In-network protocol verification
We have pursued our work on verifying that hosts behave according to a protocol specification by monitoring their communication at the network level. Network protocols can be subject to attacks by non-compliant or misbehaving end-hosts that exploit protocol vulnerabilities. At the application layer, protocol verification has been used to reveal potential vulnerabilities. Once exposed, protocol vulnerabilities can be patched with some effort. However, patching at scale becomes very challenging when the concerned protocol lies at the core of the Internet and affects primary services. For example, TCP's evolution over time did not address security issues, in order to maintain backward compatibility, and some attacks abusing TCP congestion mechanisms still exist. We use this fundamental protocol as an example for our research on defeating protocol abuse at the data-plane level, i.e. directly within the network on switches. In a nutshell, we proposed to use an Extended Finite-State Machine (EFSM) to model the protocol behaviour to be monitored, and a method to map this EFSM to a P4 program adhering to P4's restricted computing model. P4 is the current de facto framework (programming language and architecture) for programming the data plane of programmable (hardware) switches. We performed an experimental evaluation demonstrating the effectiveness of the proposed method.
The results show that our solution successfully mitigates unfair bandwidth sharing caused by TCP-related attacks. Results have been published in IFIP Networking 2020 and IEEE TNSM 2021.
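To make the EFSM idea concrete, the following is an added illustration (not code from the paper or from the authors' P4 implementation) of a toy in-network TCP verifier. Each flow keeps a state plus a handful of integer registers (the EFSM's extended variables); every packet costs one exact-match lookup on (state, direction, flags) and a constant amount of arithmetic, which is the shape of computation a P4 pipeline can express. The packet traces, register layout and guard/action names are constructed for this example; sequence numbers are plain integers without 32-bit wraparound, and only SYN/ACK/FIN/RST are matched.

```python
"""Toy in-network TCP verifier as an Extended Finite-State Machine (EFSM).

Added illustration, not the paper's code. Per-flow registers stand in for
P4 register arrays, and TABLE stands in for an exact-match table whose
action performs the guard comparison and register updates.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

F = frozenset


@dataclass(frozen=True)
class Pkt:
    direction: str          # "c2s" (client -> server) or "s2c"
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int
    payload_len: int = 0


@dataclass
class FlowRegs:
    """Per-flow registers (on a switch: register arrays indexed by a flow hash)."""
    state: str = "CLOSED"
    c_isn: int = 0   # client's initial sequence number
    s_isn: int = 0   # server's initial sequence number
    c_nxt: int = 0   # next sequence number the client may send
    s_nxt: int = 0   # next sequence number the server may send


def peer_nxt(p: Pkt, r: FlowRegs) -> int:
    """Next sequence number of the side that did *not* send this packet."""
    return r.s_nxt if p.direction == "c2s" else r.c_nxt


# Guards: pure comparisons between packet fields and registers.
def g_true(p: Pkt, r: FlowRegs) -> bool:
    return True

def g_acks_client_isn(p: Pkt, r: FlowRegs) -> bool:
    return p.ack == r.c_isn + 1

def g_acks_server_isn(p: Pkt, r: FlowRegs) -> bool:
    return p.ack == r.s_isn + 1

def g_ack_within_sent(p: Pkt, r: FlowRegs) -> bool:
    # A host may not acknowledge bytes its peer has not sent yet.
    return p.ack <= peer_nxt(p, r)


# Actions: register updates, constant work per packet.
def a_record_client_isn(p: Pkt, r: FlowRegs) -> None:
    r.c_isn, r.c_nxt = p.seq, p.seq + 1

def a_record_server_isn(p: Pkt, r: FlowRegs) -> None:
    r.s_isn, r.s_nxt = p.seq, p.seq + 1

def a_advance(p: Pkt, r: FlowRegs) -> None:
    end = p.seq + p.payload_len
    if p.direction == "c2s":
        r.c_nxt = max(r.c_nxt, end)
    else:
        r.s_nxt = max(r.s_nxt, end)


Guard = Callable[[Pkt, FlowRegs], bool]
Action = Callable[[Pkt, FlowRegs], None]

# EFSM transition table: (state, direction, flags) -> (guard, action, next state).
TABLE: Dict[Tuple[str, str, FrozenSet[str]], Tuple[Guard, Action, str]] = {
    ("CLOSED",       "c2s", F({"SYN"})):        (g_true,            a_record_client_isn, "SYN_SENT"),
    ("SYN_SENT",     "s2c", F({"SYN", "ACK"})): (g_acks_client_isn, a_record_server_isn, "SYN_RECEIVED"),
    ("SYN_RECEIVED", "c2s", F({"ACK"})):        (g_acks_server_isn, a_advance,           "ESTABLISHED"),
    ("ESTABLISHED",  "c2s", F({"ACK"})):        (g_ack_within_sent, a_advance,           "ESTABLISHED"),
    ("ESTABLISHED",  "s2c", F({"ACK"})):        (g_ack_within_sent, a_advance,           "ESTABLISHED"),
}


class Monitor:
    """Holds per-flow registers and applies the EFSM to each packet."""

    def __init__(self) -> None:
        self.flows: Dict[str, FlowRegs] = {}

    def process(self, flow_id: str, p: Pkt) -> Optional[str]:
        """None if the packet is compliant, else a reason. A non-compliant
        packet leaves the registers untouched (a switch would drop or mark it)."""
        r = self.flows.setdefault(flow_id, FlowRegs())
        hit = TABLE.get((r.state, p.direction, p.flags))
        if hit is None:
            return f"no transition in {r.state}"
        guard, action, nxt = hit
        if not guard(p, r):
            return f"guard failed in {r.state}"
        action(p, r)
        r.state = nxt
        return None


def verify_flow(packets: List[Pkt]) -> Tuple[FlowRegs, List[Tuple[int, str]]]:
    """Run one flow through a fresh Monitor; return final registers and violations."""
    m, bad = Monitor(), []
    for i, p in enumerate(packets):
        why = m.process("flow-0", p)
        if why is not None:
            bad.append((i, why))
    return m.flows["flow-0"], bad


# Constructed sample traces (not captured traffic).
HANDSHAKE_AND_DATA = [
    Pkt("c2s", F({"SYN"}),        seq=1000, ack=0),
    Pkt("s2c", F({"SYN", "ACK"}), seq=5000, ack=1001),
    Pkt("c2s", F({"ACK"}),        seq=1001, ack=5001),
    Pkt("c2s", F({"ACK"}),        seq=1001, ack=5001, payload_len=100),
    Pkt("s2c", F({"ACK"}),        seq=5001, ack=1101, payload_len=1460),
]
COMPLIANT = HANDSHAKE_AND_DATA + [Pkt("c2s", F({"ACK"}), seq=1101, ack=6461)]
# Client acknowledges past what the server has actually sent so far.
AHEAD_OF_SENDER = HANDSHAKE_AND_DATA + [Pkt("c2s", F({"ACK"}), seq=1101, ack=9381)]

if __name__ == "__main__":
    for name, trace in (("compliant", COMPLIANT), ("ahead-of-sender", AHEAD_OF_SENDER)):
        regs, bad = verify_flow(trace)
        print(name, regs.state, bad)
```

The point of the table shape is that it maps onto the data plane: the key is an exact match on a few header bits and one state register, and the guard plus action are a bounded sequence of comparisons and register writes, with no loops and no per-flow iteration. A real deployment would additionally need the 32-bit sequence arithmetic, FIN/RST handling and a register-eviction policy that this toy omits.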
Scheduling for VNF Microservice Architecture
We have extended our work entitled UNiS: a User-space Non-intrusive Workflow-aware VNF Scheduler, which is: (i) user-space: it works in user space and does not require any kernel modification; (ii) non-intrusive: it does not require VNFs to be built with any UNiS-specific library or to implement any specific scheduling logic; and (iii) workflow-aware: it maintains the SFC (service function chain) processing order while scheduling VNFs.
In an extended version published in IEEE Transactions on Cloud Computing, an in-depth evaluation was carried out, and alternative implementations were proposed and discussed.