EAGER: USBRCCR: Collaborative: Securing Networks in the Programmable Data Plane Era

EAGER：USBRCCR：协作：确保可编程数据平面时代的网络安全

• 批准号: 1740911
• 负责人: Kirill Levchenko
• 金额: $ 20万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1740911&HistoricalAwards=false
• 关键词: EAGER; USBRCCR; Collaborative; Securing; Networks

Recent advances in software-defined networking (SDN) and programmable data planes allow datacenter and enterprise network operators to quickly deploy new protocols, customize network behavior, and develop innovative services. These advances promise to improve and streamline network operations, improving the quality of service provided to end users. However programmable data planes also introduce new complexities to network management, notably, ensuring that the network satisfies critical security properties. Current network verification and analysis tools cannot handle these complex new networks. This work aims to address three important problems at the intersection of networking and computer security: First, the work proposes to develop new techniques that allow operators to verify that their network satisfies security properties like tenant isolation in a cloud hosting environment. Second, this work proposes to use the data plane to implement a security mechanism to enforce security properties, an approach that complements verification as a way to ensure correct network behavior. Finally, the work proposes to develop new security services that leverage the capabilities of a programmable data plane. Results of the proposed work will promote the adoption of more secure and flexible next-generation networks by providing operators the tools necessary to verify and enforce critical network security properties. As programmable data planes are poised to transform modern the architecture of modern networks, the proposed work will advance the current state of the art in networking by extending verification and enforcement techniques to programmable data plane networks, for which neither network verification nor security policy mechanisms currently exist. To do so, investigators will transform data plane programs, expressed in P4, into assertions suitable for analysis using existing network verification tools based on SMT solvers. Investigators will also develop a security kernel implemented as a P4 data plane program to enforce network-wide security properties at run time. Finally, this work will also develop new data plane services that will enable a new class of security functions to be deployed in the network in order to improve the overall security of computer networks.

软件定义网络（SDN）和可编程数据平面的最新进展使数据中心和企业网络运营商可以快速部署新协议，自定义网络行为并开发创新服务。这些进步有望改善和简化网络操作，改善提供给最终用户的服务质量。但是，可编程数据平面还为网络管理引入了新的复杂性，尤其是确保网络满足关键安全属性。当前的网络验证和分析工具无法处理这些复杂的新网络。这项工作旨在解决网络和计算机安全交集的三个重要问题：首先，该工作提议开发新技术，使操作员可以验证其网络满足诸如云托管环境中的租户隔离之类的安全属性。其次，这项工作建议使用数据平面实施安全机制来强制安全属性，该方法将验证作为确保正确网络行为的一种方法。最后，这项工作建议开发新的安全服务，以利用可编程数据平面的功能。拟议工作的结果将通过为操作员提供验证和执行关键网络安全属性所需的工具来促进采用更安全和灵活的下一代网络。由于可编程数据平面有望改变现代现代网络的架构，因此拟议的工作将通过将验证和执行技术扩展到可编程数据平面网络，而网络验证和当前既不存在安全策略机制。为此，调查人员将在P4中表达的数据平面程序转换为适合使用基于SMT求解器的现有网络验证工具分析的断言。调查人员还将开发一个安全内核，该安全内核作为P4数据平面程序实施，以在运行时执行网络范围的安全属性。最后，这项工作还将开发新的数据平面服务，该服务将使新的安全功能可以在网络中部署，以改善计算机网络的整体安全性。

项目成果

Uncovering Bugs in P4 Programs with Assertion-based Verification

• DOI: 10.1145/3185467.3185499
• 发表时间: 2018-03
• 期刊: Proceedings of the Symposium on SDN Research
• 作者: Lucas Freire;M. Neves;Lucas Leal;Kirill Levchenko;A. E. S. Filho;M. Barcellos

Dynamic Property Enforcement in Programmable Data Planes

• DOI: 10.1109/tnet.2021.3068339
• 发表时间: 2021-08
• 期刊: IEEE/ACM Transactions on Networking
• 作者: M. Neves;B. Huffaker;Kirill Levchenko;M. Barcellos

Verification of P4 Programs in Feasible Time Using Assertions

使用断言在可行时间内验证 P4 程序

• DOI: 10.1145/3281411.3281421
• 发表时间: 2018
• 期刊: Proceedings of the International Conference on emerging Networking EXperiments and Technologies
• 作者: Neves, Miguel;Freire, Lucas;Schaeffer-Filho, Alberto;Barcellos, Marinho
• 通讯作者: Barcellos, Marinho