NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack

Alaa Oqaily; L.T. Sudershan; Yosr Jarraya; Suryadipta Majumdar; Mengyuan Zhang; Makan Pourzandi; Lingyu Wang; Mourad Debbabi

doi:10.1109/CloudCom49646.2020.00003

NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack

Alaa Oqaily, L.T. Sudershan, Yosr Jarraya, Suryadipta Majumdar, Mengyuan Zhang, Makan Pourzandi, Lingyu Wang, Mourad Debbabi

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Network Functions Virtualization (NFV) enables agile and cost-effective deployment of multi-tenant network services on top of a cloud infrastructure. However, the multi-tenant and multilevel nature of NFV may lead to novel security challenges, such as stealthy attacks exploiting potential inconsistencies between different levels of the NFV stacks. Consequently, the security compliance of a multilevel NFV stack cannot be sufficiently established using existing solutions, which typically focus on one level. Moreover, the naive approach of separately verifying every level could be expensive or even infeasible. In this paper, we propose, NFVGuard, the first multilevel approach to the formal security verification of NFV stacks. Our key idea is to conduct the security verification at only one level, and then assure that verification result for other levels by verifying the consistency between adjacent levels. We integrate NFVGuard with OpenStack/Tacker, a popular platform for the NFV deployment, and experimentally evaluate its effectiveness.

Original language	English
Title of host publication	Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020
Publisher	IEEE Computer Society
Pages	33-40
ISBN (Electronic)	9780738143767
DOIs	https://doi.org/10.1109/CloudCom49646.2020.00003
Publication status	Published - 1 Dec 2020
Externally published	Yes
Event	12th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020 - Bangkok, Thailand Duration: 14 Dec 2020 → 17 Dec 2020

Publication series

Name	Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom
ISSN (Print)	2330-2194
ISSN (Electronic)	2330-2186

Conference

Conference	12th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020
Country/Territory	Thailand
City	Bangkok
Period	14/12/20 → 17/12/20

Access to Document

10.1109/CloudCom49646.2020.00003

Persistent URL (handle)

Persistent link

Cite this

Oqaily, A., Sudershan, L. T., Jarraya, Y., Majumdar, S., Zhang, M., Pourzandi, M., Wang, L., & Debbabi, M. (2020). NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. In Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020 (pp. 33-40). Article 9407318 (Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom). IEEE Computer Society. https://doi.org/10.1109/CloudCom49646.2020.00003

Oqaily, Alaa ; Sudershan, L.T. ; Jarraya, Yosr et al. / NFVGuard : Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020. IEEE Computer Society, 2020. pp. 33-40 (Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom).

@inproceedings{b1f534399b6b4e758ddd5ca869b0a8e9,

title = "NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack",

abstract = "Network Functions Virtualization (NFV) enables agile and cost-effective deployment of multi-tenant network services on top of a cloud infrastructure. However, the multi-tenant and multilevel nature of NFV may lead to novel security challenges, such as stealthy attacks exploiting potential inconsistencies between different levels of the NFV stacks. Consequently, the security compliance of a multilevel NFV stack cannot be sufficiently established using existing solutions, which typically focus on one level. Moreover, the naive approach of separately verifying every level could be expensive or even infeasible. In this paper, we propose, NFVGuard, the first multilevel approach to the formal security verification of NFV stacks. Our key idea is to conduct the security verification at only one level, and then assure that verification result for other levels by verifying the consistency between adjacent levels. We integrate NFVGuard with OpenStack/Tacker, a popular platform for the NFV deployment, and experimentally evaluate its effectiveness.",

author = "Alaa Oqaily and L.T. Sudershan and Yosr Jarraya and Suryadipta Majumdar and Mengyuan Zhang and Makan Pourzandi and Lingyu Wang and Mourad Debbabi",

year = "2020",

month = dec,

day = "1",

doi = "10.1109/CloudCom49646.2020.00003",

language = "English",

series = "Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom",

publisher = "IEEE Computer Society",

pages = "33--40",

booktitle = "Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020",

note = "12th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020 ; Conference date: 14-12-2020 Through 17-12-2020",

}

Oqaily, A, Sudershan, LT, Jarraya, Y, Majumdar, S, Zhang, M, Pourzandi, M, Wang, L & Debbabi, M 2020, NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. in Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020., 9407318, Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom, IEEE Computer Society, pp. 33-40, 12th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020, Bangkok, Thailand, 14/12/20. https://doi.org/10.1109/CloudCom49646.2020.00003

NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. / Oqaily, Alaa; Sudershan, L.T.; Jarraya, Yosr et al.
Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020. IEEE Computer Society, 2020. p. 33-40 9407318 (Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - NFVGuard

T2 - 12th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020

AU - Oqaily, Alaa

AU - Sudershan, L.T.

AU - Jarraya, Yosr

AU - Majumdar, Suryadipta

AU - Zhang, Mengyuan

AU - Pourzandi, Makan

AU - Wang, Lingyu

AU - Debbabi, Mourad

PY - 2020/12/1

Y1 - 2020/12/1

N2 - Network Functions Virtualization (NFV) enables agile and cost-effective deployment of multi-tenant network services on top of a cloud infrastructure. However, the multi-tenant and multilevel nature of NFV may lead to novel security challenges, such as stealthy attacks exploiting potential inconsistencies between different levels of the NFV stacks. Consequently, the security compliance of a multilevel NFV stack cannot be sufficiently established using existing solutions, which typically focus on one level. Moreover, the naive approach of separately verifying every level could be expensive or even infeasible. In this paper, we propose, NFVGuard, the first multilevel approach to the formal security verification of NFV stacks. Our key idea is to conduct the security verification at only one level, and then assure that verification result for other levels by verifying the consistency between adjacent levels. We integrate NFVGuard with OpenStack/Tacker, a popular platform for the NFV deployment, and experimentally evaluate its effectiveness.

AB - Network Functions Virtualization (NFV) enables agile and cost-effective deployment of multi-tenant network services on top of a cloud infrastructure. However, the multi-tenant and multilevel nature of NFV may lead to novel security challenges, such as stealthy attacks exploiting potential inconsistencies between different levels of the NFV stacks. Consequently, the security compliance of a multilevel NFV stack cannot be sufficiently established using existing solutions, which typically focus on one level. Moreover, the naive approach of separately verifying every level could be expensive or even infeasible. In this paper, we propose, NFVGuard, the first multilevel approach to the formal security verification of NFV stacks. Our key idea is to conduct the security verification at only one level, and then assure that verification result for other levels by verifying the consistency between adjacent levels. We integrate NFVGuard with OpenStack/Tacker, a popular platform for the NFV deployment, and experimentally evaluate its effectiveness.

UR - http://www.scopus.com/inward/record.url?scp=85105819353&partnerID=8YFLogxK

U2 - 10.1109/CloudCom49646.2020.00003

DO - 10.1109/CloudCom49646.2020.00003

M3 - Conference contribution

T3 - Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom

SP - 33

EP - 40

BT - Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020

PB - IEEE Computer Society

Y2 - 14 December 2020 through 17 December 2020

ER -

Oqaily A, Sudershan LT, Jarraya Y, Majumdar S, Zhang M, Pourzandi M et al. NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack. In Proceedings - 2020 IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2020. IEEE Computer Society. 2020. p. 33-40. 9407318. (Proceedings of the International Conference on Cloud Computing Technology and Science, CloudCom). doi: 10.1109/CloudCom49646.2020.00003

NFVGuard: Verifying the Security of Multilevel Network Functions Virtualization (NFV) Stack

Abstract

Publication series

Conference

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this