|
|
- 2018
范式路由器:规范路由器数据层的动态行为
|
Abstract:
随着模块化可编程路由器越来越普遍,路由器面临的安全问题也越来越严峻。该文提出范式路由器,通过对模块化的数据层进行编码和预组合,达到对路由器数据层的动态监控和规范。该文对每个数据层行为标记一个行为标识(action identifier,AID),同时将合法AID预先存入范式表(regulated action table,RAT)。在路由器运行时,所有动态行为都被RAT校验,保证行为可信。该文用Click路由器和数据层开发包(data plane development kit,DPDK)路由器分别部署了范式路由器。实验结果表明:范式路由器仅占用了2 MB的空间和10%以下的带宽性能,同时捕获了所有数据层的恶意行为。
Abstract:Router security has become more important with the increasing number of programmable routers. This paper presents a pattern router that codes the modularized dataplane and pre-combines the result to monitor and regulate the dynamic actions in the dataplane. This method uses an action identifier (AID) for each action in the dataplane and puts the normal AID into a regulated action table (RAT) before running the router. When the router is working, all the dynamic actions are verified by the RAT to secure the honesty of each action. The pattern router was implemented in a Click router and in a data plane development kit (DPDK) router with tests showing that the pattern router occupies only 2 MB and uses less than 10% of the bandwidth to capture all the abnormal actions in the dataplane.
| [1] | ZHANG Y, PAXSON V. Detecting backdoors[C]//Proceedings of the 9th Conference on USENIX Security Symposium. Denver:USENIX Association Berkeley, 2000:12-12. |
| [2] | SPARKS S, EMBLETON S, ZOU C C. A chipset level network backdoor:Bypassing host-based firewall & IDS[C]//Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. Sydney:ACM, 2009:125-134. |
| [3] | DUGA J, ELLIOTT S, MAH B A, et al. Iperf[Z/OL].[2018-01-15]. https://iperf.fr/. |
| [4] | YANG T, XIE G G, LI Y B, et al. Guarantee IP lookup performance with FIB explosion[C]//Proceedings of the 2014 ACM SIGCOMM Conference. Chicago, USA:ACM, 2014:39-50. |
| [5] | MALTZ D A, XIE G, ZHAN J, et al. Routing design in operational networks:A look from the inside[C]//Proceedings of the 2004 ACM SIGCOMM Conference. Portland, USA:ACM, 2004:27-40. |
| [6] | DOBRESCU M, ARGYRAKI K. Software dataplane verification[C]//Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation. Seattle:USENIX Association Berkeley, 2014:101-114. |
| [7] | KIM T H, BASESCU C, JIA L, et al. Lightweight source authentication and path validation[C]//ACM SIGCOMM. Chicago:ACM New York, 2014:271-282. |
| [8] | APPENZELLER G, KESLASSY I, MCKEOWN N. Sizing router buffers[C]//Proceedings of the 2004 ACM SIGCOMM Conference. Portland, USA:ACM, 2004:281-292. |
| [9] | MOJO66. Backdoor found in arcadyan-based Wi-Fi routers[Z/OL].[2018-01-15]. http://it.slashdot.org/story/12/04/26/1411229/backdoor-found-in-arcadyan-based-wifi-routers. |
| [10] | JC. RuggedCom-backdoor accounts in my SCADA network? you don't say…[Z/OL].[2018-01-15]. http://seclists.org/fulldisclosure/2012/Apr/277. |
| [11] | COSTIN A, ZADDACH J, FRANCILLON A, et al. A Large-scale analysis of the security of embedded firmwares[C]//Proceedings of the 23rd USENIX Conference on Security Symposium. San Diego:USENIX Association Berkeley, 2014:95-110. |
| [12] | GOODIN D. Malicious cisco router backdoor found on 79 more devices, 25 in the US[Z/OL].[2018-01-15]. https://arstechnica.com/information-technology/2015/09/malicious-cisco-router-backdoor-found-on-79-more-devices-25-in-the-us/. |
| [13] | GOODIN D. Cisco routers in at least 4 countries infected by highly stealthy backdoor[Z/OL].[2018-01-15]. https://arstechnica.com/information-technology/2015/09/attackers-install-highly-stealthy-backdoors-in-cisco-routers/. |
| [14] | HIGGINS P, KRISHNAN R. DEFCON router hacking contest reveals 15 major vulnerabilities[Z/OL].[2018-01-15]. https://www.eff.org/ru/node/82002. |
| [15] | Spirent. Spirent packet generator[Z/OL].[2018-01-15]. http://www.spirent.com/Products/TestCenter. |
| [16] | ABADI M, BUDIU M, ERLINGSSON U, et al. Control-flow integrity[C]//Proceedings of the 12th ACM Conference on Computer and Communications Security. Alexandria:ACM New York, 2005:340-353. |
| [17] | PAXSON V. End-to-end routing behavior in the Internet[J]. IEEE/ACM Transactions on Networking, 1997, 5(5):601-615. |
| [18] | XU K, CHEN W L, LIN C, et al. Towards practical reconfigurable router:A software component development approach[J]. IEEE Network, 2014, 28(5):74-80. |
| [19] | NSA/CSSM 1-52. Prism project[Z/OL].[2018-01-15]. https://nsa.gov1.info/dni/prism.html. |
| [20] | MALTZ D A, ZHAN J, XIE G, et al. Structure preserving anonymization of router configuration data[C]//Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement. Taormina:ACM, 2004:239-244. |
