View
215
Download
0
Embed Size (px)
Citation preview
Sanjai NarainInformation Assurance and Security Department
Telcordia Technologies, [email protected]
Applying Formal Methods to Configuration Synthesis and Debugging
DIMACS Workshop on Designing Networks for Manageability, November 11, 2009
2
Home Theater Configuration Problem
To Satisfy End-To-End Requirement Set Up Physical Layer
Then Configure It Confused? Here Is Help.
Bridging Gap Between Requirement and Configuration
Why are these hard?
• Need to specify connectivity, security, performance and reliability
• Synthesis, reconfiguration planning and verification require searching very large spaces
• Security and functionality interact
• Components can correctly work in isolation but not together
• Removing one error can cause another
• Distributed configuration is not well-understood
• Hard to formalize configuration language grammar documented in hundreds of pages of English
End-To-End Requirements
Configurations
Requirement specification
Configuration synthesis
Diagnosis
Repair
Reconfiguration planning
Verification
Distributed configuration
Configuration file parsing
Classes of Configuration Errors In Enterprise Networks
• Connectivity– Incorrect addressing or IP, GRE, MPLS, IPSec links
• Security– Incorrect firewall policies
• Performance– Inconsistent QoS policies
• Reliability– Single points of failure due to misconfigured routing protocols, in spite of diversity– Single points of failure across layers
• Interaction between security and performance– Packet dropping due to mismatched MTU and ICMP blocking
• Interaction between security and reliability– IPSec tunnels not replicated in HSRP cluster
• Interaction between security and connectivity– Static routes not directing packets into IPSec tunnels
• Lack of centralized configuration authority – Static routes accumulated due to inefficient collaboration between network administrators
Consequences of Configuration Errors
• Setting it [security] up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.
– Butler Lampson, MIT. Computer Security in the Real World. IEEE Computer, June 2004
• …human factors, is the biggest contributor—responsible for 50 to 80 percent of network device outages.
– What’s Behind Network Downtime? Proactive Steps to Reduce Human Error and Improve Availability of Networks, 2008. http://www.juniper.net/solutions/literature/white_papers/200249.pdf
• We don’t need hackers to break the systems because they’re falling apart by themselves.
– Peter G. Neumann, SRI. “Who Needs Hackers”, NY Times, September 7, 2007. http://www.nytimes.com/2007/09/12/technology/techspecial/12threat.html
• Things break. Complex systems break in complex ways. – Steve Bellovin, Columbia University. Above article
5
ConfigAssure Design
• Project jointly with Sharad Malik, Princeton, Daniel Jackson, MIT
• QFF = Boolean combination of:– x op y– contained(a, m, b, n) – where x, y, a, m, b, n are integer variables
or constants and op is =,<,>,<=,>=
• Application-layer quantifier elimination with partial evaluation scales to networks of realistic size
• Narain, 2005• Narain, Kaul, Levin, Malik, 2008• Narain, Talpade, Levin, 2010
Kodkod
First order logic: Alloy
FOLBoolean quantifier elimination does not scale to large variable ranges
SATSolver
Boolean
Solve millions of constraints in millions of variables in seconds
Requirement
Hard
ArithmeticQuantifier-Free
Form
Easier
Bridging The Gap With ConfigAssure
• Specification: Security, functionality and configurations all specified as constraints
• Synthesis: Use Kodkod constraint solver
• Diagnosis: Analyze UNSAT-CORE
• Repair: If x=c appears in UNSAT-CORE, it is a root-cause. Remove it and re-solve
• Reconfiguration planning: Transform safety invariant into a constraint on times at which variables change from initial to final value. Solve.
• Verification– Represent firewall policy P as a QFF auth_P on generic packet header s,sp,d,dp,p – P1 is subsumed by P2 if there is no solution to auth_P1 ¬auth_P2. – P1 is equivalent to P2 if P1 subsumes P2 and vice versa – A rule R in P1 is redundant if P1-{R} is equivalent to P1
• Parsing– No grammar – Parse file into a database of command blocks. Query these to extract needed information
7
ConfigAssure Technology Transition
• Trialed with major enterprise
• Diagnosis only product, IP Assure, deployed at Securities and Exchange Commission.
– Non-invasive network testing
• Currently, being transitioned to High Assurance Platform– Integrates VMWare with SELinux
– Configuration complex
– Jointly with Trent Jaeger, Penn State, Sharad Malik and Daniel Jackson
Related Work
• Optimal identification of configurations to change to prevent attacks: Ou, Homer, 2009– Specification language: Datalog– Uses properties of Datalog proofs and MinCost SAT solvers
• Firewall verification with BDD-based model-checking: Hamed, Al-Shaer, Marrero, 2005
• Symbolic Reachability Analysis: – Answer questions e.g.:“Does firewall policy strengthening change the set of packets flowing from A to B?”– Abstract algorithm by Xie, Zhan, Maltz, Zhang, Greenberg, Hjalmtysson, and Rexford, 2005– Implementation of more general algorithm using BDD-based model-checking: Al-Shaer, Marrero, El-Atawy,
2009
• BGP policy verification in a higher-order logic, Isabelle: Voellmy, 2009
• Parsing with PADS/ML: Mandelbaum, 2007
• Parsing with ANTLR: Narain, Talpade, Levin, 2009
A Question on Specification Language
• Are logic-based languages really hard for an administrator?
• IOS is declarative – no side-effects
• What is the problem with introducing Boolean connectives, quantifiers?
References
1. Al-Shaer E, Marrero W, El-Atawy A, ElBadawy K (2009) Towards Global Verification and Analysis of Network Access Control Configuration. International Conference on Network Protocols
2. Anderson P (2006) System Configuration. In Short Topics in System Administration ed. Rick Farrow. USENIX Association
3. Enck W, Moyer T, McDaniel P, Sen S, Sebos P, Spoerel S, Greenberg A, Sung Y-W, Rao S, Aiello W, (2009) Configuration Management at Massive Scale: System Design and Experience. IEEE Journal on Selected Areas in Communications
4. Hamed H, Al-Shaer E and Will Marrero (2005) Modeling and Verification of IPSec and VPN Security Policies, Proceedings of IEEE International Conference on Network Protocols.
5. Homer J, Ou X (2009) SAT-solving approaches to context-aware enterprise network security management. IEEE JSAC Special Issue on Network Infrastructure Configuration
6. Mandelbaum Y, Fisher K, Walker D, Fernandez M, and Gleyzer A (2007) PADS/ML: A functional data description language. ACM Symposium on Principles of Programming Language
7. Narain S (2005) Network Configuration Management via Model-Finding. Proceedings of USENIX Large Installation System Administration (LISA) Conference
8. Narain S, Levin G, Kaul V, Malik, S (2008) Declarative Infrastructure Configuration Synthesis and Debugging. Journal of Network Systems and Management, Special Issue on Security Configuration, eds. Ehab Al-Shaer, Charles Kalmanek, Felix Wu
9. Narain S, Talpade R, Levin G (2010) Network configuration validation. Chapter in “Guide to reliable Internet Services and Applications” eds Chuck Kalmanek, Richard Yang, Sudip Misra, Springer
10. Voellmy A, Hudak P Nettle (2009) A domain-specific language for routing configuration. Proceedings of ACM SafeConfig Workshop. http://bebop.cs.yale.edu/voellmy/nettle.html
11. Xie G, Zhan J, Maltz D, Zhang H, Greenberg A, Hjalmtysson G, and Rexford J (2005) On Static Reachability Analysis of IP Networks. IEEE INFOCOM
Summary
• Configuration errors cause 50%-80% of down time and vulnerabilities
• To eliminate these, we need tools for synthesis, diagnosis, repair, reconfiguration planning, verification, distributed configuration, and parsing
• Modern formal methods based on constraint solving, BDD-based model-checking and logic programming are being used to build these tools that solve configuration problems for real networks