Sanjai NarainInformation Assurance and Security Department

Telcordia Technologies, Inc.narain@research.telcordia.com

Applying Formal Methods to Configuration Synthesis and Debugging

DIMACS Workshop on Designing Networks for Manageability, November 11, 2009

2

Home Theater Configuration Problem

To Satisfy End-To-End Requirement Set Up Physical Layer

Then Configure It Confused? Here Is Help.

Bridging Gap Between Requirement and Configuration

Why are these hard?

• Need to specify connectivity, security, performance and reliability

• Synthesis, reconfiguration planning and verification require searching very large spaces

• Security and functionality interact

• Components can correctly work in isolation but not together

• Removing one error can cause another

• Distributed configuration is not well-understood

• Hard to formalize configuration language grammar documented in hundreds of pages of English

End-To-End Requirements

Configurations

Requirement specification

Configuration synthesis

Diagnosis

Repair

Reconfiguration planning

Verification

Distributed configuration

Configuration file parsing

Classes of Configuration Errors In Enterprise Networks

• Connectivity– Incorrect addressing or IP, GRE, MPLS, IPSec links

• Security– Incorrect firewall policies

• Performance– Inconsistent QoS policies

• Reliability– Single points of failure due to misconfigured routing protocols, in spite of diversity– Single points of failure across layers

• Interaction between security and performance– Packet dropping due to mismatched MTU and ICMP blocking

• Interaction between security and reliability– IPSec tunnels not replicated in HSRP cluster

• Interaction between security and connectivity– Static routes not directing packets into IPSec tunnels

• Lack of centralized configuration authority – Static routes accumulated due to inefficient collaboration between network administrators

Consequences of Configuration Errors

• Setting it [security] up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

– Butler Lampson, MIT. Computer Security in the Real World. IEEE Computer, June 2004

• …human factors, is the biggest contributor—responsible for 50 to 80 percent of network device outages.

– What’s Behind Network Downtime? Proactive Steps to Reduce Human Error and Improve Availability of Networks, 2008. http://www.juniper.net/solutions/literature/white_papers/200249.pdf

• We don’t need hackers to break the systems because they’re falling apart by themselves.

– Peter G. Neumann, SRI. “Who Needs Hackers”, NY Times, September 7, 2007. http://www.nytimes.com/2007/09/12/technology/techspecial/12threat.html

• Things break. Complex systems break in complex ways. – Steve Bellovin, Columbia University. Above article

5

ConfigAssure Design

• Project jointly with Sharad Malik, Princeton, Daniel Jackson, MIT

• QFF = Boolean combination of:– x op y– contained(a, m, b, n) – where x, y, a, m, b, n are integer variables

or constants and op is =,<,>,<=,>=

• Application-layer quantifier elimination with partial evaluation scales to networks of realistic size

• Narain, 2005• Narain, Kaul, Levin, Malik, 2008• Narain, Talpade, Levin, 2010

Kodkod

First order logic: Alloy

FOLBoolean quantifier elimination does not scale to large variable ranges

SATSolver

Boolean

Solve millions of constraints in millions of variables in seconds

Requirement

Hard

ArithmeticQuantifier-Free

Form

Easier

Bridging The Gap With ConfigAssure

• Specification: Security, functionality and configurations all specified as constraints

• Synthesis: Use Kodkod constraint solver

• Diagnosis: Analyze UNSAT-CORE

• Repair: If x=c appears in UNSAT-CORE, it is a root-cause. Remove it and re-solve

• Reconfiguration planning: Transform safety invariant into a constraint on times at which variables change from initial to final value. Solve.

• Verification– Represent firewall policy P as a QFF auth_P on generic packet header s,sp,d,dp,p – P1 is subsumed by P2 if there is no solution to auth_P1 ¬auth_P2. – P1 is equivalent to P2 if P1 subsumes P2 and vice versa – A rule R in P1 is redundant if P1-{R} is equivalent to P1

• Parsing– No grammar – Parse file into a database of command blocks. Query these to extract needed information

7

ConfigAssure Technology Transition

• Trialed with major enterprise

• Diagnosis only product, IP Assure, deployed at Securities and Exchange Commission.

– Non-invasive network testing

• Currently, being transitioned to High Assurance Platform– Integrates VMWare with SELinux

– Configuration complex

– Jointly with Trent Jaeger, Penn State, Sharad Malik and Daniel Jackson

Related Work

• Optimal identification of configurations to change to prevent attacks: Ou, Homer, 2009– Specification language: Datalog– Uses properties of Datalog proofs and MinCost SAT solvers

• Firewall verification with BDD-based model-checking: Hamed, Al-Shaer, Marrero, 2005

• Symbolic Reachability Analysis: – Answer questions e.g.:“Does firewall policy strengthening change the set of packets flowing from A to B?”– Abstract algorithm by Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, and Rexford, 2005– Implementation of more general algorithm using BDD-based model-checking: Al-Shaer, Marrero, El-Atawy,

2009

• BGP policy verification in a higher-order logic, Isabelle: Voellmy, 2009

• Parsing with PADS/ML: Mandelbaum, 2007

• Parsing with ANTLR: Narain, Talpade, Levin, 2009

A Question on Specification Language

• Are logic-based languages really hard for an administrator?

• IOS is declarative – no side-effects

• What is the problem with introducing Boolean connectives, quantifiers?

References

1. Al-Shaer E, Marrero W, El-Atawy A, ElBadawy K (2009) Towards Global Verification and Analysis of Network Access Control Configuration. International Conference on Network Protocols

2. Anderson P (2006) System Configuration. In Short Topics in System Administration ed. Rick Farrow. USENIX Association

3. Enck W, Moyer T, McDaniel P, Sen S, Sebos P, Spoerel S, Greenberg A, Sung Y-W, Rao S, Aiello W, (2009) Configuration Management at Massive Scale: System Design and Experience. IEEE Journal on Selected Areas in Communications

4. Hamed H, Al-Shaer E and Will Marrero (2005) Modeling and Verification of IPSec and VPN Security Policies, Proceedings of IEEE International Conference on Network Protocols.

5. Homer J, Ou X (2009) SAT-solving approaches to context-aware enterprise network security management. IEEE JSAC Special Issue on Network Infrastructure Configuration

6. Mandelbaum Y, Fisher K, Walker D, Fernandez M, and Gleyzer A (2007) PADS/ML: A functional data description language. ACM Symposium on Principles of Programming Language

7. Narain S (2005) Network Configuration Management via Model-Finding. Proceedings of USENIX Large Installation System Administration (LISA) Conference

8. Narain S, Levin G, Kaul V, Malik, S (2008) Declarative Infrastructure Configuration Synthesis and Debugging. Journal of Network Systems and Management, Special Issue on Security Configuration, eds. Ehab Al-Shaer, Charles Kalmanek, Felix Wu

9. Narain S, Talpade R, Levin G (2010) Network configuration validation. Chapter in “Guide to reliable Internet Services and Applications” eds Chuck Kalmanek, Richard Yang, Sudip Misra, Springer

10. Voellmy A, Hudak P Nettle (2009) A domain-specific language for routing configuration. Proceedings of ACM SafeConfig Workshop. http://bebop.cs.yale.edu/voellmy/nettle.html

11. Xie G, Zhan J, Maltz D, Zhang H, Greenberg A, Hjalmtysson G, and Rexford J (2005) On Static Reachability Analysis of IP Networks. IEEE INFOCOM

Summary

• Configuration errors cause 50%-80% of down time and vulnerabilities

• To eliminate these, we need tools for synthesis, diagnosis, repair, reconfiguration planning, verification, distributed configuration, and parsing

• Modern formal methods based on constraint solving, BDD-based model-checking and logic programming are being used to build these tools that solve configuration problems for real networks