BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

Jero, Samuel; Bu, Xiangyu; Nita-Rotaru, Cristina; Okhravi, Hamed; Skowyra, Richard; Fahmy, Sonia

doi:10.1007/978-3-319-66332-6_14

Cited by 34 publications

(31 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have provided a few automated analysis and test frameworks [45], [46], [47], [48] to find potential vulnerabilities in SDN applications and other components. SHIELD [45] provides an automated framework to efficiently conduct static analysis of SDN applications, which requires source codes of applications and well-defined malicious behavior to find malicious applications.…”

Section: Related Workmentioning

confidence: 99%

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Cao¹,

Xie²,

Sun³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

show abstract

Section: Related Workmentioning

confidence: 99%

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Cao¹,

Xie²,

Sun³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Defenses to date, such as control plane causality tracking [59], [62], trusted data plane identities [26], and timingbased link fabrication prevention [57], are useful in preventing specific classes of attacks but are not designed for vulnerability discovery because they track specific execution traces as they occur rather than all possible execution traces prior to runtime. Current SDN vulnerability tools, such as BEADS [25] and DELTA [34], rely on fuzzing techniques that do not easily capture complex event-based vulnerabilities.…”

Section: B Sdn Security Challengesmentioning

confidence: 99%

“…DELTA [34], BEADS [25], and STS [55] use fuzzing to generate data plane inputs, but the space of potential inputs is complex for large and complex event-driven controllers. NICE [11] models basic control plane semantics (e.g., flow rule installation ordering) and uses the generated state space to perform concrete symbolic (i.e., concolic) execution to find bugs; however, even for simple single apps, the approach does not scale well.…”

Section: Event-driven Architecturesmentioning

confidence: 99%

“…Although tools have been developed to perform vulnerability discovery in SDNs with fuzz testing [25], [34], concurrency detection [66], and code analysis [32], [33], we are not aware of any tools that are designed specifically to aid developers and practitioners in the understanding of global event use and in the identification of unhandled event vulnerabilities at design and testing time. Forensic SDN tools [62], [59] provide causal explanations of past executions but do not identify vulnerabilities ahead of time.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Ujcich¹,

Jero²,

Skowyra³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Software-defined networking (SDN) achieves a programmable control plane through the use of logically centralized, event-driven controllers and through network applications (apps) that extend the controllers' functionality. As control plane decisions are often based on the data plane, it is possible for carefully crafted malicious data plane inputs to direct the control plane towards unwanted states that bypass network security restrictions (i.e., cross-plane attacks). Unfortunately, because of the complex interplay among controllers, apps, and data plane inputs, at present it is difficult to systematically identify and analyze these cross-plane vulnerabilities. We present EVENTSCOPE, a vulnerability detection tool that automatically analyzes SDN control plane event usage, discovers candidate vulnerabilities based on missing event-handling routines, and validates vulnerabilities based on data plane effects. To accurately detect missing event handlers without ground truth or developer aid, we cluster apps according to similar event usage and mark inconsistencies as candidates. We create an event flow graph to observe a global view of events and control flows within the control plane and use it to validate vulnerabilities that affect the data plane. We applied EVENTSCOPE to the ONOS SDN controller and uncovered 14 new vulnerabilities. 1 An SDN controller service or app often consists of multiple functional units, which we call components. A functional unit ends at an API boundary or event dispatch.

show abstract

“…The output of our method is a Malicious Tenant List. A response module can manage and quarantine malicious tenants in the entire network by changing the flow table strategy . Figure depicts the steps and Figure illustrates the components of the proposed approach.…”

Section: Proposed Educational Approachmentioning

confidence: 99%

Teaching software‐defined network security through malicious tenant detection

Abazari

Esposito

Takabi

et al. 2019

Internet Technology Letters

View full text Add to dashboard Cite

Software‐Defined Networking (SDN) has radically changed how we manage our network, increasing flexibility, and enabling network programmability. Providing security for tenants is one of the most significant issues in SDN. In this paper, our goal is to introduce with an educational use case, four types of attack vectors associated with malicious tenants that seriously challenge the SDN foundation. We also provide suggestions to teach how to investigate the mitigation of these techniques against the attacks. Our solution, to be tested in the classroom, introduce an approach that utilizes several concepts, such as a topological graph to detect malicious tenants. Unlike other methods to teach how to secure SDNs, our proposed approach teaches how to detect and secure a system without requiring any changes to the underlying protocols.

show abstract

BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

Cited by 34 publications

References 26 publications

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Teaching software‐defined network security through malicious tenant detection

Contact Info

Product

Resources

About