Managing and securing programmable virtual switches with PvS
Main author: | Oliveira, Guilherme Bueno De |
---|---|
Advisor: | Cordeiro, Weverton Luis da Costa |
Co-advisor: | Azambuja, José Rodrigo Furlanetto de |
Publication date: | 2021 |
Document type: | Master's thesis (Dissertação) |
Language: | por (Portuguese) |
Source: | Biblioteca Digital de Teses e Dissertações da UFRGS |
Full text: | http://hdl.handle.net/10183/249074 |
Abstract: | Virtualization has become an important enabler of several concepts, such as cloud computing, network function virtualization, and virtual networks, helping to foster innovation and to tackle the network ossification that lasted for decades. With programmable data planes following the path of virtualization, existing solutions for delivering the notion of virtual programmable switches fall short in providing effective abstractions of switches that can be managed independently and securely. To bridge this gap, we present PvS, a system for running multiple Programmable Virtual Switches that satisfies these requirements. In our work, we focus on the control engine abstraction, which is responsible for managing virtual switches running on underlying hardware (e.g., NetFPGA) and for providing management interfaces compatible with the control plane of a Software Defined Network (SDN). With PvS, we also address a potential security vulnerability of virtual switches: the "poisoning" of one control plane application by another, malicious one (Cross-App Poisoning, or CAP, attacks), using virtual switches as a proxy for the attack. To this end, we devise an Information Flow Control (IFC) enforcement solution for virtual switches (vIFC) to detect information flow violations from a malicious application to legitimate ones in the control plane through virtual switches. We evaluated PvS using virtual switches running on a NetFPGA SUME, and assessed its effectiveness in securely managing virtual instances and preventing information flow violations in the control plane. We analyzed the operational impact of CAP attacks and the protection that vIFC provides by defending virtual switches in two use cases: a Reactive Forwarding app and the In-band Telemetry app. Our evaluation provides evidence that PvS is effective in providing secure manageability and in detecting attacks such as Cross-App Poisoning (CAP), without incurring significant overhead on the control plane or on the virtual switches. |
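The CAP scenario and the information-flow check described in the abstract, as an added example that is not part of the thesis record or of the PvS/vIFC implementation. The control engine below mediates every app access to virtual-switch state, records which app wrote each item (provenance), and checks each write-to-read pair against a Biba-style "no read down" integrity rule, so that data written by a less trusted app is caught before a more trusted app consumes it. The app names, integrity labels, table keys, the choice of a Biba-style rule and the block-versus-log-only switch are assumptions made for this illustration.

```python
"""Toy information-flow monitor for virtual-switch state shared by SDN
control-plane apps.

Added illustration, not the thesis's vIFC code. Assumptions: each app has
a static integrity label (higher = more trusted), the control engine
mediates every read and write of virtual-switch state, and each written
item keeps provenance (the app that wrote it). A read is an information
flow writer -> reader; under a Biba-style "no read down" rule the flow is
a violation when the writer is less trusted than the reader, which is
the proxy path a Cross-App Poisoning attack relies on.
"""
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass(frozen=True)
class Provenance:
    app: str     # app that last wrote this item of switch state
    label: int   # integrity label of that app at write time


@dataclass(frozen=True)
class Violation:
    source_app: str  # less trusted writer
    sink_app: str    # more trusted reader
    switch: str
    key: str


@dataclass
class VirtualSwitch:
    name: str
    state: dict = field(default_factory=dict)  # key -> value
    prov: dict = field(default_factory=dict)   # key -> Provenance


class IFCEngine:
    """Control engine that checks every cross-app write->read pair."""

    def __init__(self, app_labels: dict, enforce: bool = True):
        self.app_labels = dict(app_labels)  # app name -> integrity label
        self.enforce = enforce              # True: block the read; False: log only
        self.switches: dict = {}
        self.violations: list = []

    def add_switch(self, name: str) -> None:
        self.switches[name] = VirtualSwitch(name)

    def write(self, app: str, switch: str, key: str, value: Any) -> None:
        sw = self.switches[switch]
        sw.state[key] = value
        sw.prov[key] = Provenance(app, self.app_labels[app])

    def read(self, app: str, switch: str, key: str) -> Optional[Any]:
        sw = self.switches[switch]
        p = sw.prov.get(key)
        if p is None:
            return None
        if p.label < self.app_labels[app]:
            # Data written by a less trusted app would flow into a more
            # trusted one: record the violation, drop the read if enforcing.
            self.violations.append(Violation(p.app, app, switch, key))
            if self.enforce:
                return None
        return sw.state[key]


def cap_scenario(enforce: bool = True):
    """Constructed scenario: a benign forwarding -> telemetry flow, then a
    CAP attempt through the same virtual switch. Names and labels are
    assumptions for the example."""
    eng = IFCEngine({"reactive_fwd": 3, "int_telemetry": 2, "rogue_app": 1},
                    enforce=enforce)
    eng.add_switch("vswitch0")

    # Benign: the forwarding app installs a rule; the telemetry app reads
    # the table to learn which flows to monitor (label 3 -> 2 is allowed).
    eng.write("reactive_fwd", "vswitch0", "flow:10.0.0.1->10.0.0.2",
              {"out_port": 2})
    rule = eng.read("int_telemetry", "vswitch0", "flow:10.0.0.1->10.0.0.2")

    # CAP attempt: the rogue app overwrites the host-location entry that
    # the forwarding app consults, hoping to redirect traffic (label 1 -> 3).
    eng.write("rogue_app", "vswitch0", "host:10.0.0.2", {"port": 7})
    loc = eng.read("reactive_fwd", "vswitch0", "host:10.0.0.2")
    return eng.violations, rule, loc


if __name__ == "__main__":
    violations, rule, loc = cap_scenario()
    print("telemetry read:", rule)   # {'out_port': 2}
    print("forwarding read:", loc)   # None: the poisoned entry was dropped
    for v in violations:
        print(f"CAP flow {v.source_app} -> {v.sink_app} via {v.switch}[{v.key}]")
```

With `enforce=False` the engine behaves as a detector only: the poisoned entry is returned to the forwarding app, but the violation is still recorded, which is the mode to use when first measuring how an existing app mix interacts through the virtual switches before turning enforcement on.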

Title: | Managing and securing programmable virtual switches with PvS |
---|---|
Alternative title: | Gerenciando e protegendo switches virtuais programáveis com PvS |
Author: | Oliveira, Guilherme Bueno De |
Advisor: | Cordeiro, Weverton Luis da Costa |
Co-advisor: | Azambuja, José Rodrigo Furlanetto de |
Subjects (pt): | Redes Definidas por Software; Plano de Dados Programáveis; virtualização; Fpga |
Subjects (en): | Information flow control (IFC); Data provenance |
Institution: | Universidade Federal do Rio Grande do Sul (UFRGS), Instituto de Informática, Programa de Pós-Graduação em Computação, Porto Alegre, BR-RS |
Degree: | mestrado (master's) |
Date issued: | 2021 |
Date accessioned: | 2022-09-16T05:02:57Z |
Record last updated: | 2024-04-03 |
Type: | info:eu-repo/semantics/masterThesis; info:eu-repo/semantics/publishedVersion |
Identifier (URI): | http://hdl.handle.net/10183/249074 |
Identifier (NRB): | 001126578 |
OAI identifier: | oai:www.lume.ufrgs.br:10183/249074 |
Language: | por |
Rights: | info:eu-repo/semantics/openAccess |
Format: | application/pdf |
Files: | http://www.lume.ufrgs.br/bitstream/10183/249074/1/001126578.pdf (full text, English, application/pdf, 1615833 bytes, MD5 c820719effb5303c7950c66bc8603e76); http://www.lume.ufrgs.br/bitstream/10183/249074/2/001126578.pdf.txt (extracted text, text/plain, 170356 bytes, MD5 0b9c8fbf458fb15dc7648d81b33ab4fc) |
Repository: | Biblioteca Digital de Teses e Dissertações da UFRGS - Universidade Federal do Rio Grande do Sul (UFRGS), https://lume.ufrgs.br/, contact lume@ufrgs.br |