Inferring Firewall Rules by Cache Side-channel Analysis in Network Function Virtualization

Youngjoo Shin, Dongyoung Koo, Junbeom Hur

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    6 Citations (Scopus)

    Abstract

    Network function virtualization takes advantage of virtualization technology to achieve flexibility in network service provisioning. However, it comes at the cost of security risks caused by cache side-channel attacks on virtual machines. In this study, we investigate the security impact of these attacks on virtualized network functions. In particular, we propose a novel cache-based reconnaissance technique against virtualized Linux-based firewalls. The proposed technique has significant advantages in the perspective of attackers. First, it enhances evasiveness against intrusion detection owing to the ability of source spoofing. Second, it allows inference on a wide variety of filtering rules. During experiment in VyOS, the proposed method could infer the firewall rules with an accuracy of more than 90% by using only a few dozen packets. We also present countermeasures to mitigate cache-based attacks on virtualized network functions.

    Original languageEnglish
    Title of host publicationINFOCOM 2020 - IEEE Conference on Computer Communications
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages1798-1807
    Number of pages10
    ISBN (Electronic)9781728164120
    DOIs
    Publication statusPublished - 2020 Jul
    Event38th IEEE Conference on Computer Communications, INFOCOM 2020 - Toronto, Canada
    Duration: 2020 Jul 62020 Jul 9

    Publication series

    NameProceedings - IEEE INFOCOM
    Volume2020-July
    ISSN (Print)0743-166X

    Conference

    Conference38th IEEE Conference on Computer Communications, INFOCOM 2020
    Country/TerritoryCanada
    CityToronto
    Period20/7/620/7/9

    Bibliographical note

    Publisher Copyright:
    © 2020 IEEE.

    Keywords

    • Cache side-channel analysis
    • Firewall reconnaissance
    • Network function virtualization

    ASJC Scopus subject areas

    • General Computer Science
    • Electrical and Electronic Engineering

    Fingerprint

    Dive into the research topics of 'Inferring Firewall Rules by Cache Side-channel Analysis in Network Function Virtualization'. Together they form a unique fingerprint.

    Cite this