May 4, 2016
Network administrators’ jobs are getting tougher: they must protect their organizations’ valuable information from increasingly sophisticated cyberattacks while ensuring that security and access control policies are implemented correctly. Much of this work still relies on manual expertise, trial and error, and in some cases blind faith that the policies they intend to enforce are actually what the network implements.
“What’s critically lacking is a principled way to check if the network correctly implements a given suite of policies,” said CyLab faculty member Vyas Sekar, an assistant professor of Electrical and Computer Engineering. “This problem is already very challenging even for very basic policy intents. As networks and policies both become more complex, and with emerging technology trends like software-defined networking and network functions virtualization, the problem will only become worse.”
The National Science Foundation (NSF) has just awarded Sekar an NSF Faculty Early Career Development (CAREER) Award to pave the way towards reliable network security assurances. The CAREER Award is one of NSF’s most prestigious awards in support of junior faculty who exemplify the role of teacher-scholars through outstanding research and education.
“With this award, my research team will lead the development of a principled model-based testing framework and open-source tool for identifying if, and how, policies are violated,” said Sekar. “The tool will also help network administrators automatically locate the sources of these violations.”
While there have been significant technological advances in software testing with the development of program analysis and formal verification techniques, network testing has lagged behind.
“If we take off-the-shelf machinery from the program analysis and formal verification community, it completely chokes,” said Sekar. “Even on a small network with four to five nodes, it takes several days of computing time to provide operators with assurances about the behavior of their networks with the types of dynamic policies we envision.”
An early proof-point of their research is a system called “BUZZ,” a testing framework that takes policy intents from a network operator and automatically generates test traffic to check if the policies are implemented correctly. If a policy is violated, the tool helps operators identify the root cause.
“Our novel approach to model network functions and their interactions significantly cuts down the time it takes to systematically test cases from days to a few tens of seconds,” Sekar said. “This can potentially change the operational workflows of real networks by offering network administrators near real-time capabilities to test the correctness of their networks.”
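As an added illustration of the workflow described above, and not code from BUZZ or from Sekar’s group: a deliberately tiny Python model of a single firewall with a constructed rule table, three policy intents, a test-traffic generator that enumerates the packet classes the model distinguishes, and a checker that reports each violated intent together with the rule that produced the wrong verdict. All hosts, zones, rules, ports and intent names are constructed for the example; a real tool has to model stateful network functions and far larger configurations.

```python
"""Toy model-based policy test (added illustration, not BUZZ's code):
generate test packets from a network model and a set of policy intents,
run them through the model, and localize the rule behind each violation."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Violation:
    intent: str
    packet: Packet
    expected: str
    actual: str
    rule_index: int  # firewall rule that produced the verdict (-1 = implicit default)


# Constructed toy topology: the zone each host sits in.
ZONES = {"ext1": "external", "ext2": "external",
         "web": "internal", "db": "internal", "admin": "internal"}

# Constructed firewall configuration, evaluated first-match.
# Rule 1 is the deliberate misconfiguration the test should catch.
FW_RULES = [
    {"src_zone": "external", "dst": "web", "dport": 443, "action": "allow"},
    {"src_zone": "external", "dst": "db", "dport": 3306, "action": "allow"},
    {"src_zone": "external", "dst": "*", "dport": "*", "action": "deny"},
    {"src_zone": "internal", "dst": "*", "dport": "*", "action": "allow"},
]

# Policy intents: (name, predicate on a packet, expected verdict). Constructed.
INTENTS = [
    ("ext-to-web-https-allowed",
     lambda p: ZONES[p.src] == "external" and p.dst == "web" and p.dport == 443,
     "allow"),
    ("ext-to-internal-otherwise-denied",
     lambda p: ZONES[p.src] == "external" and not (p.dst == "web" and p.dport == 443),
     "deny"),
    ("internal-can-reach-db",
     lambda p: ZONES[p.src] == "internal" and p.dst == "db" and p.dport == 3306,
     "allow"),
]


def firewall(rules, pkt):
    """Model of the firewall: return (verdict, index of the matching rule)."""
    for i, r in enumerate(rules):
        if r["src_zone"] != ZONES[pkt.src]:
            continue
        if r["dst"] not in ("*", pkt.dst):
            continue
        if r["dport"] not in ("*", pkt.dport):
            continue
        return r["action"], i
    return "deny", -1  # implicit default deny


def generate_test_traffic(rules):
    """One packet per equivalence class the model distinguishes: every
    (src, dst) host pair and every port named in a rule, plus one port
    (8080) that no rule mentions so the default behaviour is exercised."""
    ports = sorted({r["dport"] for r in rules if r["dport"] != "*"} | {8080})
    hosts = sorted(ZONES)
    return [Packet(s, d, p) for s, d, p in product(hosts, hosts, ports) if s != d]


def run_tests(rules):
    """Push every generated packet through the model and check each intent
    that applies to it. A mismatch is reported with the rule that produced
    the verdict, which is where root-cause analysis should start."""
    violations = []
    for pkt in generate_test_traffic(rules):
        actual, idx = firewall(rules, pkt)
        for name, applies, expected in INTENTS:
            if applies(pkt) and actual != expected:
                violations.append(Violation(name, pkt, expected, actual, idx))
    return violations


if __name__ == "__main__":
    for v in run_tests(FW_RULES):
        print(f"{v.intent}: {v.packet} expected {v.expected}, got {v.actual} "
              f"(firewall rule {v.rule_index})")
```

Run as written, the checker flags exactly two packets (ext1 and ext2 to db:3306) against the "ext-to-internal-otherwise-denied" intent and attributes both to rule 1; deleting that rule and re-running yields no violations. The point of the structure is that the test traffic is derived from the model rather than hand-written, and that every verdict carries the identity of the component that produced it, so a failing test names its own suspect.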
With this CAREER award, Sekar’s team plans to tackle a number of significant and fundamental technical challenges toward realizing the vision of an end-to-end framework that network administrators can integrate into their everyday workflows to ensure both security and performance.
For example, Sekar’s team plans to deploy BUZZ and its successors in real operational network settings to help transition the results from an academic setting into practice. This means the team will need to develop mechanisms for mining hard-coded policy intents, or for extracting them automatically from network configurations.
“Given the model-based testing approach that BUZZ adopts, one natural question that arises is where do the models come from?” Sekar said. To this end, the team plans to develop systematic techniques to automatically extract the relevant information from the network devices.
In its current form BUZZ is best viewed as an effective “bug finding” tool: it can demonstrate that a policy is violated, but subtle violations that its generated traffic never triggers may still go unnoticed. Sekar’s team sees room for improvement.
“The ultimate goal is to get closer to providing exhaustive ‘bug-free’ guarantees to network administrators,” Sekar said.