Applying Formal Methods to Configuration Synthesis and Debugging

1. Applying Formal Methods to Configuration Synthesis and Debugging Sanjai Narain Information Assurance and Security Department Telcordia Technologies, Inc. narain@research.telcordia.com DIMACS Workshop on Designing Networks for Manageability, November 11, 2009

2. Home Theater Configuration Problem To Satisfy End-To-End Requirement Set Up Physical Layer Then Configure It Confused? Here Is Help. 2

3. Why are these hard? Need to specify connectivity, security, performance and reliability Synthesis, reconfiguration planning and verification require searching very large spaces Security and functionality interact Components can correctly work in isolation but not together Removing one error can cause another Distributed configuration is not well-understood Hard to formalize configuration language grammar documented in hundreds of pages of English End-To-End Requirements Configurations Bridging Gap Between Requirement and Configuration Requirement specification Configuration synthesis Diagnosis Repair Reconfiguration planning Verification Distributed configuration Configuration file parsing

4. Connectivity Incorrect addressing or IP, GRE, MPLS, IPSec links Security Incorrect firewall policies Performance Inconsistent QoS policies Reliability Single points of failure due to misconfigured routing protocols, in spite of diversity Single points of failureacrosslayers Interaction between security and performance Packet dropping due to mismatched MTU and ICMP blocking Interaction between security and reliability IPSec tunnels not replicated in HSRP cluster Interaction between security and connectivity Static routes not directing packets into IPSec tunnels Lack of centralized configuration authority Static routes accumulated due to inefficient collaboration between network administrators Classes of Configuration Errors In Enterprise Networks

5. Consequences of Configuration Errors • Setting it [security] up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security. • Butler Lampson, MIT. Computer Security in the Real World.IEEE Computer, June 2004 • …human factors, is the biggest contributor—responsible for 50 to 80 percent of network device outages. • What’s Behind Network Downtime? Proactive Steps to Reduce Human Error and Improve Availability of Networks, 2008. http://www.juniper.net/solutions/literature/white_papers/200249.pdf • We don’t need hackers to break the systems because they’re falling apart by themselves. • Peter G. Neumann, SRI. “Who Needs Hackers”, NY Times, September 7, 2007. http://www.nytimes.com/2007/09/12/technology/techspecial/12threat.html • Things break. Complex systems break in complex ways. • Steve Bellovin, Columbia University. Above article 5

6. Project jointly with Sharad Malik, Princeton, Daniel Jackson, MIT QFF = Boolean combination of: x op y contained(a, m, b, n) where x, y, a, m, b, n are integer variables or constants and op is =,<,>,<=,>= Application-layer quantifier elimination with partial evaluation scales to networks of realistic size Narain, 2005 Narain, Kaul, Levin, Malik, 2008 Narain, Talpade, Levin, 2010 Requirement First order logic: Alloy Kodkod Hard FOLBoolean quantifier elimination does not scale to large variable ranges Boolean SAT Solver Solve millions of constraints in millions of variables in seconds ConfigAssure Design Easier Arithmetic Quantifier-Free Form

7. Specification: Security, functionality and configurations all specified as constraints Synthesis: Use Kodkod constraint solver Diagnosis: Analyze UNSAT-CORE Repair: If x=c appears in UNSAT-CORE, it is a root-cause. Remove it and re-solve Reconfiguration planning: Transform safety invariant into a constraint on times at which variables change from initial to final value. Solve. Verification Represent firewall policy P as a QFF auth_P on generic packet header s,sp,d,dp,p P1 is subsumed by P2 if there is no solution to auth_P1  ¬auth_P2. P1 is equivalent to P2 if P1 subsumes P2 and vice versa A rule R in P1 is redundant if P1-{R} is equivalent to P1 Parsing No grammar Parse file into a database of command blocks. Query these to extract needed information Bridging The Gap With ConfigAssure

8. ConfigAssure Technology Transition • Trialed with major enterprise • Diagnosis only product, IP Assure, deployed at Securities and Exchange Commission. • Non-invasive network testing • Currently, being transitioned to High Assurance Platform • Integrates VMWare with SELinux • Configuration complex • Jointly with Trent Jaeger, Penn State, Sharad Malik and Daniel Jackson

9. Related Work • Optimal identification of configurations to change to prevent attacks: Ou, Homer, 2009 • Specification language: Datalog • Uses properties of Datalog proofs and MinCost SAT solvers • Firewall verification with BDD-based model-checking: Hamed, Al-Shaer, Marrero, 2005 • Symbolic Reachability Analysis: • Answer questions e.g.:“Does firewall policy strengthening change the set of packets flowing from A to B?” • Abstract algorithm by Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, and Rexford, 2005 • Implementation of more general algorithm using BDD-based model-checking: Al-Shaer, Marrero, El-Atawy, 2009 • BGP policy verification in a higher-order logic, Isabelle: Voellmy, 2009 • Parsing with PADS/ML: Mandelbaum, 2007 • Parsing with ANTLR: Narain, Talpade, Levin, 2009

10. A Question on Specification Language • Are logic-based languages really hard for an administrator? • IOS is declarative – no side-effects • What is the problem with introducing Boolean connectives, quantifiers?

11. References • Al-Shaer E, Marrero W, El-Atawy A, ElBadawy K (2009) Towards Global Verification and Analysis of Network Access Control Configuration. International Conference on Network Protocols • Anderson P (2006) System Configuration. In Short Topics in System Administration ed. Rick Farrow. USENIX Association • Enck W, Moyer T, McDaniel P, Sen S, Sebos P, Spoerel S, Greenberg A, Sung Y-W, Rao S, Aiello W, (2009) Configuration Management at Massive Scale: System Design and Experience. IEEE Journal on Selected Areas in Communications • Hamed H, Al-Shaer E and Will Marrero (2005) Modeling and Verification of IPSec and VPN Security Policies, Proceedings of IEEE International Conference on Network Protocols. • Homer J, Ou X (2009) SAT-solving approaches to context-aware enterprise network security management. IEEE JSAC Special Issue on Network Infrastructure Configuration • Mandelbaum Y, Fisher K, Walker D, Fernandez M, and Gleyzer A (2007) PADS/ML: A functional data description language. ACM Symposium on Principles of Programming Language • Narain S (2005) Network Configuration Management via Model-Finding. Proceedings of USENIX Large Installation System Administration (LISA) Conference • Narain S, Levin G, Kaul V, Malik, S (2008) Declarative Infrastructure Configuration Synthesis and Debugging. Journal of Network Systems and Management, Special Issue on Security Configuration, eds. Ehab Al-Shaer, Charles Kalmanek, Felix Wu • Narain S, Talpade R, Levin G (2010) Network configuration validation. Chapter in “Guide to reliable Internet Services and Applications” eds Chuck Kalmanek, Richard Yang, Sudip Misra, Springer • Voellmy A, Hudak P Nettle (2009) A domain-specific language for routing configuration. Proceedings of ACM SafeConfig Workshop. http://bebop.cs.yale.edu/voellmy/nettle.html • Xie G, Zhan J, Maltz D, Zhang H, Greenberg A, Hjalmtysson G, and Rexford J (2005) On Static Reachability Analysis of IP Networks. IEEE INFOCOM

12. Summary • Configuration errors cause 50%-80% of down time and vulnerabilities • To eliminate these, we need tools for synthesis, diagnosis, repair, reconfiguration planning, verification, distributed configuration, and parsing • Modern formal methods based on constraint solving, BDD-based model-checking and logic programming are being used to build these tools that solve configuration problems for real networks