| Field | Value | Language |
|---|---|---|
| dc.contributor.author | Weintraub, Ben | |
| dc.contributor.author | Kim, Jiwon | |
| dc.contributor.author | Tao, Ran | |
| dc.contributor.author | Nita-Rotaru, Cristina | |
| dc.contributor.author | Okhravi, Hamed | |
| dc.contributor.author | Tian, Dave (Jing) | |
| dc.contributor.author | Ujcich, Benjamin | |
| dc.date.accessioned | 2025-01-28T13:45:00Z | |
| dc.date.available | 2025-01-28T13:45:00Z | |
| dc.date.issued | 2024-12-02 | |
| dc.identifier.isbn | 979-8-4007-0636-3 | |
| dc.identifier.uri | https://hdl.handle.net/1721.1/158083 | |
| dc.description | CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA | en_US |
| dc.description.abstract | Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed in the network and implement the desired behavior. We discovered that current IBN specifications and implementations do not specify that flow rule installation orderings should be enforced, which leads to temporal vulnerabilities where, for a limited time, attackers can exploit indeterminate connectivity behavior to gain unauthorized network access. In this paper, we analyze the causes of such temporal vulnerabilities and their security impacts with a representative case study via the ONOS IBN implementation. We devise the Phantom Link attack and demonstrate a working exploit to highlight the security impacts. To defend against such attacks, we propose Spotlight, a detection method that can alert a system administrator of risky intent updates prone to exploitable temporal vulnerabilities. Spotlight is effective in identifying risky updates using realistic network topologies and policies. We show that Spotlight can detect risky updates in a mean time of 0.65 seconds for topologies of over 1,300 nodes. | en_US |
| dc.publisher | ACM \| Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security | en_US |
| dc.relation.isversionof | https://doi.org/10.1145/3658644.3670301 | en_US |
| dc.rights | Creative Commons Attribution | en_US |
| dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | en_US |
| dc.source | Association for Computing Machinery | en_US |
| dc.title | Exploiting Temporal Vulnerabilities for Unauthorized Access in Intent-based Networking | en_US |
| dc.type | Article | en_US |
| dc.identifier.citation | CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA | en_US |
| dc.contributor.department | Lincoln Laboratory | en_US |
| dc.identifier.mitlicense | PUBLISHER_CC | |
| dc.eprint.version | Final published version | en_US |
| dc.type.uri | http://purl.org/eprint/type/ConferencePaper | en_US |
| eprint.status | http://purl.org/eprint/status/NonPeerReviewed | en_US |
| dc.date.updated | 2025-01-01T08:48:51Z | |
| dc.language.rfc3066 | en | |
| dc.rights.holder | The author(s) | |
| dspace.date.submission | 2025-01-01T08:48:51Z | |
| mit.license | PUBLISHER_CC | |
| mit.metadata.status | Authority Work and Publication Information Needed | en_US |