TY - GEN
T1 - MINOS
T2 - 50th ACM Turing Conference - China, ACM TUR-C 2017
AU - Xu, Lei
AU - Xu, Ke
AU - Shen, Meng
AU - Ren, Kui
AU - Fan, Jingyuan
AU - Guan, Chaowen
AU - Chen, Wen Long
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/5/12
Y1 - 2017/5/12
N2 - Programmable routers are emerging as a promising alternative that facilitates the deployment of new network technologies, for example software-defined networking; meanwhile, their programmability and openness also bring risks of security vulnerabilities. Prior work has concentrated on code security and encryption to improve router action honesty. In this paper, we explore the feasibility of regulating actions on run-time dataplanes by detecting unexpected packet processing operations, which ultimately provides an honest and backdoor-proof router to operators. The main challenge is to monitor and regulate the actions of the router dataplane in a dynamic runtime environment. Hence we propose Minos, a framework to regulate router actions on dataplanes. Minos takes an Action Identifier (AID) as input, performs a lookup in a pre-defined white list called the Regulated Action Table (RAT), and finally verifies whether the action is normal or abnormal. In the end, Minos achieves a pair of seemingly irreconcilable security goals, i.e., low cost and effectiveness. We implement and evaluate Minos on Click and DPDK separately; our evaluation results show that Minos captures mal-actions with 2 megabytes of spatial cost and no more than 9% performance loss in both Click and DPDK.
KW - Minos
KW - Router actions
KW - Router security
UR - http://www.scopus.com/inward/record.url?scp=85021216406&partnerID=8YFLogxK
U2 - 10.1145/3063955.3063996
DO - 10.1145/3063955.3063996
M3 - Conference contribution
AN - SCOPUS:85021216406
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the ACM Turing 50th Celebration Conference - China, ACM TUR-C 2017
PB - Association for Computing Machinery
Y2 - 12 May 2017 through 14 May 2017
ER -