EAGER: USBRCCR: Collaborative: Securing Networks in the Programmable Data Plane Era

EAGER：USBRCCR：协作：确保可编程数据平面时代的网络安全

• 批准号: 1740791
• 负责人: Guofei Gu
• 金额: $ 10万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1740791&HistoricalAwards=false
• 关键词: EAGER; USBRCCR; Collaborative; Securing; Networks

Recent advances in software-defined networking (SDN) and programmable data planes allow datacenter and enterprise network operators to quickly deploy new protocols, customize network behavior, and develop innovative services. These advances promise to improve and streamline network operations, improving the quality of service provided to end users. However programmable data planes also introduce new complexities to network management, notably, ensuring that the network satisfies critical security properties. Current network verification and analysis tools cannot handle these complex new networks. This work aims to address three important problems at the intersection of networking and computer security: First, the work proposes to develop new techniques that allow operators to verify that their network satisfies security properties like tenant isolation in a cloud hosting environment. Second, this work proposes to use the data plane to implement a security mechanism to enforce security properties, an approach that complements verification as a way to ensure correct network behavior. Finally, the work proposes to develop new security services that leverage the capabilities of a programmable data plane. Results of the proposed work will promote the adoption of more secure and flexible next-generation networks by providing operators the tools necessary to verify and enforce critical network security properties. As programmable data planes are poised to transform modern the architecture of modern networks, the proposed work will advance the current state of the art in networking by extending verification and enforcement techniques to programmable data plane networks, for which neither network verification nor security policy mechanisms currently exist. To do so, investigators will transform data plane programs, expressed in P4, into assertions suitable for analysis using existing network verification tools based on SMT solvers. Investigators will also develop a security kernel implemented as a P4 data plane program to enforce network-wide security properties at run time. Finally, this work will also develop new data plane services that will enable a new class of security functions to be deployed in the network in order to improve the overall security of computer networks.

软件定义网络 (SDN) 和可编程数据平面的最新进展使数据中心和企业网络运营商能够快速部署新协议、定制网络行为并开发创新服务。这些进步有望改善和简化网络运营，提高为最终用户提供的服务质量。然而，可编程数据平面也给网络管理带来了新的复杂性，特别是确保网络满足关键的安全属性。当前的网络验证和分析工具无法处理这些复杂的新网络。这项工作旨在解决网络和计算机安全交叉点的三个重要问题：首先，这项工作建议开发新技术，允许运营商验证其网络是否满足云托管环境中的租户隔离等安全属性。其次，这项工作建议使用数据平面来实现安全机制来强制执行安全属性，这是一种补充验证的方法，以确保正确的网络行为。最后，这项工作建议开发利用可编程数据平面功能的新安全服务。拟议工作的结果将通过为运营商提供验证和实施关键网络安全属性所需的工具来促进更安全、更灵活的下一代网络的采用。由于可编程数据平面准备改变现代网络的架构，因此所提出的工作将通过将验证和执行技术扩展到可编程数据平面网络来推进当前网络技术的发展，目前可编程数据平面网络既不存在网络验证，也不存在安全策略机制。为此，研究人员将以 P4 表示的数据平面程序转换为适合使用基于 SMT 求解器的现有网络验证工具进行分析的断言。研究人员还将开发一个作为 P4 数据平面程序实现的安全内核，以在运行时强制执行网络范围的安全属性。最后，这项工作还将开发新的数据平面服务，使新型安全功能能够在网络中部署，以提高计算机网络的整体安全性。

项目成果

Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

• DOI: 10.1007/978-3-030-00470-5_8
• 发表时间: 2018-09
• 作者: Menghao Zhang;Guanyu Li;Lei Xu;J. Bi;G. Gu;Jia-Ju Bai

NETHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering

• DOI: 10.1109/icnp.2019.8888057
• 发表时间: 2019-10
• 期刊: 2019 IEEE 27th International Conference on Network Protocols (ICNP)
• 作者: G. Li;Menghao Zhang;Chang Liu;Xiao Kong;Ang Chen;G. Gu;Haixin Duan

Effective Topology Tampering Attacks and Defenses in Software-Defined Networks

• DOI: 10.1109/dsn.2018.00047
• 发表时间: 2018-06
• 期刊: 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: R. Skowyra;Lei Xu;G. Gu;V. Dedhia;Thomas Hobson;Hamed Okhravi;James Landry

Unexpected Data Dependency Creation and Chaining: A New Attack to SDN

• DOI: 10.1109/sp40000.2020.00017
• 发表时间: 2020-05
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: Feng Xiao;Jinquan Zhang;Jianwei Huang;G. Gu;Dinghao Wu;Peng Liu

Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era

• DOI: 10.1145/3243734.3243749
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Haopei Wang;Guangliang Yang;Phakpoom Chinprutthiwong;Lei Xu;Yangyong Zhang;G. Gu