandelbaum, 2007

  • Parsing with ANTLR: Narain, Talpade, Levin, 2009

A Question on Specification Language

  • Are logic-based languages really hard for an administrator?

  • IOS is declarative – no side-effects

  • What is the problem with introducing Boolean connectives, quantifiers?

References

  • Al-Shaer E, Marrero W, El-Atawy A, ElBadawy K (2009) Towards Global Verification and Analysis of Network Access Control Configuration. International Conference on Network Protocols

  • Anderson P (2006) System Configuration. In Short Topics in System Administration ed. Rick Farrow. USENIX Association

  • Enck W, Moyer T, McDaniel P, Sen S, Sebos P, Spoerel S, Greenberg A, Sung Y-W, Rao S, Aiello W, (2009) Configuration Management at Massive Scale: System Design and Experience. IEEE Journal on Selected Areas in Communications

  • Hamed H, Al-Shaer E, Marrero W (2005) Modeling and Verification of IPSec and VPN Security Policies. Proceedings of IEEE International Conference on Network Protocols

  • Homer J, Ou X (2009) SAT-solving approaches to context-aware enterprise network security management. IEEE JSAC Special Issue on Network Infrastructure Configuration

  • Mandelbaum Y, Fisher K, Walker D, Fernandez M, Gleyzer A (2007) PADS/ML: A functional data description language. ACM Symposium on Principles of Programming Languages

  • Narain S (2005) Network Configuration Management via Model-Finding. Proceedings of USENIX Large Installation System Administration (LISA) Conference

  • Narain S, Levin G, Kaul V, Malik S (2008) Declarative Infrastructure Configuration Synthesis and Debugging. Journal of Network Systems and Management, Special Issue on Security Configuration, eds. Ehab Al-Shaer, Charles Kalmanek, Felix Wu

  • Narain S, Talpade R, Levin G (2010) Network configuration validation. Chapter in “Guide to reliable Internet Services and Applications” eds Chuck Kalmanek, Richard Yang, Sudip Misra, Springer

  • Voellmy A, Hudak P (2009) Nettle: A domain-specific language for routing configuration. Proceedings of ACM SafeConfig Workshop

  • Xie G, Zhan J, Maltz D, Zhang H, Greenberg A, Hjalmtysson G, and Rexford J (2005) On Static Reachability Analysis of IP Networks. IEEE INFOCOM

Summary

  • Configuration errors cause 50%-80% of down time and vulnerabilities

  • To eliminate these, we need tools for synthesis, diagnosis, repair, reconfiguration planning, verification, distributed configuration, and parsing

  • Modern formal methods based on constraint solving, BDD-based model-checking and logic programming are being used to build these tools that solve configuration problems for real networks