Programmable In-network Security (Poise)


Project overview (NSF CNS-1942219)

Poise, or Programmable In-network Security, aims to rethink how to make our future networks fundamentally more secure. Our observation is that many network-based attacks should be mitigated inside the network (instead of at endpoints), but traditional networks can only support simple defenses because they lack programmability. With programmable switches, we can now implement attack detection algorithms in hardware that process every single packet at line rate. Upon detecting an attack, the defense can take action directly at the switch without involving a software controller. Our vision for Poise is to transform the network into a "programmable defense infrastructure" that supports security the way it supports routing.

Concretely, a Poise switch not only forwards traffic, but also applies to it a wide range of defenses; a Poise network not only routes traffic end-to-end, but also swaps defenses along the paths in and out as needed to mitigate attacks. Attacks with mixed vectors would trigger concurrent defenses, and attacks that rapidly change would be met with equally fast defense swapping. In its full force, Poise would toggle a wide array of defenses rapidly on and off as traffic flows through, mitigating attacks in real time.

We're taking three steps to realize this Poise vision, as detailed below.

1. The switch as a defense platform

Our first step is to transform a programmable switch into a defense platform that runs a wide range of "defense apps". The key challenge lies in the limited programming model and resources in a network switch. Our key solution is to leverage software/hardware codesign, which divides a defense app into a hardware component that needs to be invoked per packet, a software component that only needs to be involved per batch, and an interface that permits bi-directional communications.

  • NetWarden [USENIX Security 2020] outlines design principles for software/hardware codesign for network security applications. It applies these design principles to a concrete use case: mitigating network covert channels.

  • Poise [USENIX Security 2020] is an advanced access control system for "context-aware" security. Poise comes with a high-level policy language, with which users can easily specify a wide range of context-aware policies. Our compiler then generates switch programs that implement these policies entirely in hardware.

  • Poseidon [NDSS 2020] is a programmable defense system against volumetric DDoS attacks. It has a resource management mechanism that generates optimized mappings from defenses to the available defense resources: both programmable switches and server-based defense software.

  • NetHCF [ICNP 2019] is a defense system that detects and filters spoofed traffic at programmable switches. It relies on the mapping from source addresses to the hop counts inferred from TTL values (i.e., hop-count-based filtering) to recognize potential spoofing.
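To make the hop-count filtering idea behind NetHCF concrete, here is an added Python simulation of the technique; it is not NetHCF's own code (the paper's data plane is a P4 program on the switch), and it assumes that initial TTLs are one of 32/64/128/255 and that the source-to-hop-count table is learned per /24 prefix from trusted traffic.

```python
# Hop-count filtering simulated in Python (constructed example, not NetHCF).
from collections import Counter
from ipaddress import ip_network

# Assumption: the sender's initial TTL is the smallest common OS default
# that is >= the TTL observed at the switch.
INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl: int) -> int:
    """Infer the number of hops a packet has travelled from its TTL."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init - observed_ttl
    raise ValueError("TTL must be in 0..255")

class HopCountFilter:
    """Learn prefix -> hop count from trusted traffic; flag mismatches."""
    def __init__(self, prefix_len: int = 24, tolerance: int = 0):
        self.prefix_len = prefix_len
        self.tolerance = tolerance   # allowed hop-count drift (route changes)
        self.table = {}              # prefix -> Counter of observed hop counts

    def _key(self, src: str) -> str:
        return str(ip_network(f"{src}/{self.prefix_len}", strict=False))

    def learn(self, src: str, ttl: int) -> None:
        """Record a trusted observation (e.g. from an established TCP flow)."""
        self.table.setdefault(self._key(src), Counter())[hop_count(ttl)] += 1

    def expected_hops(self, src: str):
        counts = self.table.get(self._key(src))
        return counts.most_common(1)[0][0] if counts else None

    def is_spoofed(self, src: str, ttl: int) -> bool:
        expected = self.expected_hops(src)
        if expected is None:
            return False             # unknown prefix: nothing to compare against
        return abs(hop_count(ttl) - expected) > self.tolerance

def run_demo():
    """Constructed traffic: 203.0.113.0/24 is 12 hops away (TTL 64 - 12 = 52)."""
    hcf = HopCountFilter()
    for host in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        hcf.learn(host, 52)
    # A spoofed packet claiming the same prefix but arriving with TTL 118
    # (128 - 10 hops) disagrees with the learned 12 hops and is flagged.
    return {
        "legit": hcf.is_spoofed("203.0.113.77", 52),
        "spoofed": hcf.is_spoofed("203.0.113.77", 118),
        "unknown": hcf.is_spoofed("198.51.100.1", 10),
    }
```

In NetHCF the hot part of this table lives on the switch and the rest on a server; the simulation keeps everything in one dictionary.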

2. The network as a defense fleet

Our next step aims to transform a programmable network into a defense fleet, by architecting the individual defenses developed in the first step into the network paths, and synchronizing them for network-wide attack detection and mitigation. The key challenge we need to tackle is decentralization: the defenses need to synchronize their local views and decisions with each other without going through a central controller.

  • FastFlex [HotNets 2019] outlines the approach that we're taking to this decentralized defense design. It proposes the abstraction of a multimode data plane, which normally operates in an optimal mode, but can enter and exit defense modes at RTT timescales upon attacks.

3. Securing the defenses

Last but not least, Poise seeks to ensure that the individual defenses, as well as their composition, are themselves secure against attacks. We are developing program analysis techniques to understand potential risks in the defenses and mitigate them.

  • Automated attack discovery [CSET 2019] describes a new class of attack vectors against systems that rely on programmable switches, and outlines steps towards discovering such attack vectors automatically.

Publications

  • Mitigating Network Covert Channels while Preserving Performance
    Jiarong Xing, Qiao Kang, and Ang Chen
    USENIX Security 2020 [PDF] [Code]

  • Programmable In-Network Security for Context-aware BYOD Policies
    Qiao Kang, Lei Xue, Adam Morrison, Yuxin Tang, Ang Chen, and Xiapu Luo
    USENIX Security 2020 [PDF] [Code]

  • Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches
    Menghao Zhang, Guanyu Li, Shicheng Wang, Chang Liu, Ang Chen, Hongxin Hu, Guofei Gu, Qi Li, Mingwei Xu, and Jianping Wu
    NDSS 2020 [PDF]

  • Architecting Programmable Data Plane Defenses into the Network with FastFlex
    Jiarong Xing, Wenqing Wu, and Ang Chen
    HotNets 2019 [PDF]

  • NetHCF: Enabling Line-rate and Adaptive Spoofed IP Traffic Filtering
    Guanyu Li, Menghao Zhang, Chang Liu, Xiao Kong, Ang Chen, Guofei Gu, and Haixin Duan
    ICNP 2019 [PDF]

  • Automated Attack Discovery in Data Plane Systems
    Qiao Kang, Jiarong Xing, and Ang Chen
    CSET 2019 [PDF]

  • NetWarden: Mitigating Network Covert Channels without Performance Loss
    Jiarong Xing, Adam Morrison, and Ang Chen
    HotCloud 2019 [PDF]

  • Enforcing Context-Aware BYOD Policies with In-Network Security
    Adam Morrison, Lei Xue, Ang Chen, and Xiapu Luo
    HotCloud 2018 [PDF]