Managing and securing programmable virtual switches with PvS

Bibliographic details
Main author: Oliveira, Guilherme Bueno De
Publication date: 2021
Document type: Dissertation (master's thesis)
Language: por
Source title: Biblioteca Digital de Teses e Dissertações da UFRGS
Full text: http://hdl.handle.net/10183/249074
Abstract: Virtualization has become an important enabler of several concepts, like cloud computing, network function virtualization, and virtual networks, helping foster innovation and tackle the network ossification that lasted for decades. With programmable data planes following the path of virtualization, existing solutions to deliver the notion of virtual programmable switches fall short in providing effective abstractions of switches that could be managed independently and securely. To bridge this gap, we present PvS, a system for running multiple Programmable Virtual Switches that satisfies these requirements. In our work, we focus on the control engine abstraction, responsible for managing virtual switches running on underlying hardware (e.g., NetFPGA) and for providing management interfaces compatible with the control plane of a Software Defined Network (SDN). With PvS, we also concentrate on a potential security vulnerability regarding virtual switches, which is the “poisoning” between control plane applications (Cross-App Poisoning, or CAP, attacks) by a malicious control plane app, using virtual switches as a proxy for the attack. To this end, we devise an Information Flow Control (IFC) enforcement solution for virtual switches (vIFC), to detect information flow violations from a malicious application to legitimate ones in the control plane through virtual switches. We experimented with PvS using virtual switches running in a NetFPGA SUME, and assessed its effectiveness in securely managing virtual instances and preventing information flow violations in the control plane. We analyzed the operational impact of CAP attacks and the protection capabilities that vIFC provides by defending virtual switches, considering two use cases: a Reactive Forwarding app and the Inband Telemetry app. Our evaluation provides evidence that PvS is effective in providing secure manageability and detecting attacks like Cross-App Poisoning (CAP), while not incurring significant overhead.
id URGS_b189d35cd44517c01467981224f18789
oai_identifier_str oai:www.lume.ufrgs.br:10183/249074
network_acronym_str URGS
network_name_str Biblioteca Digital de Teses e Dissertações da UFRGS
repository_id_str 1853
spelling (concatenated record field, split into its components)
Author: Oliveira, Guilherme Bueno De
Advisors: Cordeiro, Weverton Luis da Costa; Azambuja, José Rodrigo Furlanetto de
Accessioned: 2022-09-16T05:02:57Z; issued: 2021
Handle: http://hdl.handle.net/10183/249074; record number: 001126578
Abstract (English): identical to the abstract above.
Abstract (Portuguese version, translated): Virtualization has become an important enabler of several networking concepts, such as cloud computing, network function virtualization and virtual networks, helping to foster innovation and confront the “network ossification” that lasted for decades. With programmable data planes following the path of virtualization, existing solutions for delivering the notion of virtual programmable switches do not provide effective abstractions of switches that can be managed securely and independently. To fill this gap, we present PvS, a system for running several programmable virtual switches that satisfies these requirements. In our work, we focus on the control engine abstraction, responsible for managing virtual switches running on underlying hardware (for example, NetFPGA) and for providing management interfaces compatible with the control plane of a Software Defined Network (SDN). With PvS, we also focus on a potential security vulnerability related to virtual switches, which is the “poisoning” of one control plane app by another, malicious app (Cross-App Poisoning, or CAP, attacks), using virtual switches as a proxy for the attack. To this end, we developed an Information Flow Control (IFC) enforcement solution for virtual switches (vIFC) to detect information flow violations from a malicious app to legitimate apps in the control plane via virtual switches. PvS was evaluated with virtual switches running on a NetFPGA SUME, assessing its effectiveness in securely managing virtual switch instances and preventing information flow violations in the control plane. We analyzed the operational impact of CAP attacks and the protection capabilities that vIFC provides when defending virtual switches, considering two use cases: a reactive forwarding app and the in-band telemetry app. The evaluation provides evidence that PvS is able to provide secure manageability and detect cyberattacks such as Cross-App Poisoning (CAP), without incurring significant overhead for the control plane or the virtual switches.
Format: application/pdf; language: por
Keywords: Software Defined Networks; Programmable Data Planes; virtualization; Fpga; Information flow control (IFC); Data provenance
Title: Managing and securing programmable virtual switches with PvS; alternative title: Gerenciando e protegendo switches virtuais programáveis com PvS
Type: info:eu-repo/semantics/publishedVersion; info:eu-repo/semantics/masterThesis
Institution: Universidade Federal do Rio Grande do Sul, Instituto de Informática, Programa de Pós-Graduação em Computação, Porto Alegre, BR-RS, 2021, master's degree
Rights: info:eu-repo/semantics/openAccess; reponame: Biblioteca Digital de Teses e Dissertações da UFRGS; instname: Universidade Federal do Rio Grande do Sul (UFRGS); instacron: UFRGS
Bitstreams: 001126578.pdf.txt (Extracted Text, text/plain, size 170356, http://www.lume.ufrgs.br/bitstream/10183/249074/2/001126578.pdf.txt, MD5 0b9c8fbf458fb15dc7648d81b33ab4fc); 001126578.pdf (Full text (English), application/pdf, size 1615833, http://www.lume.ufrgs.br/bitstream/10183/249074/1/001126578.pdf, MD5 c820719effb5303c7950c66bc8603e76)
Last modified: 2024-04-03 06:43:57; OAI identifier: oai:www.lume.ufrgs.br:10183/249074; repository: Biblioteca Digital de Teses e Dissertações, https://lume.ufrgs.br/handle/10183/2, https://lume.ufrgs.br/oai/request, contact lume@ufrgs.br; opendoar: 1853
dc.title.pt_BR.fl_str_mv Managing and securing programmable virtual switches with PvS
dc.title.alternative.en.fl_str_mv Gerenciando e protegendo switches virtuais programáveis com PvS
title Managing and securing programmable virtual switches with PvS
spellingShingle Managing and securing programmable virtual switches with PvS
Oliveira, Guilherme Bueno De
Software Defined Networks
Programmable Data Planes
virtualization
Fpga
Information flow control (IFC)
Data provenance
title_short Managing and securing programmable virtual switches with PvS
title_full Managing and securing programmable virtual switches with PvS
title_fullStr Managing and securing programmable virtual switches with PvS
title_full_unstemmed Managing and securing programmable virtual switches with PvS
title_sort Managing and securing programmable virtual switches with PvS
author Oliveira, Guilherme Bueno De
author_facet Oliveira, Guilherme Bueno De
author_role author
dc.contributor.author.fl_str_mv Oliveira, Guilherme Bueno De
dc.contributor.advisor1.fl_str_mv Cordeiro, Weverton Luis da Costa
dc.contributor.advisor-co1.fl_str_mv Azambuja, José Rodrigo Furlanetto de
contributor_str_mv Cordeiro, Weverton Luis da Costa
Azambuja, José Rodrigo Furlanetto de
dc.subject.por.fl_str_mv Software Defined Networks
Programmable Data Planes
virtualization
Fpga
topic Software Defined Networks
Programmable Data Planes
virtualization
Fpga
Information flow control (IFC)
Data provenance
dc.subject.eng.fl_str_mv Information flow control (IFC)
Data provenance
description Virtualization has become an important enabler of several concepts, like cloud computing, network function virtualization, and virtual networks, helping foster innovation and tackle the network ossification that lasted for decades. With programmable data planes following the path of virtualization, existing solutions to deliver the notion of virtual programmable switches fall short in providing effective abstractions of switches that could be managed independently and securely. To bridge this gap, we present PvS, a system for running multiple Programmable Virtual Switches that satisfies these requirements. In our work, we focus on the control engine abstraction, responsible for managing virtual switches running on underlying hardware (e.g., NetFPGA) and for providing management interfaces compatible with the control plane of a Software Defined Network (SDN). With PvS, we also concentrate on a potential security vulnerability regarding virtual switches, which is the “poisoning” between control plane applications (Cross-App Poisoning, or CAP, attacks) by a malicious control plane app, using virtual switches as a proxy for the attack. To this end, we devise an Information Flow Control (IFC) enforcement solution for virtual switches (vIFC), to detect information flow violations from a malicious application to legitimate ones in the control plane through virtual switches. We experimented with PvS using virtual switches running in a NetFPGA SUME, and assessed its effectiveness in securely managing virtual instances and preventing information flow violations in the control plane. We analyzed the operational impact of CAP attacks and the protection capabilities that vIFC provides by defending virtual switches, considering two use cases: a Reactive Forwarding app and the Inband Telemetry app. Our evaluation provides evidence that PvS is effective in providing secure manageability and detecting attacks like Cross-App Poisoning (CAP), while not incurring significant overhead.
publishDate 2021
dc.date.issued.fl_str_mv 2021
dc.date.accessioned.fl_str_mv 2022-09-16T05:02:57Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10183/249074
dc.identifier.nrb.pt_BR.fl_str_mv 001126578
url http://hdl.handle.net/10183/249074
identifier_str_mv 001126578
dc.language.iso.fl_str_mv por
language por
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Biblioteca Digital de Teses e Dissertações da UFRGS
instname:Universidade Federal do Rio Grande do Sul (UFRGS)
instacron:UFRGS
instname_str Universidade Federal do Rio Grande do Sul (UFRGS)
instacron_str UFRGS
institution UFRGS
reponame_str Biblioteca Digital de Teses e Dissertações da UFRGS
collection Biblioteca Digital de Teses e Dissertações da UFRGS
bitstream.url.fl_str_mv http://www.lume.ufrgs.br/bitstream/10183/249074/2/001126578.pdf.txt
http://www.lume.ufrgs.br/bitstream/10183/249074/1/001126578.pdf
bitstream.checksum.fl_str_mv 0b9c8fbf458fb15dc7648d81b33ab4fc
c820719effb5303c7950c66bc8603e76
bitstream.checksumAlgorithm.fl_str_mv MD5
MD5
repository.name.fl_str_mv Biblioteca Digital de Teses e Dissertações da UFRGS - Universidade Federal do Rio Grande do Sul (UFRGS)
repository.mail.fl_str_mv lume@ufrgs.br||lume@ufrgs.br
_version_ 1800309203102859264