Issue No.06 - Nov.-Dec. (2012 vol.9)
pp: 798-810
Danai Chasaki , University of Massachusetts, Amherst
Tilman Wolf , University of Massachusetts, Amherst
ABSTRACT
Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate—to our knowledge the first—practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.
INDEX TERMS
Program processors, Routing protocols, Computer crime, Internet, Network security, Embedded systems, embedded system security, network attack, programmable router, network processor, processing monitor
CITATION
Danai Chasaki, Tilman Wolf, "Attacks and Defenses in the Data Plane of Networks", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 6, pp. 798-810, Nov.-Dec. 2012, doi:10.1109/TDSC.2012.50