Abstract
Network function virtualization takes advantage of virtualization technology to achieve flexibility in network service provisioning. However, it comes at the cost of security risks caused by cache side-channel attacks on virtual machines. In this study, we investigate the security impact of these attacks on virtualized network functions. In particular, we propose a novel cache-based reconnaissance technique against virtualized Linux-based firewalls. The proposed technique has significant advantages in the perspective of attackers. First, it enhances evasiveness against intrusion detection owing to the ability of source spoofing. Second, it allows inference on a wide variety of filtering rules. During experiment in VyOS, the proposed method could infer the firewall rules with an accuracy of more than 90% by using only a few dozen packets. We also present countermeasures to mitigate cache-based attacks on virtualized network functions.
| Original language | English |
|---|---|
| Title of host publication | INFOCOM 2020 - IEEE Conference on Computer Communications |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Pages | 1798-1807 |
| Number of pages | 10 |
| ISBN (Electronic) | 9781728164120 |
| DOIs | |
| Publication status | Published - 2020 Jul |
| Event | 38th IEEE Conference on Computer Communications, INFOCOM 2020 - Toronto, Canada Duration: 2020 Jul 6 → 2020 Jul 9 |
Publication series
| Name | Proceedings - IEEE INFOCOM |
|---|---|
| Volume | 2020-July |
| ISSN (Print) | 0743-166X |
Conference
| Conference | 38th IEEE Conference on Computer Communications, INFOCOM 2020 |
|---|---|
| Country/Territory | Canada |
| City | Toronto |
| Period | 20/7/6 → 20/7/9 |
Bibliographical note
Publisher Copyright:© 2020 IEEE.
Keywords
- Cache side-channel analysis
- Firewall reconnaissance
- Network function virtualization
ASJC Scopus subject areas
- General Computer Science
- Electrical and Electronic Engineering