Hongyan Liu,Xiang Chen,Yi Shen,Qun Huang,Zhengyan Zhou,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iwqos57198.2023.10188714

2023-01-01

Abstract:In programmable networks, some networking systems coordinate data plane switches to realize in-network functions (e.g., in-band network telemetry). However, the vulnerabilities of inter-device coordination are still largely unknown and neglected, which is highly concerning given the increasing popularity of this paradigm. In this paper, we identify three attack scenarios built upon such vulnerabilities, where attackers mislead the behaviors of networking systems that exploit inter-device coordination to execute in-network functions. We implement 20 existing networking systems on Tofino-based switches and a simulator, and attack these systems with the identified attacks. The experimental results indicate that our attacks significantly interfere with the normal operations of the selected networking systems, e.g., the cache hit rate of NetCache drops 38%. Our analysis also demonstrates that none of existing methods can fully mitigate our attacks since they fail to verify the packets for inter-device coordination.

Pengju Ren,Michel A.Kinsy,Mengjiao Zhu,Shreeya Khadka,Mihailo Isakov,Aniruddh Ramrakhyani,Tushar Krishna,Nanning Zheng

DOI: https://doi.org/10.48550/arXiv.1702.02313

2017-02-08

Abstract:To avoid packet loss and deadlock scenarios that arise due to faults or power gating in multicore and many-core systems, the network-on-chip needs to possess resilient communication and load-balancing properties. In this work, we introduce the Fashion router, a self-monitoring and self-reconfiguring design that allows for the on-chip network to dynamically adapt to component failures. First, we introduce a distributed intelligence unit, called Self-Awareness Module (SAM), which allows the router to detect permanent component failures and build a network connectivity map. Using local information, SAM adapts to faults, guarantees connectivity and deadlock-free routing inside the maximal connected subgraph and keeps routing tables up-to-date. Next, to reconfigure network links or virtual channels around faulty/power-gated components, we add bidirectional link and unified virtual channel structure features to the Fashion router. This version of the router, named Ex-Fashion, further mitigates the negative system performance impacts, leads to larger maximal connected subgraph and sustains a relatively high degree of fault-tolerance. To support the router, we develop a fault diagnosis and recovery algorithm executed by the Built-In Self-Test, self-monitoring, and self-reconfiguration units at runtime to provide fault-tolerant system functionalities. The Fashion router places no restriction on topology, position or number of faults. It drops 54.3-55.4% fewer nodes for same number of faults (between 30 and 60 faults) in an 8x8 2D-mesh over other state-of-the-art solutions. It is scalable and efficient. The area overheads are 2.311% and 2.659% when implemented in 8x8 and 16x16 2D-meshes using the TSMC 65nm library at 1.38GHz clock frequency.

Hardware Architecture

Diksha Goel

2023-09-22

Abstract:With the burgeoning advancements of computing and network communication technologies, network infrastructures and their application environments have become increasingly complex. Due to the increased complexity, networks are more prone to hardware faults and highly susceptible to cyber-attacks. Therefore, for rapidly growing network-centric applications, network resilience is essential to minimize the impact of attacks and to ensure that the network provides an acceptable level of services during attacks, faults or disruptions. In this regard, this thesis focuses on developing effective approaches for enhancing network resilience. Existing approaches for enhancing network resilience emphasize on determining bottleneck nodes and edges in the network and designing proactive responses to safeguard the network against attacks. However, existing solutions generally consider broader application domains and possess limited applicability when applied to specific application areas such as cyber defense and information diffusion, which are highly popular application domains among cyber attackers. This thesis aims to design effective, efficient and scalable techniques for discovering bottleneck nodes and edges in the network to enhance network resilience in cyber defense and information diffusion application domains. We first investigate a cyber defense graph optimization problem, i.e., hardening active directory systems by discovering bottleneck edges in the network. We then study the problem of identifying bottleneck structural hole spanner nodes, which are crucial for information diffusion in the network. We transform both problems into graph-combinatorial optimization problems and design machine learning based approaches for discovering bottleneck points vital for enhancing network resilience.

Cryptography and Security,Machine Learning

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Qi Li,Xinhao Deng,Zhuotao Liu,Yuan Yang,Xiaoyue Zou,Qian Wang,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2022.3142995

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network Function Virtualization (NFV) is a new networking paradigm to enable dynamic network function deployment in networks. Existing studies focused on optimized function deployment and management in NFV. Unfortunately, these studies did not well address the problem of efficient security function enforcement in networks, which is the goal of deploying network functions (NFs), i.e., for real-time security function enforcement on the traffic, since optimal function deployment does not mean efficient security function enforcement on network traffic. In particular, they incurred significant NF enforcement cost. In order to address this issue, in this paper, we propose ${\textsf {FuncE}}$ that aims to solve the efficient real-time security function enforcement problem by developing unified dynamic flow and function scheduling. We formulate the problem as an integer linear programming problem and prove that it is NP-hard. We tackle the problem by decomposing it and developing heuristics to achieve near-optimal solutions. We conduct comprehensive experiments by using real topologies to demonstrate the effectiveness of the ${\textsf {FuncE}}$ design. The experimental results demonstrate that ${\textsf {FuncE}}$ achieves near-optimal network function enforcement, which incurs over 100 times less latency than the existing the optimal solver. In particular, compared to the state-of-art defenses, ${\textsf {FuncE}}$ processes the same number of candidate flows using over 50% less VNFs, while ensuring the same level of function enforcement.

computer science, theory & methods,engineering, electrical & electronic

Yadong Zhou,Kaiyue Chen,Junjie Zhang,Junyuan Leng,Yazhe Tang

DOI: https://doi.org/10.1155/2018/4760632

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:As the most competitive solution for next-generation network, SDN and its dominant implementation OpenFlow are attracting more and more interests. But besides convenience and flexibility, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and maybe the most neglected one is the flow table capacity of SDN/OpenFlow switches. In this paper, we proposed a novel inference attack targeting at SDN/OpenFlow network, which is motivated by the limited flow table capacities of SDN/OpenFlow switches and the following measurable network performance decrease resulting from frequent interactions between data and control plane when the flow table is full. To the best of our knowledge, this is the first proposed inference attack model of this kind for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also proposed two possible defense strategies for the discovered vulnerability, including routing aggregation algorithm and multilevel flow table architecture. These findings give us a deeper understanding of SDN/OpenFlow limitations and serve as guidelines to future improvements of SDN/OpenFlow.

Abhishek Savaliya,Rutvij H Jhaveri,Qin Xin,Saad Alqithami,Sagar Ramani,Tariq Ahamed Ahanger

DOI: https://doi.org/10.3934/mbe.2021411

2021-09-22

Abstract:Industrial Cyber-Physical Systems (CPSs) require flexible and tolerant communication networks to overcome commonly occurring security problems and denial-of-service such as links failure and networks congestion that might be due to direct or indirect network attacks. In this work, we take advantage of Software-defined networking (SDN) as an important networking paradigm that provide real-time fault resilience since it is capable of global network visibility and programmability. We consider OpenFlow as an SDN protocol that enables interaction between the SDN controller and forwarding plane of network devices. We employ multiple machine learning algorithms to enhance the decision making in the SDN controller. Integrating machine learning with network resilience solutions can effectively address the challenge of predicting and classifying network traffic and thus, providing real-time network resilience and higher security level. The aim is to address network resilience by proposing an intelligent recommender system that recommends paths in real-time based on predicting link failures and network congestions. We use statistical data of the network such as link propagation delay, the number of packets/bytes received and transmitted by each OpenFlow switch on a specific port. Different state-of-art machine learning models has been implemented such as logistic regression, K-nearest neighbors, support vector machine, and decision tree to train these models in normal state, links failure and congestion conditions. The models are evaluated on the Mininet emulation testbed and provide accuracies ranging from around 91-99% on the test data. The machine learning model with the highest accuracy is utilized in the intelligent recommender system of the SDN controller which helps in selecting resilient paths to achieve a better security and quality-of-service in the network. This real-time recommender system helps the controller to take reactive measures to improve network resilience and security by avoiding faulty paths during path discovery and establishment.

Rami Puzis,Hadar Polad,Bracha Shapira

DOI: https://doi.org/10.48550/arXiv.1903.02601

2019-03-07

Abstract:Before executing an attack, adversaries usually explore the victim's network in an attempt to infer the network topology and identify vulnerabilities in the victim's servers and personal computers. Falsifying the information collected by the adversary post penetration may significantly slower lateral movement and increase the amount of noise generated within the victim's network. We investigate the effect of fake vulnerabilities within a real enterprise network on the attacker performance. We use the attack graphs to model the path of an attacker making its way towards a target in a given network. We use combinatorial optimization in order to find the optimal assignments of fake vulnerabilities. We demonstrate the feasibility of our deception-based defense by presenting results of experiments with a large scale real network. We show that adding fake vulnerabilities forces the adversary to invest a significant amount of effort, in terms of time and exploitability cost.

Cryptography and Security,Artificial Intelligence

Abhijeet Sahu,Patrick Wlazlo,Nastassja Gaudet,Ana Goulart,Edmond Rogers,Katherine Davis

2023-06-27

Abstract:Electric power delivery relies on a communications backbone that must be secure. SCADA systems are essential to critical grid functions and include industrial control systems (ICS) protocols such as the Distributed Network Protocol-3 (DNP3). These protocols are vulnerable to cyber threats that power systems, as cyber-physical critical infrastructure, must be protected against. For this reason, the NERC Critical Infrastructure Protection standard CIP-005-5 specifies that an electronic system perimeter is needed, accomplished with firewalls. This paper presents how these electronic system perimeters can be optimally found and generated using a proposed meta-heuristic approach for optimal security zone formation for large-scale power systems. Then, to implement the optimal firewall rules in a large scale power system model, this work presents a prototype software tool that takes the optimization results and auto-configures the firewall nodes for different utilities in a cyber-physical testbed. Using this tool, firewall policies are configured for all the utilities and their substations within a synthetic 2000-bus model, assuming two different network topologies. Results generate the optimal electronic security perimeters to protect a power system's data flows and compare the number of firewalls, monetary cost, and risk alerts from path analysis.

Systems and Control

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1502.01240

2015-02-04

Cryptography and Security

Abstract:Security metrics serve as a powerful tool for organizations to understand the effectiveness of protecting computer networks. However majority of these measurement techniques don't adequately help corporations to make informed risk management decisions. In this paper we present a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Zhen Cao,Tom Tong Jing,Jinjun Xiong,Yu Hu,Zhe Feng,Lei He,Xian-Long Hong

DOI: https://doi.org/10.1109/tcad.2008.917590

IF: 2.9

2008-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:This paper presents a fast and accurate solution, namely Fashion, to routability-driven global routing problem. Fashion is based on two efficient yet effective techniques: 1) dynamic pattern routing (DPR) and 2) movable-segment-driven DPR. These two techniques enable Fashion to explore large solution space to achieve high routability with low time complexity. Compared with BoxRouter, Fashion has a shorter wire length and reduces overflow and runtime by 5 and 15 times, respectively. Compared with FastRoute, Fashion has similar runtime but 90% smaller overflow and 1.9% shorter wire length. Fashion is significantly better than Labyrinth and Fengshui in terms of overflow, wire length, and runtime.

Noga Agmon,Asaf Shabtai,Rami Puzis

DOI: https://doi.org/10.1145/3317549.3323411

2019-04-12

Abstract:The Internet of things (IoT) has become an integral part of our life at both work and home. However, these IoT devices are prone to vulnerability exploits due to their low cost, low resources, the diversity of vendors, and proprietary firmware. Moreover, short range communication protocols (e.g., Bluetooth or ZigBee) open additional opportunities for the lateral movement of an attacker within an organization. Thus, the type and location of IoT devices may significantly change the level of network security of the organizational network. In this paper, we quantify the level of network security based on an augmented attack graph analysis that accounts for the physical location of IoT devices and their communication capabilities. We use the depth-first branch and bound (DFBnB) heuristic search algorithm to solve two optimization problems: Full Deployment with Minimal Risk (FDMR) and Maximal Utility without Risk Deterioration (MURD). An admissible heuristic is proposed to accelerate the search. The proposed method is evaluated using a real network with simulated deployment of IoT devices. The results demonstrate (1) the contribution of the augmented attack graphs to quantifying the impact of IoT devices deployed within the organization on security, and (2) the effectiveness of the optimized IoT deployment.

Cryptography and Security

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1501.01901

2015-01-08

Cryptography and Security

Abstract:Numerous security metrics have been proposed in the past for protecting computer networks. However we still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a better understanding of their state of security. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Orly Stan,Ron Bitton,Michal Ezrets,Moran Dadon,Masaki Inokuchi,Ohta Yoshinobu,Yagyu Tomohiko,Yuval Elovici,Asaf Shabtai

DOI: https://doi.org/10.1109/tdsc.2020.3041999

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:An attack graph is a method used to enumerate the possible paths that an attacker can take in the organizational network. MulVAL is a known open-source framework used to automatically generate attack graphs. MulVAL's default modeling has two main shortcomings. First, it lacks the ability to represent network protocol vulnerabilities, and thus it cannot be used to model common network attacks, such as ARP poisoning. Second, it does not support advanced types of communication, such as wireless and bus communication, and thus it cannot be used to model cyber-attacks on networks that include IoT devices or industrial components. In this article, we present an extended network security model for MulVAL that: (1) considers the physical network topology, (2) supports short-range communication protocols, (3) models vulnerabilities in the design of network protocols, and (4) models specific industrial communication architectures. Using the proposed extensions, we were able to model multiple attack techniques including: spoofing, man-in-the-middle, and denial of service attacks, as well as attacks on advanced types of communication. We demonstrate the proposed model in a testbed which implements a simplified network architecture comprised of both IT and industrial components.

computer science, information systems, software engineering, hardware & architecture

Gengshen Lin,Mianxiong Dong,Kaoru Ota,Jianhua Li,Wu Yang,Jun Wu

DOI: https://doi.org/10.1109/icc.2019.8761217

2019-01-01

Abstract:Software-defined networking (SDN) allows the smart grid to be centrally controlled and managed by decoupling the control plane from the data plane, but it also expands attack surface for attackers. Existing studies about the security of SDN-enabled smart grid (SDSG) mainly focused on static methods such as access control and identity authentication, which is vulnerable to attackers that carefully probe the system. As the attacks become more variable and complex, there is an urgent need for dynamic defense methods. In this paper, we propose a security function virtualization (SFV) based moving target defense of SDSG which makes the attack surface constantly changing. First, we design a dynamic defense mechanism by migrating virtual security function (VSF) instances as the traffic state changes. The centralized SDN controller is re-designed for global status monitoring and migration management. Moreover, we formalize the VSF instances migration problem as an integer nonlinear programming problem with multiple constraints and design a pre-migration algorithm to prevent VSF instances' resources from being exhausted. Simulation results indicate the feasibility of the proposed scheme.

Yong Yang,Buhong Wang,Jiwei Tian,Peng Luo

DOI: https://doi.org/10.3390/electronics13132664

IF: 2.9

2024-01-01

Electronics

Abstract:With the continuous development of the civil aviation industry toward digitalization and intelligence, the closed architecture of traditional air traffic information networks struggles to meet the rapidly growing demands for air traffic services. Network function virtualization (NFV) is one of the key technologies that can address the rigidity of traditional air traffic information networks. NFV technology has facilitated the flexible deployment of air traffic services, but it has also expanded the attack surface of the network. In addressing the network attack risks faced by service function chains (SFCs) in NFV environments, a SFC protection method based on honeypots and backup technology (PBHB) is proposed to reduce the resource cost of protecting air traffic information networks while enhancing network security. Initially, PBHB utilizes the TAPD algorithm to deploy the primary VNFs as closely as possible to the shortest path between the source and destination endpoints, thus aiming to reduce SFC latency and save bandwidth resource costs. Subsequently, the RAHDR algorithm is employed to install honeypot VNFs in each physical platform that is at risk of side-channel attacks, thus updating the deployment status of honeypot VNFs in real time based on the VNF lifecycle in order to offer primary protection for SFCs. Lastly, the BDMPE algorithm was used to calculate the backup scheme with the highest protection efficiency to implement secondary protection for the SFCs that still do not meet the security requirements. Through experiments, the maximum backup limit for SFCs in PBHB was determined, confirming its satisfactory performance across various SFC arrival rates. Furthermore, performance comparisons with other SFC protection methods revealed that PBHB achieves optimizations in resources cost while ensuring SFC security and latency.

Andres Meza,Ryan Kastner

DOI: https://doi.org/10.48550/arXiv.2304.08263

2023-04-13

Abstract:Security graphs model attacks, defenses, mitigations, and vulnerabilities on computer networks and systems. With proper attributes, they provide security metrics using standard graph algorithms. A hyperflow graph is a register-transfer level (RTL) hardware security graph that facilitates security verification. A hyperflow graph models information flows and is annotated with attributes that allow security metrics to measure flow paths, flow conditions, and flow rates. Hyperflow graphs enable the understanding of hardware vulnerabilities related to confidentiality, integrity, and availability, as shown on the OpenTitan hardware root of trust under several threat models.

Cryptography and Security,Hardware Architecture

Huaxing Zhu,Chi Zhang,Jose Emmanuel Ramirez-Marquez,Su Wu,Ral Monroy,Raul Monroy

DOI: https://doi.org/10.1109/jsyst.2020.3039466

IF: 4.802

2021-06-01

IEEE Systems Journal

Abstract:It is paramount to ensure the resilience of networked critical infrastructures, which are vital for the economic development and our daily requirements but threatened by intentional attacks. For this purpose, their protection before and restoration after intentional attacks are of great significance. Moreover, in order to keep the prescribed demand continuously satisfied, postdisruption flow redistribution is also necessary. However, due to the severity of intentional attacks, certain components may need to be overloaded as a result of the redistribution and, thus, the network reliability is influenced. To minimize such influence, we first present a new metric of resilience to reflect the incurred reliability changes. Then, a trilevel optimization model integrating protection, restoration, and adaptive flow redistribution to maximize the network resilience is proposed. To deal with the complexity of the proposed problem, an evolutionary algorithm is employed with necessary adaption.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Wenkai Dai,Klaus-Tycho Foerster,David Fuchssteiner,Stefan Schmid

DOI: https://doi.org/10.1145/3597200

2023-05-12

ACM Transactions on Modeling and Performance Evaluation of Computing Systems

Abstract:Emerging reconfigurable data centers introduce unprecedented flexibility in how the physical layer can be programmed to adapt to current traffic demands. These reconfigurable topologies are commonly hybrid, consisting of static and reconfigurable links, enabled by e.g. an Optical Circuit Switch (OCS) connected to top-of-rack switches in Clos networks. Even though prior work has showcased the practical benefits of hybrid networks, several crucial performance aspects are not well understood. For example, many systems enforce artificial segregation of the hybrid network parts, leaving money on the table. In this paper, we study the algorithmic problem of how to jointly optimize topology and routing in reconfigurable data centers, in order to optimize a most fundamental metric, maximum link load. The complexity of reconfiguration mechanisms in this space is unexplored at large, especially for the following cross-layer network-design problem: given a hybrid network and a traffic matrix, jointly design the physical layer and the flow routing in order to minimize the maximum link load. We chart the corresponding algorithmic landscape in our work, investigating both un-/splittable flows and (non-)segregated routing policies. A topological complexity classification of the problem reveals NP-hardness in general for network topologies that are trees of depth at least two, in contrast to the tractability on trees of depth one. We moreover prove that the problem is not submodular for all these routing policies, even in multi-layer trees. However, networks that can be abstracted by a single packet switch (e.g., nonblocking Fat-Tree topologies) can be optimized efficiently, and we present optimal polynomial-time algorithms accordingly. We complement our theoretical results with trace-driven simulation studies, where our algorithms can significantly improve the network load in comparison to the state of the art.

Kaihui Gao,Shuai Wang,Kun Qian,Dan Li,Rui Miao,Bo Li,Yu Zhou,Ennan Zhai,Chen Sun,Jiaqi Gao,Dai Zhang,Binzhang Fu,Frank Kelly,Dennis Cai,Hongqiang Harry Liu,Yan Li,Hongwei Yang,Tao Sun

DOI: https://doi.org/10.1109/tnet.2022.3224617

2023-01-01

Abstract:In modern multi-tenant data centers, each tenant desires reassuring dependability from the virtualized network fabric – bandwidth guarantee with work conservation, bounded tail latency and resilient reachability. However, the slow convergence of prior works under network dynamics and uncertainties can hardly provide the dependability for tenants. Further, state-of-the-art load balance schemes are guarantee-agnostic and bring great risks on breaking bandwidth guarantee, which is overlooked in prior works. In this paper, we propose vFab, a dependable virtualized fabric framework which can (1) quickly detect network failure in data plane, (2) explicitly select proper paths for all flows, and (3) converge to ideal bandwidth allocation at sub-millisecond. The core idea of vFab is to leverage the programmable data plane to build a fusion of an active edge (e.g., NIC) and an informative core (e.g., switch), where the core sends link status and tenant information to the edge via telemetry to help the latter make a timely and accurate decision on path selection and traffic admission. We fully implement vFab with commodity SmartNICs and programmable switches. Extensive evaluations show that vFab can keep bandwidth guarantee with high bandwidth utilization, low and bounded latency, and resilient reachability under various network scenarios with limited overhead. Application-level experiments show that vFab can improve QPS by $2.4\times $ and cut tail latency by $10\times $ compared to the alternatives.