Funding: This work is supported in part by the Chinese National Natural Science Foundation (61802394, U1836209, 62032010) and the Strategic Priority Research Program of the CAS (XDC02040100).
Abstract: Network function virtualization provides programmable in-network middlewares by leveraging virtualization technologies and commodity hardware, and has gained popularity among all mainstream network device manufacturers. Yet it is challenging to apply coverage-guided fuzzing, one of the state-of-the-art vulnerability discovery approaches, to those virtualized network devices, due to the integrity protection inevitably adopted by those devices. In this paper, we propose NDFuzz, a coverage-guided fuzzing framework for virtualized network devices with a novel integrity-protection bypassing method, which is able to distinguish the processes of virtualized network devices from hypervisors using a carefully designed, non-intrusive page global directory inference technique. We implement NDFuzz atop two black-box fuzzers and evaluate NDFuzz with three representative network protocols, SNMP, DHCP and NTP, on nine popular virtualized network devices. NDFuzz obtains an average 36% coverage improvement in comparison with its black-box counterparts. NDFuzz discovers 2 0-day vulnerabilities and 1 1-day vulnerability with coverage guidance, while the black-box fuzzer can find only one of them. All discovered vulnerabilities are confirmed by the corresponding vendors.
Abstract: This paper proposes a formal method for modeling and analyzing network devices such as routers. It is based on a process algebra called "ACSR-VP", which enhances the original CCS process algebra by incorporating the notions of time, resource requirements, dynamic prioritization, and synchronization. Therefore, although there are many formal methods for analyzing timed concurrent systems, ACSR-VP, owing to these features, is the best fit for the analysis of resource-bounded real-time systems. This paper extends ACSR-VP to EACSR-VP, which is more adaptive to the features of network devices and specializes in analyzing this kind of embedded system. EACSR-VP adds the notion of n-way communication, which allows more than two processes to participate in a synchronization. It also enhances the value-passing capabilities, which makes for more flexible specifications. Finally, specification, verification and analysis methods with EACSR-VP are introduced through a case study of a router with multiple input queues.
Abstract: Crystal optics and fiber grating technology are two of the most important optical fiber device technologies. In this paper, we report several new devices developed at Accelink for WDM network applications.
Funding: Supported by the National Natural Science Foundation of China (No. 61171092), the Jiangsu Educational Bureau Project (No. 14KJA510004), and NUPTSFs (Nos. NY215177 and NY217089).
Abstract: Owing to advanced storage and communication capabilities today, smart devices have become the basic interface between individuals and their surrounding environment. In particular, massive numbers of devices connect to one another directly within a proximity area, thereby enabling abundant Proximity Services (ProSe), which can be classified into two categories: public safety communication and social discovery. However, two challenges impede the quick development and deployment of ProSe applications. From the networking viewpoint, no multi-hop connectivity component can be operated directly on commercial off-the-shelf devices, and from the programming viewpoint, an easily reusable development framework is lacking for developers with minimal knowledge of the underlying communication technologies and connectivity. Considering these two issues, this paper makes a twofold contribution. First, a multi-hop mesh network based on Bluetooth Low Energy (BLE) is implemented, in which a proactive routing mechanism assisted by link quality (i.e., received signal strength indication) is designed. Second, a ProSe development framework called BLE Mesh is designed and implemented, which provides significant benefits for application developers, framework maintenance professionals, and end users. Rich application programming interfaces help developers build ProSe apps easily and quickly. The dependency inversion principle and the template method pattern allow modules in BLE Mesh to be loosely coupled and easy to maintain and update. A callback mechanism enables modules to work smoothly together, and automated processes such as registration, node discovery, and messaging offer nearly zero configuration for end users. Finally, based on the designed ProSe development kit, a public safety communications app called Quote Send App is built to distribute emergency information within a local area without Internet access. The process illustrates the ease of using BLE Mesh to develop ProSe apps.