Defeating Data Plane Attacks With Program Obfuscation.

IEEE Trans. Dependable Secur. Comput. (2024)

Abstract
Data plane switches in software-defined networks are increasingly recognised as potential targets for attack, with recent exploits showing their vulnerability to full compromise. The serious consequences of such a breach have prompted the design of compromise detection mechanisms, which monitor switch forwarding behaviour at runtime to ensure that it has not been altered by an attack. However, such defences cannot achieve full coverage in stateful, programmable data planes, creating an opportunity for an attacker to evade detection by carefully editing a switch's forwarding program to mishandle a small subset of packets. To exploit this opportunity and avoid detection, an attacker must analyse and edit the program's behaviour within a narrow time window, which is possible when the data plane is defined by a uBPF program compiled from P4, due to the predictable compilation process. In this work, we aim to invalidate this analysis-guided attack technique with targeted obfuscation of P4-uBPF programs that increases the analysis complexity. We find that, by inserting additional program paths and syntactic dependencies between variables, we can force an attacker to analyse a higher proportion of program instructions and carry out time-consuming SMT solving to find valid program paths, rendering the previous attack technique infeasible. Furthermore, by applying our identified program optimisations, program performance can often be maintained after obfuscation. In evaluating our work, we identify the potential to improve our solution by tailoring obfuscations to individual program paths.
Keywords
Data plane security, obfuscation, P4, SDN, SMT, static analysis, uBPF