P4CONTROL: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF
Abstract
Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network.
However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time.
In this paper, we propose P4CONTROL, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate.
P4CONTROL introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work to enforce DIFC at the network level and at line rate.
This is achieved through:
- An in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies.
- A lightweight eBPF-based primitive deployed on hosts for tracking intra-host information flows.
P4CONTROL also provides an expressive policy framework for specifying DIFC policies against different attack scenarios.
We conduct extensive evaluations to show that P4CONTROL can effectively prevent cross-host attacks in real time, while maintaining line-rate network performance and imposing minimal overhead on the network and host machines.
It is also noteworthy that P4CONTROL can facilitate the realization of a zero trust architecture through its fine-grained, least-privilege network access control.
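To make the split between the two primitives concrete, here is an added toy model (not code from the paper) of a switch-side DIFC check combined with host-side label propagation along a stepping-stone path. It assumes a simple floating-label semantics of my own choosing: each host has a fixed clearance (the secrecy tags it may ever hold) and a current label that grows as it receives data; a flow is forwarded only if the sender's label is within the receiver's clearance.

```python
"""Toy model of in-network DIFC with floating secrecy labels.

Assumed semantics (an illustration, not the paper's design): every host has
a fixed clearance (tags it may hold) and a current label (tags of data it
has received). A flow src -> dst is forwarded only if
label(src) <= clearance(dst); afterwards label(dst) |= label(src).
"""
from dataclasses import dataclass


@dataclass
class HostState:
    clearance: frozenset            # maximum secrecy the host may hold
    label: frozenset = frozenset()  # secrecy accumulated so far (floats up)


def check_flow(src: HostState, dst: HostState) -> bool:
    """Switch-side decision: forward only if dst is cleared for src's taint."""
    return src.label <= dst.clearance


def propagate(src: HostState, dst: HostState) -> None:
    """Host-side update after a forwarded flow: dst inherits src's tags."""
    dst.label = dst.label | src.label


def enforce_path(hosts: dict, path: list):
    """Replay a sequence of inter-host flows; return the index of the first
    blocked hop (None if all were forwarded) and the final labels per host."""
    state = {n: HostState(h.clearance, h.label) for n, h in hosts.items()}
    for hop, (src, dst) in enumerate(zip(path, path[1:])):
        if not check_flow(state[src], state[dst]):
            return hop, {n: set(s.label) for n, s in state.items()}
        propagate(state[src], state[dst])
    return None, {n: set(s.label) for n, s in state.items()}


# Constructed topology: an internet-facing web host, an app tier cleared
# for PII, and a database whose data is tagged 'pii' from the start.
HOSTS = {
    "web": HostState(clearance=frozenset()),
    "app": HostState(clearance=frozenset({"pii"})),
    "db":  HostState(clearance=frozenset({"pii"}), label=frozenset({"pii"})),
}

if __name__ == "__main__":
    # app -> web is forwarded in isolation ...
    print(enforce_path(HOSTS, ["app", "web"]))
    # ... but once app has pulled data from db, the same app -> web hop is
    # dropped: the label followed the data across hosts.
    print(enforce_path(HOSTS, ["web", "app", "db", "app", "web"]))
```

The second replay is the point of end-to-end tracking: a per-hop ACL would permit app -> web, but the accumulated label shows that the flow now carries database data.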
Authors
All authors are affiliated with Virginia Tech.
- Publication/Conference: IEEE Symposium on Security and Privacy (S&P), 2024
- Date: May 20, 2024