BUZZ: testing context-dependent policies in stateful networks

Authors: Yoshiaki Tobioka, Seyed K. Fayaz, Sagar Chaki, Vyas Sekar, Tianlong Yu

DOI:

Keywords: Marketing buzz, Computer science, Complex network, Network packet, Distributed computing, Stateless protocol, Scalability, Stateful firewall, Symbolic execution, Test case

Abstract: Checking whether a network correctly implements intended policies is challenging even for basic reachability (Can X talk to Y?) in simple stateless networks with L2/L3 devices. In practice, operators implement more complex context-dependent policies by composing stateful functions; e.g., if the IDS flags X for sending too many failed connections, then subsequent packets from X must be sent to a deep-packet inspection device. Unfortunately, existing approaches to verification have fundamental expressiveness and scalability challenges in handling such scenarios. To bridge this gap, we present BUZZ, a practical model-based testing framework. BUZZ's design makes two key contributions: (1) Expressive and scalable models of the data plane, using a novel high-level traffic unit abstraction and modeling functions as an ensemble of finite-state machines; (2) A scalable application of symbolic execution to tackle state-space explosion. We show that BUZZ generates test cases for networks with hundreds of switches within minutes (five orders of magnitude faster than alternative designs). BUZZ also uncovers a range of both new and known policy violations in SDN/NFV systems.

References (54)
Seyed Kaveh Fayazbakhsh, L Chiang, V Sekar, M Yu, JC Mogul, Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags. Networked Systems Design and Implementation, vol. 2014, pp. 533-546 (2014), 10.5555/2616448.2616497
Kathi Fisler, Daniel J. Dougherty, Shriram Krishnamurthi, Timothy Nelson, Christopher Barratt, The Margrave tool for firewall analysis. USENIX Large Installation Systems Administration Conference, pp. 1-8 (2010)
Nick McKeown, George Varghese, Peyman Kazemian, Scott Whyte, Hongyi Zeng, Michael Chang, Real time network policy checking using header space analysis. Networked Systems Design and Implementation, pp. 99-112 (2013)
Katerina J. Argyraki, Scott Shenker, Mooly Sagiv, Aurojit Panda, Ori Lahav, Verifying isolation properties in the presence of middleboxes. arXiv: Networking and Internet Architecture (2014)
Meg Walraed-Sullivan, Todd Millstein, Ramesh Govindan, Ratul Mahajan, Ari Fogel, Luis Pedrosa, Stanley Fung, A general approach to network configuration analysis. Networked Systems Design and Implementation, pp. 469-483 (2015)
Nick McKeown, Amin Vahdat, Vimalkumar Jeyakumar, Fei Ye, Junda Liu, Shidong Zhang, Mickey Ju, Hongyi Zeng, Libra: divide and conquer to verify forwarding tables in huge networks. Networked Systems Design and Implementation, pp. 87-99 (2014), 10.5555/2616448.2616457
Seyed Kaveh Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey, Bohatei: flexible and elastic DDoS defense. USENIX Security Symposium, vol. 2015, pp. 817-832 (2015)
Vern Paxson, Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463 (1999), 10.1016/S1389-1286(99)00112-7
Sylvia Ratnasamy, Katerina Argyraki, Mihai Dobrescu, Toward predictable performance in software packet-processing platforms. Networked Systems Design and Implementation, pp. 11-11 (2012)
Jennifer Rexford, Christopher Monsanto, Nate Foster, Joshua Reich, David Walker, Composing software-defined networks. Networked Systems Design and Implementation, pp. 1-14 (2013)