Abstract
Data plane switches in software-defined networks are increasingly recognised as potential targets for attack, with recent exploits showing their vulnerability to full compromise. The serious consequences of such a breach have prompted the design of compromise detection mechanisms, which monitor switch forwarding behaviour at runtime to ensure that it has not been altered by an attack. However, such defences cannot achieve full coverage in stateful, programmable data planes, creating an opportunity for an attacker to evade detection by carefully editing a switch's forwarding program to mishandle a small subset of packets. To exploit this opportunity and avoid detection, an attacker must analyse and edit the program's behaviour within a narrow time window, which is possible when the data plane is defined by a uBPF program compiled from P4, due to the predictable compilation process. In this work, we aim to invalidate this analysis-guided attack technique with targeted obfuscation of P4-uBPF programs that increases the analysis complexity. We find that, by inserting additional program paths and syntactic dependencies between variables, we can force an attacker to analyse a higher proportion of program instructions and carry out time-consuming SMT solving to find valid program paths, rendering the previous attack technique infeasible. Furthermore, by applying our identified program optimisations, program performance can often be maintained after obfuscation. In evaluating our work, we identify the potential to improve our solution by tailoring obfuscations to individual program paths.
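The abstract names two obfuscations (inserted program paths and inserted syntactic dependencies between variables) and two analysis tasks they are meant to burden (reading a larger share of the instructions, and solving for which paths are actually feasible). The following is an added toy model of that idea, written for this page; it is not the paper's tooling, and it abstracts a P4-compiled uBPF program as a short list of instructions over three constructed 4-bit header fields (`proto`, `port`, `ttl`). Brute force over those tiny fields stands in for the SMT solving that real header widths would require.

```python
"""Toy model of path insertion and dependency insertion (constructed example;
not the paper's code). A program is a list of instructions over small header
fields. The "attacker" slices to the instructions that decide the action,
counts CFG paths, then finds which paths any header actually takes.
"""
from itertools import product

FIELDS = ("proto", "port", "ttl")   # constructed header fields
WIDTH = 4                           # bits per field -> 2**(WIDTH*3) headers


def SET(dst, srcs, fn): return {"op": "set", "dst": dst, "srcs": srcs, "fn": fn}
def BR(srcs, fn, target): return {"op": "br", "srcs": srcs, "fn": fn, "target": target}
def ACT(name): return {"op": "act", "name": name}


# Baseline: drop when port == 9, forward otherwise. Instruction 0 is
# unrelated housekeeping (TTL decrement) that a slice can ignore.
ORIGINAL = [
    SET("ttl", ("ttl",), lambda e: (e["ttl"] - 1) & 0xF),   # 0
    SET("x", ("port",), lambda e: e["port"]),                # 1
    BR(("x",), lambda e: e["x"] == 9, 4),                     # 2
    ACT("forward"),                                           # 3
    ACT("drop"),                                              # 4
]

# Same behaviour after obfuscation. Instructions 1-2 make x syntactically
# depend on proto (k ^ proto == port, which a slicer cannot see). Instruction
# 3 derives q from ttl via n*n + n, always even, so the branch at 4 is an
# opaque predicate: a CFG path to 7 exists but no header reaches it.
OBFUSCATED = [
    SET("ttl", ("ttl",), lambda e: (e["ttl"] - 1) & 0xF),                 # 0
    SET("k", ("proto", "port"), lambda e: e["proto"] ^ e["port"]),        # 1
    SET("x", ("k", "proto"), lambda e: e["k"] ^ e["proto"]),              # 2
    SET("q", ("ttl",), lambda e: (e["ttl"] * e["ttl"] + e["ttl"]) % 2),   # 3
    BR(("q",), lambda e: e["q"] != 0, 7),                                  # 4 never taken
    BR(("x",), lambda e: e["x"] == 9, 8),                                  # 5
    ACT("forward"),                                                        # 6
    ACT("drop"),                                                           # 7 unreachable
    ACT("drop"),                                                           # 8
]


def run(prog, env):
    """Execute prog on one header; return (action, tuple of executed indices)."""
    env, pc, path = dict(env), 0, []
    while True:
        ins = prog[pc]
        path.append(pc)
        if ins["op"] == "act":
            return ins["name"], tuple(path)
        if ins["op"] == "set":
            env[ins["dst"]] = ins["fn"](env)
            pc += 1
        else:
            pc = ins["target"] if ins["fn"](env) else pc + 1


def syntactic_paths(prog, pc=0):
    """Count CFG paths with no reasoning about data (programs are acyclic)."""
    ins = prog[pc]
    if ins["op"] == "act":
        return 1
    if ins["op"] == "set":
        return syntactic_paths(prog, pc + 1)
    return syntactic_paths(prog, ins["target"]) + syntactic_paths(prog, pc + 1)


def feasible_paths(prog, fields=FIELDS, width=WIDTH):
    """Map each path some header really takes to its action, by brute force.
    Cost is 2**(width*len(fields)); at real header widths this is solver work."""
    seen = {}
    for values in product(range(1 << width), repeat=len(fields)):
        action, path = run(prog, dict(zip(fields, values)))
        seen[path] = action
    return seen


def decision_slice(prog):
    """Conservative backward slice from every branch: the instructions an
    attacker must read before editing which packets reach which action."""
    needed, sliced = set(), set()
    for i in range(len(prog) - 1, -1, -1):
        ins = prog[i]
        if ins["op"] == "br" or (ins["op"] == "set" and ins["dst"] in needed):
            sliced.add(i)
            needed.update(ins["srcs"])
    return sliced


def equivalent(p1, p2, fields=FIELDS, width=WIDTH):
    """True if both programs pick the same action for every possible header."""
    return all(run(p1, dict(zip(fields, v)))[0] == run(p2, dict(zip(fields, v)))[0]
               for v in product(range(1 << width), repeat=len(fields)))


def summary(prog):
    return {"instructions": len(prog), "slice": len(decision_slice(prog)),
            "syntactic_paths": syntactic_paths(prog),
            "feasible_paths": len(feasible_paths(prog))}


if __name__ == "__main__":
    for name, prog in (("original", ORIGINAL), ("obfuscated", OBFUSCATED)):
        print(name, summary(prog))
    print("same forwarding behaviour:", equivalent(ORIGINAL, OBFUSCATED))
```

Running it shows the two effects the abstract describes: the decision slice grows from 2 of 5 instructions to 6 of 9 (the TTL housekeeping is dragged in by the opaque predicate, the XOR pair by the inserted dependency), and the obfuscated program has 3 syntactic paths but only 2 feasible ones, while forwarding behaviour is unchanged for all 4096 headers. Closing that syntactic/feasible gap is what costs the attacker time: here 4096 concrete runs suffice, but with a 16-bit port and 8-bit fields the enumeration is hopeless and the dead branch can only be ruled out by a solver. The toy says nothing about the runtime cost of the inserted instructions, which the abstract addresses separately through optimisation.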
| Original language | English |
|---|---|
| Number of pages | 13 |
| Journal | IEEE Transactions on Dependable and Secure Computing |
| Early online date | 19 May 2023 |
| DOIs | |
| Publication status | Early online date - 19 May 2023 |
Keywords
- Data plane security
- Obfuscation
- P4
- SDN
- SMT
- Static Analysis
- uBPF
ASJC Scopus subject areas
- General Computer Science
- Electrical and Electronic Engineering
Student theses
- Mitigating data plane device compromise in programmable networks
  Black, C. (Author), Scott-Hayward, S. (Supervisor) & Sezer, S. (Supervisor), Jul 2023. Student thesis: Doctoral Thesis › Doctor of Philosophy