Proceedings of the Symposium on SDN Research 2018
DOI: 10.1145/3185467.3185468

Taking Control of SDN-based Cloud Systems via the Data Plane

Abstract: Virtual switches are a crucial component of SDN-based cloud systems, enabling the interconnection of virtual machines in a flexible and "software-defined" manner. This paper raises the alarm on the security implications of virtual switches. In particular, we show that virtual switches not only increase the attack surface of the cloud, but virtual switch vulnerabilities can also lead to attacks of much higher impact compared to traditional switches. We present a systematic security analysis and identify four de…

Cited by 46 publications (34 citation statements)
References 50 publications
“…eBPF thus protects the users against unexpected memory error or stack buffer overflow bugs. The bug reported in [29] can be avoided using this mechanism. Despite these restrictions, eBPF has been proven to be sufficiently expressive to write packet processing code, together with extensions described below.…”
Section: Packet Processing Protection (citation type: mentioning)
confidence: 99%
“…In 2018, Thimmaraju et al. [29] report that existing software switches used as an NFV backend have a vulnerability where attackers can hijack the entire network within minutes. They demonstrate this by injecting a malicious packet that causes a buffer overflow in the MPLS parser of the Open vSwitch data path [23].…”
Section: Introduction (citation type: mentioning)
confidence: 99%
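The bug class named in the citation above (a crafted packet driving a label-stack parser past a fixed-size buffer), as an added illustration written for this page. It is not Open vSwitch code and not the bug the paper reports: a constructed MPLS label-stack walker in its unchecked form beside a bounds-checked form, with the MPLS entry layout taken from RFC 3032. MAX_LABELS, the function names and the sample packets are assumptions of the example.

```c
/* Added illustration, not Open vSwitch code and not the reported bug.
 * MPLS label stack entry (RFC 3032), 32 bits, most significant bit first:
 *   label(20) | TC(3) | S(1) | TTL(8)      S=1 marks the bottom of the stack
 * MAX_LABELS, the function names and the packets built here are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MPLS_HDR_LEN 4
#define MAX_LABELS   4   /* hypothetical fixed-size label buffer in the caller */

static uint32_t mpls_label(const uint8_t *p)
{
    uint32_t entry = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return entry >> 12;                 /* top 20 bits */
}

static int mpls_bottom_of_stack(const uint8_t *p)
{
    return p[2] & 0x01;                 /* S bit is bit 8 of the entry */
}

/* Vulnerable pattern: the write index is bounded only by packet length and
 * the attacker-controlled S bit, never by MAX_LABELS. A packet carrying more
 * than MAX_LABELS entries before S=1 writes past the end of labels[]. */
int parse_mpls_unchecked(const uint8_t *pkt, size_t len, uint32_t labels[MAX_LABELS])
{
    int n = 0;
    for (size_t off = 0; off + MPLS_HDR_LEN <= len; off += MPLS_HDR_LEN) {
        labels[n++] = mpls_label(pkt + off);    /* no n < MAX_LABELS check */
        if (mpls_bottom_of_stack(pkt + off))
            return n;
    }
    return n;                                   /* missing S bit silently accepted */
}

/* Hardened: capacity is checked before every write, and a stack that ends
 * without an S=1 entry is rejected. Returns the label count or -1. */
int parse_mpls_checked(const uint8_t *pkt, size_t len, uint32_t labels[MAX_LABELS])
{
    int n = 0;
    for (size_t off = 0; off + MPLS_HDR_LEN <= len; off += MPLS_HDR_LEN) {
        if (n >= MAX_LABELS)
            return -1;                          /* deeper than we can hold */
        labels[n++] = mpls_label(pkt + off);
        if (mpls_bottom_of_stack(pkt + off))
            return n;
    }
    return -1;                                  /* ran out of packet before S=1 */
}

/* Builds a constructed stack of `depth` entries with labels 1..depth,
 * TC=0, TTL=64, S=1 only on the last entry. Returns bytes written,
 * 0 if `out` is too small. */
size_t build_mpls_stack(uint8_t *out, size_t cap, int depth)
{
    if (depth <= 0 || (size_t)depth * MPLS_HDR_LEN > cap)
        return 0;
    for (int i = 0; i < depth; i++) {
        uint32_t entry = ((uint32_t)(i + 1) << 12) | (i == depth - 1 ? 0x100u : 0u) | 64u;
        out[i * 4 + 0] = (uint8_t)(entry >> 24);
        out[i * 4 + 1] = (uint8_t)(entry >> 16);
        out[i * 4 + 2] = (uint8_t)(entry >> 8);
        out[i * 4 + 3] = (uint8_t)entry;
    }
    return (size_t)depth * MPLS_HDR_LEN;
}

/* Wrapper: what the checked parser returns for a well-formed stack of `depth`. */
int checked_result_for_depth(int depth)
{
    uint8_t pkt[64];
    uint32_t labels[MAX_LABELS];
    size_t len = build_mpls_stack(pkt, sizeof pkt, depth);
    return parse_mpls_checked(pkt, len, labels);
}

/* Wrapper: both parsers on a constructed 12-byte stack whose S bit is never set.
 * Returns 1 when the unchecked parser accepts it and the checked one rejects it. */
int unchecked_accepts_missing_s_bit(void)
{
    uint8_t pkt[12];
    uint32_t labels[MAX_LABELS];
    memset(pkt, 0, sizeof pkt);                 /* three entries, S=0 everywhere */
    return parse_mpls_unchecked(pkt, sizeof pkt, labels) == 3 &&
           parse_mpls_checked(pkt, sizeof pkt, labels) == -1;
}

int main(void)
{
    /* The unchecked parser is deliberately NOT run on the 10-label packet:
     * that call is the out-of-bounds write the checked version refuses. */
    printf("depth 3: checked=%d\n", checked_result_for_depth(3));    /* 3 */
    printf("depth 10: checked=%d\n", checked_result_for_depth(10));  /* -1 */
    printf("missing S bit: unchecked accepts, checked rejects: %d\n",
           unchecked_accepts_missing_s_bit());                       /* 1 */
    return 0;
}
```

The two walkers differ in exactly the two places a data-plane parser must not trust the wire: how many entries it will store, and whether the packet really ended the way the format says it must. The unchecked variant is never invoked on the over-deep packet because doing so is the out-of-bounds write itself.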
“…Direct attacks on the cloud network infrastructure are less known; there has been work on fuzzing the data plane with considerable success [51,73] and compromising SDN controllers [7]. Denial of service using algorithmic complexity attacks [2,14,16,54] on the network data plane usually works by exploiting a vulnerable algorithm/data structure that is already in the targeted binary; e.g., [77] shows cache-collision attacks against the Linux IP stack and [20] targets stateful firewalls.…”
Section: Related Work (citation type: mentioning)
confidence: 99%