The goal of this project is to improve the accountability of network infrastructure by adapting the idea of remote attestation to network elements like switches and network interfaces.
The adaptation of this idea involves having network elements generate verifiable evidence about their configuration and state, and using that evidence to check whether those elements are behaving as intended.
For follow-up work directed at programmable network testbeds, see the CREASE project.
Position paper
Programmability of network hardware can also be abused to undermine the security of hardware and that of its unwitting users. Remote Attestation (RA) is a class of techniques to provide integrity assurance to remote users of resources such as hardware, OSs and applications. This position paper considers how RA can be used to enable dynamic assessments of network security characteristics through automated generation, collection, and evaluation of rigorous evidence of trustworthiness.
Presented at HotNets 2022:
Paper
Early prototype of an Attestation-capable Switch
Alexander Wolosewicz developed a novel prototype based on the ideas in the HotNets paper. Along the way, he encountered the kind of interesting technical problems that show up when implementing a new idea, and came up with solutions for this prototype. This prototype is based on a fork of the open-source BMv2 reference software switch, and it can run any P4 program that the original BMv2 switch can.
Developed during an Independent Study (CS597) project at Illinois Tech:
Repo
Testbed Evaluation of an Attestation-capable Switch
This work evaluates Alexander's attestation-capable switch in two testbeds: (1) a local university testbed, and (2) the FABRIC testbed. This evaluation was carried out to check the correctness of the behavior of the switch, and to measure the throughput that the switch can handle. In addition to evaluating the switch, this work served to demo the switch and our evaluation setup.
Presented at INDIS 2023 (Best Demo Award):
Abstract
Slides
Video
SmartNIC-based Remote Attestation
Hyunsuk Bang developed a novel prototype for network-based remote attestation that treats a network switch as a black box. It uses smart NICs in the network to provide and check evidence based on polling the switch's configuration. This approach to adapting RA for the network is intended to explore how to adapt third-party, existing switch hardware and software to use remote attestation without a forklift upgrade. During this project, Hyunsuk was co-mentored by Chris Neely from AMD-Xilinx.
Developed during the Applications of Programmable Networking course and subsequently during an Independent Study (CS597) project at Illinois Tech:
Repo
Demo + poster prepared for FABRIC KNIT8 (Runner-up Best Poster):
Poster
Video
Applying Network-based Remote Attestation to 5G
Alexander continued improving his switch prototype and applied it to a 5G scenario that recreates the "Athens Affair", to study how in-network attestation could detect unexpected configurations early in a modern telecom environment. Alexander gave an early talk about this work at the ACM student society at IIT, and used the FABRIC testbed to test and demo this scenario. For the 5G component, Alexander was co-mentored by Ashok Sunder Rajan from Intel.
Demo + poster prepared for FABRIC KNIT8:
Poster
Video