P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF
Abstract: Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network. However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time. In this paper, we propose P4Control, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate. P4Control introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work that enforces DIFC at the network level at network line rate. This is achieved through: (1) an in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies; (2) a lightweight eBPF-based primitive deployed on hosts for tracking intra-host information flows. P4Control also provides an expressive policy framework for specifying DIFC policies against different attack scenarios. We conduct extensive evaluations to show that P4Control can effectively prevent cross-host attacks in real time, while maintaining line-rate network performance and imposing minimal overhead on the network and host machines. It is also noteworthy that P4Control can facilitate the realization of a zero trust architecture through its fine-grained least-privilege network access control.
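To make the DIFC rule in the abstract concrete, here is a small Python model added for illustration (it is not the paper's code and does not reproduce P4Control's actual tag encoding or switch pipeline): hosts track per-process secrecy labels (standing in for the eBPF primitive), packets carry their sender's label, and a switch (standing in for the P4 data plane) forwards a packet only if its label is within the destination's clearance. The host names, tag names and policy table are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """A host running the intra-host tracker (model of the eBPF primitive)."""
    name: str
    procs: dict = field(default_factory=dict)  # process -> frozenset of secrecy tags

    def read(self, proc, tags):
        """A process that reads tagged data acquires those tags (taint propagation)."""
        self.procs[proc] = self.procs.get(proc, frozenset()) | frozenset(tags)

    def send(self, proc, dst, payload):
        """Outgoing packets carry the sending process's current label."""
        return {"src": self.name, "dst": dst,
                "label": self.procs.get(proc, frozenset()), "payload": payload}

    def receive(self, proc, pkt):
        """The receiving process inherits the packet's label (cross-host propagation)."""
        self.read(proc, pkt["label"])

class Switch:
    """Model of the in-network enforcement point: forwards only label-conforming packets."""
    def __init__(self, clearance):
        self.clearance = clearance  # dst host -> tags it is cleared to receive (constructed policy)
        self.dropped = []

    def forward(self, pkt):
        # DIFC can-flow rule: every secrecy tag on the packet must lie within the destination's clearance.
        if pkt["label"] <= self.clearance.get(pkt["dst"], frozenset()):
            return True
        self.dropped.append(pkt)
        return False

def lateral_movement_scenario():
    """db -> app is permitted; the relay app -> ext is blocked because app's process is now tainted."""
    db, app = Host("db"), Host("app")
    sw = Switch({"app": frozenset({"db-secret"}), "ext": frozenset()})
    db.read("dbd", {"db-secret"})                      # dbd handles confidential records
    results = []
    p1 = db.send("dbd", "app", "records")              # first hop, inside policy
    results.append(sw.forward(p1))
    if results[-1]:
        app.receive("appd", p1)                        # appd now carries db-secret
    p2 = app.send("appd", "ext", "records")            # second hop toward an uncleared host
    results.append(sw.forward(p2))
    p3 = app.send("httpd", "ext", "index.html")        # untainted process: unrelated traffic still flows
    results.append(sw.forward(p3))
    return results                                     # [True, False, True]
```

The second hop is dropped even though `app` is not where the tagged data originated, which is the end-to-end property the abstract contrasts with per-hop firewall rules.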