P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF

Osama Bajaber, Bo Ji, Peng Gao

TL;DR

P4Control introduces a network-level DIFC framework that tightly constrains end-to-end information flows across multiple hosts by combining in-network per-flow enforcement on programmable switches with a lightweight eBPF host agent. The NetCL policy language enables expressive, priority-based DIFC policies that are compiled into switch configurations and updated at runtime without disrupting traffic, while a TrackerID taint mechanism supports fine-grained tracking of sensitive files. Empirical evaluation demonstrates real-time cross-host attack prevention at near line-rate on 100 Gbps switches, with minimal impact on benign traffic and manageable host overhead, and shows significant improvements over SDN-based approaches in confinement precision and defense responsiveness. The work advances practical zero-trust networking by enabling scalable, distributed DIFC enforcement in the data plane, with potential extensions to broader host confinement and dynamic multi-switch deployments.

Abstract

Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network. However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time. In this paper, we propose P4Control, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate. P4Control introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work that enforces DIFC at the network level at network line rate. This is achieved through: (1) an in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies; (2) a lightweight eBPF-based primitive deployed on hosts for tracking intra-host information flows. P4Control also provides an expressive policy framework for specifying DIFC policies against different attack scenarios. We conduct extensive evaluations to show that P4Control can effectively prevent cross-host attacks in real time, while maintaining line-rate network performance and imposing minimal overhead on the network and host machines. It is also noteworthy that P4Control can facilitate the realization of a zero trust architecture through its fine-grained least-privilege network access control.
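
The abstract contrasts a perimeter firewall, which sees only single hops, with DIFC, which follows a label end to end across hosts. The following simulation is an added illustration and is not P4Control's code: it models the Figure 1 scenario with a textbook DIFC secrecy rule (a packet may be delivered only if every tag on its label is within the receiver's clearance; delivered tags taint the receiver so they travel on with its later flows). Host names, tags and clearances are constructed for the example, and the perimeter firewall rule is a hypothetical stand-in that blocks only the direct external-to-Server1 path.

```python
"""Textbook DIFC label check over a multi-hop, cross-host path.

Constructed example, not P4Control's own mechanism: hosts carry a taint label
(tags they have been exposed to) and a clearance (tags they may receive);
a packet inherits its sender's taint, and a switch-side check drops it unless
the label is covered by the destination's clearance.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    taint: frozenset      # tags this host has already been exposed to
    clearance: frozenset  # tags this host is permitted to receive


def firewall_allows(src: str, dst: str) -> bool:
    """Hypothetical perimeter rule: only a direct external -> Server1 connection is blocked."""
    return not (src == "external" and dst == "Server1")


def difc_allows(packet_label: frozenset, dst: Host) -> bool:
    """Secrecy rule: every tag carried by the packet must be in the receiver's clearance."""
    return packet_label <= dst.clearance


def send(hosts: dict, src: str, dst: str, log: list) -> tuple:
    """One inter-host flow. Returns (firewall_decision, difc_decision).

    The packet label is the sender's current taint; on delivery the receiver's
    taint is unioned with it, which stands in for the intra-host propagation
    a host-side tracker would perform between receive and the next send.
    """
    s, d = hosts[src], hosts[dst]
    label = s.taint
    fw = firewall_allows(src, dst)
    difc = difc_allows(label, d)
    log.append((src, dst, sorted(label), fw, difc))
    if fw and difc:
        d.taint = d.taint | label
    return fw, difc


def build_hosts() -> dict:
    """Constructed topology: an external host, two stepping stones, one protected server."""
    return {
        "external": Host("external", frozenset({"ext"}), frozenset({"ext"})),
        "Host1": Host("Host1", frozenset(), frozenset({"ext", "int"})),
        "Host2": Host("Host2", frozenset(), frozenset({"ext", "int"})),
        "Server1": Host("Server1", frozenset({"int"}), frozenset({"int"})),
    }


def run_scenario() -> tuple:
    """Replay the stepping-stone path and the direct path; return decisions and a trace."""
    hosts = build_hosts()
    log = []
    path = [("external", "Host1"), ("Host1", "Host2"), ("Host2", "Server1")]
    lateral = [send(hosts, s, d, log) for s, d in path]
    direct = send(hosts, "external", "Server1", log)
    return lateral, direct, log


if __name__ == "__main__":
    lateral, direct, log = run_scenario()
    for src, dst, label, fw, difc in log:
        verdict = "DELIVERED" if fw and difc else "DROPPED"
        print(f"{src:>8} -> {dst:<8} label={label} firewall={fw} difc={difc} {verdict}")
```

On the constructed path the firewall passes all three lateral hops, because none of them is the one pair it knows about, while the DIFC check drops the last hop: the `ext` tag picked up at Host1 is still on the packet when Host2 sends to Server1, and Server1's clearance does not include it. That is the end-to-end visibility the abstract says per-hop defenses lack.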

Paper Structure (68 sections, 16 figures, 5 tables)

This paper contains 68 sections, 16 figures, 5 tables.

Figures (16)

  • Figure 1: (a) A real-world attack scenario: while the firewall can block any direct connections (indicated by the grey dashed arrow) from the external network to a protected server, Server1, by exploiting intermediate hosts, the attacker can successfully bypass the firewall and reach its final target with four inter-host information flows (indicated by the red arrows) and multiple intra-host information flows (indicated by the orange arrows). (b) An illustration of the defense workflow of P4Control deployed in a network of programmable switches: P4Control parses DIFC labels (indicated in the yellow boxes) to precisely correlate and confine information flows across hosts and blocks cross-host attack traffic in real time based on the priority-ordered DIFC policies.
  • Figure 2: Protocol independent switch architecture
  • Figure 3: Overall architecture of P4Control
  • Figure 4: Headers of DIFC-labeled network packet
  • Figure 5: In-network packet processing workflow
  • ...and 11 more figures