DOI: 10.1145/3548606.3560568
research-article

NeVerMore: Exploiting RDMA Mistakes in NVMe-oF Storage Applications

Published: 07 November 2022

Abstract

This paper presents a security analysis of the InfiniBand architecture, a prevalent RDMA standard, and NVMe-over-Fabrics (NVMe-oF), a prominent protocol for industrial disaggregated storage that exploits RDMA protocols to achieve low-latency and high-bandwidth access to remote solid-state devices. Our work, NeVerMore, discovers new vulnerabilities in RDMA protocols that unveil several attack vectors on RDMA-enabled applications and the NVMe-oF protocol, showing that the current security mechanisms of the NVMe-oF protocol do not address the security vulnerabilities posed by the use of RDMA. In particular, we show how an unprivileged user can inject packets into any RDMA connection created on a local network controller, bypassing security mechanisms of the operating system and its kernel, and how the injection can be used to acquire unauthorized block access to NVMe-oF devices. Overall, we implement four attacks on RDMA protocols and seven attacks on the NVMe-oF protocol and verify them on the two most popular implementations of NVMe-oF: SPDK and the Linux kernel. To mitigate the discovered attacks, we propose multiple mechanisms that can be implemented by RDMA and NVMe-oF providers.


Cited By

  • (2024) SEC-RDMA: a scheme to enhance security for RDMA one-sided operations. Third International Conference on High Performance Computing and Communication Engineering (HPCCE 2023). DOI: 10.1117/12.3026425 (22). Online publication date: 9-Feb-2024
  • (2024) Offloading NVMe over Fabrics (NVMe-oF) to SmartNICs on an at-scale Distributed Testbed. 2024 IEEE 10th International Conference on Network Softwarization (NetSoft). DOI: 10.1109/NetSoft60951.2024.10588915 (316-318). Online publication date: 24-Jun-2024
  • (2024) Empowering Cloud Computing With Network Acceleration: A Survey. IEEE Communications Surveys & Tutorials 26:4. DOI: 10.1109/COMST.2024.3377531 (2729-2768). Online publication date: Dec-2025


      Published In

      CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
      November 2022
      3598 pages
      ISBN:9781450394505
      DOI:10.1145/3548606
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 07 November 2022

      Author Tags

      1. nvme-of security
      2. rdma security
      3. rdma spoofing
      4. spdk

      Qualifiers

      • Research-article

      Funding Sources

      • European High-Performance Computing Joint Undertaking

      Conference

      CCS '22

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Downloads (Last 12 months): 134
      • Downloads (Last 6 weeks): 9
      Reflects downloads up to 20 Feb 2025

      Cited By

      • (2023) Design and Optimization of a Distributed File System Based on RDMA. Applied Sciences 13:15. DOI: 10.3390/app13158670 (8670). Online publication date: 27-Jul-2023
