TY - GEN
T1 - Adversarial exploitation of P4 data planes
AU - Black, Conor
AU - Scott-Hayward, Sandra
PY - 2021/6/30
Y1 - 2021/6/30
N2 - Programmable data planes can support flexible and feature-rich networks. However, the network operator must have confidence that the network data plane correctly implements the specified policies. To address this, data plane testing and verification mechanisms have been proposed, which, in general, trust the data plane devices to behave faithfully. A few current solutions recognise that one or more of the network devices maybe under the control of a malicious adversary but do not address either the enhanced capabilities or motivations of an attacker in a modern P4-programmable data plane. Furthermore, the ability of an attacker to utilise these enhanced capabilities in an exploit has not been investigated. In this paper, we address this knowledge gap by means of a case study in which we assume the role of an attacker in an open-source implementation of a P4-programmable software switch and attempt a range of methods to exploit the program running on that switch. We find that attacks that exploit both the programmability and statefulness of the P4 switch are indeed possible, and discuss the impact of our findings with proposals for future adversarial data plane verification mechanisms to address this new threat model.
AB - Programmable data planes can support flexible and feature-rich networks. However, the network operator must have confidence that the network data plane correctly implements the specified policies. To address this, data plane testing and verification mechanisms have been proposed, which, in general, trust the data plane devices to behave faithfully. A few current solutions recognise that one or more of the network devices maybe under the control of a malicious adversary but do not address either the enhanced capabilities or motivations of an attacker in a modern P4-programmable data plane. Furthermore, the ability of an attacker to utilise these enhanced capabilities in an exploit has not been investigated. In this paper, we address this knowledge gap by means of a case study in which we assume the role of an attacker in an open-source implementation of a P4-programmable software switch and attempt a range of methods to exploit the program running on that switch. We find that attacks that exploit both the programmability and statefulness of the P4 switch are indeed possible, and discuss the impact of our findings with proposals for future adversarial data plane verification mechanisms to address this new threat model.
M3 - Conference contribution
SN - 9781728190419
BT - Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - IEEE/IFIP International Symposium on Integrated Network Management 2021
Y2 - 17 May 2021 through 21 May 2021
ER -