Upload File

delta: a security assessment framework for so9ware-defined ... · delta: a security assessment...

  • Home
  • Documents
  • DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE
24
DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE LEE†, SEUNGWON SHIN†, VINOD YEGNESWARAN‡, PHILLIP PORRAS‡ † KAIST ‡SRI INTERNATIONAL

Upload: others

Post on 29-May-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE LEE†, SEUNGWON SHIN†, VINOD YEGNESWARAN‡, PHILLIP PORRAS‡

† KAIST ‡SRI INTERNATIONAL

Page 2: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Outline

1.   BackgroundandMo2va2on2.  SystemDesign3.  BlackboxFuzzing4.  Implementa=on5.  Evalua=on6.  Conclusion

2

Page 3: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

What is So9ware-defined Networking? ●  SoCwareDefinedNetworking(SDN)•  Separatethecontrolplanefromthedataplane

●  Centralizednetworkmanagement•  Viaglobalnetworkview●  Programmablenetwork•  Flexibleanddynamicnetworkcontrol•  Useful,innova=veSDNapplica=ons●  OpenFlowprotocol•  Ade-factostandard

NetworkDeviceControlPlane

DataPlane

ControlPlane

DataPlane

ControlPlane

DataPlane

ControlPlane

DataPlane

SDNController

3

Page 4: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

●  EventListenerUnsubscrip=onaSack[1]

MoSvaSng Example

CoreServices

MaliciousApp

Packet-INNo2fier

SDNController

Firewall LoadBalancer L2Forwarding

LoadBalancerL2Forwarding

PACKET_IN

4

PACKET_IN PACKET_IN

HostA HostBSDNSwitch

(1)(2)

(3)

(4)

(5)

(6)

[1]hSp://sdnsecurity.org/vulnerability/ASackList.html

Page 5: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

A network operator wants to know …

5

IsmySDNsecure?

•  Whichvulnerabili2esexistnow?•  Howtoreproduceeachtestcase?•  Anymorevulnerabili2es?•  …

ASecurityAssessmentFrameworkforSo?ware-DefinedNetworks

Page 6: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

DELTA: A Security Assessment Framework for SDN

6

ReproducingKnownAFackCases

FindingUnknownASackCases

SecurityAssessmentFrameworkforSDN

●  WeproposeaSDNpenetra=onframeworkthatcan…1.  CoverasmanyaVackscenariosaspossible2.  Behighlyautomated,tominimizethehumanexper=seand=me

necessarytoconducttes=ng3.  Beinter-operablewithadiversesetofSDNcomponents

20

Page 7: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

DELTA: A Security Assessment Framework for SDN

7

ReproducingKnownASackCases

FindingUnknownAFackCases

SecurityAssessmentFrameworkforSDN

●  DELTAcanassistinfindingunknownaSackcases•  Byadop=ngblackboxfuzzingtechniques

●  Whattarget?•  SDNcontrolflows(i.e.,OpenFlowmessages)

7

Page 8: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

System Design ●  KeycomponentsofDELTA

8

Out-of-band,dedicatedDELTAcontrolnetwork

●  Agentmanager

•  The“Controltower”•  Remotelycontrolstheagentsdeployedtothetargetnetwork

•  Leveragesdifferentagentstoperformvarioussecuritytestcases

•  Analyzesthetestresultscollectedfromtheagents

●  Applica=onagent

•  SDNapplica=onsthatconductaSackproceduresasinstructedbythemanager

•  Theknownmaliciousfunc2onsareimplementedasanapplica=onagentlibrary

•  Fuzzingmodules(controlflowsequenceandinputvalue)

●  Channelagent

•  Islocatedbetweenthecontrollerandtheswitch•  Sniffsandmodifiestheunencryptedcontrolmessages

•  Fuzzingmodules(controlflowsequenceandinputvalue)

●  Hostagent

•  Alegi=matenetworkhostpar=cipa=nginthetargetSDN

•  Generatesnetworktrafficasinstructedbytheagentmanager•  e.g.DDoS,LLDPinjec=onetc.

Page 9: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Basic OperaSon ●  Procedureforgenera=ngknownandunknowntestcases

9

1.Selectreproducingknowntestcaseorfindingunknowntestcase

2.Instructeachagenttoconductthetest

3.Collecttheresultofthetestfromeachagent

4.No2fytheresult

OpenFlowMessages

FuzzingModules

FuzzingModules

Page 10: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Blackbox Fuzzing ●  Tomoreefficientlyandsystema2callyrandomizecontrolflows(i.e.,OpenFlowmessages)

●  Definethreetypesofcontrolflowopera=ons•  Symmetriccontrolflow•  Asymmetriccontrolflow•  Intra-controllercontrolflow

10

SDNcontrollerSDNSwitch

REQ

RES

MSG

MSG

MSG

Coreservices(e.g.,topologymanager)

SDNApplica2onSDNApplica2ons

Page 11: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

OperaSonal State Diagram

1.  Inferringcurrentstate2.  Manipula=ngthecontrolflowsequenceorinputvalues

11

r

S1 S2 S3 S4receive HELLOsend HELLO send FEATURES_REQ receive FEATURES_RES

S5send GET_CONFIG_REQ

S6receive GET_CONFIG_RES

S7send SET_CONFIG

I1

update topology

A1receive PORT_STATUS

S8send STATS_REQS9receive STATS_RES

A3

update topology

deliver to applications

update topology

A2receive PACKET_IN deliver to applications

A4

send FLOW_MOD

S14

A7

send PACKET_OUT

S15receive BARRIER_RESsend BARRIER_REQ

I2send PACKET_OUT

update internal flow tablesupdate internal

flow tables

update internal flow tables

A5receive FLOW_REMOVED update internal flow tables

S10send ECHO_REQ S11receive ECHO_RES

R

eE

S12 S13send VENDOR receive VENDOR

A6send PORT_MOD update internal flow tables

send FLOW_MOD

àSymmetricflowtransiSons

àAsymmetricflowtransiSons

àIntra-controllerflowtransiSons

Sx

Ax

Ix

Page 12: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Randomizing Control Flow Sequence ●  Inthecaseofsymmetriccontrolflows

12

S1 S2 S3 S4receive HELLOsend HELLO send FEATURES_REQ receive FEATURES_RES

S5send GET_CONFIG_REQ

S6receive GET_CONFIG_RES

S7send SET_CONFIG

R

SDNSwitchSDNcontroller HELLO

HELLO

FEATURE_REQ

FEATURE_RES

GET_CONFIG_REQ

GET_CONFIG_RES

SET_CONFIG

Page 13: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

●  Inthecaseofasymmetriccontrolflows

CoreServicesPacket-INNo2fier

AppA

Randomizing Control Flow Sequence

13

A3

A2receive PACKET_IN deliver to applications

R

SDNSwitch

SDNcontroller

SDNSwitchHostA HostB

AppB AppC AppD

(1)Message

(2)

AppD AppC AppB AppA

Page 14: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Randomizing Input Values ●  BetweenanSDNcontrollerandanSDNswitch●  Betweenapplica=ons

14

A3

A2receive PACKET_IN deliver to applications

A4

R

send FLOW_MOD

SDNSwitch

SDNcontroller

FLOW_MOD

e.g.)ADD(0x0000)à(Undefined)(0x0005)

Page 15: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

ImplementaSon ●  SupportsfourdifferentSDNcontrollers•  3opensourcecontrollers(ONOS,OpenDaylight,andFloodlight)•  1commercialcontroller

●  OpenFlowv1.0andv1.3supported

15

ONOS OpenDaylight Floodlight AcommercialoneVersion 1.2 1.3 1.4 1.5 Hydrogen Helium Lithium Beryllium 0.91 1.0 1.1 1.2 2.3.0ReleaseDate 6/5/159/18/1512/16/153/10/16 2/4/14 9/29/14 6/29/15 2/22/16 12/8/14 12/30/144/17/152/7/16 2016Supported ✓ ✓ ✓ ✓ ✓ ✓ ✓ - ✓ ✓ ✓ ✓ ✓

<SupportedapplicaSonagents>

Page 16: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

EvaluaSon

1.   Fuzz-tes2ngEffec2veness(FindingunknownaSacks)

2.   TestCoverageandFlexibility(ReproducingknownaSacks)

16

Page 17: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Use Case 1: Finding Unknown A]acks ●  Howtodetectavulnerability•  Basedondefinedtestcriteria

●  Effec2venessoffuzztes=ng•  7unknownaVackcasesfound

17

1.  Acontrollercrash2.  Anapplica=oncrash3.  Internal-storagepoisoning4.  Aswitchdisconnec=on5.  Switch-performancedowngrade6.  Error-packetgenera=on7.  Inter-hostcommunica=on

disconnec=on<TestCriteria>

<UnknownaFackclassificaSon>

UnknownAFackName Flow TargetSequenceandData-Forge Asymmetric FloodlightStats-Payload-Manipula=on Symmetric Floodlight,OpenDaylightEcho-Reply-Payload-Manipula=on Symmetric OpenDaylightService-Unregistra=on Intro-controller OpenDaylightFlow-Rule-Obstruc=on Intro-controller ONOSHost-Tracking-Neutraliza=on Intro-controller ONOSLink-Discovery-Neutraliza=on Intro-controller Floodlight

Page 18: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Use Case 1: Finding Unknown A]acks ●  SequenceandData-ForgeASack•  Target:asymmetriccontrolflowandFloodlightv1.2

18

Switch SwitchHost Agent

Agent Manager

Normal Host

Channel Agent

TopologyManager

OtherApplications

Core ServicesPACKET_INNotifier

Floodlight Instance

OtherServices

Controller

Network Hub

FuzzingModules

AppAgent

LinkDiscovery

Network Hub

1.SelectAsymmetriccontrolflow

Switch SwitchHost Agent

Agent Manager

Normal Host

Channel Agent

TopologyManager

OtherApplications

Core ServicesPACKET_INNotifier

Floodlight Instance

OtherServices

Controller

Network Hub

FuzzingModules

AppAgent

Network Hub3.Randomizethecontrolflowsequencefirst4.Generatepackets5.RandomizethecontentsofthePACKET_INmessage

PAKCET_IN

ModifiedPAKCET_IN

2.Startfuzztes=ng

Page 19: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Use Case 1: Finding Unknown A]acks ●  ResultsoftheSequenceandData-ForgeaSackexperiment(Floodlightv1.2)

19

1.  Acontrollercrash2.  Anapplica=oncrash3.  Internal-storagepoisoning4.   AswitchdisconnecSon5.  Switch-performancedowngrade6.  Inter-hostcommunica=on

disconnec=on7.  Error-packetgenera=on

<TestCriteria>

Page 20: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Use Case 2: Reproducing Known A]acks [1] FlowType AFack

CodeAFackName Controller

ONOS OpenDaylight FloodlightSymmetricFlows SF-1 SwitchTableFlooding X X O

SF-2 SwitchIden=fica=onSpoofing X O OSF-3 MalformedControlMessage X O OSF-4 ControlMessageManipula=on O O O

AsymmetricFlows AF-1 ControlMessageDrop O O OAF-2 ControlMessageInfiniteLoop O O OAF-3 PACKET_INFlooding O O OAF-4 FlowRuleFlooding O O OAF-5 FlowRuleModifica=on O O OAF-6 SwitchFirmwareMisuse O O OAF-7 FlowTableClearance O O OAF-8 Eavesdrop O O OAF-9 Man-In-The-Middle O O O

Intra-controllerFlows

CF-1 InternalStorageMisuse O O OCF-2 Applica=onEvic=on O O N/ACF-3 EventListenerUnsubscrip=on N/A O O

NonFlowOpera2ons

NF-1 SystemCommandExecu=on O X ONF-2 MemoryExhaus=on X O ONF-3 CPUExhaus=on X O ONF-4 SystemVariableManipula=on O O O

20[1]hSp://sdnsecurity.org/vulnerability/ASackList.html

O:SuccessfulX:UnsuccessfulN/A:Notavailable

Page 21: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Use Case 2: Reproducing Known A]acks

●  FlexibilityofDELTA•  3opensourcecontrollersand1commercialcontroller•  Forexample:Applica=onEvic=onASack

21

ACTIVE

INACTIVE

Page 22: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Conclusion ●  Wecategorizeknownvulnerabili=esthatcanmisleadnetwork

opera=onsintothreecontrolflowtypesandnonflowopera=ons●  Weproposeanautomatedsecurityassessmentframeworkfor

SDNcapableofreproducingthosevulnerabili=es●  Weincorporateblackboxfuzzingtechniquesintoourframework

todetectnewunknownaVackscenarios●  Weshowtheflexibilityofsystemdesignbyevalua=ngitagainst

threepopularopen-sourceSDNcontrollersandthecommercialcontroller

●  DELTAisnowavailableasonOFFICIALONFSponsoredOpenSourceProjecthVps://github.com/OpenNetworkingFounda2on/delta

22

Page 23: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Q&A

23

Page 24: DELTA: A Security Assessment Framework for So9ware-Defined ... · DELTA: A Security Assessment Framework for So9ware-Defined Networks SEUNGSOO LEE†, CHANGHOON YOON†, CHANHEE

/23

Appendix: Performance

24

ControlFlowType AverageRunningTimeAsymmetricControlFlow 82.5secSymmetricControlFlow 80.4secIntra-controllerControlFlow 75.2sec

AFackName ControllerONOS ODL Floodlight

SwitchTableFlooding - - 5400secSwitchIden=fica=onSpoofing 16.09sec 16.34sec 15.96secMalformedControlMessage 21.50sec 12.33sec 11.09secControlMessageManipula=on 28.10sec 19.27sec 18.60secControlMessageDrop 12.55sec 8.47sec 3.13secControlMessageInfiniteLoop 3.38sec 8.12sec 3.21secPACKET_INFlooding 12.59sec 17.79sec 11.96secFlowRuleFlooding 43.65sec 23.28sec 43.20secFlowRuleModifica=on 40.43sec 40.24sec 20.35secSwitchFirmwareMisuse 20.52sec 20.25sec 20.20secFlowTableClearance 20.60sec 20.32sec 20.17secEavesdrop 33.62sec 33.18sec 33.14secMan-In-The-Middle 17.80sec 17.19sec 7.88secInternalStorageMisuse 2.60sec 3.14sec 2.14secApplica=onEvic=on 22.57sec 13.33sec N/AEventListenerUnsubscrip=on N/A 13.22sec 13.11secSystemCommandExecu=on 0.028sec 0.095sec 0.127secMemoryExhaus=on 23.54sec 23.20sec 23.16secCPUExhaus=on 23.43sec 23.36sec 23.35secSystemVariableManipula=on 3.39sec 4.86sec 3.17secTotal 346.38sec 317.98sec 274.84sec

FindingunknownaFackmicrobenchmark

ReproducingknownaFacksmicrobenchmark

About5minutes


Software Defined Satellite Cloud RAN

Delta VFD-A User Manual - Delta AC Drives - Delta VFD

A Dirac’s delta Function - Springer978-3-540-28841... · 2017-08-25 · A Dirac’s delta Function The 1-d delta function, δ(x), is defined through a limiting procedure so that

Mathematical Structures Defined by Identitiesusers.uoa.gr/~pkrikel/Mathematical Structures... · Mathematical Structures Defined by Identities Constantin M. Petridi, 11 Apollonos

Your Smile Is Covered - Delta Dental · 2020. 5. 5. · You’ll know your copayments, and your out-of-pocket costs are clearly defined before treatment begins. • No deductibles

Delta Delta meter info

Delta Delta+ 90 XFA

Delta Academy - Delta Electronics

SANsymphony™ Software-Defined Storage Plattform

“Operator-defined Classification Tree Algorithms for

Delta Adaptive Delta and Delta Sigma Modulation ...cgibp.com/data/lab_manual/Delta Adaptive Delta and Delta Sigma... · Modulation/Demodulation Trainer ST2105 Operating Manual

DELTA: A Security Assessment Framework for Software-Defined ...nss.kaist.ac.kr/papers/delta_ndss16.pdf · DELTA: A Security Assessment Framework for Software-Defined Networks Seungsoo

“Meat Perfection Defined”

SDX: A Software Defined Internet Exchange

SECTION 3 Delta Cartridge Valves · SECTION 3 Delta Cartridge Valves Make Model Page Delta Delta Delta Delta Continential Delta Delta Eurofluid ... Pressure Controls …

By Chanhee My eyes slowly opened and I wondered why it was so bright

OpenSIP: Toward Software-Defined SIP Networking

How Pension Rules Affect Work and Contribution …...whose retirement benefits are defined benefit not defined contribution. Under a defined benefit plan, the retirement benefits

Chapter 8: Recursion - Ryerson · PDF fileRecursively Defined Sequences • As mentioned in 4.1, a sequence can be defined using recursion. This means that the k-th terms is defined

SDDC Software Defined Data Center Studienarbeit

CHAPTER 6: DELTA PROTECTION COMMISSION AND DELTA ......6.2 DELTA STEWARDSHIP COUNCIL (DSC) 6.2.1 DSC’s Delta Plan The Delta Stewardship Council’s Delta Plan is a comprehensive,

Delta Delta Delta

A Helmholtz’ Theorem€¦ · B The Dirac Delta Function B.1 The One-Dimensional Dirac Delta Function The Dirac delta function [1] in one-dimensional space may be defined by the

Flexible and Scalable Software Defined Radio

MiddlePolice: Toward Enforcing Destination-Defined Policies ...mdbailey.ece.illinois.edu/publications/ccs16_middlepolice.pdf · MiddlePolice: Toward Enforcing Destination-Defined

Alpha Tau Omega | Beta Theta Pi | Delta Tau Delta | Delta Upsilon Phi … · 2017-08-20 · Alpha Tau Omega | Beta Theta Pi | Delta Tau Delta | Delta Upsilon Phi Delta Theta | Phi

User-defined functions in spreadsheets

WOOF: user defined news recommendation system

DELTA V Advantage DELTA V Plus - Faculty Websites · DELTA V Advantage DELTA V Plus 2 DELTA V Advantage | DELTA V Plus The Next Generation Isotope Ratio MS The DELTA V isotope ratio

Software-Defined Sphere Decoding for

RouteFlow: Migración al Software Defined Networking

BYLAWS OF DELTA DELTA DELTA FRATERNITY

DELTA 12 / DELTA 20

Delta Delta Delta

Sample Lease - Delta Tau Delta