Forensics in the SoNIC Project: On Precise Realtime Software Access and Control of Wired Networks



SLIDE 1

Forensics in the SoNIC Project

  • On Precise Realtime Software Access and Control of Wired Networks

Ki Suh Lee, Han Wang, Hakim Weatherspoon
Cornell University
International Workshop on Trustworthiness, Accountability, and Forensics in the Cloud (TAFC), June 6, 2013

SLIDE 2

The Rise of Cloud Computing

  • The promise of the Cloud

– A computer utility; a commodity
– Catalyst for the technology economy
– Revolutionizing health care, financial systems, scientific research, and society


SLIDE 5

The Rise of Cloud Computing

  • The promise of the Cloud (NIST Cloud Definition)

– "ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

  • How can we exploit the network for forensics, evidence, and accountability?

– Public clouds: bandwidth, availability
– Private and hybrid clouds: exfiltration of data (covert channels)

SLIDE 6

6/14/2013 6

Goal

  • Understand how to use the network to forensically account for and measure service level agreements in the cloud
  • Understand how to detect and/or prevent exfiltration of data from (private) clouds

SoNIC DARPA MRC 2013

SLIDE 7

Forensic Evidence via network interpacket delay

  • Interpacket delay (IPD) and interpacket gap (IPG)
  • Important metrics for network forensic evidence

– Can be improved with access to the PHY

6/14/2013 SoNIC NSDI 2013 7

[Figure: network stack (Application, Transport, Network, Data Link, Physical) with the IPG and IPD marked between Packet i and Packet i+1; uses: packet generation, packet capture, characterization, estimating bandwidth, detecting timing channels, increasing throughput]


SLIDE 9

Forensic Evidence via network interpacket delay

  • Valuable information: Idle characters (/I/)

– Can provide a precise timing base for control
– One idle character (/I/) = 7~8 bits; 12 /I/s = 100 bits = 9.7 ns

  • Each bit is ~97 ps wide

[Figure: network stack with the IPG between Packet i and Packet i+1; uses: packet generation, packet capture, characterization, estimating bandwidth, detecting timing channels]

SLIDE 10

Forensic Evidence via network interpacket delay

  • Valuable information in the PHY: Idle characters
  • Issue 1: The PHY is simply a black box

– No interface from the NIC or OS
– Valuable information is invisible (discarded)

  • Issue 2: Limited access to hardware

[Figure: network stack; at the physical layer a stream of packets (Packet i, Packet i+1, Packet i+2, ...) separated by IPGs, which are dropped before the packets reach the upper layers]

SLIDE 11

Forensic Evidence via network interpacket delay

  • Goal: Control every bit in software in realtime

– Enable research on PHY covert channels

  • Challenge

– Requires unprecedented software access to the PHY

[Figure: network stack with the IPG and IPD between Packet i and Packet i+1]

SLIDE 12

SoNIC: Software-defined Network Interface Card

  • Implements the PHY in software

– Enabling control and access to every bit in realtime
– With commodity components
– Thus, enabling novel network research

SoNIC: Precise Realtime Software Access and Control of Wired Networks, Ki Suh Lee, Han Wang and Hakim Weatherspoon, NSDI, April 2013

[Figure: network stack with the IPG and IPD between Packet i and Packet i+1]

SLIDE 13

Outline

  • Introduction
  • Examples of Forensic Evidence

– Available bandwidth estimation
– PHY Covert Timing Channel

  • SoNIC: Software-defined Network Interface Card
  • Concluding Remarks

SLIDE 14

SoNIC

SLIDE 15

Forensic Evidence: Bandwidth Estimation

  • Estimate available bandwidth

– Traffic sent: packet trains
– Traffic received after going through the bottleneck

  • Accurate available bandwidth estimation requires the PHY
  • Inter-packet gaps are invisible to higher layers, but not to SoNIC

[Figure: packet train showing packets and the interpacket gaps between them]


SLIDE 17

Forensic Evidence: Covert Timing Channel

  • Embedding signals into interpacket gaps

– Large gap: '1'
– Small gap: '0'

  • Covert timing channel by modulating IPGs at the 100 ns scale
  • Overt channel at 3 Gbps
  • Covert channel at 250 kbps
  • Over 4 hops with < 1% BER

[Figure: Packet i and Packet i+1 separated by a large gap ('1') and by a small gap ('0')]

SLIDE 18

Forensic Evidence: Covert Timing Channel

  • Modulating IPGs at the 100 ns scale (= 128 /I/s), over 4 hops

– General scheme: '1': 3562 + a /I/s, '0': 3562 – a /I/s
– Here a = 128: '1': 3562 + 128 /I/s, '0': 3562 – 128 /I/s
– BER = 0.37%

[Figure: CDFs of interpacket delays (ns), 500 to 4500 ns, for the '0' and '1' symbols as captured by SoNIC and by the kernel; the '0' and '1' distributions sit on either side of the 3562 /I/s baseline]
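The following is an added example written for this page, not SoNIC project code. It models the idle-character timing of slide 9 and the covert timing channel of slides 17 and 18 end to end: the sender carries one hidden bit per overt packet by setting the gap to 3562 + 128 /I/s ('1') or 3562 – 128 /I/s ('0'), and the receiver decodes by comparing each gap against the 3562 /I/s baseline. The switch behaviour is a constructed assumption (per-hop uniform jitter from a fixed-seed LCG, not a measured response function), as are the 8.25 bit-times per idle character (eight /I/ per 66-bit control block), the 8-byte preamble overhead, and the 64-bit test message.

```c
/*
 * Added example (not SoNIC project code): PHY covert timing channel model.
 * Assumptions: 8.25 bit-times per /I/, 8-byte preamble per frame, and a
 * constructed per-hop jitter channel standing in for real switches.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINE_RATE_BPS   10.3125e9   /* 10GbE PHY line rate (slide 22) */
#define BITS_PER_IDLE   (66.0 / 8)  /* assumption: one 66-bit control block carries 8 /I/ */
#define FRAME_OVERHEAD  8           /* assumption: preamble + SFD bytes in front of each frame */
#define IPG_BASE_I      3562        /* baseline gap in /I/ characters (slide 18) */
#define IPG_DELTA_I     128         /* modulation depth, ~100 ns (slide 18) */
#define IPG_MIN_I       12          /* minimum legal 10GbE gap, in /I/ characters */

/* Duration of a gap of `idles` idle characters, in nanoseconds. */
double idle_to_ns(unsigned idles)
{
    double bit_ps = 1e12 / LINE_RATE_BPS;        /* ~97 ps per bit (slide 9) */
    return idles * BITS_PER_IDLE * bit_ps / 1000.0;
}

/* Packets per second for `pkt_len`-byte frames separated by `idles` /I/s.
 * One covert bit rides on every packet, so this is also the covert bit rate. */
double packet_rate(unsigned pkt_len, unsigned idles)
{
    double frame_bits = (pkt_len + FRAME_OVERHEAD) * 8.0 * 66.0 / 64.0; /* 64b/66b expansion */
    return LINE_RATE_BPS / (frame_bits + idles * BITS_PER_IDLE);
}

/* Overt goodput in bit/s carried by the same packet stream. */
double overt_bps(unsigned pkt_len, unsigned idles)
{
    return packet_rate(pkt_len, idles) * pkt_len * 8.0;
}

/* Sender: one gap per message bit. */
void encode_gaps(const uint8_t *bits, size_t n, unsigned *gaps)
{
    for (size_t i = 0; i < n; i++)
        gaps[i] = bits[i] ? IPG_BASE_I + IPG_DELTA_I : IPG_BASE_I - IPG_DELTA_I;
}

/* Constructed channel: each of `hops` switches perturbs every gap by a
 * uniform jitter in [-max_jitter, +max_jitter] /I/s drawn from a fixed-seed LCG. */
void apply_jitter(unsigned *gaps, size_t n, int hops, int max_jitter, uint32_t seed)
{
    uint32_t s = seed;
    for (size_t i = 0; i < n; i++) {
        long g = gaps[i];
        for (int h = 0; h < hops; h++) {
            s = s * 1664525u + 1013904223u;
            g += (long)((s >> 16) % (2u * max_jitter + 1u)) - max_jitter;
        }
        gaps[i] = (unsigned)(g < IPG_MIN_I ? IPG_MIN_I : g);
    }
}

/* Receiver: threshold at the baseline (a gap exactly on the baseline reads as '0'). */
int decode_gap(unsigned gap)
{
    return gap > IPG_BASE_I ? 1 : 0;
}

double bit_error_rate(const uint8_t *sent, const unsigned *gaps, size_t n)
{
    size_t errors = 0;
    for (size_t i = 0; i < n; i++)
        if (decode_gap(gaps[i]) != sent[i])
            errors++;
    return n ? (double)errors / n : 0.0;
}

/* End-to-end run over a constructed 64-bit message; returns the BER. */
double run_channel(int hops, int max_jitter, uint32_t seed)
{
    static const uint8_t msg[] = "CLOUD!!!";   /* 8 bytes -> 64 covert bits (constructed) */
    uint8_t bits[64];
    unsigned gaps[64];
    for (size_t i = 0; i < 64; i++)
        bits[i] = (msg[i / 8] >> (7 - i % 8)) & 1;
    encode_gaps(bits, 64, gaps);
    apply_jitter(gaps, 64, hops, max_jitter, seed);
    return bit_error_rate(bits, gaps, 64);
}

int main(void)
{
    printf("128 /I/s = %.1f ns, 12 /I/s = %.1f ns\n", idle_to_ns(128), idle_to_ns(12));
    printf("1518-byte packets, 3562 /I/ gaps: overt %.2f Gbps, covert %.0f kbps\n",
           overt_bps(1518, IPG_BASE_I) / 1e9, packet_rate(1518, IPG_BASE_I) / 1e3);
    printf("BER, 4 hops, jitter <= 31 /I/ per hop:  %.4f\n", run_channel(4, 31, 1));
    printf("BER, 4 hops, jitter <= 100 /I/ per hop: %.4f\n", run_channel(4, 100, 1));
    return 0;
}
```

With the slide's parameters the arithmetic reproduces the deck's headline numbers: 1518-byte packets spaced 3562 /I/s apart give roughly 246 k packets/s, which is the ~250 kbps covert rate and ~3 Gbps of overt traffic. The jitter bound also shows why the modulation depth matters: as long as the accumulated jitter over four hops stays below 128 /I/s (about 100 ns) the threshold decoder makes no errors, and only when a hop's jitter approaches the modulation depth does the BER climb.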

SLIDE 19

Forensic Evidence: Covert Timing Channel

  • Prevent Covert Timing Channels?

[Figure: CDF of interpacket delays (ns), 500 to 4500 ns, with the 3562 /I/s baseline marked]

SLIDE 20

Forensic Evidence: Covert Timing Channel

  • Router/Switch Signatures
  • Different routers and switches have different response functions
  • Improve simulation models of switches and routers
  • Detect switch and router model in a real network

[Figure: normalized frequency (1e-06 to 1, log scale) vs. interpacket gap (bits, 0 to 20000) for a Cisco 4948, a Cisco 6509 and an IBM BNT G8264R; 1500-byte packets @ 6 Gbps]
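The following is an added example written for this page, not SoNIC project code, showing the fingerprinting idea of slide 20 in code: build a normalized histogram of the interpacket gaps (in bits) a device emits, store one histogram per known device as its signature, and classify an unseen trace by nearest signature. The three reference devices (A, B, C) and all traces are constructed stand-ins with different centers and spreads; they are not measurements of the Cisco 4948, Cisco 6509 or IBM BNT G8264R on the slide, and the L1 distance used to compare histograms is an assumption, not the deck's metric.

```c
/*
 * Added example (not SoNIC project code): switch fingerprinting from the
 * normalized interpacket-gap histogram.  Devices A/B/C and their traces are
 * constructed; the distance metric (L1 over histogram bins) is an assumption.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBINS     20      /* 0..19999 bits, one bin per 1000 bits (slide 20 x-axis) */
#define BIN_BITS  1000
#define NSAMPLES  220

/* Normalized frequency of gaps (in bits) per bin; gaps past the last bin are clipped. */
void ipg_histogram(const unsigned *gap_bits, size_t n, double *hist)
{
    for (int b = 0; b < NBINS; b++)
        hist[b] = 0.0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = gap_bits[i] / BIN_BITS;
        if (b >= NBINS)
            b = NBINS - 1;
        hist[b] += 1.0 / n;
    }
}

static double absd(double x) { return x < 0 ? -x : x; }

/* L1 distance between two normalized histograms: 0 = identical, 2 = disjoint support. */
double hist_distance(const double *a, const double *b)
{
    double d = 0.0;
    for (int i = 0; i < NBINS; i++)
        d += absd(a[i] - b[i]);
    return d;
}

/* Index of the reference signature closest to `hist`. */
int classify(const double *hist, double refs[][NBINS], int nrefs)
{
    int best = 0;
    double best_d = hist_distance(hist, refs[0]);
    for (int r = 1; r < nrefs; r++) {
        double d = hist_distance(hist, refs[r]);
        if (d < best_d) {
            best_d = d;
            best = r;
        }
    }
    return best;
}

/* Constructed device model: gaps spread evenly over center +/- spread bits
 * (11 stride values), plus a seed-dependent wobble of 0..39 bits so that two
 * captures of the same device differ in detail but share a histogram shape. */
static void make_trace(unsigned *out, size_t n, unsigned center, unsigned spread, uint32_t seed)
{
    uint32_t s = seed;
    for (size_t i = 0; i < n; i++) {
        s = s * 1664525u + 1013904223u;
        unsigned wobble = (s >> 16) % 40;
        out[i] = center - spread + (unsigned)(i % 11) * (spread / 5) + wobble;
    }
}

/* Build signatures for devices A/B/C, then classify a fresh trace from device
 * `true_dev` (0, 1 or 2) captured with a different seed; returns the guess. */
int fingerprint_demo(int true_dev)
{
    static const unsigned centers[3] = { 5000, 10000, 15000 };  /* bits, constructed */
    static const unsigned spreads[3] = { 200, 500, 1500 };      /* bits, constructed */
    unsigned trace[NSAMPLES];
    double refs[3][NBINS], unknown[NBINS];

    for (int d = 0; d < 3; d++) {
        make_trace(trace, NSAMPLES, centers[d], spreads[d], 100u + d);
        ipg_histogram(trace, NSAMPLES, refs[d]);
    }
    make_trace(trace, NSAMPLES, centers[true_dev], spreads[true_dev], 999u);
    ipg_histogram(trace, NSAMPLES, unknown);
    return classify(unknown, refs, 3);
}

int main(void)
{
    static const char *names[3] = { "device A", "device B", "device C" };
    for (int d = 0; d < 3; d++)
        printf("trace from %s classified as %s\n", names[d], names[fingerprint_demo(d)]);
    return 0;
}
```

On real captures the histogram would come from gaps measured by SoNIC in bits, exactly as on the slide's x-axis, and the reference signatures would be collected per device model under a fixed load (the slide uses 1500-byte packets at 6 Gbps); the same histogram-and-distance loop then answers "which model is in the path?" for an unknown trace.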

SLIDE 21

Outline

  • Introduction
  • Demo: PHY Covert Timing Channel
  • SoNIC: Software-defined Network Interface Card
  • Concluding Remarks

SLIDE 22

10GbE Network Stack

  • Layers: Application, Transport, Network, Data Link, Physical
  • Physical layer: 64/66b PCS (TX: Encode, Scrambler, Gearbox; RX: Blocksync, Descrambler, Decode), PMA, PMD
  • Data link: Preamble, Eth Hdr, L2 Hdr, L3 Hdr, Data, CRC, followed by the Gap
  • The PCS encodes each frame as a sequence of blocks, /S/ /D/ /D/ /D/ /D/ /T/ /E/, and fills the gap with idle characters (/I/)
  • Each 66-bit block is a 2-bit sync header plus 64 bits of payload; the gearbox hands 16-bit words to the PMA, which serializes them at 10.3125 Gigabits/s

SLIDE 23

10GbE Network Stack: Commodity NIC

  • On a commodity NIC the SW/HW boundary sits above the data link layer: the MAC and the whole PHY (PCS, PMA, PMD) are in hardware
  • Software sees only Packet i and Packet i+1; the idle characters between them have already been discarded by the PHY

SLIDE 24

10GbE Network Stack: SoNIC on NetFPGA

  • SoNIC moves the SW/HW boundary down into the PHY
  • Software: Encode and Scrambler (TX), Decode and Descrambler (RX), i.e. the 64/66b PCS
  • Hardware: Gearbox, PMA, PMD
  • Packet i and Packet i+1 therefore arrive in software together with every /I/ between them


SLIDE 26

SoNIC Design and Architecture

  • Userspace: APP (packet generation and capture applications)
  • Kernel: TX MAC and TX PCS; RX MAC and RX PCS (the 64/66b encode/scramble and descramble/decode run in software)
  • Hardware: Gearbox and Transceiver (TX), Blocksync and Transceiver (RX), SFP+
  • The SW/HW boundary sits inside the PHY, between the PCS in the kernel and the gearbox/blocksync in hardware, so every bit on the wire is visible to and controllable by software

SLIDE 27

SoNIC Design: Interface and Control

  • Hardware control: ioctl syscall
  • I/O: character device interface
  • Sample C code for packet generation and capture (device paths and ioctl numbers come from sonic.h)

    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/ioctl.h>
    #include <unistd.h>
    #include "sonic.h"

    int main(void)
    {
        struct sonic_pkt_gen_info info = {
            .mode = 0,
            .pkt_num = 1000000000UL,
            .pkt_len = 1518,
            .mac_src = "00:11:22:33:44:55",
            .mac_dst = "aa:bb:cc:dd:ee:ff",
            .ip_src = "192.168.0.1",
            .ip_dst = "192.168.0.2",
            .port_src = 5000,
            .port_dst = 5000,
            .idle = 12,             /* interpacket gap, in /I/ characters */
        };
        static char buf[65536];
        ssize_t ret;
        int fd1, fd2;

        /* OPEN DEVICE: control device for ioctls, port 1 device for captured data */
        fd1 = open(SONIC_CONTROL_PATH, O_RDWR);
        fd2 = open(SONIC_PORT1_PATH, O_RDONLY);
        if (fd1 < 0 || fd2 < 0) {
            perror("open");
            return 1;
        }

        /* CONFIG SONIC CARD FOR PACKET GEN: port 0 generates, port 1 captures */
        if (ioctl(fd1, SONIC_IOC_RESET) < 0 ||
            ioctl(fd1, SONIC_IOC_SET_MODE, PKT_GEN_CAP) < 0 ||
            ioctl(fd1, SONIC_IOC_PORT0_INFO_SET, &info) < 0) {
            perror("ioctl");
            return 1;
        }

        /* START EXPERIMENT */
        ioctl(fd1, SONIC_IOC_START);
        /* wait till experiment finishes */
        ioctl(fd1, SONIC_IOC_STOP);

        /* CAPTURE PACKET: read captured packets (with their gaps) from port 1 */
        while ((ret = read(fd2, buf, sizeof buf)) > 0) {
            /* process data */
        }

        close(fd1);
        close(fd2);
        return 0;
    }

SLIDE 28

Contributions

  • Network Research

– Unprecedented access to the PHY with commodity hardware
– A platform for cross-network-layer research
– Can improve network research applications

  • Engineering

– Precise control of interpacket gaps (delays)
– Design and implementation of the PHY in software
– Novel scalable hardware design
– Optimizations / parallelism

  • Status

– Measurements in large scale: DCN, GENI, 40 GbE

SLIDE 29

Concluding Remarks

  • The network is at the center of the cloud

– SoNIC gives precise realtime software access and control of the network
– Necessary for forensics, evidence, and accountability of the network/cloud

  • The network is useful to validate SLAs

– Accurate bandwidth estimation
– Characterize/profile/fingerprint network components

  • Need to understand the entire network stack to protect data

– Demonstrated: Covert Timing Channel over 4 hops at 250 kbps with less than 1% BER

  • Status

– SoNIC in large scale: DURIP, GENI, 40 GbE
– http://sonic.cs.cornell.edu
– SoNIC is available as open source

SLIDE 30

My Contributions

  • Cloud Networking

– SoNIC in NSDI 2013
– Wireless DC in ANCS 2012 (best paper) and NetSlice in ANCS 2012
– Bifocals in IMC 2010 and DSN 2010
– Maelstrom in ToN 2011 and NSDI 2008
– Chaired Tudor Marian's PhD 2010 (now at Google)

  • Cloud Computation & Vendor Lock-in

– Plug into the Supercloud in IEEE Internet Computing 2013
– Supercloud/Xen-Blanket in EuroSys 2012 and HotCloud 2011
– Overdriver in VEE 2011
– Chaired Dan Williams's PhD 2012 (now at IBM)

  • Cloud Storage

– Gecko in FAST 2013 / HotStorage 2012
– RACS in SOCC 2010
– SMFS in FAST 2009
– Antiquity in EuroSys 2007 / NSDI 2006
– Chaired Lakshmi Ganesh's PhD 2011 (now at UT Austin)

SLIDE 31

Thank you!

http://sonic.cs.cornell.edu