Programmable In-network Security (Poise)
Poise, or Programmable In-network Security, aims to rethink how to make our future networks fundamentally more secure.
Our observation is that many network-based attacks should be mitigated inside the network (instead of at endpoints),
but traditional networks can only support simple defenses because they lack programmability.
With programmable switches, we can now develop attack detection algorithms in hardware to process every single packet at high speed.
Upon detecting an attack, the defense can directly take actions at the switch without involving a software controller.
Our vision for Poise is to transform the network into a "programmable defense infrastructure" that can support security as routing.
Concretely, a Poise switch not only forwards traffic, but also applies
to it a wide range of defenses; a Poise network not only routes traffic end-to-end, but also swaps
defenses along the paths in and out as needed to mitigate attacks. Attacks with mixed vectors would trigger concurrent defenses,
and attacks that rapidly change would be met with equally fast defense swapping. In its full force, Poise would toggle a wide
array of defenses rapidly on and off as traffic flows through, mitigating attacks in real time.
We're taking three steps to realize this Poise vision, as detailed below.
1. The switch as a defense platform
Our first step is to transform a programmable switch into a defense platform that runs a wide range of "defense apps".
The key challenge lies in the limited programming model and resources in a network switch. Our key solution is to
leverage software/hardware codesign, which divides a defense app into a hardware component that needs to be invoked
per packet, a software component that only needs to be involved per batch, and an interface that permits bi-directional
NetWarden [USENIX Security 2020]
outlines design principles for software/hardware codesign for network security applications.
It applies these design principles to a concrete use case: mitigating network covert channels.
Poise [USENIX Security 2020]
is an advanced access control system for "context-aware" security.
Poise comes with a high-level policy language, with which users can easily specify a wide range of context-aware policies. Our compiler then
generates switch programs that implement these policies entirely in hardware.
Poseidon [NDSS 2020]
is a programmable defense system against volumetric DDoS attacks. It has a resource management
mechanism that generates optimized mappings from defenses to the available defense resources, both programmable
switches and server-based defense software.
NetHCF [ICNP 2019]
is a defense system that detects and filters spoofed traffic at programmable switches. It relies on the mapping
between source addresses and their TTL values (i.e., hop-count-based filtering) to recognize potential spoofing.
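The hop-count check behind this kind of filtering, written out as an added Python illustration (not NetHCF's own P4 switch program): the sender's initial TTL is guessed as the smallest common default at or above the observed TTL, the difference gives the hop count, and a packet whose hop count disagrees with the value learned for its source prefix is treated as spoofed. The candidate initial-TTL set, the /24 prefix granularity and the sample addresses are assumptions of this example, not values from the page.

```python
from ipaddress import ip_network
from typing import Dict, Optional

# Assumed candidate set of default initial TTLs used by common operating
# systems; not a value taken from the page.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl: int) -> Optional[int]:
    """Map an observed IPv4 TTL to a hop count, assuming the sender started
    from the smallest common initial TTL that is >= the observed value."""
    if not 0 < ttl <= 255:
        return None
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None


class HopCountFilter:
    """Learn a source-prefix -> hop-count table from trusted traffic, then
    flag packets whose inferred hop count deviates by more than `slack`."""

    def __init__(self, prefix_len: int = 24, slack: int = 0) -> None:
        self.prefix_len = prefix_len
        self.slack = slack
        self.table: Dict[str, int] = {}

    def _key(self, src: str) -> str:
        return str(ip_network(f"{src}/{self.prefix_len}", strict=False))

    def learn(self, src: str, ttl: int) -> None:
        hc = infer_hop_count(ttl)
        if hc is not None:
            self.table[self._key(src)] = hc

    def is_spoofed(self, src: str, ttl: int) -> bool:
        hc = infer_hop_count(ttl)
        expected = self.table.get(self._key(src))
        if hc is None or expected is None:
            return False  # unseen prefix: no learned value to compare against
        return abs(hc - expected) > self.slack


def demo() -> Dict[str, bool]:
    """Constructed traffic: learn from one legitimate flow, then classify probes."""
    hcf = HopCountFilter(prefix_len=24, slack=1)
    hcf.learn("203.0.113.5", 52)  # initial TTL 64, so 12 hops away
    return {
        "203.0.113.77/51": hcf.is_spoofed("203.0.113.77", 51),  # 13 hops, within slack
        "203.0.113.9/120": hcf.is_spoofed("203.0.113.9", 120),  # 8 hops, mismatch
        "198.51.100.1/60": hcf.is_spoofed("198.51.100.1", 60),  # prefix never learned
    }
```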
2. The network as a defense fleet
Our next step aims to transform a programmable network into a defense fleet, by architecting the individual defenses developed in the
first step into the network paths, and synchronizing them for network-wide attack detection and mitigation. The key challenge
we need to tackle is decentralization: the defenses need to synchronize their local views and decisions with each other without
going through a central controller.
FastFlex [HotNets 2019]
outlines the approach that we're taking to this decentralized defense design. It proposes the abstraction of a
multimode data plane, which normally operates in an optimal mode, but can enter and exit defense modes at RTT timescales.
3. Securing the defenses
Last but not least, Poise seeks to ensure that the individual defenses, as well as their composition, are themselves secure
against attacks. We are developing program analysis techniques to understand potential risks in the defenses and mitigate them.
Automated attack discovery [CSET 2019]
describes a new class of attack vectors to systems that rely on programmable switches, and outlines steps towards
discovering the attack vectors automatically.
- Mitigating Network Covert Channels while Preserving Performance
Jiarong Xing, Qiao Kang, and Ang Chen
USENIX Security 2020 [PDF] [Code]
- Programmable In-Network Security for Context-aware BYOD Policies
Qiao Kang, Lei Xue, Adam Morrison, Yuxin Tang, Ang Chen, and Xiapu Luo
USENIX Security 2020 [PDF] [Code]
- Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches
Menghao Zhang, Guanyu Li, Shicheng Wang, Chang Liu, Ang Chen, Hongxin Hu, Guofei Gu, Qi Li, Mingwei Xu, and Jianping Wu
NDSS 2020 [PDF]
- Architecting Programmable Data Plane Defenses into the Network with FastFlex
Jiarong Xing, Wenqing Wu, and Ang Chen
HotNets 2019 [PDF]
- NetHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering
Guanyu Li, Menghao Zhang, Chang Liu, Xiao Kong, Ang Chen, Guofei Gu, and Haixin Duan
ICNP 2019 [PDF]
- Automated Attack Discovery in Data Plane Systems
Qiao Kang, Jiarong Xing, and Ang Chen
CSET 2019 [PDF]
- NetWarden: Mitigating Network Covert Channels without Performance Loss
Jiarong Xing, Adam Morrison, and Ang Chen
HotCloud 2019 [PDF]
- Enforcing Context-Aware BYOD Policies with In-Network Security
Adam Morrison, Lei Xue, Ang Chen, and Xiapu Luo
HotCloud 2018 [PDF]