Inferring Firewall Rules by Cache Side-channel Analysis in Network Function Virtualization

Youngjoo Shin, Dongyoung Koo, Junbeom Hur

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

2 Citations (Scopus)

Abstract

Network function virtualization takes advantage of virtualization technology to achieve flexibility in network service provisioning. However, it comes at the cost of security risks caused by cache side-channel attacks on virtual machines. In this study, we investigate the security impact of these attacks on virtualized network functions. In particular, we propose a novel cache-based reconnaissance technique against virtualized Linux-based firewalls. The proposed technique has significant advantages from the attacker's perspective. First, it enhances evasiveness against intrusion detection owing to its ability to spoof the source. Second, it allows inference of a wide variety of filtering rules. In experiments on VyOS, the proposed method could infer the firewall rules with an accuracy of more than 90% using only a few dozen packets. We also present countermeasures to mitigate cache-based attacks on virtualized network functions.

Original language: English
Title of host publication: INFOCOM 2020 - IEEE Conference on Computer Communications
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1798-1807
Number of pages: 10
ISBN (Electronic): 9781728164120
DOIs
Publication status: Published - 2020 Jul
Event: 38th IEEE Conference on Computer Communications, INFOCOM 2020 - Toronto, Canada
Duration: 2020 Jul 6 to 2020 Jul 9

Publication series

Name: Proceedings - IEEE INFOCOM
Volume: 2020-July
ISSN (Print): 0743-166X

Conference

Conference: 38th IEEE Conference on Computer Communications, INFOCOM 2020
Country/Territory: Canada
City: Toronto
Period: 20/7/6 to 20/7/9

Keywords

  • Cache side-channel analysis
  • Firewall reconnaissance
  • Network function virtualization

ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering
