NFV Attestation Survey Xitao Wen
Attestation Architecture Excerpted from  “Principles of remote attestation” in International Journal of Information Security, 10(2):63–81, 2011.
Chain of Trust • Trusted booting: TPM -> BIOS -> Boot Loader -> OS • Former entity measures the integrity of binary and config of latter entity, and sign the hash in a certificate • A sequence of certificates are provided to appraiser as evidence of system integrity • Appraiser verifies hashes with a list of trustworthy implementations/configs
Trust Base • Service • Endorsement key • Memory curtaining • Data sealing • Implementation • Hardware: Trust Platform Module (TPM), measurement hardware • Software: Secure kernel, secure hypervisor
Attestation Service Provider (ASP) 1. Most based on code execution Attestation • BIND : critical code only; bind data/code integrety • Pioneer : no hardware trust base • Schellekens et al. : use TPM for fewer constraints • Nexus : hypervisor-style seperation • Three categories • Integrity attestation (earliest) • Property-based Attestation • Behavior-based Attestation  2. Specific Purpose Attestation • CoPilot  • Gu et al. 
Property-based Attestation (PBA) • ASP signs properties rather than binary hashes • How to Determining Properties? • Delegation : delegate hash-property mapping to a trusted third party • Behavior control : behavior-based access control or measurement • Code analysis : semantic code analysis • Extend trust chain to verify the trustworthiness of property measurement • Enhanced boot loader 
PBA – Behavior Control • Attest the behavior of security policies • Usage control policy model  • Dynamic OS properties  • Verify security policies based on behavior modeling • Enforcement mechanism also needs attestation
PBA – Code Analysis •  extends Java VM to conduct byte-code analysis and attestation •  proposes attest properties via proof-carrying code
Attestation in NFV, Cloud and Virtual Networks All workshop papers, no real implementations, just high-level ideas • Verifiable NFO  • Framework to verify functionality, performance and accounting for NFV • Very high-level roadmap • TCCP  • Framework to ensure confidentiality and integrity of computation in cloud • Depends on trusted VM monitor and trusted coordinator • Simply apply attestation to cloud environment • Accountability in hosted virtual network  • Account software integrity and functionality • Two approaches • Violation detection with measurement • Verify software integrity with attestation SDN/NFV Verification has some work on policy correctness [21-31]
Uniqueness in NFV/SDN Environment • Network policies + network functions • Service composition/chaining • Multiple distributed VNFs
Properties to Attest in NFV/SDN • Correctness of NFV functionality  • Policy correctness and enforcement • Guaranteed traversal for packets • Correct order of service chains • Virtual Network Function (VNF) state consistency • Intra-VNF property • Inter-VNF property  • VNF version compatibility in a service chain • Performance monitoring (throughput, latency) • Resource accounting (memory, bw, CPU cycles) • Traffic confidentiality (seems impossible to prevent…)
Potential Topics • For the unique properties, what info and system support are needed? • SDN policy, controller, OS, network traffic, NFV software • Two levels: read / write • Focus more on systems than PL. • What verification/attestation tools can be used? (Bo) • What NFV code can be used? (Bo) • Load balancer, security middleboxes, cache, TCP performance enhancer/acceleration, Web Content Optimization (WCO)
NFV/SDN Attestation Architecture Attestation Procedure: 0. Trust establishment 1. Attestation request 2. Measurement setup 3. Measurement collection 4. Attestation report SDN Controller 1. Attestation request Trusted Delegate 4. Attestation report Client attester 3. Measurement collection 2. Measurement setup Internet Client network Data path Trusted measurement points Control path SDN switch Secure attestation channel
Trusted Measurement Points • VNF monitoring module in VM hypervisor • Check VNF binary/config before launching • Monitor runtime config change • Measure flow and utility statistics • Process FlowTag  • Trusted module in SDN switch agent or SDN controller • Take snapshot of rules • Setup rules for measurement tasks • Data-plane logging/injection points • Insert testing packets • Log trajectory and timestamp of testing packets
Per-property Verification Technique • VNF correctness (use existing tech) • Attest binary/config of VNF • Verify functionality of binary/config offline • Policy correctness • Conduct incremental header space analysis on flow table snapshot (use existing tech) • Inject test traces to test data-plane behavior • Rule property • Order, priority -> test explosion problem! • Dependency graph for rescue? • Incremental testing, depends on # of sub-space? • VNF state consistency • Asymmetric routing lead to inconsistent forwarding for a security VNF • Strong/eventual consistency • Fast and efficient attestation/detection of such problem • Formulate as certain version of model checking? State machine inference?
Per-property Verification Technique • Version compatibility • Combine VNF version with external compatibility information • Checked by trusted delegate • Performance monitoring • Latency: time sample packet at NFV hypervisor • Throughput: measured by hypervisor • Resource accounting • Depend on trusted hypervisor module • Traffic confidentiality • In network: encryption? • On NFV: Terra ?
Reference  G. Coker, J. Guttman, P. Loscocco, A. Herzog, J. Millen, B. OHanlon, J. Ramsdell, A. Segall, J. Sheehy, and B. Sniffen. Principles of remote attestation. International Journal of Information Security, 10(2):63–81, 2011.  Shi, E., Perrig, A., Van Doorn, L.: BIND: a time-of-use attestation service for secure distributed systems. SOSP ‘05  Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., Khosla, P. Pioneer: verifying integrity and guaranteeing execution of code on legacy platforms. SOSP ’05  Schellekens, D., Wyseur, B., Preneel, B.: Remote attestation on legacy operating systems with trusted platform modules. Electron. Notes Theor. Comput. Sci. 197(1), 59–72 (2008)  Shieh, A., Williams, D., Sirer, E., Schneider, F.B.: Nexus: a new operating system for trustworthy computing. SOSP ’05  Petroni, N.L. Jr., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot—a coprocessor-based kernel runtime integrity monitor. In: USENIX Security Symposium, pp. 179–194. USENIX (2004)  Gu, L., Ding, X., Deng, R.H., Xie, B., Mei, H.: Remote attetation on program execution. In: STC ’08  SeyedKavehFayazbakhsh, Michael K Reiter, Vyas Sekar, Verifiable Network Function Outsourcing: Requirements, Challenges, and Roadmap. HotMiddlebox ’13  Santos, N., Gummadi, K. P., & Rodrigues, R. (2009, June). Towards trusted cloud computing. HotCloud ‘09 (pp. 3-3).  Keller, E., Lee, R. B., & Rexford, J. (2009, August). Accountability in hosted virtual networks. In Proceedings of the 1st ACM workshop on Virtualized infrastructure systems and architectures (pp. 29-36). ACM.
Reference  Haldar, V., Chandra, D., & Franz, M. (2004, May). Semantic remote attestation: a virtual machine directed approach to trusted computing. In USENIX Virtual Machine Research and Technology Symposium (Vol. 2004).  Chen, L., Landfermann, R., Löhr, H., Rohe, M., Sadeghi, A. R., & Stüble, C. (2006, November). A protocol for property-based attestation. In ACM STC ‘06.  A.-R. Sadeghi and C. Stuble. Property-based attestation for computing platforms: Caring about properties, not mechanisms. In ACM SIGSAC ‘04  J. Poritz, M. Schunter, E.V. Herreweghen, and M. Waidner. Property attestation — scalable and privacy-friendly security assessment of peer computers, IBM Research Report RZ 3548, 2004  Alam, M., Zhang, X., Nauman, M., Ali, T., & Seifert, J. P. (2008, June). Model-based behavioral attestation. In Proceedings of the 13th ACM symposium on Access control models and technologies (pp. 175-184). ACM  G. C. Necula and P. Lee. The design and implementation of a certifying compiler. In PLDI’98  Xiao-Yong Li, Chang xiang Shen, and Xiao-Dong Zuo. An Efficient Attestation for Trustworthiness of Computing Platform. In IIH-MSP, pages 625–630, 2006  Kil, C., Sezer, E. C., Azab, A. M., Ning, P., & Zhang, X. (2009, June). Remote attestation to dynamic system properties: Towards providing complete system integrity evidence. In DSN'09.  Kühn, U., Selhorst,M., Stüble, C.: Realizing property-based attestation and sealing with commonly available hard- and software. In: STC ’07  J. Marchesini, S. Smith, O. Wild, A. Barsamian, and J. Stabiner. Open-source applications of TCPA hardware. In ACSAC’04
Reference  M. Dobrescu and K. Argyraki. Software Dataplane Verification. In NSDI, 2014  Fayaz, S. K., Tobioka, Y., Chaki, S., & Sekar, V. (2014). BUZZ: Testing Context-Dependent Policies in Stateful Data Planes (CMU-CyLab-14-013).  Panda, A., Lahav, O., Argyraki, K., Sagiv, M., & Shenker, S. (2014). Verifying Isolation Properties in the Presence of Middleboxes. arXiv preprint arXiv:1409.7687.  A. Guha, M. Reitblatt, and N. Foster. Machine-verified network controllers. In PLDI’13  P. Kazemian, M. Chang, H. Zeng, G. Varghese, N. McKeown, and S. Whyte. Real time network policy checking using header space analysis. In NSDI, 2013.  P. Kazemian, G. Varghese, and N. McKeown. Header space analysis: Static checking for networks. In NSDI, 2012.  A. Khurshid, X. Zou, W. Zhou, M. Caesar, and P. B. Godfrey. Veriflow: Verifying network-wide invariants in real time. In NSDI’13  T. Nelson, A. D. Ferguson, M. J. G. Scheer, and S. Krishnamurthi. A balance of power: Expressive, analyzable controller programming. NSDI, 2014.  D. Sethi, S. Narayana, and S. Malik. Abstractions for model checking sdn controllers. In FMCAD, 2013  R. Skowyra, A. Lapets, A. Bestavros, and A. Kfoury. A verification platform for sdn-enabled applications. In HiCoNS, 2013
Reference  H. Zeng, S. Zhang, F. Ye, V. Jeyakumar, M. Ju, J. Liu, N. McKeown, and A. Vahdat. Libra: Divide and Conquer to Verify Forwarding Tables in Huge Networks. In NSDI, 2014.  SoudehGhorbani and Brighten Godfrey. Towards Correct Network Virtualization. In HotSDN’14.  Seyed K. Fayaz, Vyas Sekar. Testing Stateful and Dynamic Data Planes with FlowTest. In HotSDN’14.  S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul. Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags. In Proc. NSDI, 2014.  T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A Virtual Machine-Based Platform for Trusted Computing. In SOSP’03.