TY - GEN
T1 - Inferring Firewall Rules by Cache Side-channel Analysis in Network Function Virtualization
AU - Shin, Youngjoo
AU - Koo, Dongyoung
AU - Hur, Junbeom
N1 - Funding Information:
This work was supported by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2019-0-00533, Research on CPU vulnerability detection and validation), (No. 2017-0-00184, Self-Learning Cyber Immune Technology Development).
Publisher Copyright:
© 2020 IEEE.
PY - 2020/7
Y1 - 2020/7
N2 - Network function virtualization takes advantage of virtualization technology to achieve flexibility in network service provisioning. However, it comes at the cost of security risks caused by cache side-channel attacks on virtual machines. In this study, we investigate the security impact of these attacks on virtualized network functions. In particular, we propose a novel cache-based reconnaissance technique against virtualized Linux-based firewalls. The proposed technique has significant advantages from the perspective of attackers. First, it enhances evasiveness against intrusion detection owing to the ability to spoof the source. Second, it allows inference of a wide variety of filtering rules. In experiments on VyOS, the proposed method inferred the firewall rules with an accuracy of more than 90% using only a few dozen packets. We also present countermeasures to mitigate cache-based attacks on virtualized network functions.
AB - Network function virtualization takes advantage of virtualization technology to achieve flexibility in network service provisioning. However, it comes at the cost of security risks caused by cache side-channel attacks on virtual machines. In this study, we investigate the security impact of these attacks on virtualized network functions. In particular, we propose a novel cache-based reconnaissance technique against virtualized Linux-based firewalls. The proposed technique has significant advantages from the perspective of attackers. First, it enhances evasiveness against intrusion detection owing to the ability to spoof the source. Second, it allows inference of a wide variety of filtering rules. In experiments on VyOS, the proposed method inferred the firewall rules with an accuracy of more than 90% using only a few dozen packets. We also present countermeasures to mitigate cache-based attacks on virtualized network functions.
KW - Cache side-channel analysis
KW - Firewall reconnaissance
KW - Network function virtualization
UR - http://www.scopus.com/inward/record.url?scp=85090265258&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM41043.2020.9155449
DO - 10.1109/INFOCOM41043.2020.9155449
M3 - Conference contribution
AN - SCOPUS:85090265258
T3 - Proceedings - IEEE INFOCOM
SP - 1798
EP - 1807
BT - INFOCOM 2020 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 38th IEEE Conference on Computer Communications, INFOCOM 2020
Y2 - 6 July 2020 through 9 July 2020
ER -