NeTS: Small: Detecting Races in SDN Control Plane

NeTS：小型：检测 SDN 控制平面中的竞争

• 批准号: 1617985
• 负责人: Guofei Gu
• 金额: $ 35万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1617985&HistoricalAwards=false
• 关键词: NeTS; Small; Detecting; Races; SDN

Software Defined Networking (SDN) has rapidly emerged as a promising solution to building the future Internet. Current legacy network devices are typically proprietary, closed, and complex platforms, which as a result have severely throttled innovation in networking. SDN in contrast is designed to separate intelligent control plane (controller) from switching fabrics, ushering in enormous opportunities for rapid open innovations and quick creation of customized services. In SDN, the controllers play a central role, acting as the brain of the entire network. Thus, the reliable and secure operation of them is of extreme importance. Unfortunately, the asynchrony of network events and the complex architecture of SDN controllers make them prone to hard-to-find yet serious data race bugs, that can cause serious reliability and security issues to the whole SDN network.In the principal investigators' (PIs) initial investigation, they found that data race bugs in the control plane can greatly reduce the reliability and security of SDN, e.g., causing system crashes, denying critical network services, interfering with service chains, or leaking privacy network information. These are not acceptable for SDN technology deployment. Unfortunately there is a serious lack of techniques to detect systematically these harmful concurrency bugs in the SDN control plane. This work seeks to address these issues. First, this project will conduct a systematic investigation of mainstream SDN controllers and develop an abstracted causality model to capture the unique happens-before semantics of the SDN control plane for race detection. Second, the project will develop the first dynamic race detection tool for the SDN control plane and will target mainstream controllers, such as Floodlight, ONOS and OpenDaylight, to maximize the impact on the SDN community. Third, this project will design new techniques to handle missing events in the dynamic execution of SDN controllers to reduce false alarms and for more complete race detection. Finally, the PIs will extend the techniques to detect a broad range of concurrency bugs.The goal of the project is to develop a reliability and security model for the SDN control plane. The PIs have been developing network security, SDN, and software analysis related courses. The PIs will recruit and educate minorities and underrepresented students. The teams are well positioned to help shape the landscape of SDN reliability/security research and education in the academic communities and to influence the industry.

软件定义网络（SDN）已迅速成为构建未来互联网的一种有前途的解决方案。当前的传统网络设备通常是专有的、封闭的和复杂的平台，因此严重限制了网络方面的创新。相反，SDN旨在将智能控制平面（控制器）与交换结构分离，为快速开放创新和快速创建定制服务带来巨大机会。在SDN中，控制器起着中心作用，充当整个网络的大脑。因此，它们的可靠和安全运行是极其重要的。不幸的是，网络事件的异步性和SDN控制器的复杂架构使它们容易出现难以发现但严重的数据竞争错误，这可能会给整个SDN网络带来严重的可靠性和安全性问题。在pi的初步调查中，他们发现控制平面的数据竞争漏洞会大大降低SDN的可靠性和安全性，例如导致系统崩溃、拒绝关键网络服务、干扰服务链、泄露隐私网络信息等。这些对于SDN技术部署来说是不可接受的。不幸的是，目前严重缺乏系统地检测SDN控制平面中这些有害的并发错误的技术。这项工作旨在解决这些问题。首先，本项目将对主流SDN控制器进行系统调查，并开发一个抽象的因果关系模型，以捕获SDN控制平面独特的happens-before语义，用于竞赛检测。其次，该项目将为SDN控制平面开发第一个动态竞争检测工具，并将针对主流控制器，如泛光灯，ONOS和OpenDaylight，以最大限度地影响SDN社区。第三，本项目将设计新的技术来处理SDN控制器动态执行中的缺失事件，以减少误报和更完整的竞争检测。最后，pi将扩展这些技术，以检测广泛的并发错误。该项目的目标是为SDN控制平面开发一个可靠性和安全性模型。pi一直在开发网络安全、SDN、软件分析等相关课程。私立学校将招收和教育少数民族和代表性不足的学生。这些团队能够帮助塑造学术界SDN可靠性/安全研究和教育的格局，并影响整个行业。

项目成果

Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

• DOI: 10.1007/978-3-030-00470-5_8
• 发表时间: 2018-09
• 作者: Menghao Zhang;Guanyu Li;Lei Xu;J. Bi;G. Gu;Jia-Ju Bai

The CrossPath Attack: Disrupting the SDN Control Channel via Shared Links

• 发表时间: 2019
• 作者: Jiahao Cao;Qi Li;Renjie Xie;Kun Sun;G. Gu;Mingwei Xu;Yuan Yang

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

• DOI: 10.1145/3243734.3243862
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Hongda Li;Hongxin Hu;G. Gu;Gail-Joon Ahn;Fuqiang Zhang

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

• DOI: 10.14722/ndss.2020.23040
• 发表时间: 2020
• 期刊: Proceedings 2020 Network and Distributed System Security Symposium
• 作者: Jiahao Cao;Renjie Xie;Kun Sun;Qi Li;G. Gu;Mingwei Xu

Security Study of Service Worker Cross-Site Scripting.

Service Worker 跨站点脚本的安全研究。

• DOI: 10.1145/3427228.3427290
• 发表时间: 2020
• 期刊: Proc. of 2020 Annual Computer Security Applications Conference (ACSAC’20
• 作者: Chinprutthiwong, Phakpoom;Vardhan, Raj;Yang, GuangLiang;Gu, Guofei
• 通讯作者: Gu, Guofei