a program logic for automated p4 …automated p4 verification a program logic for nate foster...
TRANSCRIPT
![Page 1: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/1.jpg)
AUTOMATED P4 VERIFICATIONA PROGRAM LOGIC FOR
Nate Foster Barefoot Networks/ Cornell University
Cole Schlesinger Barefoot Networks
Robert Soulé Barefoot Networks/
University della Svizzera italiana
Han Wang Barefoot Networks
1
![Page 2: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/2.jpg)
P4 PROPERTIES
General P4 safety properties
Program-specific properties
2
![Page 3: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/3.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
Program-specific properties
2
![Page 4: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/4.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
Program-specific properties
2
![Page 5: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/5.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
- Catch all parser exceptions
Program-specific properties
2
![Page 6: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/6.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
- Catch all parser exceptions- Always explicitly handle every packet
Program-specific properties
2
![Page 7: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/7.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
- Catch all parser exceptions- Always explicitly handle every packet
Program-specific properties- The ACL blocks SSH traffic
2
![Page 8: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/8.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
- Catch all parser exceptions- Always explicitly handle every packet
Program-specific properties- The ACL blocks SSH traffic- If an IP packet is not
dropped, the TTL is decremented by one
2
![Page 9: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/9.jpg)
P4 PROPERTIES
General P4 safety properties
- Don’t read uninitialized metadata/invalid headers
- Avoid unexpected arithmetic overflow/truncation
- Catch all parser exceptions- Always explicitly handle every packet
Program-specific properties- The ACL blocks SSH traffic- If an IP packet is not
dropped, the TTL is decremented by one
- NAT and multicast are never applied to the same packet
2
![Page 10: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/10.jpg)
P4 MODEL
ACL Forward
P4 pipeline
NAT
Control Plane
3
![Page 11: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/11.jpg)
P4 MODEL
ACL Forward
P4 pipeline
NAT
Control Plane
The specific behavior of a P4 program depends on the control plane.
3
![Page 12: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/12.jpg)
Packet-processing pipeline
P4 PROGRAM LOGIC
ACL
action forward(p) { … } table T { reads { tcp.dstPort; eth.src;} actions { drop; forward; } }
4
![Page 13: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/13.jpg)
Packet-processing pipeline
ACL
action forward(p) { … } table T { reads { tcp.dstPort; eth.src;} actions { drop; forward; } }
Desired property:
If tcp.dstPort is 22, packet has been dropped.
5P4 PROGRAM LOGIC
![Page 14: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/14.jpg)
Packet-processing pipeline
ACL
action forward(p) { … } table T { reads { tcp.dstPort; eth.src;} actions { drop; forward; } }
Desired property:
If tcp.dstPort is 22, packet has been dropped.
Under what condition is the desired property guaranteed to be true?
If the packet has already been dropped.
6P4 PROGRAM LOGIC
![Page 15: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/15.jpg)
Packet-processing pipeline
ACL
action forward(p) { … } table T { reads { tcp.dstPort; eth.src; } actions { @pragma(true) drop; @pragma(tcp.dstPort != 22) forward; } }
Desired property:
If tcp.dstPort is 22, packet has been dropped.
Under what condition is the desired property guaranteed to be true?
If the packet has already been dropped.
“table constraint”
7P4 PROGRAM LOGIC
![Page 16: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/16.jpg)
Packet-processing pipeline
ACL
action forward(p) { … } table T { reads { tcp.dstPort; eth.src; } actions { @pragma(true) drop; @pragma(tcp.dstPort != 22) forward; } }
Desired property:
If tcp.dstPort is 22, packet has been dropped.
Under what condition is the desired property guaranteed to be true?
If the packet has already been dropped.
Always.
“table constraint”
8P4 PROGRAM LOGIC
![Page 17: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/17.jpg)
Packet-processing pipeline
T
action forward(p) { … } table T { reads { tcp.dstPort; eth.src; } actions { @pragma(true) drop; @pragma(tcp.dstPort != 22) forward; } }
Desired property:
No packet is sent to the control port (say, 512).
Under what condition is the desired property guaranteed to be true?
???
9P4 PROGRAM LOGIC
![Page 18: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/18.jpg)
Packet-processing pipeline
T
action forward(p) { … } table T { reads { tcp.dstPort; … } actions { @pragma(true) drop; @pragma(tcp.dstPort != 22) (0 <= p < 48) forward; } }
Desired property:
No packet is sent to the control port (say, 512).
Under what condition is the desired property guaranteed to be true?
Always.
10P4 PROGRAM LOGIC
![Page 19: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/19.jpg)
OUR APPROACH…Translating P4 to IMP +
tables
Defining a program logic
for P4-IMP
Annotating P4-IMP to check
specific properties
Reducing to Z3
11
![Page 20: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/20.jpg)
OUR APPROACH…
Defining a program logic
for P4-IMP
Annotating P4-IMP to check
specific properties
Reducing to Z3
12
Translating P4 to IMP +
tables
![Page 21: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/21.jpg)
IMPAssignments, if statements,
and table applications
+ HOARE LOGICAxioms describing what is true before and after a command executes.
c { Q }{ P }
If P holds and c executes, then Q holds.
13P4 PROGRAM LOGIC
if b then c1 else c2 { Q }{ P }
IF
THEN
{ P /\ b } c1 { Q }
{ P /\ -b } c2 { Q }AND
![Page 22: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/22.jpg)
P4 PROGRAM LOGICHoare logic + table constraints
T() { Q }|- { P }
table T { reads { … } actions { @pragma(true) drop; @pragma(tcp.dstPort != 22) (0 <= p < 48) forward; } }
Given a table T:
Then P (plus the table constraints) is sufficient to establish that Q holds after applying T, written
drop { Q }|- { P /\ true /\ true }
|= R1 \/ … \/ Rn
14P4 PROGRAM LOGIC
forward(p) { Q }P /\
tcp.dstPort != 22 /\ 0 <= p < 48 {|- }
![Page 23: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/23.jpg)
P4 PROGRAM LOGICHoare logic + table constraints
T() { Q }|- { P }
table T { reads { … } actions { @pragma(R1) (S1) a1; @pragma(R2) (S2) a2; } }
Given a table T:
Then P (plus the table constraints) is sufficient to establish that Q holds after applying T, written
If for all actions ai,
ai(xi) { Q }|- { P /\ Ri /\ Si(xi) }
And
|= R1 \/ … \/ Rn
15P4 PROGRAM LOGIC
![Page 24: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/24.jpg)
c { Q }|- { P }wp(c, Q) = PGiven a command c and a post-condition Q,
such that
P4 PROGRAM
16
P4 PROGRAM LOGICHoare logic + table constraints
P4 PROGRAM LOGIC
![Page 25: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/25.jpg)
c { Q }|- { P }wp(c, Q) = PGiven a command c and a post-condition Q,
such that
P4 PROGRAM
wp(IMP PROGRAM, Q)
16
P4 PROGRAM LOGICHoare logic + table constraints
P4 PROGRAM LOGIC
![Page 26: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/26.jpg)
c { Q }|- { P }wp(c, Q) = PGiven a command c and a post-condition Q,
such that
P4 PROGRAMeg. if tcp.dstPort is 22, packet has been dropped.
wp(IMP PROGRAM, Q)
16
P4 PROGRAM LOGICHoare logic + table constraints
P4 PROGRAM LOGIC
![Page 27: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/27.jpg)
c { Q }|- { P }wp(c, Q) = PGiven a command c and a post-condition Q,
such that
P4 PROGRAMeg. if tcp.dstPort is 22, packet has been dropped.
wp(IMP PROGRAM, Q)
P
16
P4 PROGRAM LOGICHoare logic + table constraints
P4 PROGRAM LOGIC
![Page 28: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/28.jpg)
Z3 SAT/UNSAT
c { Q }|- { P }wp(c, Q) = PGiven a command c and a post-condition Q,
such that
P4 PROGRAMeg. if tcp.dstPort is 22, packet has been dropped.
wp(IMP PROGRAM, Q)
P
16
P4 PROGRAM LOGICHoare logic + table constraints
P4 PROGRAM LOGIC
![Page 29: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/29.jpg)
NEXT STEPS
Defining a program logic
for P4-IMP
Annotating P4-IMP to check
specific properties
Reducing to Z3
1. Automatically annotate P4-IMP programs to check safety properties.
2. Explore table constraints that hold across multiple tables.
3. Build a control plane run-time monitor.
4. Use table constraints to drive compiler optimizations.
17
Translating P4 to IMP +
tables
![Page 30: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/30.jpg)
QUESTIONS?THANK YOU
18
![Page 31: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/31.jpg)
X
![Page 32: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/32.jpg)
Standard Hoare logic axioms for commands: commands c ::=
skip
c1; c2 (sequence)
e1 := e2 (assignment)
if b then c1 else c2 (if)
IMPAssignments, if statements,
and table applications
+ HOARE LOGICAxioms describing what is true before and after a command executes.
Predicates P, Q ::= - true - false - equals expr expr - less expr expr - not P - P /\ Q - P \/ Q - P ==> Q - forall X. P - exists X. P
First order logic with comparisons over program expressions.
How to handle tables?
XP4 PROGRAM LOGIC
![Page 33: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/33.jpg)
TRANSLATING P4 TO IMP
P4 IMPAssignments, if statements,
and table applications
parser start { return parse_ethernet; }
parser parse_ethernet { extract(ethernet); return select(ethernet.typ) { ETH_IPV4 : parse_ipv4; default: ingress; } }
parser parse_ipv4 { extract(ipv4); return ingress; }
control ingress { if(valid(ipv4) and ipv4.ttl > 0) { apply(ipv4_lpm); apply(forward); } }
X
![Page 34: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/34.jpg)
TRANSLATING P4 TO IMP
P4 IMPAssignments, if statements,
and table applications
parser start { return parse_ethernet; }
parser parse_ethernet { extract(ethernet); return select(ethernet.typ) { ETH_IPV4 : parse_ipv4; default: ingress; } }
parser parse_ipv4 { extract(ipv4); return ingress; }
control ingress { if(valid(ipv4) and ipv4.ttl > 0) { apply(ipv4_lpm); apply(forward); } }
X
![Page 35: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/35.jpg)
TRANSLATING P4 TO IMP
P4 IMPAssignments, if statements,
and table applications
parser start { return parse_ethernet; }
parser parse_ethernet { extract(ethernet); return select(ethernet.typ) { ETH_IPV4 : parse_ipv4; default: ingress; } }
parser parse_ipv4 { extract(ipv4); return ingress; }
control ingress { if(valid(ipv4) and ipv4.ttl > 0) { apply(ipv4_lpm); apply(forward); } }
extract(ethernet); if(ethernet.typ == ETH_IPV4)
extract(ipv4);
if(valid(ipv4) and ipv4.ttl > 0) apply(ipv4_lpm); apply(forward);
X
![Page 36: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/36.jpg)
TRANSLATING P4 TO IMP
P4 IMPAssignments, if statements,
and table applications
parser start { return parse_ethernet; }
parser parse_ethernet { extract(ethernet); return select(ethernet.typ) { ETH_IPV4 : parse_ipv4; default: ingress; } }
parser parse_ipv4 { extract(ipv4); return ingress; }
control ingress { if(valid(ipv4) and ipv4.ttl > 0) { apply(ipv4_lpm); apply(forward); } }
ethernet.valid := 1; ethernet.src := havoc; ethernet.dst := havoc; ethernet.typ := havoc;
if(ethernet.typ == ETH_IPV4)
ipv4.valid := 1; ipv4.src := havoc; ipv4.dst := havoc; ipv4.ttl := havoc;
if(valid(ipv4) and ipv4.ttl > 0) apply(ipv4_lpm); apply(forward);
X
![Page 37: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/37.jpg)
GOAL 1 Automatically detect violations of generic safety properties, including:
‣ reads of uninitialized values
‣ unsafe arithmetic operations
‣ unhandled parser exceptions
‣ and so on…
X
![Page 38: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/38.jpg)
GOAL 1 Automatically detect violations of generic safety properties, including:
‣ reads of uninitialized values
‣ unsafe arithmetic operations
‣ unhandled parser exceptions
‣ and so on…
And enable programmers to describe expected control plane behavior with table constraints.
X
![Page 39: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/39.jpg)
Check table constraints in the control plane with run-time monitoring.
GOAL 2
Sample Forward
Monitor
Control Plane
run-time monitorFlag or reject updates that violate table constraints.
X
![Page 40: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/40.jpg)
MORE GOALS Automatically generate table
constraints necessary to ensure correct behavior.
X
![Page 41: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/41.jpg)
MORE GOALS Automatically generate table
constraints necessary to ensure correct behavior.
Use table constraints to drive compiler optimizations.
X
![Page 42: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/42.jpg)
TRANSLATING P4 TO IMP
P4
IMPAssignments, if statements,
and table applications
Observation: P4 programs are loop-free* table graphs.
X
![Page 43: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/43.jpg)
TRANSLATING P4 TO IMP
P4
IMPAssignments, if statements,
and table applications
Convert parsers/controls to functions
with imperative bodies
Observation: P4 programs are loop-free* table graphs.
X
![Page 44: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/44.jpg)
TRANSLATING P4 TO IMP
P4
IMPAssignments, if statements,
and table applications
Convert parsers/controls to functions
with imperative bodies
Unroll parser loops and inline function bodiesObservation: P4
programs are loop-free* table graphs.
X
![Page 45: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/45.jpg)
TRANSLATING P4 TO IMP
P4
IMPAssignments, if statements,
and table applications
Convert parsers/controls to functions
with imperative bodies
Unroll parser loops and inline function bodiesObservation: P4
programs are loop-free* table graphs.
Define primitive actions as reads/writes of
metadata fields
X
![Page 46: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/46.jpg)
TRANSLATING P4 TO IMP
P4
IMPAssignments, if statements,
and table applications
Convert parsers/controls to functions
with imperative bodies
Unroll parser loops and inline function bodiesObservation: P4
programs are loop-free* table graphs.
Define primitive actions as reads/writes of
metadata fields
Treat tables and externs as uninterpreted
functions
X
![Page 47: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/47.jpg)
TRANSLATING PARSERS/CONTROLS
P4
IMPAssignments, if statements,
and table applications
parser start { extract(eth); return ingress; }
control ingress { if valid(eth) { apply(acl); apply(forward); } }
X
![Page 48: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/48.jpg)
TRANSLATING PARSERS/CONTROLS
P4
IMPAssignments, if statements,
and table applications
parser start { extract(eth); return ingress; }
control ingress { if valid(eth) { apply(acl); apply(forward); } }
Convert parsers/controls to functions
with imperative bodiesdef start() = extract(eth); ingress();
def ingress() = if valid(eth) then acl(); forward();
start();
X
![Page 49: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/49.jpg)
TRANSLATING PARSERS/CONTROLS
P4
IMPAssignments, if statements,
and table applications
parser start { extract(eth); return ingress; }
control ingress { if valid(eth) { apply(acl); apply(forward); } }
Convert parsers/controls to functions
with imperative bodiesdef start() = extract(eth); ingress();
def ingress() = if valid(eth) then acl(); forward();
start();
Unroll parser loops and inline function bodies
extract(eth); if valid(eth) then acl(); forward();
X
![Page 50: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/50.jpg)
TRANSLATING PRIMITIVE ACTIONS
P4
IMPAssignments, if statements,
and table applications
def extract(eth) = eth.valid = 1; eth.srcaddr = havoc; eth.dstaddr = havoc; eth.ethTyp = havoc;
Encode primitive actions as bit manipulation
def valid(h) = h.valid == 1
extract(eth); if valid(eth) then acl(); forward();
X
![Page 51: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/51.jpg)
TRANSLATING PRIMITIVE ACTIONS
P4
IMPAssignments, if statements,
and table applications
def extract(eth) = eth.valid = 1; eth.srcaddr = havoc; eth.dstaddr = havoc; eth.ethTyp = havoc;
Encode primitive actions as bit manipulation
def valid(h) = h.valid == 1
extract(eth); if valid(eth) then acl(); forward();
Inline the encodingeth.valid = 1; eth.srcaddr = havoc; eth.dstaddr = havoc; eth.ethTyp = havoc; if eth.valid == 1 then acl(); forward();
X
![Page 52: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/52.jpg)
ADDING ASSERTIONS AND ASSUMPTIONS
P4
IMPAssignments, if statements,
and table applications
parser start { @pragma assert(X == egress_spec); extract(eth); @pragma assume(eth.ethTyp == 0x806) return ingress; } control ingress { if valid(eth) { apply(acl); apply(forward); @pragma assert(egress_spec != X) } }
assert(X == egress_spec); extract(eth); assume(eth.ethTyp == 0x806); if valid(eth) then acl(); forward(); assert(egress_spec != havoc);
Assertion/assumption annotations are passed through to IMP
X
![Page 53: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/53.jpg)
P4
IMPAssignments, if statements,
and table applications
table acl { reads = { eth.ethTyp; } actions = { drop; nop; } } control ingress { if valid(eth) {
apply(acl); @pragma assert(eth.ethTyp == 0x86DD ==> egress_spec == DROP)
apply(forward); } }
X
![Page 54: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/54.jpg)
COMPILE TIME
Packet-processing pipeline
bit<1> do_monitoring; table Sample { reads = { … } actions = { nop; } }
table Monitor { … } table Forward { … }
control ingress { Sample.apply(); if (do_monitoring) Monitor.apply(); Forward.apply(); }
Metadata for flow sampling
Decides whether Monitor is applied
But is never set…
Sample Forward
Monitor
X
![Page 55: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/55.jpg)
bit<1> do_monitoring; table Sample { reads = { … } actions = { sampling; set; nop; } }
table Monitor { … } table Forward { … }
control ingress { Sample.apply(); if (do_monitoring) Monitor.apply(); Forward.apply(); }
COMPILE TIME
Packet-processing pipeline
sample() randomly sets
do_monitoring
set() explicitly sets do_monitoring
Sample Forward
Monitor
Metadata for flow sampling
Decides whether Monitor is applied
X
![Page 56: A PROGRAM LOGIC FOR AUTOMATED P4 …AUTOMATED P4 VERIFICATION A PROGRAM LOGIC FOR Nate Foster Barefoot Networks/ Cornell University Cole Schlesinger Barefoot Networks Robert Soulé](https://reader030.vdocuments.us/reader030/viewer/2022041121/5f35d80658d891110659a80d/html5/thumbnails/56.jpg)
Sample Forward
Packet-processing pipeline
RUN TIME
Monitor
Control Plane
if ipv4_src == 10/24 then sample()
Add:
if ipv4_src == 10.12/16 then set(1)
Add:
Problems: 1. nop() leaves
do_monitoring uninitialized
2. Table “miss” is nop()
if ipv4_src == 192/24 then nop()
Add:
X