EAGER: USBRCCR: Collaborative: Securing Networks in the Programmable Data Plane Era

EAGER：USBRCCR：协作：确保可编程数据平面时代的网络安全

• 批准号: 1740791
• 负责人: Guofei Gu
• 金额: $ 10万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1740791&HistoricalAwards=false
• 关键词: EAGER; USBRCCR; Collaborative; Securing; Networks

Recent advances in software-defined networking (SDN) and programmable data planes allow datacenter and enterprise network operators to quickly deploy new protocols, customize network behavior, and develop innovative services. These advances promise to improve and streamline network operations, improving the quality of service provided to end users. However programmable data planes also introduce new complexities to network management, notably, ensuring that the network satisfies critical security properties. Current network verification and analysis tools cannot handle these complex new networks. This work aims to address three important problems at the intersection of networking and computer security: First, the work proposes to develop new techniques that allow operators to verify that their network satisfies security properties like tenant isolation in a cloud hosting environment. Second, this work proposes to use the data plane to implement a security mechanism to enforce security properties, an approach that complements verification as a way to ensure correct network behavior. Finally, the work proposes to develop new security services that leverage the capabilities of a programmable data plane. Results of the proposed work will promote the adoption of more secure and flexible next-generation networks by providing operators the tools necessary to verify and enforce critical network security properties. As programmable data planes are poised to transform modern the architecture of modern networks, the proposed work will advance the current state of the art in networking by extending verification and enforcement techniques to programmable data plane networks, for which neither network verification nor security policy mechanisms currently exist. To do so, investigators will transform data plane programs, expressed in P4, into assertions suitable for analysis using existing network verification tools based on SMT solvers. Investigators will also develop a security kernel implemented as a P4 data plane program to enforce network-wide security properties at run time. Finally, this work will also develop new data plane services that will enable a new class of security functions to be deployed in the network in order to improve the overall security of computer networks.

软件定义网络（SDN）和可编程数据平面的最新进展使数据中心和企业网络运营商能够快速部署新协议、自定义网络行为并开发创新服务。这些进步有望改善和简化网络运营，提高向最终用户提供的服务质量。然而，可编程数据平面也给网络管理带来了新的复杂性，特别是确保网络满足关键的安全属性。目前的网络验证和分析工具无法处理这些复杂的新网络。这项工作旨在解决网络和计算机安全交叉点的三个重要问题：首先，这项工作提出开发新技术，允许运营商验证其网络满足云托管环境中的租户隔离等安全属性。其次，这项工作建议使用数据平面来实现安全机制来强制执行安全属性，这种方法补充了验证，作为确保正确网络行为的一种方式。最后，这项工作建议开发新的安全服务，利用可编程数据平面的功能。拟议工作的结果将通过为运营商提供必要的工具来验证和实施关键的网络安全属性，促进采用更安全和更灵活的下一代网络。由于可编程数据平面正准备改变现代网络的体系结构，因此所提出的工作将通过将验证和实施技术扩展到可编程数据平面网络来推进当前网络技术的发展，目前既不存在网络验证也不存在安全策略机制。为此，研究人员将把P4中表示的数据平面程序转换为适合使用基于SMT求解器的现有网络验证工具进行分析的断言。调查人员还将开发一个安全内核，作为P4数据平面程序实现，以在运行时强制执行网络范围的安全属性。最后，这项工作还将开发新的数据平面服务，使一类新的安全功能能够部署在网络中，以提高计算机网络的整体安全性。

项目成果

Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

• DOI: 10.1007/978-3-030-00470-5_8
• 发表时间: 2018-09
• 作者: Menghao Zhang;Guanyu Li;Lei Xu;J. Bi;G. Gu;Jia-Ju Bai

NETHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering

• DOI: 10.1109/icnp.2019.8888057
• 发表时间: 2019-10
• 期刊: 2019 IEEE 27th International Conference on Network Protocols (ICNP)
• 作者: G. Li;Menghao Zhang;Chang Liu;Xiao Kong;Ang Chen;G. Gu;Haixin Duan

Effective Topology Tampering Attacks and Defenses in Software-Defined Networks

• DOI: 10.1109/dsn.2018.00047
• 发表时间: 2018-06
• 期刊: 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: R. Skowyra;Lei Xu;G. Gu;V. Dedhia;Thomas Hobson;Hamed Okhravi;James Landry

Unexpected Data Dependency Creation and Chaining: A New Attack to SDN

• DOI: 10.1109/sp40000.2020.00017
• 发表时间: 2020-05
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: Feng Xiao;Jinquan Zhang;Jianwei Huang;G. Gu;Dinghao Wu;Peng Liu

Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era

• DOI: 10.1145/3243734.3243749
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Haopei Wang;Guangliang Yang;Phakpoom Chinprutthiwong;Lei Xu;Yangyong Zhang;G. Gu