About the talk
Recent verification work has made advances in finding bugs in P4 programs before deployment, but it requires that the programmer specifies table rules that are possible at runtime[32, 24, 27]. This imposes a specification burden on the programmer, while at the same time failing to guarantee that bugs will not be inserted at runtime by faulty controllers.
We present bf4, a novel verification approach for P4 programs that uses a mix of static verification, code changes and runtime checks to ensure that the deployed P4 program is bug free. To achieve this, bf4 uses static analysis to find all possible bugs in the P4 program; for each possible bug, bf4 attempts to find predicates that, when applied to table rules inserted by the controller, make that bug unreachable. If such predicates do not exist, bf4 can change the P4 code and re-run the procedure above.
We applied bf4 to a wide range of P4 programs; for all these, bf4 is able to generate controller assertions and propose fixes that guarantee no controller-induced bug is reachable. At runtime, bf4 checks that the controller does not insert faulty rules; when it does, it throws an exception which helps troubleshoot the bug.
02:28 Main Ingredients behind Bf4
02:57 Static Verification
18:30 Limits of the Approach
18:34 Scalability Issues
News. However, it turns out that the pro weather on Sunday, What's the latest addition to program program? Who sings No More. Hello, right back at 4. Here are the main ingredients behind the airport. Beaches. Show me. Where is instrument is a dachshund. What was Monday's instruction? The interest statement in Greece. Table lamp. The ruling green retire. Young time TV. Clearly, no controllers. Whoever answers takeru at one time. Which have become unreachable. YouTube
original How about the remaining? Second ingredient. What happened to you? Clearly in your pocket. So missing. So yeah, yeah. Okay. They show you how to Computer Builders insurance. Did Minnesota. people who created by means of the intercept. Change the law for our smaller pictures in the optimization program. Will you sing? It rained Childers. Checking program. Halo. I told you. Write. Thank you for the excellent talk. People have questions can post on his neck, but at worst always a great. We have one question coming
from home. Drew. His question is, can people for PS4? Very first aid for people program example. Yes. So Personal. Thank you for attention and know at the moment before is not capable of the checking multiple witnesses. That say, you provide more principled limitation. The number of enrolling my work around with the And then I tried to do to check for some properties in this way. The next question is from a non drive from Alibaba, Heather checking. So the question is, does it help solve identify box like functional corrected? Does it handle this
in principle are? There should be no, no, no, that's a no principled reason. Why you should not be able to add a customer service. But we indeed, are we planning to have the support for Richard kind of box in the near future? Okay. So, full of question like, from other people is like, is there some special box used back down? Be fundamentally heartful for PS4 to handle. It's really a shame to cover all kinds of bugs. Know that there are bugs which which are a little more difficult to close to impossible, to the capture,
one of them, about forcing the before to check for the outside box. So we are capturing them and in principle habits, eristic to sort of had to fix. Whatever it is, this kind of box. The reason is simple to stop things from ever occurring. In a packet, it's harder to say this thing should always occur because he has to reason across all the parts through a very hard to do to check formula to find time to perhaps it to be visible. Okay, so when do is present about the Box, we can find. There's a few other questions about the
execute ability of the post. So the first question is, how do BF4 in further notations? All of it. like you need some invitations for the verification and Patience is presented in the paper to find. Formulas, in terms of Cleveland. So it's going to split the rivals of the Bible says in the package variables and they weren't never never rule out good things from happening one last question which and systems you'll fix. This may add some keys to the tables. Does it do worry about that increase the results usage and
causing problems? Yes shrimp definitely adding extra keys, is a strategy, which will, of course, increase the keys, but it's just one bit so that we may not be a problem. However, it may turn out that you are going to have an increase in the height of the table. Busy Bee in the worst case. For each entry, you will end up with two entries. If you had one key but this is rarely the case so you can match and then for most of the actions, you will end up with just one. And then for the remaining was only for the buggy wants to do we get to it is indeed, I
need to investigate further on the actual impact dividing keys to program. All right, thank you. And I apologize for mispronouncing, the title BF4, not BP for I'm so we'll take questions both on the zoom Q&A. If folks are there in 1 to post questions or on the sitcom 2020, ts4 Dash verification channel on Slack. Real question from slack in the switch, Pete for evaluation. Where did the control financials come from? Are they from the open-source controlling
programs? Or did you write them by hand? Describing the mirror. Sophia Grace. It's actually funny car from the switch to just randomly generated. I have another question. So you know what are the cool things about you for and why it's kind of a rich language to look at? Is it combines a simple day in a plane with sir these holes where the control plane to meet you and so you know that's that's where there can be some flexibility there that can be hard to to manage if you're going to think about correctness because you deserve it don't know about the country and
so far is narrowing down that interface, interphase to avoid bugs and Jimmy thoughts on how the language design might evolve to better Express the properties that control planes need to know about a native plants need to know about an aide to work on together. That's a really interesting. Really interesting question. I guess that's one way to put it. No, you can sort of expressly designed to find behaviors. Can I add this filters, which is fine, but they also handling the higher-level
property will be trickier. I guess that even though we argue for automatically in elevations or some sort of way to a different information from the from the switch from the before world to the controller. I guess they could be essentially converted into into checks that and just go generation or any other strategies by means of indifferent. I can also generate these checks automatically dies Livermore question from slack, I guess, what about the limits of the approach? Is there anything inherent or any
scalability issues? And that you foresee specially? This too, is limited to information stuff, which can't be there trying to say things. Like there is an entry, which would always happen at some point. Let's say that you say I like to have the packets 10,000 of court. So these respects on Old pots. That's something you can't really reason about that. Really say that's a huge formula Where is the nearest wristox2 just have this whole drawing? And then ask for the pipeline for the secret spec, for dessert. We are managing to the check
Buy this talk
Buy this video
Our other topics
With ConferenceCast.tv, you get access to our library of the world's best conference talks.