Securing the Router Infrastructure of the Internet
ABSTRACT
The Internet represents essential communication infrastructure that needs to be protected from malicious attacks. Many existing attacks (and corresponding defenses) focus on end-‐systems connected to the Internet. Our work shows that a new type of “in-‐network” attack may emerge by exploiting vulnerabilities in the packet processing systems of routers inside the network. This project proposes a novel approach to providing fundamental security capabilities in these packet-‐ processing systems that can defend against such attacks. Our main idea is to expand packet-‐processing systems to include monitoring subsystems that can verify correct operation. Since computer networks operate using well-‐defined protocols, it is possible to define the “correct operation” of a system a priori. Using this information, a monitor can determine when a packet processor deviates from a sequence of operation that is considered to be correct or when a router deviates from its expected input/output behavior. The results from our work will provide a novel approach to addressing security vulnerabilities within the networking infrastructure itself. The proposed system may be deployed in next-‐generation networks (e.g., in the NSF GENI project) to assess the practical impact of defending network infrastructure.
Award ID: 1115999