SUCCESS Lab

Texas A&M University College of Engineering

NextSec: Zero-Trust, Programmable and Verifiable Security Transformation for NextG

INTRODUCTION

The research objective of the proposal is to address the challenges in the secure composition of microservices in the pervasive, distributed user-to-edge-to-cloud continuum of NextG network systems. The timeliness of NextG and its application to essential, life-critical services such as autonomous vehicles or telesurgery easily complicate the security and reliability requirements with dynamically varying demands. New challenges emerge, such as the gap toward secure-by-design microservices, the lack of programmable, zero-trust security primitives, and the complexity of verifying the multi-faceted security properties across a massive number of microservices.

This project proposes a revolutionary construct of secure architecture for NextG, and a resulting framework called NextSec. The project consists of three research thrusts. Thrust I introduces the role of Security Transformers, a static and deploy-phase entity that transforms microservices into ones embedded with the defined security properties, including system, programming language, network, data-plane and control-plane properties. Thrust II adds programming interfaces to the transformed microservices, to allow flexible and dynamic specification of security responses and security apps, with fine-grained visibility of system contexts and zero-trust support. Thrust III extends the verification method of Maximal Causality Reduction (MCR) to verify the logical ordering of security properties, path-sensitive information flows across microservices, and the appropriate composition of security properties. The framework will be evaluated on the Texas A&M Commercial 4G/5G Advanced Wireless Application Research Environment (AWARE) testbed, to show the compatibility, security, and performance benefit of the NextSec construct, with verification supported by the proposed MCR framework.

PIs

  • PI: Guofei Gu (Texas A&M University)
  • Co-PIs: Jeff Huang, Chia-Che Tsai, Walt Magnussen (Texas A&M University)

Publications

  • Hocheol Nam, Daehyun Lim, Huancheng Zhou, Guofei Gu, Min Suk Kang. “On the Security Risks of Memory Adaptation and Augmentation in Data-plane DoS Mitigation.” In Proc. of the Network and Distributed System Security Symposium (NDSS’26), February 2026.
  • Huancheng Zhou and Guofei Gu. “Securing Networks with Programmable Data Planes: Opportunities and Challenges.” In IEEE Security & Privacy (Magazine), 2025.
  • Rupam Patir, Qiqing Huang, Keyan Guo, Wanda Guo, Guofei Gu, Haipeng Cai, Hongxin Hu. “Towards LLM-Assisted Vulnerability Detection and Repair for Open-Source 5G UE Implementations.” In Proc. of the 2025 NDSS Workshop on Security and Privacy of Next-Generation Networks (FutureG), 2025.
  • Qingxiao Xu, Jeff Huang. “Optimizing Type Migration for LLM-Based C-to-Rust Translation: A Data Flow Graph Approach.” In Proc. of the 14th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP ’25), 2025.
  • Sungkeun Kim, Khanh Nguyen, Chia-Che Tsai, Jaewoo Lee, Abdullah Muzahid, Eun Jung Kim, “Enhancing Program Analysis with Deterministic Distinguishable Calling Context”, In Proceedings of the 34th ACM SIGPLAN International Conference on Compiler Construction (CC’25), Las Vegas, Nevada, United States, March 2025.
  • Huancheng Zhou and Guofei Gu. “Cerberus: Enabling Efficient and Effective In-Network Monitoring on Programmable Switches.” In Proc. of the 45th IEEE Symposium on Security and Privacy (S&P’24), May 2024. 
  • Fangfei Yang, Bumjin Im, Weijie Huang, Kelly Kaoudis, Anjo Vahldiek-Oberwagner, Chia-Che Tsai, Nathan Dautenhahn, “Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation”, In Proceedings of the 33rd USENIX Security Symposium (Security’24), Philadelphia, PA, USA, August 2024.
  • Vasudha Devarakonda, Aleksandr Earnest, Chia-Che Tsai. “SoK: Virtualization Challenges and Techniques in Serverless Computing.” In Proc. of the 2nd Workshop on Hot Topics in System Infrastructure (HotInfra’24), 2024.
  • Farabi Mahmud, Sungkeun Kim, Harpreet Singh Chawla, EJ Kim, Chia-Che Tsai, Abdullah Muzahid, “Attack of the Knights: Non Uniform Cache Side Channel Attack.” In Proceedings of the 39th Annual Computer Security Applications Conference (ACSAC’23), December 2023.
  • Lei Xu, Yangyong Zhang, Phakpoom Chinprutthiwong, and Guofei Gu. “Automatic Synthesis of Network Security Services: A First Step.” In Proc. of the 32nd International Conference on Computer Communication and Networks (ICCCN’23), Hawaii, USA, July 2023. (Invited paper)
  • Huancheng Zhou, Sungmin Hong, Yangyang Liu, Xiapu Luo, Weichao Li, Guofei Gu. “Mew: Enabling Large-Scale and Dynamic Link-Flooding Defenses on Programmable Switches.” In Proc. of the 44th IEEE Symposium on Security and Privacy (S&P’23), May 2023.
  • Sungmin Hong, Lei Xu, Jianwei Huang, Hongda Li, Hongxin Hu, Guofei Gu. “SysFlow: Towards a Programmable Zero Trust Framework for System Security.” In IEEE Transactions on Information Forensics and Security (TIFS), 2023.

Source Code

  • Cerberus: an efficient and effective in-network security monitoring system built on top of programmable switches. Cerberus is able to support running multiple concurrent in-network monitoring tasks on a single P4 switch. The source code is available here.
  • SysFlow: an innovative programmable system security framework to enable unified, dynamic, and fine-grained Zero Trust security control for system resources. Source code is released at https://github.com/successlab/sysflow.
  • Mew: A new P4-based memory-efficient and runtime adaptable link-flooding defense system! The source code is available here.
  • NesTEE: an intra-process isolation mechanism for microservices on confidential computing platforms.

What’s New?

  • New 5G security research “CONSET” to appear in USENIX Security’26 (December 20, 2025)
  • New software-defined programmable security research “Heracles” to appear in NDSS’26 (December 10, 2025)
  • Nathan has successfully defended his MS thesis! (October 6, 2025)
  • Shreyas has successfully defended his PhD thesis! (September 18, 2025)
  • Texas A&M Team (led by Jeff) won the 4th place in DARPA AIxCC competition! (September 10, 2025)
