MINOS

Authors: Lei Xu, Ke Xu, Meng Shen, Kui Ren, Jingyuan Fan

DOI: 10.1145/3063955.3063996

Keywords:

Abstract: Programmable routers are emerging as a promising alternative to conventional routers, facilitating the deployment of new network technologies such as software-defined networking; at the same time, their programmability and openness also bring the risk of security vulnerabilities. Prior work has concentrated on code encryption to improve the honesty of router actions. In this paper, we explore the feasibility of regulating router actions in run-time dataplanes by detecting unexpected packet processing operations, which finally provides an honest, backdoor-proof dataplane for operators. The main challenge is how to monitor and regulate the dataplane in a dynamic runtime environment. We therefore propose Minos, a framework for regulating router dataplanes. Minos takes an Action Identifier (AID) as input, performs a lookup in a pre-defined white list called the Regulated Action Table (RAT), and verifies whether that action is normal or abnormal. In this way it achieves a pair of seemingly irreconcilable goals in security, i.e., low cost and high effectiveness. We implement and evaluate Minos on Click and DPDK separately. Our evaluation results show that Minos captures mal-actions with 2 megabytes of spatial overhead and no more than 9% performance loss on both Click and DPDK.
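To make the abstract's regulation step concrete, the following is an added illustration of the whitelist idea (an Action Identifier looked up in a Regulated Action Table), not code from the Minos paper or its Click/DPDK implementation. How Minos actually derives AIDs and lays out the RAT is not stated in the abstract; the FNV-1a hash over (element, configuration, output port), the open-addressed table, and the sample pipelines below are assumptions made for this example. The pipelines are constructed: a trusted Click-style forwarding path, and a runtime path with one extra forwarding action that a backdoor might add.

```c
/* Added example: whitelist-based regulation of dataplane actions.
 * AID scheme, table layout and pipelines are assumptions, not Minos's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAT_SIZE 64  /* slots in the open-addressed whitelist (assumed) */

/* One packet-processing action: element, its configuration, output port. */
typedef struct { const char *element; const char *config; int out_port; } action_t;

/* Assumed AID: FNV-1a 64-bit hash over the fields that define the action. */
static uint64_t aid_of(const action_t *a) {
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { a->element, a->config };
    for (int i = 0; i < 2; i++) {
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
            h ^= *p; h *= 1099511628211ULL;
        }
        h ^= 0xff; h *= 1099511628211ULL;  /* field separator */
    }
    h ^= (uint64_t)(uint32_t)a->out_port; h *= 1099511628211ULL;
    return h;
}

/* Regulated Action Table: a set of whitelisted AIDs, linear probing. */
typedef struct { uint64_t slot[RAT_SIZE]; bool used[RAT_SIZE]; } rat_t;

static bool rat_insert(rat_t *t, uint64_t aid) {
    for (int i = 0; i < RAT_SIZE; i++) {
        size_t k = (size_t)((aid + (uint64_t)i) % RAT_SIZE);
        if (!t->used[k]) { t->used[k] = true; t->slot[k] = aid; return true; }
        if (t->slot[k] == aid) return true;
    }
    return false;  /* table full */
}

static bool rat_contains(const rat_t *t, uint64_t aid) {
    for (int i = 0; i < RAT_SIZE; i++) {
        size_t k = (size_t)((aid + (uint64_t)i) % RAT_SIZE);
        if (!t->used[k]) return false;
        if (t->slot[k] == aid) return true;
    }
    return false;
}

/* Build the whitelist from the operator's trusted configuration. */
static void rat_build(rat_t *t, const action_t *trusted, size_t n) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < n; i++) rat_insert(t, aid_of(&trusted[i]));
}

/* Check observed runtime actions against the RAT. Returns the number of
 * mal-actions (AIDs absent from the whitelist); records the first index. */
static size_t regulate(const rat_t *t, const action_t *obs, size_t n, size_t *first_bad) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!rat_contains(t, aid_of(&obs[i]))) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample pipelines (Click-style element names). */
static const action_t TRUSTED[] = {
    { "FromDevice", "eth0", 0 }, { "Classifier", "12/0800", 0 },
    { "CheckIPHeader", "14", 0 }, { "ToDevice", "eth1", 1 },
};
static const action_t OBSERVED[] = {
    { "FromDevice", "eth0", 0 }, { "Classifier", "12/0800", 0 },
    { "CheckIPHeader", "14", 0 }, { "ToDevice", "eth1", 1 },
    { "ToDevice", "eth1", 7 },  /* unexpected: copies traffic out port 7 */
};
#define N_TRUSTED  (sizeof TRUSTED / sizeof *TRUSTED)
#define N_OBSERVED (sizeof OBSERVED / sizeof *OBSERVED)

static size_t demo_trusted_clean(void) {  /* expected 0 */
    rat_t rat; rat_build(&rat, TRUSTED, N_TRUSTED);
    return regulate(&rat, TRUSTED, N_TRUSTED, NULL);
}
static size_t demo_detected(void) {       /* expected 1 */
    rat_t rat; rat_build(&rat, TRUSTED, N_TRUSTED);
    return regulate(&rat, OBSERVED, N_OBSERVED, NULL);
}
static size_t demo_first_bad(void) {      /* expected 4 */
    rat_t rat; size_t first = 0;
    rat_build(&rat, TRUSTED, N_TRUSTED);
    regulate(&rat, OBSERVED, N_OBSERVED, &first);
    return first;
}

int main(void) {
    size_t first = demo_first_bad();
    printf("mal-actions: %zu (first: %s %s -> port %d)\n", demo_detected(),
           OBSERVED[first].element, OBSERVED[first].config, OBSERVED[first].out_port);
    return 0;
}
```

The point the example isolates is that the same element with the same configuration but a different output port yields a different AID, so an action the operator never configured is caught even though every element name in the runtime pipeline is legitimate. A real regulator would key the AID on whatever uniquely identifies an action in its dataplane (the abstract does not say what Minos uses) and would have to keep the lookup cheap enough to sit on the packet path, which is the cost/effectiveness trade-off the abstract refers to.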

References (18)
Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, Geoff Pike. Enforcing forward-edge control-flow integrity in GCC & LLVM. USENIX Security Symposium, pp. 941-955 (2014).
Nick McKeown, Isaac Keslassy, Guido Appenzeller. Sizing router buffers (2005).
David A. Maltz, Jibin Zhan, Geoffrey Xie, Hui Zhang, Gísli Hjálmtýsson, Albert Greenberg, Jennifer Rexford. Structure preserving anonymization of router configuration data. Internet Measurement Conference, pp. 239-244 (2004). DOI: 10.1145/1028788.1028819
Eddie Kohler, Robert Morris, Benjie Chen, John Jannotti, M. Frans Kaashoek. The Click modular router. ACM Transactions on Computer Systems, vol. 18, pp. 263-297 (2000). DOI: 10.1145/354871.354874
John Criswell, Nathan Dautenhahn, Vikram Adve. KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels. IEEE Symposium on Security and Privacy, pp. 292-307 (2014). DOI: 10.1109/SP.2014.26
Ke Xu, Wenlong Chen, Chuang Lin, Mingwei Xu, Dongchao Ma, Yi Qu. Toward a practical reconfigurable router: a software component development approach. IEEE Network, vol. 28, pp. 74-80 (2014). DOI: 10.1109/MNET.2014.6915443
Sherri Sparks, Shawn Embleton, Cliff C. Zou. A chipset level network backdoor. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (ASIACCS '09), pp. 125-134 (2009). DOI: 10.1145/1533057.1533076
David Naylor, Matthew K. Mukerjee, Peter Steenkiste. Balancing accountability and privacy in the network. ACM SIGCOMM, vol. 44, pp. 75-86 (2014). DOI: 10.1145/2619239.2626306
Tiffany Hyun-Jin Kim, Cristina Basescu, Limin Jia, Soo Bum Lee, Yih-Chun Hu, Adrian Perrig. Lightweight source authentication and path validation. ACM SIGCOMM, vol. 44, pp. 271-282 (2014). DOI: 10.1145/2619239.2626323
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. Control-flow integrity. Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 340-353 (2005). DOI: 10.1145/1102120.1102165