Integrity Verification for Virtualized Networks Using Side-Channel

Asadujjaman, A S M (2023) Integrity Verification for Virtualized Networks Using Side-Channel. PhD thesis, Concordia University.

Full text: Asadujjaman_PhD_S2024.pdf (Accepted Version, PDF, 3MB), available under License Spectrum Terms of Access.

Abstract

Virtualization of networks has recently attracted enormous interest as an enabler of high-performance, cost-effective, scalable, and reliable communication services (e.g., 5G). However, these advantages are accompanied by issues such as an increased attack surface, software bugs, lack of visibility, and lack of control over in-the-cloud virtualized networks. These issues pose the risk of integrity breaches of virtualized networks, preventing them from providing services as intended by their owners (i.e., network service providers). Therefore, to reap the benefits of virtualized networks, appropriate integrity verification mechanisms must be deployed to detect any integrity breaches that may arise from these issues. On one hand, it is often challenging to find mechanisms that perform such verification under the limited-access constraints and high-scalability requirements of contemporary communication services; on the other hand, potential attacks are becoming more and more sophisticated (e.g., attacks on the underlying infrastructure, zero-day attacks, and runtime attacks). Existing works can be divided mainly into two categories: pre-deployment and runtime. Firstly, existing pre-deployment approaches are applied before the deployment of virtualized networks and are therefore unable to detect any breach of integrity at runtime. Secondly, existing runtime approaches require access to data that are typically unavailable to owners of virtualized network services. Moreover, even when such data are made available, collecting them requires intrusive techniques that affect the performance and scalability of network services. In this thesis, we overcome all the above limitations of existing works by looking beyond what is possible with traditional direct observation-based approaches and focusing on the indirect effects of the attacks (a.k.a. side-channels).

We propose a side-channel-based integrity verification system that offers a practical and scalable approach without requiring access to data that are typically unavailable. For this purpose, we organize our work into three main phases. In the first phase, we propose an approach to verify the integrity of virtualized network function (VNF) chains, where the proposed system detects a wide range of integrity breaches of VNF chains, such as VNF bypassing, packet dropping, and packet injection, without requiring access to the underlying cloud infrastructure on which the VNFs are deployed. In the second phase, we propose a mechanism to detect functional integrity breaches of VNFs caused by code injection (through the exploitation of vulnerabilities at different levels of the virtualization ecosystem). Thus, the first two phases combined can provide overall integrity verification by guaranteeing that the components (i.e., VNFs) are working properly both collectively (i.e., packets are being forwarded properly through the service chains) and individually (i.e., each VNF is providing exactly the functionality intended). Finally, in the third phase, we make the above solutions more efficient and more resilient against adaptive attempts to deceive our mechanisms by proposing a continuous verification technique. In summary, this thesis contributes towards enhancing the comprehensiveness, practicality, and security of integrity verification for virtualized networks.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (PhD)
Authors: Asadujjaman, A S M
Institution: Concordia University
Degree Name: Ph. D.
Program: Information and Systems Engineering
Date: 29 June 2023
Thesis Supervisor(s): Majumdar, Suryadipta
Keywords: Cyber Security, NFV, Network Functions Virtualization, SDN, Software-Defined Networks, 5G, Cloud Native, Kubernetes, OpenStack
ID Code: 993131
Deposited By: A S M Asadujjaman
Deposited On: 05 Jun 2024 15:58
Last Modified: 05 Jun 2024 15:58