GapFuzz: Cross-Plane Divergence Fuzzing for Distributed SDN Controllers

Jacques Klein; Moustapha Awwalou Diouf; Samuel Ouya; Tegawend\'e F. Bissyand\'e

arxiv: 2606.11035 · v1 · pith:VAJ4PX5Vnew · submitted 2026-06-09 · 💻 cs.SE

GapFuzz: Cross-Plane Divergence Fuzzing for Distributed SDN Controllers

Moustapha Awwalou Diouf , Samuel Ouya , Jacques Klein , Tegawend\'e F. Bissyand\'e This is my paper

Pith reviewed 2026-06-27 12:18 UTC · model grok-4.3

classification 💻 cs.SE

keywords distributed SDNfuzz testingconcurrencycross-plane divergencereplication racesdatapath probestate inconsistencyONOS cluster

0 comments

The pith

GapFuzz detects cross-plane divergences between SDN controller clusters and the kernel datapath in 81.7 percent of timed tests.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

GapFuzz targets faults in distributed SDN clusters where asynchronous replication lets two backup nodes commit contradictory rules that the master serializes and the kernel datapath then acts on, even though no node holds that action as authoritative. It works by injecting conflicting Northbound requests on non-master nodes at a controlled delay, then querying every replica plus the kernel action to reconstruct the global state and assign one of four verdict classes. A sympathetic reader would care because existing fuzzers stay inside the control plane or test single controllers, so they miss this window. Experiments on a three-node cluster show the method produces divergent verdicts often, and that every such verdict involves the kernel datapath rather than a controller replica.

Core claim

GapFuzz is a stateful concurrency fuzzer that injects pairs of contradictory requests on two non-master nodes with controlled inter-injection delay, reconstructs cross-plane state by querying all replicas and the kernel datapath via ovs-appctl ofproto/trace, and uses a two-phase timing search followed by a lifetime probe to classify each outcome as transient or persistent and to place it in one of four classes derived from the ONOS source. On a three-node ONOS 2.7 cluster this produces a divergent verdict in 81.7 percent of attempts, with every divergence between the cluster's authoritative state and the kernel datapath. Phase 2 isolates a 5 ms race window for one template and a doubling-cap

What carries the argument

The two-phase timing search on injection delay combined with the kernel-datapath probe that reads the actual action taken in the datapath.

If this is right

Every detected divergence sits between the cluster's authoritative state and the kernel datapath.
The kernel-datapath probe is required to reach the reported detection rate; the user-space probe alone misses many cases.
99.4 percent of divergences persist past 30 seconds.
The timing search isolates a 5 ms race window for one template and larger windows up to 10.24 s for the others.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Distributed systems that rely on eventual consistency between application replicas and an underlying execution layer may need direct observation of that layer during testing.
The same controlled-delay injection plus bottom-layer probe pattern could be tried on other replication-based systems such as distributed databases.
Controller developers could use the identified race windows to tune synchronization intervals or add explicit cross-plane checks.

Load-bearing premise

The two-phase timing search together with the lifetime probe can reliably bound the injection-time window and correctly classify verdicts as transient or persistent.

What would settle it

An experiment that applies the same injection templates but finds that the kernel datapath action always matches at least one replica's reported state across repeated runs would show no cross-plane divergence of the claimed kind.

Figures

Figures reproduced from arXiv: 2606.11035 by Jacques Klein, Moustapha Awwalou Diouf, Samuel Ouya, Tegawend\'e F. Bissyand\'e.

**Figure 2.** Figure 2: Commit-to-replicate gap during flow rule instal [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Cross-plane divergence captured during exploita [PITH_FULL_IMAGE:figures/full_fig_p004_3.png] view at source ↗

**Figure 4.** Figure 4: GapFuzz system overview and workflow. 1 The Exploration Engine generates contradictory pairs (𝑅, 𝑅′ ) with timing Δ𝑡 and injects them through the cluster’s Northbound REST API. 2 The master node sends the resulting FlowMod to the switch. The Differential Oracle then waits an observation delay 𝛿 > 𝑇2, 3a probes the switch for the forwarding action 𝐷 effectively applied to a packet, and queries each cluster … view at source ↗

**Figure 5.** Figure 5: Phase 2 Δ𝑡max per template (log scale, 𝑁 = 32 fullmode campaigns). drop_vs_output closes at 5 ms; the other six templates reach the doubling cap at 10.24 s, which is a lower bound on the actual injection-time window rather than a measurement. 𝑛 denotes the number of divergent verdicts contributing to each bar. RQ3: Are these divergences transient or persistent? The lifetime annotation re-observes the clu… view at source ↗

read the original abstract

Distributed Software-Defined Networking (SDN) clusters replicate flow state asynchronously between a master node and its backups, leaving a window during which two backup nodes can each commit a contradictory rule, the master can serialize both into the data plane, and the kernel datapath can latch onto an action that no node believes authoritative. Existing SDN fuzzers miss this fault: they confine their oracle to the control plane, target a single controller, or do not steer concurrency to provoke replication races. We present GapFuzz, a stateful concurrency fuzzer for distributed SDN clusters. GapFuzz injects pairs of contradictory Northbound requests on two non-master nodes with controlled inter-injection delay $\Delta t$, and reconstructs the global cross-plane state by querying every replica and the kernel-datapath action through ovs-appctl ofproto/trace. A two-phase timing search detects whether a divergence exists, then doubles and bisects on $\Delta t$ to bound the injection-time window; a lifetime probe labels each verdict transient or persistent and assigns it to one of four cross-plane state classes derived from the ONOS 2.7 source. On a three-node ONOS 2.7 cluster, GapFuzz produces a divergent verdict in 81.7% of attempts ($N=50$, Wilson 95% CI $[77.3, 85.4]$%); every divergence sits between the cluster's authoritative state and the kernel datapath. Phase 2 separates a 5 ms race window for one template from a doubling-cap regime ($\Delta t_{\max}=10.24$ s) for six others, and 99.4% of divergences persist past 30 s. Replacing the kernel-datapath probe with the OpenFlow user-space probe used by prior fuzzers drops detection by 26.6 percentage points overall and by 46.5 points after excluding canonicalization-forced verdicts.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

GapFuzz gives a concrete way to steer and detect cross-plane divergences in distributed SDN via kernel probes and timed injections on backups, with an 81.7% hit rate on ONOS, but the two-phase timing search is the unproven load-bearing part.

read the letter

The paper's main contribution is a fuzzer that injects contradictory requests on non-master ONOS nodes with a controlled Δt, then uses ovs-appctl to read the kernel datapath and classify whether the result diverges from the cluster's authoritative state. This targets a race that control-plane-only or single-node fuzzers miss.

What works is the direct comparison: swapping the kernel probe for the OpenFlow user-space one used in prior work drops detection by 26.6 points overall and 46.5 after removing canonicalization cases. The 81.7% figure (N=50, Wilson CI given) and the four verdict classes pulled from ONOS 2.7 source are specific enough to be checked. The two-phase search (detect then double/bisect on Δt) plus lifetime probe is a practical attempt to bound the race window and label persistent vs transient.

The soft spot is exactly the one the stress test flags. The headline numbers and the claim that every divergence is between authoritative state and kernel datapath depend on the timing search converging to the true window and the lifetime probe correctly distinguishing overwrite from persistence. Variable controller jitter or probe latency could break that without the paper showing an independent check that the search always terminates correctly or that probe latency is smaller than divergence lifetime. No raw data or code is referenced in the abstract, which makes it harder to verify.

This is for readers who build or test distributed network controllers and want a method to expose datapath-level inconsistencies. Someone working on SDN reliability or concurrency fuzzing would find the technique and the probe comparison useful.

It deserves a serious referee. The idea is grounded in a real system and produces measurable differences from prior oracles; the timing machinery is the part that needs the most scrutiny in review.

Referee Report

2 major / 0 minor

Summary. The paper presents GapFuzz, a stateful concurrency fuzzer for distributed SDN clusters. It injects pairs of contradictory Northbound requests on non-master nodes with controlled inter-injection delay Δt, reconstructs global cross-plane state via queries to replicas and the kernel datapath (using ovs-appctl ofproto/trace), employs a two-phase timing search (initial detection then doubling/bisection on Δt) plus a lifetime probe to bound the race window and classify verdicts as transient/persistent, and assigns them to one of four cross-plane classes. On a three-node ONOS 2.7 cluster it reports a divergent verdict in 81.7% of attempts (N=50, Wilson 95% CI [77.3, 85.4]%), with every divergence between the cluster's authoritative state and the kernel datapath; replacing the kernel probe with an OpenFlow user-space probe drops detection by 26.6 points overall.

Significance. If the timing search and lifetime probe are shown to be reliable, the result would be significant: it identifies a cross-plane divergence class missed by prior SDN fuzzers (which target only the control plane or single controllers), supplies a controlled empirical comparison, uses a Wilson interval for the headline rate, and demonstrates that 99.4% of detected divergences persist past 30 s while separating a 5 ms race window from a doubling-cap regime for other templates.

major comments (2)

[Abstract] Abstract (description of two-phase timing search and lifetime probe): the central claims—the 81.7% divergence rate, the assertion that every divergence lies between authoritative state and kernel datapath, and the four-class assignment—rest on the two-phase search (initial detection followed by doubling and bisection on Δt) plus the lifetime probe correctly bounding the injection window and distinguishing transient from persistent outcomes. No validation, convergence test, or sensitivity analysis is supplied showing that the search terminates at the true race window or that probe latency is smaller than the minimum observable divergence lifetime; this is load-bearing for both the percentage and the 'all divergences are kernel-datapath' conclusion.
[Abstract] Abstract (evaluation paragraph): the manuscript supplies no reference to the full experimental protocol, raw data, or source code, so it is impossible to confirm absence of post-hoc exclusions or to reproduce the timing-search behavior that underpins the reported detection rates and probe-comparison results.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive comments. We respond to each major comment below and indicate the revisions we will make.

read point-by-point responses

Referee: [Abstract] Abstract (description of two-phase timing search and lifetime probe): the central claims—the 81.7% divergence rate, the assertion that every divergence lies between authoritative state and kernel datapath, and the four-class assignment—rest on the two-phase search (initial detection followed by doubling and bisection on Δt) plus the lifetime probe correctly bounding the injection window and distinguishing transient from persistent outcomes. No validation, convergence test, or sensitivity analysis is supplied showing that the search terminates at the true race window or that probe latency is smaller than the minimum observable divergence lifetime; this is load-bearing for both the percentage and the 'all divergences are kernel-datapath' conclusion.

Authors: The two-phase timing search follows the established pattern of initial coarse detection followed by doubling and bisection to bound the race window, while the lifetime probe performs repeated queries to classify persistence. The reported results (5 ms race window for one template, doubling-cap regime for six others, and 99.4 % persistence past 30 s) provide empirical support that the procedure isolates the relevant timing intervals. We acknowledge that an explicit convergence test or sensitivity analysis with respect to probe latency is not present in the current manuscript. We will add a dedicated subsection describing the timing-search algorithm, its termination criteria, and a sensitivity study on probe latency in the revised version. revision: yes
Referee: [Abstract] Abstract (evaluation paragraph): the manuscript supplies no reference to the full experimental protocol, raw data, or source code, so it is impossible to confirm absence of post-hoc exclusions or to reproduce the timing-search behavior that underpins the reported detection rates and probe-comparison results.

Authors: The Evaluation section of the manuscript already specifies the three-node ONOS 2.7 cluster, the Northbound templates, the ovs-appctl probe, the two-phase search parameters, and the Wilson-interval calculation. To address reproducibility concerns, we will add an explicit pointer to the open-source GapFuzz implementation and a statement on the availability of the raw experimental traces in the revised manuscript. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical measurement of external system behavior

full rationale

The paper describes an empirical fuzzer (GapFuzz) and reports measured detection rates (81.7% divergent verdicts) obtained by executing the tool against an external ONOS 2.7 cluster and observing the kernel datapath via ovs-appctl. No equations, fitted parameters, or self-citations are used to derive the reported percentages or the cross-plane class assignments; the results are direct observations of an external artifact. The two-phase timing search and lifetime probe are implementation details whose correctness is an empirical assumption, not a definitional reduction. The evaluation therefore remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on domain assumptions about SDN replication behavior and the accuracy of kernel probing; no free parameters or invented entities are introduced in the abstract.

axioms (2)

domain assumption Contradictory Northbound requests injected on non-master nodes with controlled inter-injection delay can provoke replication races that reach the kernel datapath.
This is the triggering mechanism described for producing the divergent verdicts.
domain assumption The ovs-appctl ofproto/trace command accurately reports the action latched by the kernel datapath.
This underpins the claim that every detected divergence lies between authoritative state and the kernel.

pith-pipeline@v0.9.1-grok · 5906 in / 1602 out tokens · 33948 ms · 2026-06-27T12:18:35.499657+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

50 extracted references · 27 canonical work pages

[1]

Daniel Abadi. 2012. Consistency Tradeoffs in Modern Distributed Database System Design: CAP is Only Part of the Story.Computer45, 2 (2012), 37–42. doi:10.1109/MC.2012.33

work page doi:10.1109/mc.2012.33 2012
[2]

Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger, and David Walker. 2014. NetKAT: semantic foundations for networks. InProceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages(San Diego, California, USA)(POPL ’14). Association for Computing Machinery, New York, NY, USA...

arXiv 2014
[3]

Fetia Bannour, Sami Souihi, and Abdelhamid Mellouk. 2018. Distributed SDN Control: Survey, Taxonomy, and Challenges.IEEE Communications Surveys & Tutorials20, 1 (2018), 333–354. doi:10.1109/COMST.2017.2782482

work page doi:10.1109/comst.2017.2782482 2018
[4]

Pankaj Berde, Matteo Gerola, Jonathan Hart, Yuta Higuchi, Masayoshi Kobayashi, Toshio Koide, Bob Lantz, Brian O’Connor, Pavlin Radoslavov, William Snow, and Guru Parulkar. 2014. ONOS: towards an open, distributed SDN OS. InProceedings of the Third Workshop on Hot Topics in Software Defined Networking(Chicago, Illinois, USA)(HotSDN ’14). Association for Co...

work page doi:10.1145/2620728.2620744 2014
[5]

Marco Canini, Daniele Venzano, Peter Peresíni, Dejan Kostić, and Jennifer Rexford
[6]

In9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12)

A NICE Way to Test OpenFlow Applications. In9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12). USENIX Association, San Jose, CA, 127–140
[7]

Xiaofeng Chi, Bingquan Wang, Jingling Zhao, and Baojiang Cui. 2023. A Vul- nerability Detection Method for SDN with Optimized Fuzzing. InInternational Conference on Advanced Information Networking and Applications. Springer, 525– 536

2023
[8]

Shuhua Deng, Lihui Chen, and Xieping Gao. 2024. Manipulating Sensitive Match Fields to Poison Applications in SDN.IEEE Transactions on Network and Service Management21, 2 (2024), 2413–2425. doi:10.1109/TNSM.2023.3337434

work page doi:10.1109/tnsm.2023.3337434 2024
[9]

Shuhua Deng, Xian Qing, Xiaofan Li, Xing Gao, and Xieping Gao. 2023. SDN Application Backdoor: Disrupting the Service via Poisoning the Topology. InIEEE INFOCOM 2023 - IEEE Conference on Computer Communications. 1–10. doi:10. 1109/INFOCOM53939.2023.10229058 11

arXiv 2023
[10]

Moustapha Awwalou Diouf, Samuel Ouya, Jacques Klein, and Tegawendé F Bissyandé. 2025. Software security in software-defined networking: A systematic literature review.arXiv preprint arXiv:2502.13828(2025)

arXiv 2025
[11]

Chi-Yao Hong, Srikanth Kandula, Ratul Mahajan, Ming Zhang, Vijay Gill, Mohan Nanduri, and Roger Wattenhofer. 2013. Achieving high utilization with software- driven WAN.SIGCOMM Comput. Commun. Rev.43, 4 (Aug. 2013), 15–26. doi:10. 1145/2534169.2486012

arXiv 2013
[12]

Sushant Jain, Alok Kumar, Subhasree Mandal, Joon Ong, Leon Poutievski, Arjun Singh, Subbaiah Venkata, Jim Wanderer, Junlan Zhou, Min Zhu, Jon Zolla, Urs Hölzle, Stephen Stuart, and Amin Vahdat. 2013. B4: experience with a globally- deployed software defined wan. InProceedings of the ACM SIGCOMM 2013 Con- ference on SIGCOMM(Hong Kong, China)(SIGCOMM ’13). ...

work page doi:10.1145/2486001.2486019 2013
[13]

Samuel Jero, Xiangyu Bu, Cristina Nita-Rotaru, Hamed Okhravi, Richard Skowyra, and Sonia Fahmy. 2017. Beads: Automated attack discovery in openflow-based sdn systems. InInternational Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 311–333

2017
[14]

Brighten Godfrey

Ahmed Khurshid, Wenxuan Zhou, Matthew Caesar, and P. Brighten Godfrey
[15]

InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland) (HotSDN ’12)

VeriFlow: verifying network-wide invariants in real time. InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland) (HotSDN ’12). Association for Computing Machinery, New York, NY, USA, 49–54. doi:10.1145/2342441.2342452

work page doi:10.1145/2342441.2342452
[16]

Jinwoo Kim, Minjae Seo, Eduard Marin, Seungsoo Lee, Jaehyun Nam, and Seung- won Shin. 2024. Ambusher: Exploring the Security of Distributed SDN Controllers Through Protocol State Fuzzing.IEEE Transactions on Information Forensics and Security19 (2024), 6264–6279. doi:10.1109/TIFS.2024.3402967

work page doi:10.1109/tifs.2024.3402967 2024
[17]

Jiwon Kim, Dave Jing Tian, and Benjamin E. Ujcich. 2025. Chimera: Fuzzing P4 Network Infrastructure for Multi-Plane Bug Detection and Vulnerability Discovery. In2025 IEEE Symposium on Security and Privacy (SP). 3088–3106. doi:10.1109/SP61157.2025.00194

work page doi:10.1109/sp61157.2025.00194 2025
[18]

Ujcich, and Dave (Jing) Tian

Jiwon Kim, Benjamin E. Ujcich, and Dave (Jing) Tian. 2023. Intender: Fuzzing Intent-Based Networking with Intent-State Transition Guidance. In32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 4463–4480. https://www.usenix.org/conference/usenixsecurity23/presentation/ kim-jiwon

2023
[19]

Kyle Kingsbury. 2013. Jepsen: Distributed Systems Safety Research. https:// jepsen.io/. Accessed: 2026-05-02

2013
[20]

Diego Kreutz, Fernando M. V. Ramos, and Paulo Verissimo. 2013. Towards Secure and Dependable Software-Defined Networks. InProceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN ’13). 55–60. doi:10.1145/2491185.2491199

work page doi:10.1145/2491185.2491199 2013
[21]

Diego Kreutz, Fernando M. V. Ramos, Paulo Esteves Veríssimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. 2015. Software-Defined Networking: A Comprehensive Survey.Proc. IEEE103, 1 (2015), 14–76. doi:10. 1109/JPROC.2014.2371999

arXiv 2015
[22]

Leslie Lamport. 2019. The part-time parliament. InConcurrency: the works of Leslie Lamport. 277–317

2019
[23]

Chanhee Lee, Changhoon Yoon, Seungwon Shin, and Sang Kil Cha. 2018. INDAGO: A New Framework For Detecting Malicious SDN Applications. In 2018 IEEE 26th International Conference on Network Protocols (ICNP). 220–230. doi:10.1109/ICNP.2018.00031

work page doi:10.1109/icnp.2018.00031 2018
[24]

Seungsoo Lee, Jinwoo Kim, Seungwon Woo, Changhoon Yoon, Sandra Scott- Hayward, Vinod Yegneswaran, Phillip Porras, and Seungwon Shin. 2020. A comprehensive security assessment framework for software-defined networks. Computers & Security91 (2020), 101720. doi:10.1016/j.cose.2020.101720

work page doi:10.1016/j.cose.2020.101720 2020
[25]

Seungsoo Lee, Seungwon Woo, Jinwoo Kim, Jaehyun Nam, Vinod Yegneswaran, Phillip Porras, and Seungwon Shin. 2022. A Framework for Policy Inconsistency Detection in Software-Defined Networks.IEEE/ACM Transactions on Networking 30, 3 (2022), 1410–1423. doi:10.1109/TNET.2022.3140824

work page doi:10.1109/tnet.2022.3140824 2022
[26]

Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yeg- neswaran, and Phillip A Porras. 2017. Delta: A security assessment framework for software-defined networks.. InNDSS

2017
[27]

Seungsoo Lee, Changhoon Yoon, and Seungwon Shin. 2016. The Smaller, the Shrewder: A Simple Malicious Application Can Kill an Entire SDN Environment. InProceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization(New Orleans, Louisiana, USA)(SDN-NFV Security ’16). Association for Computing Ma...

work page doi:10.1145/2876019.2876024 2016
[28]

Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol, and Anja Feld- mann. 2012. Logically centralized? state distribution trade-offs in software defined networks. InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland)(HotSDN ’12). Association for Computing Machinery, New York, NY, USA, 1–6. doi:10.1145/23...

work page doi:10.1145/2342441.2342443 2012
[29]

Hongliang Liang, Xiaoxiao Pei, Xiaodong Jia, Wuwei Shen, and Jian Zhang. 2018. Fuzzing: State of the art.IEEE Transactions on Reliability67, 3 (2018), 1199–1218

2018
[30]

Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Pe- terson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. 2008. OpenFlow: Enabling Innovation in Campus Networks.ACM SIGCOMM Computer Commu- nication Review38, 2 (2008), 69–74. doi:10.1145/1355734.1355746

work page doi:10.1145/1355734.1355746 2008
[31]

Ruijie Meng, George Pîrlea, Abhik Roychoudhury, and Ilya Sergey. 2023. Greybox Fuzzing of Distributed Systems. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23). 1615–1629. doi:10.1145/ 3576915.3623097

arXiv 2023
[32]

Madanlal Musuvathi, Shaz Qadeer, Thomas Ball, Gerard Basler, Pira- manayagam Arumuga Nainar, and Iulian Neamtiu. 2008. Finding and Reproducing Heisenbugs in Concurrent Programs.. InOSDI, Vol. 8

2008
[33]

Raphaël Ollando, Seung Yeob Shin, and Lionel C. Briand. 2026. Learning-Guided Fuzzing for Testing Stateful SDN Controllers.ACM Transactions on Software Engineering and Methodology(2026). doi:10.1145/3733717

work page doi:10.1145/3733717 2026
[34]

Diego Ongaro and John Ousterhout. 2014. In search of an understandable con- sensus algorithm. In2014 USENIX annual technical conference (USENIX ATC 14). 305–319

2014
[35]

Ben Pfaff, Justin Pettit, Teemu Koponen, Ethan Jackson, Andy Zhou, Jarno Raja- halme, Jesse Gross, Alex Wang, Joe Stringer, Pravin Shelar, Keith Amidon, and Martín Casado. 2015. The Design and Implementation of Open vSwitch. In12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). USENIX Association, Oakland, CA, 117–130

2015
[36]

Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. 2012. A Security Enforcement Kernel for OpenFlow Networks. InProceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN ’12). 121–126. doi:10.1145/2342441.2342466

work page doi:10.1145/2342441.2342466 2012
[37]

Zia, Waseem Iqbal, Yawar Abbas, and Hammad Afzal

Bilal Rauf, Haider Abbas, Muhammad Usman, Tanveer A. Zia, Waseem Iqbal, Yawar Abbas, and Hammad Afzal. 2021. Application Threats to Exploit North- bound Interface Vulnerabilities in Software Defined Networks.ACM Comput. Surv.54, 6, Article 121 (July 2021), 36 pages. doi:10.1145/3453648

work page doi:10.1145/3453648 2021
[38]

Mark Reitblatt, Nate Foster, Jennifer Rexford, Cole Schlesinger, and David Walker
[39]

InProceedings of the ACM SIGCOMM 2012 Conference

Abstractions for Network Update. InProceedings of the ACM SIGCOMM 2012 Conference. 323–334. doi:10.1145/2342356.2342427

work page doi:10.1145/2342356.2342427 2012
[40]

Ermin Sakic and Wolfgang Kellerer. 2018. Impact of Adaptive Consistency on Distributed SDN Applications: An Empirical Study.IEEE Journal on Selected Areas in Communications36, 12 (Dec 2018), 2702–2715. doi:10.1109/JSAC.2018.2871309

work page doi:10.1109/jsac.2018.2871309 2018
[41]

Ermin Sakic and Wolfgang Kellerer. 2018. Response Time and Availability Study of RAFT Consensus in Distributed SDN Control Plane.IEEE Transactions on Network and Service Management15, 1 (2018), 304–318. doi:10.1109/TNSM.2017.2775061

work page doi:10.1109/tnsm.2017.2775061 2018
[42]

Jawad Saidi, Stefan Schmid, Marco Canini, Thomas Zinner, and Anja Feldmann

Apoorv Shukla, S. Jawad Saidi, Stefan Schmid, Marco Canini, Thomas Zinner, and Anja Feldmann. 2020. Towards Consistent SDNs Through Network State Fuzzing.IEEE Transactions on Network and Service Management17, 2 (2020), 1156–1169. doi:10.1109/TNSM.2019.2955790

work page doi:10.1109/tnsm.2019.2955790 2020
[43]

Dylan Smyth, Donna O’Shea, Victor Cionca, and Sean McSweeney. 2019. Attack- ing distributed software-defined networks by leveraging network state consis- tency.Computer Networks156 (2019), 9–19. doi:10.1016/j.comnet.2019.02.020

work page doi:10.1016/j.comnet.2019.02.020 2019
[44]

Kashyap Thimmaraju, Bhargava Shastry, Tobias Fiebig, Felicitas Hetzelt, Jean- Pierre Seifert, Anja Feldmann, and Stefan Schmid. 2018. Taking Control of SDN-based Cloud Systems via the Data Plane. InProceedings of the Symposium on SDN Research (SOSR ’18). 1–15. doi:10.1145/3185467.3185468

work page doi:10.1145/3185467.3185468 2018
[45]

Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H

Benjamin E. Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H. Sanders, Cristina Nita-Rotaru, and Hamed Okhravi. 2018. Cross-App Poisoning in Software-Defined Networking. InPro- ceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(Toronto, Canada)(CCS ’18). Association for Comp...

work page doi:10.1145/3243734.3243759 2018
[46]

Ujcich, Uttam Thakore, and William H

Benjamin E. Ujcich, Uttam Thakore, and William H. Sanders. 2017. ATTAIN: An Attack Injection Framework for Software-Defined Networking. In2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 567–578. doi:10.1109/DSN.2017.59

work page doi:10.1109/dsn.2017.59 2017
[47]

Ben Weintraub, Jiwon Kim, Ran Tao, Cristina Nita-Rotaru, Hamed Okhravi, Dave (Jing) Tian, and Benjamin E. Ujcich. 2024. Exploiting Temporal Vulnerabil- ities for Unauthorized Access in Intent-based Networking. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security(Salt Lake City, UT, USA)(CCS ’24). Association for Compu...

work page doi:10.1145/3658644.3670301 2024
[48]

Edwin B Wilson. 1927. Probable inference, the law of succession, and statistical inference.J. Amer. Statist. Assoc.22, 158 (1927), 209–212

1927
[49]

Lei Xu, Jeff Huang, Sungmin Hong, Jialong Zhang, and Guofei Gu. 2017. Attacking the Brain: Races in the SDN Control Plane. In26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 451–468. https://www. usenix.org/conference/usenixsecurity17/technical-sessions/presentation/xu-lei

2017
[50]

Jiangyuan Yao, Zhiliang Wang, Xia Yin, Xingang Shi, Yahui Li, and Chongrong Li. 2017. Testing Black-Box SDN Applications with Formal Behavior Models. In 2017 IEEE 25th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS). 110–120. doi:10.1109/ MASCOTS.2017.20 12

2017

[1] [1]

Daniel Abadi. 2012. Consistency Tradeoffs in Modern Distributed Database System Design: CAP is Only Part of the Story.Computer45, 2 (2012), 37–42. doi:10.1109/MC.2012.33

work page doi:10.1109/mc.2012.33 2012

[2] [2]

Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger, and David Walker. 2014. NetKAT: semantic foundations for networks. InProceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages(San Diego, California, USA)(POPL ’14). Association for Computing Machinery, New York, NY, USA...

arXiv 2014

[3] [3]

Fetia Bannour, Sami Souihi, and Abdelhamid Mellouk. 2018. Distributed SDN Control: Survey, Taxonomy, and Challenges.IEEE Communications Surveys & Tutorials20, 1 (2018), 333–354. doi:10.1109/COMST.2017.2782482

work page doi:10.1109/comst.2017.2782482 2018

[4] [4]

Pankaj Berde, Matteo Gerola, Jonathan Hart, Yuta Higuchi, Masayoshi Kobayashi, Toshio Koide, Bob Lantz, Brian O’Connor, Pavlin Radoslavov, William Snow, and Guru Parulkar. 2014. ONOS: towards an open, distributed SDN OS. InProceedings of the Third Workshop on Hot Topics in Software Defined Networking(Chicago, Illinois, USA)(HotSDN ’14). Association for Co...

work page doi:10.1145/2620728.2620744 2014

[5] [5]

Marco Canini, Daniele Venzano, Peter Peresíni, Dejan Kostić, and Jennifer Rexford

[6] [6]

In9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12)

A NICE Way to Test OpenFlow Applications. In9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12). USENIX Association, San Jose, CA, 127–140

[7] [7]

Xiaofeng Chi, Bingquan Wang, Jingling Zhao, and Baojiang Cui. 2023. A Vul- nerability Detection Method for SDN with Optimized Fuzzing. InInternational Conference on Advanced Information Networking and Applications. Springer, 525– 536

2023

[8] [8]

Shuhua Deng, Lihui Chen, and Xieping Gao. 2024. Manipulating Sensitive Match Fields to Poison Applications in SDN.IEEE Transactions on Network and Service Management21, 2 (2024), 2413–2425. doi:10.1109/TNSM.2023.3337434

work page doi:10.1109/tnsm.2023.3337434 2024

[9] [9]

Shuhua Deng, Xian Qing, Xiaofan Li, Xing Gao, and Xieping Gao. 2023. SDN Application Backdoor: Disrupting the Service via Poisoning the Topology. InIEEE INFOCOM 2023 - IEEE Conference on Computer Communications. 1–10. doi:10. 1109/INFOCOM53939.2023.10229058 11

arXiv 2023

[10] [10]

Moustapha Awwalou Diouf, Samuel Ouya, Jacques Klein, and Tegawendé F Bissyandé. 2025. Software security in software-defined networking: A systematic literature review.arXiv preprint arXiv:2502.13828(2025)

arXiv 2025

[11] [11]

Chi-Yao Hong, Srikanth Kandula, Ratul Mahajan, Ming Zhang, Vijay Gill, Mohan Nanduri, and Roger Wattenhofer. 2013. Achieving high utilization with software- driven WAN.SIGCOMM Comput. Commun. Rev.43, 4 (Aug. 2013), 15–26. doi:10. 1145/2534169.2486012

arXiv 2013

[12] [12]

Sushant Jain, Alok Kumar, Subhasree Mandal, Joon Ong, Leon Poutievski, Arjun Singh, Subbaiah Venkata, Jim Wanderer, Junlan Zhou, Min Zhu, Jon Zolla, Urs Hölzle, Stephen Stuart, and Amin Vahdat. 2013. B4: experience with a globally- deployed software defined wan. InProceedings of the ACM SIGCOMM 2013 Con- ference on SIGCOMM(Hong Kong, China)(SIGCOMM ’13). ...

work page doi:10.1145/2486001.2486019 2013

[13] [13]

Samuel Jero, Xiangyu Bu, Cristina Nita-Rotaru, Hamed Okhravi, Richard Skowyra, and Sonia Fahmy. 2017. Beads: Automated attack discovery in openflow-based sdn systems. InInternational Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 311–333

2017

[14] [14]

Brighten Godfrey

Ahmed Khurshid, Wenxuan Zhou, Matthew Caesar, and P. Brighten Godfrey

[15] [15]

InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland) (HotSDN ’12)

VeriFlow: verifying network-wide invariants in real time. InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland) (HotSDN ’12). Association for Computing Machinery, New York, NY, USA, 49–54. doi:10.1145/2342441.2342452

work page doi:10.1145/2342441.2342452

[16] [16]

Jinwoo Kim, Minjae Seo, Eduard Marin, Seungsoo Lee, Jaehyun Nam, and Seung- won Shin. 2024. Ambusher: Exploring the Security of Distributed SDN Controllers Through Protocol State Fuzzing.IEEE Transactions on Information Forensics and Security19 (2024), 6264–6279. doi:10.1109/TIFS.2024.3402967

work page doi:10.1109/tifs.2024.3402967 2024

[17] [17]

Jiwon Kim, Dave Jing Tian, and Benjamin E. Ujcich. 2025. Chimera: Fuzzing P4 Network Infrastructure for Multi-Plane Bug Detection and Vulnerability Discovery. In2025 IEEE Symposium on Security and Privacy (SP). 3088–3106. doi:10.1109/SP61157.2025.00194

work page doi:10.1109/sp61157.2025.00194 2025

[18] [18]

Ujcich, and Dave (Jing) Tian

Jiwon Kim, Benjamin E. Ujcich, and Dave (Jing) Tian. 2023. Intender: Fuzzing Intent-Based Networking with Intent-State Transition Guidance. In32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 4463–4480. https://www.usenix.org/conference/usenixsecurity23/presentation/ kim-jiwon

2023

[19] [19]

Kyle Kingsbury. 2013. Jepsen: Distributed Systems Safety Research. https:// jepsen.io/. Accessed: 2026-05-02

2013

[20] [20]

Diego Kreutz, Fernando M. V. Ramos, and Paulo Verissimo. 2013. Towards Secure and Dependable Software-Defined Networks. InProceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN ’13). 55–60. doi:10.1145/2491185.2491199

work page doi:10.1145/2491185.2491199 2013

[21] [21]

Diego Kreutz, Fernando M. V. Ramos, Paulo Esteves Veríssimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. 2015. Software-Defined Networking: A Comprehensive Survey.Proc. IEEE103, 1 (2015), 14–76. doi:10. 1109/JPROC.2014.2371999

arXiv 2015

[22] [22]

Leslie Lamport. 2019. The part-time parliament. InConcurrency: the works of Leslie Lamport. 277–317

2019

[23] [23]

Chanhee Lee, Changhoon Yoon, Seungwon Shin, and Sang Kil Cha. 2018. INDAGO: A New Framework For Detecting Malicious SDN Applications. In 2018 IEEE 26th International Conference on Network Protocols (ICNP). 220–230. doi:10.1109/ICNP.2018.00031

work page doi:10.1109/icnp.2018.00031 2018

[24] [24]

Seungsoo Lee, Jinwoo Kim, Seungwon Woo, Changhoon Yoon, Sandra Scott- Hayward, Vinod Yegneswaran, Phillip Porras, and Seungwon Shin. 2020. A comprehensive security assessment framework for software-defined networks. Computers & Security91 (2020), 101720. doi:10.1016/j.cose.2020.101720

work page doi:10.1016/j.cose.2020.101720 2020

[25] [25]

Seungsoo Lee, Seungwon Woo, Jinwoo Kim, Jaehyun Nam, Vinod Yegneswaran, Phillip Porras, and Seungwon Shin. 2022. A Framework for Policy Inconsistency Detection in Software-Defined Networks.IEEE/ACM Transactions on Networking 30, 3 (2022), 1410–1423. doi:10.1109/TNET.2022.3140824

work page doi:10.1109/tnet.2022.3140824 2022

[26] [26]

Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yeg- neswaran, and Phillip A Porras. 2017. Delta: A security assessment framework for software-defined networks.. InNDSS

2017

[27] [27]

Seungsoo Lee, Changhoon Yoon, and Seungwon Shin. 2016. The Smaller, the Shrewder: A Simple Malicious Application Can Kill an Entire SDN Environment. InProceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization(New Orleans, Louisiana, USA)(SDN-NFV Security ’16). Association for Computing Ma...

work page doi:10.1145/2876019.2876024 2016

[28] [28]

Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol, and Anja Feld- mann. 2012. Logically centralized? state distribution trade-offs in software defined networks. InProceedings of the First Workshop on Hot Topics in Software Defined Networks(Helsinki, Finland)(HotSDN ’12). Association for Computing Machinery, New York, NY, USA, 1–6. doi:10.1145/23...

work page doi:10.1145/2342441.2342443 2012

[29] [29]

Hongliang Liang, Xiaoxiao Pei, Xiaodong Jia, Wuwei Shen, and Jian Zhang. 2018. Fuzzing: State of the art.IEEE Transactions on Reliability67, 3 (2018), 1199–1218

2018

[30] [30]

Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Pe- terson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. 2008. OpenFlow: Enabling Innovation in Campus Networks.ACM SIGCOMM Computer Commu- nication Review38, 2 (2008), 69–74. doi:10.1145/1355734.1355746

work page doi:10.1145/1355734.1355746 2008

[31] [31]

Ruijie Meng, George Pîrlea, Abhik Roychoudhury, and Ilya Sergey. 2023. Greybox Fuzzing of Distributed Systems. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23). 1615–1629. doi:10.1145/ 3576915.3623097

arXiv 2023

[32] [32]

Madanlal Musuvathi, Shaz Qadeer, Thomas Ball, Gerard Basler, Pira- manayagam Arumuga Nainar, and Iulian Neamtiu. 2008. Finding and Reproducing Heisenbugs in Concurrent Programs.. InOSDI, Vol. 8

2008

[33] [33]

Raphaël Ollando, Seung Yeob Shin, and Lionel C. Briand. 2026. Learning-Guided Fuzzing for Testing Stateful SDN Controllers.ACM Transactions on Software Engineering and Methodology(2026). doi:10.1145/3733717

work page doi:10.1145/3733717 2026

[34] [34]

Diego Ongaro and John Ousterhout. 2014. In search of an understandable con- sensus algorithm. In2014 USENIX annual technical conference (USENIX ATC 14). 305–319

2014

[35] [35]

Ben Pfaff, Justin Pettit, Teemu Koponen, Ethan Jackson, Andy Zhou, Jarno Raja- halme, Jesse Gross, Alex Wang, Joe Stringer, Pravin Shelar, Keith Amidon, and Martín Casado. 2015. The Design and Implementation of Open vSwitch. In12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). USENIX Association, Oakland, CA, 117–130

2015

[36] [36]

Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. 2012. A Security Enforcement Kernel for OpenFlow Networks. InProceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN ’12). 121–126. doi:10.1145/2342441.2342466

work page doi:10.1145/2342441.2342466 2012

[37] [37]

Zia, Waseem Iqbal, Yawar Abbas, and Hammad Afzal

Bilal Rauf, Haider Abbas, Muhammad Usman, Tanveer A. Zia, Waseem Iqbal, Yawar Abbas, and Hammad Afzal. 2021. Application Threats to Exploit North- bound Interface Vulnerabilities in Software Defined Networks.ACM Comput. Surv.54, 6, Article 121 (July 2021), 36 pages. doi:10.1145/3453648

work page doi:10.1145/3453648 2021

[38] [38]

Mark Reitblatt, Nate Foster, Jennifer Rexford, Cole Schlesinger, and David Walker

[39] [39]

InProceedings of the ACM SIGCOMM 2012 Conference

Abstractions for Network Update. InProceedings of the ACM SIGCOMM 2012 Conference. 323–334. doi:10.1145/2342356.2342427

work page doi:10.1145/2342356.2342427 2012

[40] [40]

Ermin Sakic and Wolfgang Kellerer. 2018. Impact of Adaptive Consistency on Distributed SDN Applications: An Empirical Study.IEEE Journal on Selected Areas in Communications36, 12 (Dec 2018), 2702–2715. doi:10.1109/JSAC.2018.2871309

work page doi:10.1109/jsac.2018.2871309 2018

[41] [41]

Ermin Sakic and Wolfgang Kellerer. 2018. Response Time and Availability Study of RAFT Consensus in Distributed SDN Control Plane.IEEE Transactions on Network and Service Management15, 1 (2018), 304–318. doi:10.1109/TNSM.2017.2775061

work page doi:10.1109/tnsm.2017.2775061 2018

[42] [42]

Jawad Saidi, Stefan Schmid, Marco Canini, Thomas Zinner, and Anja Feldmann

Apoorv Shukla, S. Jawad Saidi, Stefan Schmid, Marco Canini, Thomas Zinner, and Anja Feldmann. 2020. Towards Consistent SDNs Through Network State Fuzzing.IEEE Transactions on Network and Service Management17, 2 (2020), 1156–1169. doi:10.1109/TNSM.2019.2955790

work page doi:10.1109/tnsm.2019.2955790 2020

[43] [43]

Dylan Smyth, Donna O’Shea, Victor Cionca, and Sean McSweeney. 2019. Attack- ing distributed software-defined networks by leveraging network state consis- tency.Computer Networks156 (2019), 9–19. doi:10.1016/j.comnet.2019.02.020

work page doi:10.1016/j.comnet.2019.02.020 2019

[44] [44]

Kashyap Thimmaraju, Bhargava Shastry, Tobias Fiebig, Felicitas Hetzelt, Jean- Pierre Seifert, Anja Feldmann, and Stefan Schmid. 2018. Taking Control of SDN-based Cloud Systems via the Data Plane. InProceedings of the Symposium on SDN Research (SOSR ’18). 1–15. doi:10.1145/3185467.3185468

work page doi:10.1145/3185467.3185468 2018

[45] [45]

Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H

Benjamin E. Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H. Sanders, Cristina Nita-Rotaru, and Hamed Okhravi. 2018. Cross-App Poisoning in Software-Defined Networking. InPro- ceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(Toronto, Canada)(CCS ’18). Association for Comp...

work page doi:10.1145/3243734.3243759 2018

[46] [46]

Ujcich, Uttam Thakore, and William H

Benjamin E. Ujcich, Uttam Thakore, and William H. Sanders. 2017. ATTAIN: An Attack Injection Framework for Software-Defined Networking. In2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 567–578. doi:10.1109/DSN.2017.59

work page doi:10.1109/dsn.2017.59 2017

[47] [47]

Ben Weintraub, Jiwon Kim, Ran Tao, Cristina Nita-Rotaru, Hamed Okhravi, Dave (Jing) Tian, and Benjamin E. Ujcich. 2024. Exploiting Temporal Vulnerabil- ities for Unauthorized Access in Intent-based Networking. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security(Salt Lake City, UT, USA)(CCS ’24). Association for Compu...

work page doi:10.1145/3658644.3670301 2024

[48] [48]

Edwin B Wilson. 1927. Probable inference, the law of succession, and statistical inference.J. Amer. Statist. Assoc.22, 158 (1927), 209–212

1927

[49] [49]

Lei Xu, Jeff Huang, Sungmin Hong, Jialong Zhang, and Guofei Gu. 2017. Attacking the Brain: Races in the SDN Control Plane. In26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 451–468. https://www. usenix.org/conference/usenixsecurity17/technical-sessions/presentation/xu-lei

2017

[50] [50]

Jiangyuan Yao, Zhiliang Wang, Xia Yin, Xingang Shi, Yahui Li, and Chongrong Li. 2017. Testing Black-Box SDN Applications with Formal Behavior Models. In 2017 IEEE 25th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS). 110–120. doi:10.1109/ MASCOTS.2017.20 12

2017