Don't Yank My Chain: Auditable NF Service Chaining

Auditing is a crucial component of network security practices in organizations with sensitive information, such as banks and hospitals. Unfortunately, network function virtualization (NFV) is viewed as incompatible with auditing practices which verify that security functions operate correctly. In this paper, we bring the benefits of NFV to security-sensitive environments with the design and implementation of AuditBox. AuditBox not only makes NFV compatible with auditing, but also provides stronger guarantees than traditional auditing procedures. In traditional auditing, administrators test the system for correctness on a schedule, e.g., once per month. In contrast, AuditBox continuously self-monitors for correct behavior, proving runtime guarantees that the system remains in compliance with policy goals. Furthermore, AuditBox remains compatible with traditional auditing practices by providing sampled logs which still allow auditors to inspect system behavior manually. AuditBox achieves its goals by combining trusted execution environments with a lightweight verified routing protocol (VRP). Despite the complexity of routing policies for service-function chains relative to traditional routing, AuditBox’s protocol introduces 72-80% fewer bytes of overhead per packet (in a 5-hop service chain) and provides 61-67% higher goodput than prior work on VRPs designed for the Internet.

[1]  Yajin Zhou,et al.  LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed , 2017, CCS.

[2]  Minlan Yu,et al.  Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags , 2014, NSDI.

[3]  Katerina J. Argyraki,et al.  A Formally Verified NAT , 2017, SIGCOMM.

[4]  Anat Bremler-Barr,et al.  OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions , 2016, SIGCOMM.

[5]  Rebecca Steinert,et al.  Metron: NFV Service Chains at the True Speed of the Underlying Hardware , 2018, NSDI.

[6]  Christof Fetzer,et al.  ShieldBox: Secure Middleboxes using Shielded Execution , 2018, SOSR.

[7]  Katerina J. Argyraki,et al.  Verifying Reachability in Networks with Mutable Datapaths , 2016, NSDI.

[8]  George Varghese,et al.  Usenix Association 10th Usenix Symposium on Networked Systems Design and Implementation (nsdi '13) 99 Real Time Network Policy Checking Using Header Space Analysis , 2022 .

[9]  Xin Zhang,et al.  Secure and Scalable Fault Localization under Dynamic Traffic Patterns , 2012, 2012 IEEE Symposium on Security and Privacy.

[10]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[11]  Vyas Sekar,et al.  Verifiable network function outsourcing: requirements, challenges, and roadmap , 2013, HotMiddlebox '13.

[12]  Sylvia Ratnasamy,et al.  SafeBricks: Shielding Network Functions in the Cloud , 2018, NSDI.

[13]  Katerina J. Argyraki,et al.  Retroactive Packet Sampling for Traffic Receipts , 2019, Proc. ACM Meas. Anal. Comput. Syst..

[14]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[15]  Dongsu Han,et al.  SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module , 2017, APNet.

[16]  Andrew Ferraiuolo,et al.  Komodo: Using verification to disentangle secure-enclave hardware from software , 2017, SOSP.

[17]  K. K. Ramakrishnan,et al.  OpenNetVM: A Platform for High Performance Network Service Chains , 2016, HotMiddlebox@SIGCOMM.

[18]  Gorka Irazoqui Apecechea,et al.  CacheZoom: How SGX Amplifies The Power of Cache Attacks , 2017, CHES.

[19]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[20]  Katerina J. Argyraki,et al.  Software dataplane verification , 2014, NSDI.

[21]  Adrian Perrig,et al.  EPIC: Every Packet Is Checked in the Data Plane of a Path-Aware Internet , 2020, USENIX Security Symposium.

[22]  Christos Gkantsidis,et al.  And Then There Were More: Secure Communication for More Than Two Parties , 2017, CoNEXT.

[23]  Andrew Warfield,et al.  Split/Merge: System Support for Elastic Execution in Virtual Middleboxes , 2013, NSDI.

[24]  Nikhil Swamy,et al.  EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[25]  Marcus Peinado,et al.  T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs , 2017, NDSS.

[26]  Tianlong Yu,et al.  BUZZ: Testing Context-Dependent Policies in Stateful Networks , 2016, NSDI.

[27]  K. K. Ramakrishnan,et al.  Microboxes: high performance NFV with customizable, asynchronous TCP stacks and dynamic subscriptions , 2018, SIGCOMM.

[28]  Aditya Akella,et al.  Automated Verification of Customizable Middlebox Properties with Gravel , 2020, NSDI.

[29]  Xin Zhang,et al.  Packet-dropping adversary identification for data plane security , 2008, CoNEXT '08.

[30]  Carlos Pignataro,et al.  Network Service Header (NSH) , 2018, RFC.

[31]  Joint Task Force Transformation Initiative,et al.  Security and Privacy Controls for Federal Information Systems and Organizations , 2013 .

[32]  Roberto Bifulco,et al.  ClickOS and the Art of Network Function Virtualization , 2014, NSDI.

[33]  Sujata Garera,et al.  Challenges in teaching a graduate course in applied cryptography , 2009, SGCS.

[34]  Andreas Haeberlen,et al.  NetReview: Detecting When Interdomain Routing Goes Wrong , 2009, NSDI.

[35]  Katerina J. Argyraki,et al.  Verifiable network-performance measurements , 2010, CoNEXT.

[36]  D. McGrew,et al.  The Galois/Counter Mode of Operation (GCM) , 2005 .

[37]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[38]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[39]  Yih-Chun Hu,et al.  Mechanized Network Origin and Path Authenticity Proofs , 2014, CCS.

[40]  Johannes Götzfried,et al.  Cache Attacks on Intel SGX , 2017, EUROSEC.

[41]  Scott Shenker,et al.  NetBricks: Taking the V out of NFV , 2016, OSDI.

[42]  Xin Zhang,et al.  Network fault localization with small TCB , 2011, 2011 19th IEEE International Conference on Network Protocols.

[43]  Yuan Xiao,et al.  SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution , 2018, ArXiv.

[44]  Hani Jamjoom,et al.  Stateless Network Functions , 2015, HotMiddlebox@SIGCOMM.

[45]  Minlan Yu,et al.  SIMPLE-fying middlebox policy enforcement using SDN , 2013, SIGCOMM.

[46]  Michael Walfish,et al.  Verifying and enforcing network paths with icing , 2011, CoNEXT '11.

[47]  Brighten Godfrey,et al.  Debugging the data plane with anteater , 2011, SIGCOMM.

[48]  Limin Jia,et al.  NetSMC: A Custom Symbolic Model Checker for Stateful Network Verification , 2020, NSDI.

[49]  Brighten Godfrey,et al.  VeriFlow: verifying network-wide invariants in real time , 2012, HotSDN '12.

[50]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[51]  Mohan Kumar,et al.  S-NFV: Securing NFV states by using SGX , 2016, SDN-NFV@CODASPY.

[52]  Vyas Sekar,et al.  Making middleboxes someone else's problem: network processing as a cloud service , 2012, SIGCOMM '12.

[53]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[54]  David A. McGrew Efficient authentication of large, dynamic data sets using Galois/counter mode (GCM) , 2005, Third IEEE International Security in Storage Workshop (SISW'05).

[55]  Katerina J. Argyraki,et al.  RouteBricks: exploiting parallelism to scale software routers , 2009, SOSP '09.

[56]  Daniel Raumer,et al.  MoonGen: A Scriptable High-Speed Packet Generator , 2014, Internet Measurement Conference.

[57]  Andreas Haeberlen,et al.  PeerReview: practical accountability for distributed systems , 2007, SOSP.

[58]  Xin Zhang,et al.  ShortMAC: Efficient Data-Plane Fault Localization , 2012, NDSS.

[59]  Xin Liu,et al.  Passport: Secure and Adoptable Source Authentication , 2008, NSDI.

[60]  Vyas Sekar,et al.  Design and Implementation of a Consolidated Middlebox Architecture , 2012, NSDI.

[61]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[62]  George Candea,et al.  Verifying software network functions with no verification expertise , 2019, SOSP.

[63]  Scott Shenker,et al.  E2: a framework for NFV applications , 2015, SOSP.

[64]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..