Modeling NFV Deployment to Identify the Cross-Level Inconsistency Vulnerabilities

By providing network functions through software running on standard hardware, Network Functions Virtualization (NFV) brings many benefits, such as increased agility and flexibility with reduced costs, as well as additional security concerns. Although existing works have examined various security issues of NFV, such as vulnerabilities in VNF software and DoS, there has been little effort on a security issue that is intrinsic to NFV, i.e., as an NFV environment typically involves multiple abstraction levels, the inconsistency that may arise between different levels can potentially be exploited for security attacks. In this paper, we propose the first NFV deployment model to capture the deployment aspects of NFV at different abstraction levels, which is essential for an in-depth study of the inconsistencies between such levels. Based on the model and an implemented NFV testbed, we present concrete attack scenarios in which the inconsistencies are exploited to attack the network functions in a stealthy manner. Finally, we study the feasibility of detecting the inconsistencies through verification.