Network service providers need to deploy network equipment such as firewalls, domain name servers (DNSs), load balancers, routers, and switches at the consumers’ premises to deliver a network service. These network hardware devices may connect many computers with different operating systems and protocols, which increases the complexity of network infrastructure [
1,
2]. In addition, TSPs may require deploying additional network equipment to cover the consumers’ needs [
3], which expands the network infrastructure and increases the operational expenditure (OpEx) and the capital expenditures (CapEx), making managing the network infrastructure a cumbersome process [
4]. The heterogeneity of these pieces of equipment also makes it difficult to have a secure network environment.
A different paradigm has emerged in the network industry that developed the network infrastructure and its service delivery. Network Function Virtualization (NFV) takes advantage of virtualization to deliver virtual network functions, i.e., virtual firewalls, virtual switches, etc. It promises independence in hardware and software development, because they are not integrated with each other, and reduces the OpEx, the CapEx, and even the total cost of ownership (TCO) [
5,
6]. NFV also ensures a sharable and scalable network environment in which many NFV consumers can share and scale the network resources provided by TSPs according to their requirements. We consider here TSPs as NFV providers.
Although NFV promises many benefits, as mentioned previously, it leads to security issues [
7,
8]. NFV providers are required to undertake substantial efforts to ensure a secure NFV service environment. To provide a secure NFV service, we need to study and understand the possible threats. In [
9], we looked at the main security threats in NFV and the possible countermeasures to these threats. In this survey, we classified the vulnerabilities and mapped them to their possible threats. Here, we use misuse patterns to describe one of these threats, the threat of maliciously modifying non-control data. Misuse patterns are used to describe how an attack is carried out from the point of view of the attacker [
10]. They also define the environment in which the attack can be carried out, the possible countermeasures to mitigate it, and the forensic information that could be used to trace the attack once it happens [
10]. The patterns are part of an ongoing catalog that can be used by system designers to consider security aspects when building an NFV system.
The threat of modifying non-control data has been studied in various systems. In [
11], the authors demonstrated real-world applications vulnerable to such attacks to show how non-control data attacks are realistic. In [
12], the authors described some possible cases of kernel non-control data attacks. In [
13], a data-oriented programming technique was used to construct non-control data attacks on nine applications. The authors also used a dataflow stitching technique to generate data-oriented exploits that led to non-control data attacks. Another scenario of a non-control data attack is explained in [
14], in which a memory corruption vulnerability was leveraged. Although many researchers have explained the possibility of this threat, no one in the literature has used patterns to analyze the threat of non-control data in an NFV system. Patterns have proved convenient to describe the threats in several environments, such as cloud [
15], IoT [
16], and VoIP [
17].
2. Background
2.1. Network Function Virtualization
NFV transforms the traditional network architecture from a static architecture that comprises physical hardware to an agile one that provides network functions as software running in virtual machines (VMs). Decoupling the network functions from its dedicated hardware and emulating them to virtual servers will result in the following benefits [
19]:
-
Flexibility: The network will be provided as a software service, ensuring flexible and faster deployment;
-
Elasticity: NFV consumers will be able to dynamically scale the network resources;
-
Extensibility: It would be possible to dynamically add more network services within the network service;
-
Faster deployment: The network service will be configured faster.
The European Telecommunication Standards Institute (ETSI) introduced the first architecture of NFV, shown in
Figure 1 [
20]. It consists of three main components: the network function virtualization infrastructure (NFVI), virtualized network functions (VNFs), and NFV management and orchestration (MANO).
Figure 1. NFV Reference Architecture Framework [
20].
The NFV infrastructure is the foundation platform for the network service and contains hardware resources (storage, CPU, network, etc.); virtualized resources (virtual storage, virtual CPU, virtual network, etc.); and the virtualization layer, which contains the hypervisor. The hypervisor, also called the virtual machine manager (VMM), deploys VMs, emulates the necessary resources, and allows for resource sharing, while also ensuring isolation among them [
21].
Further, VNFs are software implementations of the network functions that are deployed on the NFVI. A single VNF may contain several components (VNFCs), which are software components of a VNF, or may contain only one network function in order to maintain its scalability. VNFs are hosted by VMs [
22] or even a container [
23].
The third component is the NFV MANO, which covers the lifecycle management and orchestration of the virtual network service. It contains three management units: the virtualized infrastructure manager (VIM), responsible for managing the interaction between the VNFs and the NFVI resources; the VNF manager, which manages and monitors the VNF resources; and the NFV orchestrator (NFVO), which provisions the necessary resources for the network service.
2.2. Patterns
A pattern is a solution to a recurrent problem in a given context. Patterns embody abstractions and provide common vocabularies for system designers. Their solutions are suggestions, not plug-ins [
19], which means that they are prototypes and there are many ways to instantiate a pattern. There are several types of patterns, intended for specific design purposes. Design and architectural patterns are used to build the functional aspects of extendable systems [
24]. Security patterns are used to build secure systems by defining a way of controlling vulnerabilities or stopping specific attacks [
10]. Threat patterns describe the steps of an attack that could lead to several misuses [
25]. Misuse patterns are used to describe, from the attacker’s perspective, a generic method of attacking a system by exploiting a vulnerability. They also describe the environment in which an attack may be performed, the possible countermeasures to mitigate it, and the method to find forensic information to trace the attack once it happens [
10].
Patterns are described using templates; each template is different based on the type of pattern. For example, a misuse pattern template contains countermeasures, consequences, and forensic sections that are not available in a design pattern template. We use the Pattern-Oriented Software Architecture (POSA) template as we consider it more suitable for describing security aspects [
10]. The descriptions of patterns may be written in textual language, and their solutions are usually shown in Unified Modeling Language (UML).
2.3. Modifying Non-Control Threat
Most security threats are related to altering the control flow of the targeted system, either by injecting a code or by reusing existing code such as return and call instructions [
26,
27]. It mainly refers to the data loaded in the processing counter during program execution, in which the attacker exploits, for instance, a memory corruption vulnerability, such as buffer overflow or integer overflow, to compromise the system [
28,
29]. It has been indicated that threats related to non-control data are also possible in real-world applications and are closely equivalent to control data threats [
11,
30]. Non-control data attacks do not affect the control flow of a system; instead, they are carried out by altering the non-control data of a targeted program, such as configuration data, decision-making data, user identity data, and user input [
29]. There are also other critical non-control data in the kernel level susceptible to an attack, such as user privilege data, resource utilization data, and service policy data [
12,
31].
The threat of modifying non-control data is also possible in the virtualization environment. The hypervisor is being used as a virtualization layer in many systems, including Network Function Virtualization (NFV) [
32], due to its ability to enable resource sharing and, at the same time, ensure isolation among virtual machines. Since hypervisors have a smaller code base, it has been assumed that they and the VMs running on top of them are secure [
33,
34,
35,
36]. However, some hypervisors indeed are quite complex and have large lines of codes. For instance, Xen contains more than 900K lines of codes [
37]. Kernel-based Virtual Machine (KVM) contains around 850K lines of codes [
38]. Continuing bug and exploit reports indicate that hypervisors are not secured, as has been assumed [
39,
40,
41,
42], and neither are non-control data, which are considered an exploitable attack vector [
12,
13,
31].