Upload
priyanka-aash
View
93
Download
0
Embed Size (px)
Citation preview
ATTACKINGSDNINFRASTRUCTURE:AREWEREADYFORTHENEXT-GENNETWORKING?
Changhoon Yoon,SeungsooLee{chyoon87,lss365}@kaist.ac.kr
1. Aboutus
2. Software-definedNetworking(SDN)?
3. AttackingSDNInfrastructure• Scenario:AttackingSoftware-DefinedDataCenter(SDDC)
• Vulnerabilities
4. RecentworkonSDNsecurity
5. Conclusion
Contents
Aboutus
Seungsoo Lee- PhDstudentatKAIST- ProjectDELTA
- AssistantProfessorofEEdept.atKAIST- ResearchAssociateofOpenNetworkingFoundation(ONF)
- LeadingNetworkandSystemSecurityLab.
Changhoon Yoon- PhDstudentatKAIST- ProjectSM-ONOS
http://nss.kaist.ac.kr
Seungwon Shin
• Toocomplicated• ControlplaneisimplementedwithcomplicatedS/WandASIC• Unstable,increasedcomplexityinmanagement
• Closedplatform• Vendorspecific
• Hardtomodify(nearlyimpossible)• Hardtoaddnewfunctionalities• Barriertoinnovation
• Newproposal:SoftwareDefinedNetworking(SDN)• Separatethecontrolplanefromthedataplane
TraditionalNetworking
ControlPlane
DataPlane
LegacyNetworkDevice
WhatisSoftwareDefinedNetworking(SDN)?
Northbound Interface
CoreServices
Southbound Interface
Storage
App1 App2 App3 AppN
SDN Controller
DataPlane
ControlPlane• Centralizednetworkmanagement• Viaglobalnetworkview
• Programmablenetwork• Flexibleanddynamicnetworkcontrol• useful, innovativeSDNapplications
• CAPEX,OPEXreduction• Commodityserversandswitches
BasicSDNoperation
Controller
L2Forwarding
HostA HostB
SDNSwitchFlowTable
HostAà HostB FWDMATCH ACTION
DataCenterNetworkDesign
Servers
Leaf
Edge
Spine
Border Leaf
East-WestTraffic
• Today’sDataCenterinvolvesaLOTofVirtualMachines(VMs)• “Leaf-Spine”Design
• Suitableforhandling“East-West”traffic;lowlatency&bottlenecks• Remainingchallenges
• Increasedcomplexity– frequentVMmigrations,alargenumberoflinks• Expensivetoscale&maintain
Software-DefinedDataCenter(SDDC)
Servers
Leaf
SDDCControl Plane
Edge
Spine
Border Leaf
Distributed NOSNode #1
Distributed NOSNode #2
Distributed NOSNode #3
• Highlyavailable&scalablecontrolplane• DistributedSDNcontroller
• VMstohostcontrollernodes
• Lowcomplexity• Globalnetworkview+Networkprogrammability
• Lowcost• Commodity servers&switches• Centralized&automatedmanagement
AttackVectors
Misconfiguration- DirectaccesstocriticalSDNcomponents- CLI/GUI/SSHetc.
Malware- Maliciouslibraries/SDNapplications
Insider(tenant)attacks- DoS/Controlplanesaturationattack
againsttheNOScluster- TopologyPoisoning
DCN Admin/Operator
Servers
Leaf
SDDCControl Plane
Edge
Spine
Border Leaf
Distributed NOSNode #1
Distributed NOSNode #2
Distributed NOSNode #3
Build environment
Update, deploy
Update, deploy
• OpenSourceSDNController(NOS)implementations• OpenNetworkOperatingSystem(ONOS)&OpenDaylight (ODL)
• Cutting-edge,distributednetworkoperatingsystems(NOS)• Provide base design for commercial SDN controllerproducts
• BrocadeSDNController[1]:ODL-based• BothareMavenprojects• BothrunonKaraf OSGi container
SDNControlPlaneComponents
[1]http://www.brocade.com/en/products-services/software-networking/sdn-controllers-applications/sdn-controller.html
AttackVector:Misconfiguration• Remotelyaccessibleinterfaces• RemoteSSHtoNOShostmachines• Karaf containerCLI• WebConsole,GUI• RESTAPI
• Defenses• Followthesecurityguidelineavailablehere:
• http://docs.opendaylight.org/en/latest/getting-started-guide/security_considerations.html• Changingdefaultcredentials• Properlyconfiguring Firewallpoliciestoblockremoteaccess
AttackVector:Malware
• Malwareinfectionatbuild-time
• Malwareinfectionatruntime
• CompromisingSDNControlPlaneatBuild-time
AttackVector:Malware1
Build environment
MavenRepository
SDN controller source coderepository
Automaticallyfetch required components
Fetch source code Build
SDN controller projectsource
Maven project build
DeployableSDN controller package
Deployment environmentDistributed NOS
Node #1Distributed NOS
Node #2Distributed NOS
Node #3
Configuration
Compromisedbuild machine- Manipulated hostsfile- Manipulated mavenrepo. setting- Etc.
Compromisedbuild env.network- DNScachepoisoningattack- ARPspoofingattack- Etc.
Rogue maven repository
Rogue SDN controllersource code
repository
Deployment environment
Distributed NOS Node #1
Controller
Southbound API
Core Services
Northbound API
App1 App 2 App 3 App 4 App 5
Distributed NOSNode #2
Distributed NOSNode #3
• CompromisingSDNControlPlaneat Runtime
AttackVector:Malware2
CLI
RESTAPI
GUI
DCN Admin/Operator
SocialEngineeringattacks- Phishing(Spamming,DistributionviaWeb(Blogs,SNS,etc.)
Repackaging&Redistributing
CaninstallSDNappsatruntime
MaliciousApp
• Malicioustenants• Controlplanesaturationattack(DoS)againsttheNOScluster[1]• TopologyPoisoning[2]
AttackVectors:Insider(tenant)attacks
Servers
Leaf
SDDCControl Plane
Edge
Spine
Border Leaf
Distributed NOSNode #1
Distributed NOSNode #2
Distributed NOSNode #3
[1]Shin,Seungwon,andGuofei Gu."Attackingsoftware-defined networks:Afirst feasibilitystudy." ProceedingsofthesecondACMSIGCOMMworkshoponHot topics insoftwaredefinednetworking.ACM,2013.[2]Hong,Sungmin,etal."PoisoningNetworkVisibility inSoftware-Defined Networks:NewAttacksandCountermeasures." NDSS.2015.
AttackScenario1
Build environment
SDN controller projectsource
Maven project build
DeployableSDN controller package
Deploymentenvironment Distributed NOS
Node #1Distributed NOS
Node #2Distributed NOS
Node #3
Rogue Maven Repository
reverse shell
Inject a rogue NOS node to the cluster
CompromisingSDNcontrolplaneatbuildtimetolauncharbitrarySDNcontrollernodeinjectionattack
AttackScenario2CompromisingSDNcontrolplaneatruntimetolaunchstealthnetworkperformanceattack
Download
DCN Admin/Operator
Third-Party SDNAPP Store
Deploymentenvironment
Distributed NOSNode #1
Distributed NOSNode #2
Distributed NOSNode #3
Stealthily degrade the network performance!
Deploy
Manipulate the Leaf-Spine fabric to affect the overall network performance
DCN
TheVulnerabilities(selectedfromthescenario)
1. NoSystemIntegrityProtection2. NoauthenticationofNOSclusternodes3. Noapplicationaccesscontrol4. SwitchDeviceFirmwareAbuse5. Packet-INFlooding6. ControlMessageManipulation7. Eavesdrop8. InternalStorageManipulation9. ….
Wantmore?
Visithttp://sdnsecurity.org !!(willopenin09/2016)
Vulnerability1.Nosystemintegrityprotection
• Thereisnosystemintegrityprotection forNOScomponents
• IntegrityoftheCORENOScomponentsmustbeguaranteed
• PossibleDefenses
- Codesigning
- Integrityprotectionmechanisms(e.g.checksum) Distributed NOSNode #1
Distributed NOSNode #2
Distributed NOSNode #3
Maven project build
DeployableSDN controller package
Configuration
SD-WAN
ExternalBGP Routers
ExternalBGP Routers
ExternalBGP Routers
ExternalBGP Routers
Distributed NOSNode #1
Distributed NOSNode #2
Los Angeles AS
NewYork AS
San Francisco AS
Florida AS
Vulnerability2.NoauthenticationofNOSclusternodes
MaliciousNOSNode
• PossibleDefense
- PKI-basedauthenticationfortheNOScomponents
• Themaliciousnodecancompletelytakeoverthecontroloftheentirecontrolplaneandthenetwork
Vulnerability3.Noapplicationaccesscontrol
Distributed NOS Node #1
SDN-SW 1 SDN-SW 3 SDN-SW 5
SDN-SW 6SDN-SW 4SDN-SW 2
SDN-SW 7 SDN-SW 9
SDN-SW 10SDN-SW 8
Distributed NOS cluster
Controller
Southbound API
Core Services
Northbound API
App1 App 2 App 3 App 4DCN Admin/Operator
Distributed NOSNode #3
Distributed NOSNode #2
Data Plane
MaliciousApp
CLI
SSH
RESTAPI
GUI
[CP-3] Flow Rule Flooding[CP-2] Flow Table Manipulation
[CP-1] Service Chain Interference
[CP-5] Resource Exhaustion
[CP-6] System Variable Manipulation
[CP-4] Controller Shutdown
[CP-7] Internal Storage Manipulation
[CP-8] Application Eviction
[CP-8] Switch Firmware Abuse
• PossibleDefense
- Policy-basedaccesscontrolforSDNapplication
• SDNapplicationsaregrantedverypowerfulauthority;needtolimit
MATCH ACTIONSoftwareTable
Vulnerability4.Switchdevicefirmwareabuse
App1 AppN
OpenFlowSwitch
HostA HostB
Controller
HardwareTable
IP.HOSTA->IP.HOSTBIP.HOSTB->IP.HOSTA
OUT:FW1OUT:FW2
MATCH ACTION• Packetmatchingstrategy:
Hardware-basedvs.Software-based
App2
• Thestrategydependsonthevendororthefirmwareversion
[1]HP.HPSwitch SoftwareOpenFlow Administrator's GuideK/KA/WB15.14
HP3800SwitchMatchChart[1]
Hardwarematch
Softwarematch
Vulnerability4.Switchdevicefirmwareabuse
App1 MaliciousApp AppN
OpenFlowSwitch
HostA HostB
Controller
HardwareTable
IP.HOSTA->IP.HOSTBIP.HOSTB->IP.HOSTA
OUT:FW1OUT:FW2
MATCH ACTION
• OverrideIPmatchingflowruleswithMACmatchingflowrules!
FLOW_MODOUT:FW1OUT:FW2
MATCH ACTIONSoftwareTable
MAC.HOSTA->MAC.HOSTBMAC.HOSTB->MAC.HOSTA
Latency
FLOW_MOD
Networkperformancedegradation
a
2a
X2
• PossibleDefense
- Flowruleconflictdetection&arbitration
• Delta(collaboratewithONF)isanewSDNsecurityevaluationframeworkwithtwomainfunctions[1]:1. Automaticallyinstantiatesknownattackcases
againstSDNelementsacrossdiverseenvironments2. Assistsinuncoveringunknownsecurity
problemswithinanSDNdeployment
SDNSecurityAssessment: ProjectDELTA
[1]http://opensourcesdn.org/projects/project-delta-sdn-security-evaluation-framework/
Northbound Interface
CoreServices
Southbound Interface
Storage
AppAgent App2 AppN
SDN Controller
ChannelAgent
HostAgentAgentManager
WebUI
• Security-ModeONOS• InspiredbyMobileapplicationsecuritymechanisms• ConstrainsONOS(SDN)applications’behavior
• Asecuritypolicyperapp• Detectsandblockssecuritypolicyviolationsatruntime
SDNApplicationsecuritypolicyenforcement
SB API
Core
NB API
OSGi protection domain
Admin Service
ONOS NB-API permission checker
ONOS App 1Policyfile
OSGi protection domain
ONOS App 2Policyfile
Device Manager Host Manager
Service
Provider Service Provider Registry
Providers
Protocols
Network Elements
Security Manager
grantpermissions
A
B B
C
Bundle-level RBACA
App-level RBACB
API-level permission-based ACC
parse
SDNSecurity.org• WetrytodiscoverSDNspecificvulnerabilitiesanddevotetosystematizingandcharacterizingallrelatedpoints.• Currently,wehave 8 on-goingprojectsand 8 finishedprojects.
Application Plane
Control Plane
Data PlaneSDN Switch SDN Switch
SDN Controller
Switch Firmware
HardwareSoftwareFlow Table
Network Operating System
App
Southbound API
Northbound API
App
[A-5] Control Message Abuse
Control Channel
Control Channel
[A-6] Northbound API Abuse
[A-3] Internal Storage Manipulation[A-1] Packet-In Flooding
[A-2] Service Chain Interference
[A-4] Control Message Manipulation
[A-7] Resource Exhaustion
[A-8] System Variable Manipulation
[A-9] System Command Execution
[B-1] Eavesdrop
[B-2] Man-In-The-Middle
[C-1] Flow Rule Flooding
[C-2] Firmware Abuse
[C-3] Control Message Manipulation
[A-10] Network Topology Poisoning
http://sdnsecurity.org
SDNVulnerabilityGenomeProject
(willopenin09/2016)
Finalremarks
• Arewereadyforthenext-gennetworking?
• No,notyetatleastfromasecuritypointofview
• A LOT ofworkstillneedstobedonetoimprovethesecurityofSDN.
• Yoururgentattentionisneeded!
Thankyou