A Survey on the Verification of Adversarial Data Planes in Software-Defined Networks

Black, Conor; Scott-Hayward, Sandra

doi:10.1145/3445968.3452092

Cited by 6 publications

(2 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Equally, many compromised switch detection mechanisms have been proposed [9], that, in general, attempt to detect compromise by injecting test packets through the data plane and comparing their forwarding to expected behaviour.…”

Section: Introductionmentioning

confidence: 99%

Defeating Data Plane Attacks With Program Obfuscation

Black,

Scott-Hayward

2024

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Data plane switches in software-defined networks are increasingly recognised as potential targets for attack, with recent exploits showing their vulnerability to full compromise. The serious consequences of such a breach have prompted the design of compromise detection mechanisms, which monitor switch forwarding behaviour at runtime to ensure that it has not been altered by an attack. However, such defences cannot achieve full coverage in stateful, programmable data planes, creating an opportunity for an attacker to evade detection by carefully editing a switch's forwarding program to mishandle a small subset of packets. To exploit this opportunity and avoid detection, an attacker must analyse and edit the program's behaviour within a narrow time window, which is possible when the data plane is defined by a uBPF program compiled from P4, due to the predictable compilation process. In this work, we aim to invalidate this analysis-guided attack technique with targeted obfuscation of P4-uBPF programs that increases the analysis complexity. We find that, by inserting additional program paths and syntactic dependencies between variables, we can force an attacker to analyse a higher proportion of program instructions and carry out time-consuming SMT solving to find valid program paths, rendering the previous attack technique infeasible. Furthermore, by applying our identified program optimisations, program performance can often be maintained after obfuscation. In evaluating our work, we identify the potential to improve our solution by tailoring obfuscations to individual program paths.

show abstract

Section: Introductionmentioning

confidence: 99%

Defeating Data Plane Attacks With Program Obfuscation

Black,

Scott-Hayward

2024

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…State-of-the-art solutions to detecting compromised data plane devices [4] have trended towards monitoring how the devices forward crafted sets of probe packets, raising an alert if this differs from the intended behaviour. Of course, testing the forwarding behaviour of every possible packet is infeasible, particularly in stateful networks, where naive testing can take 20 hours [13].…”

Section: Introductionmentioning

confidence: 99%

Investigating the Vulnerability of Programmable Data Planes to Static Analysis-Guided Attacks

Black

Scott-Hayward

2022

2022 IEEE 8th International Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

Programmable network data planes are paving the way for networking innovations, with the ability to perform complex, stateful tasks defined in high-level languages such as P4. The enhanced capabilities of programmable data plane devices has made verification of their runtime behaviour, using established methods such as probe packets, impossible to scale beyond probabilistic detection. This has created a potential opportunity for an attacker, with access to a compromised device, to subtly alter its forwarding program to mishandle only a small subset of packets, evading probabilistic detection. In practice, such subtle binary instrumentation attacks require extensive knowledge of the forwarding program, yet it is unclear whether a static analysis of compiled P4 programs to obtain this knowledge can be fast and accurate enough for an on-device attack scenario. In this work, we investigate this possibility by implementing a static analysis of P4 programs compiled to BPF bytecode. This analysis gathers sufficient information for the attacker to identify appropriate (reliably correct) edits to the program. We found that, due to predictable compiler behaviours, our analysis remains accurate even when several program behaviours are abstracted away. Our evaluation of the analysis requirements shows that, from a defensive perspective, there is scope for selectively manipulating those instructions in P4-BPF programs that are critical to attack-focused analysis in order to increase its difficulty, without increasing the number of program instructions.

show abstract