Detalhes bibliográficos
| Ano de defesa: |
2021 |
| Autor(a) principal: |
Oliveira, Guilherme Bueno De |
| Orientador(a): |
Cordeiro, Weverton Luis da Costa |
| Banca de defesa: |
Não Informado pela instituição |
| Tipo de documento: |
Dissertação
|
| Tipo de acesso: |
Acesso aberto |
| Idioma: |
por |
| Instituição de defesa: |
Não Informado pela instituição
|
| Programa de Pós-Graduação: |
Não Informado pela instituição
|
| Departamento: |
Não Informado pela instituição
|
| País: |
Não Informado pela instituição
|
| Palavras-chave em Português: |
|
| Palavras-chave em Inglês: |
|
| Link de acesso: |
http://hdl.handle.net/10183/249074
|
Resumo: |
Virtualization has become an important enabler of several concepts, like cloud computing, network function virtualization, and virtual networks, helping foster innovation and tackle the network ossification that lasted for decades. With programmable data planes following the path of virtualization, existing solutions to deliver the notion of virtual programmable switches fall short in providing effective abstractions of switches that could be managed independently and securely. To bridge this gap, we present PvS, a system for running multiple Programmable Virtual Switches that satisfies these requirements. In our work, we focus on the control engine abstraction, responsible for managing virtual switches running in an underlying hardware (e.g., NetFPGA) and for providing compatible management interfaces with the control plane of a Software Defined Network (SDN). With PvS, we also concentrate on a potential security vulnerability regarding virtual switches, which is the “poisoning” between control plane applications (Cross-App Poisoning, or CAP, attacks) by a malicious control plane app, using virtual switches as proxy for the attack. To this end, we devise an Information Flow Control (IFC) enforcement solution to virtual switches (vIFC), to detect information flow violations from a malicious application to legitimate ones in the control plane through virtual switches. We experimented PvS using virtual switches running in a NetFPGA SUME, and assessed its effectiveness to securely manage virtual instances and prevent information flow violation in the control plane. We analyzed the operational impact of CAP attacks and the protection capabilities that vIFC provides by defending virtual switches considering two use cases: a Reactive Forwarding app, and the Inband Telemetry app. Our evaluation provides evidence that PvS is effective in providing secure manageability and detect attacks like the Cross-App Poisoning (CAP), while not incurring significant overhead. |
