Securing P4 Programs by Information Flow Control

TL;DR

This paper introduces a security type system for P4 programs that uses information flow control to prevent data leakage, formalizes its soundness, and demonstrates its effectiveness through a prototype implementation.

Contribution

It presents a novel security type system combining security types with interval analysis for P4, formalizes and proves its soundness, and evaluates a prototype tool, Tap4s.

Findings

Successfully detects security violations in P4 programs.

Guarantees noninterference for well-typed programs.

Prototype demonstrates practical effectiveness in real use cases.

Abstract

Software-Defined Networking (SDN) has transformed network architectures by decoupling the control and data-planes, enabling fine-grained control over packet processing and forwarding. P4, a language designed for programming data-plane devices, allows developers to define custom packet processing behaviors directly on programmable network devices. This provides greater control over packet forwarding, inspection, and modification. However, the increased flexibility provided by P4 also brings significant security challenges, particularly in managing sensitive data and preventing information leakage within the data-plane. This paper presents a novel security type system for analyzing information flow in P4 programs that combines security types with interval analysis. The proposed type system allows the specification of security policies in terms of input and output packet bit fields rather than program variables. We formalize this type system and prove it sound, guaranteeing that well-typed programs satisfy noninterference. Our prototype implementation, Tap4s, is evaluated on several use cases, demonstrating its effectiveness in detecting security violations and information leakages.