TRANSCRIPT
DELTA: A Security Assessment Framework for Software-Defined Networks
Seungsoo Lee†, Changhoon Yoon†, Chanhee Lee†, Seungwon Shin†, Vinod Yegneswaran‡, Phillip Porras‡
† KAIST   ‡ SRI International
Outline
1. Background and Motivation
2. System Design
3. Blackbox Fuzzing
4. Implementation
5. Evaluation
6. Conclusion
What is Software-defined Networking?
● Software Defined Networking (SDN)
• Separate the control plane from the data plane
● Centralized network management
• Via global network view
● Programmable network
• Flexible and dynamic network control
• Useful, innovative SDN applications
● OpenFlow protocol
• A de-facto standard
[Figure: conventional network devices, each bundling a control plane with its data plane, contrasted with an SDN controller that manages the data planes of all devices]
Motivating Example
● Event Listener Unsubscription attack [1]
[Figure: an SDN controller with Core Services (Packet-IN Notifier) and the applications Firewall, Load Balancer and L2 Forwarding; a Malicious App unsubscribes an event listener, after which PACKET_IN messages from the SDN switch carrying traffic between Host A and Host B reach only Load Balancer and L2 Forwarding (steps (1) to (6))]
[1] http://sdnsecurity.org/vulnerability/AttackList.html
A network operator wants to know …
Is my SDN secure?
• Which vulnerabilities exist now?
• How to reproduce each test case?
• Any more vulnerabilities?
• …
A Security Assessment Framework for Software-Defined Networks
DELTA: A Security Assessment Framework for SDN
[Figure: DELTA as a security assessment framework for SDN with two roles, reproducing known attack cases and finding unknown attack cases]
● We propose a SDN penetration framework that can…
1. Cover as many attack scenarios as possible
2. Be highly automated, to minimize the human expertise and time necessary to conduct testing
3. Be inter-operable with a diverse set of SDN components
DELTA: A Security Assessment Framework for SDN
[Figure: the same two roles, with "Finding Unknown Attack Cases" highlighted]
● DELTA can assist in finding unknown attack cases
• By adopting blackbox fuzzing techniques
● What target?
• SDN control flows (i.e., OpenFlow messages)
System Design
● Key components of DELTA
[Figure: DELTA architecture; the agent manager reaches the agents over an out-of-band, dedicated DELTA control network]
● Agent manager
• The "control tower"
• Remotely controls the agents deployed to the target network
• Leverages different agents to perform various security test cases
• Analyzes the test results collected from the agents
● Application agent
• SDN applications that conduct attack procedures as instructed by the manager
• The known malicious functions are implemented as an application agent library
• Fuzzing modules (control flow sequence and input value)
● Channel agent
• Is located between the controller and the switch
• Sniffs and modifies the unencrypted control messages
• Fuzzing modules (control flow sequence and input value)
● Host agent
• A legitimate network host participating in the target SDN
• Generates network traffic as instructed by the agent manager
• e.g. DDoS, LLDP injection etc.
Basic Operation
● Procedure for generating known and unknown test cases
1. Select reproducing known test case or finding unknown test case
2. Instruct each agent to conduct the test
3. Collect the result of the test from each agent
4. Notify the result
[Figure: the agent manager drives the fuzzing modules of the application agent and the channel agent, which operate on OpenFlow messages]
Blackbox Fuzzing
● To more efficiently and systematically randomize control flows (i.e., OpenFlow messages)
● Define three types of control flow operations
• Symmetric control flow
• Asymmetric control flow
• Intra-controller control flow
[Figure: symmetric flow is a REQ/RES pair between the SDN controller and the SDN switch; asymmetric flow is a one-way MSG from the switch into the controller's core services (e.g., topology manager); intra-controller flow is MSG exchange between core services and SDN applications]
Operational State Diagram
1. Inferring current state
2. Manipulating the control flow sequence or input values
[Figure: operational state diagram of the controller, with the randomizer R attached to the transitions. States recoverable from the figure:
Symmetric flow transitions (Sx): S1 receive HELLO, S2 send HELLO, S3 send FEATURES_REQ, S4 receive FEATURES_RES, S5 send GET_CONFIG_REQ, S6 receive GET_CONFIG_RES, S7 send SET_CONFIG, S8 send STATS_REQ, S9 receive STATS_RES, S10 send ECHO_REQ, S11 receive ECHO_RES, S12 send VENDOR, S13 receive VENDOR, S14 send BARRIER_REQ, S15 receive BARRIER_RES
Asymmetric flow transitions (Ax): A1 receive PORT_STATUS, A2 receive PACKET_IN, A3, A4 send FLOW_MOD, A5 receive FLOW_REMOVED, A6 send PORT_MOD, A7 send PACKET_OUT
Intra-controller flow transitions (Ix): I1 update topology, I2 send PACKET_OUT; internal actions shown on the edges are "update topology", "deliver to applications" and "update internal flow tables"]
Randomizing Control Flow Sequence
● In the case of symmetric control flows
[Figure: the symmetric states S1 to S7 (receive HELLO, send HELLO, send FEATURES_REQ, receive FEATURES_RES, send GET_CONFIG_REQ, receive GET_CONFIG_RES, send SET_CONFIG) beside the corresponding exchange between SDN switch and SDN controller: HELLO, HELLO, FEATURES_REQ, FEATURES_RES, GET_CONFIG_REQ, GET_CONFIG_RES, SET_CONFIG; the randomizer R reorders this sequence]
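The following is an added example, not code from the DELTA project: a small tracker in the spirit of the channel agent that parses OpenFlow 1.0 headers from a constructed capture and infers which of the symmetric states S1 to S7 from the slide the session has reached, reporting any message that arrives out of the expected order, which is exactly what a sequence-randomizing run produces. The OpenFlow 1.0 type codes are the standard ones; the capture, its xids and the payload sizes are constructed placeholders.

```python
"""Infer the symmetric control-flow state of an OpenFlow 1.0 session from a capture.

Added example, not code from the DELTA project. State names S1-S7 follow the
slide's state diagram; the capture below is constructed test data.
"""
import struct

OFP_VERSION_1_0 = 0x01
OFP_HEADER = struct.Struct("!BBHI")  # OpenFlow 1.0 header: version, type, length, xid

# OpenFlow 1.0 message type codes used by the handshake.
OFPT_HELLO, OFPT_FEATURES_REQUEST, OFPT_FEATURES_REPLY = 0, 5, 6
OFPT_GET_CONFIG_REQUEST, OFPT_GET_CONFIG_REPLY, OFPT_SET_CONFIG = 7, 8, 9

# The symmetric control flow from the slide, seen from the controller:
# (state reached, direction, message type).
HANDSHAKE = [
    ("S1", "recv", OFPT_HELLO),
    ("S2", "send", OFPT_HELLO),
    ("S3", "send", OFPT_FEATURES_REQUEST),
    ("S4", "recv", OFPT_FEATURES_REPLY),
    ("S5", "send", OFPT_GET_CONFIG_REQUEST),
    ("S6", "recv", OFPT_GET_CONFIG_REPLY),
    ("S7", "send", OFPT_SET_CONFIG),
]


def build(mtype, xid, payload=b""):
    """Encode one OpenFlow 1.0 message (used only to construct sample data)."""
    length = OFP_HEADER.size + len(payload)
    return OFP_HEADER.pack(OFP_VERSION_1_0, mtype, length, xid) + payload


def parse_messages(raw):
    """Split raw bytes into (type, xid, payload) tuples, rejecting malformed headers."""
    msgs, off = [], 0
    while off < len(raw):
        if len(raw) - off < OFP_HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        version, mtype, length, xid = OFP_HEADER.unpack_from(raw, off)
        if version != OFP_VERSION_1_0:
            raise ValueError("unexpected OpenFlow version 0x%02x" % version)
        if length < OFP_HEADER.size or off + length > len(raw):
            raise ValueError("bad length %d at offset %d" % (length, off))
        msgs.append((mtype, xid, raw[off + OFP_HEADER.size:off + length]))
        off += length
    return msgs


def is_well_formed(raw):
    """True if the whole byte string parses as a sequence of OpenFlow 1.0 messages."""
    try:
        parse_messages(raw)
        return True
    except ValueError:
        return False


def events_from_capture(capture):
    """Turn (direction, raw bytes) records, as a channel agent would log them,
    into (direction, message type) events in capture order."""
    events = []
    for direction, raw in capture:
        for mtype, _xid, _payload in parse_messages(raw):
            events.append((direction, mtype))
    return events


def infer_state(events):
    """Walk the handshake over the observed events.

    Returns (state, deviations): the furthest state reached in order and a list
    of (index, direction, type, expected_state) for events that did not match
    the next expected transition. Out-of-order messages are reported, never
    allowed to break the tracker.
    """
    state, step, deviations = "S0", 0, []
    for i, (direction, mtype) in enumerate(events):
        if step < len(HANDSHAKE) and (direction, mtype) == HANDSHAKE[step][1:]:
            state = HANDSHAKE[step][0]
            step += 1
        else:
            expected = HANDSHAKE[step][0] if step < len(HANDSHAKE) else "done"
            deviations.append((i, direction, mtype, expected))
    return state, deviations


# Constructed capture of a normal handshake; payload sizes are placeholders.
NORMAL_CAPTURE = [
    ("recv", build(OFPT_HELLO, 1)),
    ("send", build(OFPT_HELLO, 1)),
    ("send", build(OFPT_FEATURES_REQUEST, 2)),
    ("recv", build(OFPT_FEATURES_REPLY, 2, b"\x00" * 24)),
    ("send", build(OFPT_GET_CONFIG_REQUEST, 3)),
    ("recv", build(OFPT_GET_CONFIG_REPLY, 3, b"\x00" * 4)),
    ("send", build(OFPT_SET_CONFIG, 4, b"\x00" * 4)),
]
# Sequence-randomized variant: the switch's FEATURES_REPLY arrives before HELLO.
FUZZED_CAPTURE = [NORMAL_CAPTURE[3]] + NORMAL_CAPTURE[:3] + NORMAL_CAPTURE[4:]

if __name__ == "__main__":
    for name, capture in (("normal", NORMAL_CAPTURE), ("fuzzed", FUZZED_CAPTURE)):
        state, deviations = infer_state(events_from_capture(capture))
        print(name, "-> state", state, "deviations", deviations)
```

On the normal capture the tracker ends in S7 with no deviations; on the reordered one it stops at S3 and lists four out-of-order events. A controller under test should likewise treat those events as protocol errors to log rather than something that ends in a crash or a switch disconnection, which are the outcomes the test criteria on the evaluation slides record.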
Randomizing Control Flow Sequence
● In the case of asymmetric control flows
[Figure: a PACKET_IN message (1) from the SDN switch connecting Host A and Host B enters the controller at A2 (receive PACKET_IN) and is delivered to applications (A3) through the Core Services Packet-IN Notifier in the order App A, App B, App C, App D; the randomizer R changes the delivery order (2) to App D, App C, App B, App A]
Randomizing Input Values
● Between an SDN controller and an SDN switch
● Between applications
[Figure: at A4 (send FLOW_MOD), reached from A2 receive PACKET_IN via A3 deliver to applications, the randomizer R alters the contents of the FLOW_MOD message the SDN controller sends to the SDN switch]
e.g.) ADD (0x0000) → (Undefined) (0x0005)
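Added example, not code from the DELTA project: the input-value mutation shown on the slide (FLOW_MOD command ADD 0x0000 rewritten to the undefined value 0x0005) applied to a constructed OpenFlow 1.0 FLOW_MOD, placed beside a handler with no validation and a hardened one that answers with a protocol error instead of crashing. Field offsets and the type and code constants follow the OpenFlow 1.0 ofp_flow_mod and ofp_error_msg layouts; both handlers are assumed illustrations, not any real controller's or switch's code.

```python
"""Input-value fuzzing of the FLOW_MOD command field, beside the handler check
that turns an undefined value into a protocol error instead of a crash.

Added example, not code from the DELTA project. Field offsets and constants
follow the OpenFlow 1.0 ofp_flow_mod and ofp_error_msg layouts; the messages
are constructed test data.
"""
import struct

OFP_VERSION_1_0 = 0x01
OFP_HEADER = struct.Struct("!BBHI")           # version, type, length, xid
OFPT_ERROR, OFPT_FLOW_MOD = 1, 14
OFP_FLOW_MOD_LEN = 72                         # fixed part of ofp_flow_mod (no actions)
COMMAND_OFFSET = 8 + 40 + 8                   # header + ofp_match + cookie

# Defined ofp_flow_mod_command values in OpenFlow 1.0; anything else is undefined.
OFPFC = {0: "ADD", 1: "MODIFY", 2: "MODIFY_STRICT", 3: "DELETE", 4: "DELETE_STRICT"}
# Error type/code pairs used below.
OFPET_BAD_REQUEST, OFPBRC_BAD_LEN = 1, 6
OFPET_FLOW_MOD_FAILED, OFPFMFC_BAD_COMMAND = 3, 4


def build_flow_mod(command, xid=7, priority=100):
    """Construct a minimal FLOW_MOD: all-wildcard match, no actions (sample data)."""
    match = struct.pack("!I", 0x003FFFFF) + b"\x00" * 36   # OFPFW_ALL, other match fields zero
    # cookie, command, idle_timeout, hard_timeout, priority, buffer_id, out_port, flags
    body = struct.pack("!QHHHHIHH", 0, command, 0, 0, priority, 0xFFFFFFFF, 0xFFFF, 0)
    header = OFP_HEADER.pack(OFP_VERSION_1_0, OFPT_FLOW_MOD, OFP_FLOW_MOD_LEN, xid)
    return header + match + body


def randomize_command(msg, new_command):
    """The input-value step from the slide: overwrite only the command field,
    e.g. ADD (0x0000) -> undefined (0x0005), leaving the rest of the message intact."""
    return msg[:COMMAND_OFFSET] + struct.pack("!H", new_command) + msg[COMMAND_OFFSET + 2:]


def naive_handle(msg):
    """Handler with no validation: a direct lookup raises KeyError on an undefined
    command, which is the 'application crash' outcome the test criteria look for."""
    command = struct.unpack_from("!H", msg, COMMAND_OFFSET)[0]
    return OFPFC[command]


def build_error(request, etype, code):
    """OFPT_ERROR reply echoing the request's xid and the first 64 bytes of the
    failed request, as OpenFlow 1.0 specifies for the error data field."""
    xid = OFP_HEADER.unpack_from(request, 0)[3] if len(request) >= OFP_HEADER.size else 0
    data = request[:64]
    header = OFP_HEADER.pack(OFP_VERSION_1_0, OFPT_ERROR, OFP_HEADER.size + 4 + len(data), xid)
    return header + struct.pack("!HH", etype, code) + data


def hardened_handle(msg):
    """Validate length and command before acting.

    Returns ("ok", command_name) or ("error", error_message_bytes); the session
    stays up and the peer learns why the message was refused.
    """
    if len(msg) < OFP_FLOW_MOD_LEN:
        return "error", build_error(msg, OFPET_BAD_REQUEST, OFPBRC_BAD_LEN)
    command = struct.unpack_from("!H", msg, COMMAND_OFFSET)[0]
    if command not in OFPFC:
        return "error", build_error(msg, OFPET_FLOW_MOD_FAILED, OFPFMFC_BAD_COMMAND)
    return "ok", OFPFC[command]


def error_code(err):
    """(type, code) pair carried by an OFPT_ERROR message."""
    return struct.unpack_from("!HH", err, OFP_HEADER.size)


def handler_crashes(handler, msg):
    """True if the handler raises on this message (used to compare the two handlers)."""
    try:
        handler(msg)
        return False
    except (KeyError, struct.error):
        return True


if __name__ == "__main__":
    normal = build_flow_mod(0)
    fuzzed = randomize_command(normal, 0x0005)
    print("naive   :", naive_handle(normal), "/ crashes on fuzzed:", handler_crashes(naive_handle, fuzzed))
    status, detail = hardened_handle(fuzzed)
    print("hardened:", status, error_code(detail))
```

The hardened handler still emits an error packet, and "error-packet generation" is one of the test criteria on the later slides; when reading results, a spec-conformant OFPET_FLOW_MOD_FAILED reply to a deliberately malformed message is the expected behaviour, while a crash, a dropped session or an unexpected error type is the finding.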
Implementation
● Supports four different SDN controllers
• 3 open source controllers (ONOS, OpenDaylight, and Floodlight)
• 1 commercial controller
● OpenFlow v1.0 and v1.3 supported

<Supported application agents>
Controller        Version     Release Date   Supported
ONOS              1.2         6/5/15         ✓
ONOS              1.3         9/18/15        ✓
ONOS              1.4         12/16/15       ✓
ONOS              1.5         3/10/16        ✓
OpenDaylight      Hydrogen    2/4/14         ✓
OpenDaylight      Helium      9/29/14        ✓
OpenDaylight      Lithium     6/29/15        ✓
OpenDaylight      Beryllium   2/22/16        -
Floodlight        0.91        12/8/14        ✓
Floodlight        1.0         12/30/14       ✓
Floodlight        1.1         4/17/15        ✓
Floodlight        1.2         2/7/16         ✓
A commercial one  2.3.0       2016           ✓
Evaluation
1. Fuzz-testing Effectiveness (Finding unknown attacks)
2. Test Coverage and Flexibility (Reproducing known attacks)
Use Case 1: Finding Unknown Attacks
● How to detect a vulnerability
• Based on defined test criteria
● Effectiveness of fuzz testing
• 7 unknown attack cases found

<Test Criteria>
1. A controller crash
2. An application crash
3. Internal-storage poisoning
4. A switch disconnection
5. Switch-performance downgrade
6. Error-packet generation
7. Inter-host communication disconnection

<Unknown attack classification>
Unknown Attack Name              Flow              Target
Sequence and Data-Forge          Asymmetric        Floodlight
Stats-Payload-Manipulation       Symmetric         Floodlight, OpenDaylight
Echo-Reply-Payload-Manipulation  Symmetric         OpenDaylight
Service-Unregistration           Intra-controller  OpenDaylight
Flow-Rule-Obstruction            Intra-controller  ONOS
Host-Tracking-Neutralization     Intra-controller  ONOS
Link-Discovery-Neutralization    Intra-controller  Floodlight
Use Case 1: Finding Unknown Attacks
● Sequence and Data-Forge Attack
• Target: asymmetric control flow and Floodlight v1.2
[Figure: test setup; a Floodlight instance (Core Services with PACKET_IN Notifier, Topology Manager, Link Discovery and other services, plus other applications and the App Agent with its fuzzing modules) controls two switches joined through a network hub, with a host agent and a normal host attached; the channel agent sits between the controller and the switches, and the agent manager directs all agents]
1. Select asymmetric control flow
2. Start fuzz testing
3. Randomize the control flow sequence first
4. Generate packets
5. Randomize the contents of the PACKET_IN message (PACKET_IN → modified PACKET_IN)
Use Case 1: Finding Unknown Attacks
● Results of the Sequence and Data-Forge attack experiment (Floodlight v1.2)

<Test Criteria>
1. A controller crash
2. An application crash
3. Internal-storage poisoning
4. A switch disconnection
5. Switch-performance downgrade
6. Inter-host communication disconnection
7. Error-packet generation
Use Case 2: Reproducing Known Attacks [1]

Flow Type               Attack Code  Attack Name                      ONOS  OpenDaylight  Floodlight
Symmetric Flows         SF-1         Switch Table Flooding            X     X             O
Symmetric Flows         SF-2         Switch Identification Spoofing   X     O             O
Symmetric Flows         SF-3         Malformed Control Message        X     O             O
Symmetric Flows         SF-4         Control Message Manipulation     O     O             O
Asymmetric Flows        AF-1         Control Message Drop             O     O             O
Asymmetric Flows        AF-2         Control Message Infinite Loop    O     O             O
Asymmetric Flows        AF-3         PACKET_IN Flooding               O     O             O
Asymmetric Flows        AF-4         Flow Rule Flooding               O     O             O
Asymmetric Flows        AF-5         Flow Rule Modification           O     O             O
Asymmetric Flows        AF-6         Switch Firmware Misuse           O     O             O
Asymmetric Flows        AF-7         Flow Table Clearance             O     O             O
Asymmetric Flows        AF-8         Eavesdrop                        O     O             O
Asymmetric Flows        AF-9         Man-In-The-Middle                O     O             O
Intra-controller Flows  CF-1         Internal Storage Misuse          O     O             O
Intra-controller Flows  CF-2         Application Eviction             O     O             N/A
Intra-controller Flows  CF-3         Event Listener Unsubscription    N/A   O             O
Non Flow Operations     NF-1         System Command Execution         O     X             O
Non Flow Operations     NF-2         Memory Exhaustion                X     O             O
Non Flow Operations     NF-3         CPU Exhaustion                   X     O             O
Non Flow Operations     NF-4         System Variable Manipulation     O     O             O

O: Successful   X: Unsuccessful   N/A: Not available
[1] http://sdnsecurity.org/vulnerability/AttackList.html
Use Case 2: Reproducing Known Attacks
● Flexibility of DELTA
• 3 open source controllers and 1 commercial controller
• For example: Application Eviction Attack
[Figure: controller screenshots showing the target application's state changing from ACTIVE to INACTIVE]
Conclusion
● We categorize known vulnerabilities that can mislead network operations into three control flow types and non flow operations
● We propose an automated security assessment framework for SDN capable of reproducing those vulnerabilities
● We incorporate blackbox fuzzing techniques into our framework to detect new unknown attack scenarios
● We show the flexibility of system design by evaluating it against three popular open-source SDN controllers and the commercial controller
● DELTA is now available as an official ONF-sponsored open source project: https://github.com/OpenNetworkingFoundation/delta
Appendix: Performance

Finding unknown attack microbenchmark
Control Flow Type              Average Running Time
Asymmetric Control Flow        82.5 sec
Symmetric Control Flow         80.4 sec
Intra-controller Control Flow  75.2 sec

Reproducing known attacks microbenchmark
Attack Name                     ONOS        ODL         Floodlight
Switch Table Flooding           -           -           5400 sec
Switch Identification Spoofing  16.09 sec   16.34 sec   15.96 sec
Malformed Control Message       21.50 sec   12.33 sec   11.09 sec
Control Message Manipulation    28.10 sec   19.27 sec   18.60 sec
Control Message Drop            12.55 sec   8.47 sec    3.13 sec
Control Message Infinite Loop   3.38 sec    8.12 sec    3.21 sec
PACKET_IN Flooding              12.59 sec   17.79 sec   11.96 sec
Flow Rule Flooding              43.65 sec   23.28 sec   43.20 sec
Flow Rule Modification          40.43 sec   40.24 sec   20.35 sec
Switch Firmware Misuse          20.52 sec   20.25 sec   20.20 sec
Flow Table Clearance            20.60 sec   20.32 sec   20.17 sec
Eavesdrop                       33.62 sec   33.18 sec   33.14 sec
Man-In-The-Middle               17.80 sec   17.19 sec   7.88 sec
Internal Storage Misuse         2.60 sec    3.14 sec    2.14 sec
Application Eviction            22.57 sec   13.33 sec   N/A
Event Listener Unsubscription   N/A         13.22 sec   13.11 sec
System Command Execution        0.028 sec   0.095 sec   0.127 sec
Memory Exhaustion               23.54 sec   23.20 sec   23.16 sec
CPU Exhaustion                  23.43 sec   23.36 sec   23.35 sec
System Variable Manipulation    3.39 sec    4.86 sec    3.17 sec
Total                           346.38 sec  317.98 sec  274.84 sec
About 5 minutes