Abstract
Software-defined networking has revolutionised network management with a new network architecture, where the previously distributed control software is decoupled from the underlying data plane forwarding devices and logically centralised, allowing these forwarding devices to be configured by programs running on a central controller. In recent years, this principle of network programmability has been extended to the forwarding devices themselves, with the development of new programmable switches, which can be configured to implement stateful, protocol-independent data plane programs using high-level languages, such as P4.This new architecture has profound implications for the runtime verification of data plane forwarding behaviour. On the one hand, the logically centralised control structure enables faster, better-coordinated anomaly detection through the central collection and processing of statistics from forwarding devices. However, programmability and statefulness in the data plane significantly expand the range of potential behaviours that must be reasoned about by verification tools, limiting their scalability. This limitation is exacerbated when anomalous behaviour is caused by malicious manipulation of data plane devices, which can include the addition of arbitrary new behaviours to a data plane program. Such attacks render heuristics commonly used by data plane monitoring systems (e.g. enumeration of known program paths) unreliable, as the class of packets affected by malicious edits is unknown to the network operator. As a result, accurate, well-targeted attacks may go undetected.
The focus of this thesis is on these subtle attacks in P4-programmable data planes, where an attacker compromises a P4 data plane device and alters its forwarding behaviour by adding new paths to its forwarding program. From an offensive perspective, the feasibility of implementing this attack without detection is demonstrated. Firstly, it is shown how an attacker in control of a P4-programmable forwarding device can spoof responses to monitoring requests from the control plane to hide malicious program alterations. Then, to demonstrate the ability of an attacker to evade state-of-the-art runtime monitoring, a static analysis of P4 programs compiled to BPF bytecode is presented, which ensures the accuracy of malicious program alterations that selectively forward previously dropped packets. Given the low likelihood of detection of this attack by existing runtime monitoring tools, a new obfuscation-based attack mitigation is proposed, which aims to prevent timely and accurate analysis of P4 programs by prospective attackers, limiting their ability to make accurate malicious edits.
Date of Award | Jul 2023 |
---|---|
Original language | English |
Awarding Institution |
|
Sponsors | Engineering & Physical Sciences Research Council |
Supervisor | Sandra Scott-Hayward (Supervisor) & Sakir Sezer (Supervisor) |