ABSTRACT
Emerging software-defined networks and programmable dataplanes promise to render communication networks more dependable, overcoming today’s manual and error-prone approach to operating networks. Indeed, programmable dataplanes such as P4 provide great opportunities for improving network performance and developing innovative security features, by allowing programmers to reconfigure and tailor switches to their needs. However, extending programmability to the dataplane also introduces new threat models. In this paper, using a systematic security analysis, we identify a particularly worrisome vulnerability: the automated program compilers which lie at the core of programmable dataplanes. The dataplane compilers introduce a risk of persistent threats which are covert and hard to detect, and may be exploited for large-scale attacks, affecting many devices. Our main contribution is P4Fuzz, a compiler fuzzer to find bugs and vulnerabilities in P4 compilers, in an efficient and automated manner. We discuss the challenges involved in designing such a compiler fuzzer for P4, present our fuzzing and taming algorithms, and report on experiments with our prototype implementation, considering the standard compilers of BMv2, eBPF, and NetFPGA. Our experiments confirm that P4Fuzz is able to generate and test the validity of dozens of P4 programs per minute. Using P4Fuzz, we also successfully found several bugs which have been acknowledged and fixed by the community.