The Finest Penetration Testing Framework for Software-Defined Networks

Transcription

1 The Finest Penetration Testing Framework for Software-Defined Networks Seungsoo Lee, Jinwoo Kim, Seungwon Woo and Seungwon Shin {lss365, jinwoo.kim, seungwonwoo,

2 Seungwon Shin - Associate Professor of EE dept. at KAIST About us - Leading Network and System Security Lab. Seungsoo Lee Jinwoo Kim Seungwon Woo - PhD student at KAIST - PhD student at KAIST - Master student at KAIST 2

3 Contents 1. Motivation of DELTA 2. Software-Defined Networking (SDN) SDN & OpenFlow basics Security of SDN 3. DELTA framework Architecture Attack case demonstrations 4. Final remarks 3

4 Motivation of DELTA Why needed? Software-defined Networking (SDN) are still prone to security threats We need to run security tests against our SDNs But, manually testing each attack is time consuming and annoying job DELTA can AUTOMATICALLY Construct an SDN security test environment (i) Reproduce the known attacks (ii) Find new attacks by randomizing SDN control flows (i.e., OpenFlow) 4

5 Limitations of Traditional Networks Image source: Expensive network/security devices (CAPEX) Increased complexity of network management (OPEX) Proprietary firmware Specialized hardware Complicated maintenance Manual configuration 5

6 Software-defined Networking (SDN) Separation & Centralization of the control plane Control Plane SDN controller OpenFlow: A de-facto standard SDN protocol Host A Control Plane Data Plane Control Plane Data Plane Control Plane Data Plane Control Plane Data Plane Host C Host B 6

7 SDN: New opportunities Flexible service customization Various network functions in SDN APPs SW2 H-A SW1 SW4 H-B SW3 Global network view H-C SDN controller DHCP, Firewall, DDoS detector, and etc. New opportunities Global network view + SDN APPs = Intelligent & innovative network/security services Automated network management Host A OpenFlow OpenFlow OpenFlow OpenFlow Host B 7 Global network view + APPs + Dynamic network control = PROGRAMMABLE NETWORK!! Host C

8 OpenFlow A De-facto standard protocol in SDN Maintained by Open Networking Foundation Supported by 120+ industrial members Version timeline OpenFlow 1.0 Single table Fixed 12 tuple match field OpenFlow 1.2 Role change IPv6 OpenFlow 1.4 Synchronized Table Default Port to 6653 Dec Feb Dec Apr Aug Jan OpenFlow 1.1 Multi-table Group-table OpenFlow 1.3 Long term release: 1.3.1, 1.3.2, Meters OpenFlow 1.5 Egress Table Packet Type Aware Pipeline 8

9 22 message types Flow table structure OpenFlow 1.0 HELLO PACKET_IN FLOW_MOD Header fields, actions and counters Fixed 12 match PKT fields Forward packet Per-table, to controller per-flow, or per-port ports and per queue If matched, perform actions Drop and packet update Packet OpenFlow counters and byte counters Modify fields 32 bits version type length xid (transaction identifier) Body OpenFlow Structure Header Fields (i.e., Match fields) InPort EthSrc EthDst EthType VLANID VLANPri IPSrc IPDst IPProto IPToS TCP/UDP SrcPort TCP/UDP DstPort Actions Counters Flow Table Structure 9

10 OpenFlow 1.0: Basic Operation SDN controller PKT PACKET_IN HELLO FLOW_MOD HELLO 1 2 PKT Host A ( ) OpenFlow Host B ( ) Header Fields (i.e., Match fields) Priority InPort EthSrc EthDst EthType VLANID VLANPri IPSrc IPDst IPProto IPToS TCP/UDP SrcPort TCP/UDP DstPort Actions Counters 10 [InPort]: 1, [EthType]: 0x0800, [IPDst]: Forward 2 P: 1, 0, B: 64 0 Flow Table Structure 10

11 OpenFlow 1.0 vs. OpenFlow 1.3 OpenFlow 1.0 Released in Dec message types Single controller Single flow table Fixed 12 tuple match fields OpenFlow 1.3 Released in Apr message types Multiple controllers Multiple flow tables Extensible match (OXM) Group table Meter table Instruction (action set) 11

12 SDN adoption: Enterprise Source: /deutsche-telekom-touts-benefits-software-based-ran Source: att-to-join-verizon-in-working-with-kt-on-nfv-sdn-and-5g/2017/06/ Source: 12

13 SDN adoption: Military Source: Source: 13

14 But, what about SECURITY? 14

15 Attention to SECURITY has been growing! Keywords: SDN & Security 9720 BlackHat USA 15 Briefing BlackHat USA 16 Briefing BlackHat USA 17 Briefing BlackHat USA 17 Arsenal Paper Counts * Google scholar [scholar.google.com] 15

16 Attack Vectors in SDN architecture SDN controller Control plane Control channel OpenFlow OpenFlow OpenFlow OpenFlow Data plane 16

17 Attack Examples FLOW_MOD PACKET_IN PACKET_IN PACKET_IN FLOW_MOD FLOW_MOD SDN controller FLOW_MOD PACKET_IN PACKET_IN PACKET_IN FLOW_MOD FLOW_MOD Control plane Control channel SW2 SW1 SW4 (e.g., Packet-In Flooding attack) SW3 (e.g., Eavesdropping attack) OpenFlow OpenFlow OpenFlow OpenFlow Data plane (e.g., Flow Rule Flooding attack) 17

18 SDN Vulnerability Genome Project [1] [A-5] Control Message Abuse [A-6] Northbound API Abuse Application Plane [A-2] Service Chain Interference [A-1] Packet-In Flooding App Northbound API App [A-7] Resource Exhaustion [A-9] System Command Execution [A-3] Internal Storage Manipulation Control plane [A-8] System Variable Manipulation Network Operating System [A-4] Control Message Manipulation SDN Controller Control Channel SDN SDN Southbound API Control Plane Control Channel Firmware Flow Table Software Hardware [B-1] Eavesdrop [B-2] Man-In-The-Middle [A-10] Network Topology Poisoning [C-1] Flow Rule Flooding [C-3] Control Message Manipulation [C-2] Firmware Abuse Data Plane Control channel Data plane [1] Yoon, Changhoon, et al. "Flow wars: Systemizing the attack surface and defenses in software-defined networks." IEEE/ACM Transactions on Networking 6 (2017):

19 Network admin s concerns Any more vulnerabilities? 19

20 Don t worry, run DELTA DELTA: A Security Assessment Framework for SDN Automating a working process Finding new attacks Supporting diverse SDN components Covering many attack cases 20

21 DELTA: System Design DELTA control channel App Agent. App 2 App 3 Core APIs DB SDN controller Agent Manager Channel Agent Network hub Host Agent OpenFlow OpenFlow OpenFlow OpenFlow Host B Host A 21

22 DELTA: System Design Agent Manager Agent Manager The Control tower Remotely controls the agents deployed to the target network Leverages different agents to perform various security test cases Analyzes the test results collected from the agents 22

23 DELTA: System Design App Agent. Application Agent SDN applications that conduct attack procedures as instructed by the manager Implements the known malicious functions as an application agent library Includes fuzzing modules that randomize the SDN control flows 23

24 Channel Agent DELTA: System Design Located between the controller and the switch Includes fuzzing modules that sniff and modify the unencrypted SDN control messages Mimics a dummy controller / switch Channel Agent 24

25 DELTA: System Design Host Agent A legitimate network host participating in the target SDN Generates network traffic as instructed by the agent manager ( e.g. DDoS, LLDP injection etc. ) Checks the connectivity to other hosts Host Agent 25

26 Automated Operation App Agent App B. Core APIs App C DB SDN controller Agent Manager Channel Agent 1. Select reproducing known test case or finding unknown test case 2. Instruct each agent to conduct the test Automating a working process OpenFlow Host Agent 3. Collect the result of the test from each agent 4. Notify the result Network hub OpenFlow Host A OpenFlow Host B OpenFlow 26

27 SDN Control Flow Fuzzing Find NEW security holes in SDN (i.e., OpenFlow protocol based) Define three types of control flow operations 1. Symmetric control flow: Req. & Res. message pair 2. Asymmetric control flow: One-way message 3. Intra-controller control flow: between applications and core services App A Core Services ECHO_RES FLOW_MOD App B App C SDN controller RES MSG MSG REQ DB ECHO_REQ PACKET_IN OpenFlow 27

28 Operational State Diagram To find new vulnerabilities, 1. Infer thecurrent state of the controller 2. Manipulate the control flow sequence or the input values ee send HELLO receive HELLO send FEATURES_REQ receive FEATURES_RES S1 S2 S3 S4 R send STATS_REQ S8 receive STATS_RES S9 deliver to applications send GET_CONFIG_REQ S5 receive GET_CONFIG_RES S6 send SET_CONFIG S7 update topology receive PORT_STATUS A1 update topology Rr send ECHO_REQ S10 receive ECHO_RES A3 update topology send VENDOR receive VENDOR send FLOW_MOD S12 S* S13 send BARRIER_REQ receive BARRIER_RES S14 S15 receive PACKET_IN deliver to applications A2 update internal send FLOW_MOD update internal flow tables flow tables Intra-controller flow transitions à I* A4 receive FLOW_REMOVED update internal flow tables A5 A* send PACKET_OUT send PORT_MOD update internal flow tables A6 à Asymmetric flow transitions send PACKET_OUT S11 à Symmetric flow transitions A7 update internal flow tables I2 28 I1

29 Identifying Current State of Controller PACKET_IN App Agent App A App C Agent Manager DB Receive PACKET_IN Send FLOW_MOD PACKET_IN SDN controller FLOW_MOD R A2 A3 A4 Channel Agent Deliver to applications OpenFlow 29

30 Randomizing Symmetric Control Flow Sequence send HELLO receive HELLO send FEATURES_REQ receive FEATURES_RES S1 S2 S3 S4 send GET_CONFIG_REQ S5 receive GET_CONFIG_RES send SET_CONFIG S6 S7 R SDN controller HELLO OpenFlow SDN controller Channel Agent HELLO OpenFlow HELLO HELLO FEATURE_REQ FEATURE_REQ FEATURE_RES GET_CONFIG_REQ GET_CONFIG_RES GET_CONFIG_RES SET_CONFIG SET_CONFIG 30

31 Randomizing Asymmetric Control Flow Sequence App Agent. (2) App App A D App App B C App App C B App App D A Packet-IN Notifier Core Services DB R A3 SDN controller receive PACKET_IN A2 deliver to applications (1) PACKET_IN Host A OpenFlow Host B 31

32 Randomizing Input Values Between an SDN controller and an SDN switch Between SDN applications App A Core Services App Agent. App C DB 9 Findingnew attacks FLOW_MOD SDN controller PACKET_IN Channel Agent e.g.) ADD (0x0000) à (Undefined) (0xFFFF) OpenFlow 32

33 Implementation Program languages: Java / Python [LOC]

34 Supported SDN Components Supports four different SDN controllers 4 open source controllers (ONOS, OpenDaylight, Floodlight and Ryu!) ONOS OpenDaylight Floodlight Ryu Version Hydrogen Helium... Oxygen Release Date 6/5/15 9/18/ /2/18 2/4/14 9/29/ /22/18 12/8/14 12/30/14 4/17/15 2/7/16 7/1/18 Supported OpenFlow v1.0 and v1.3 supported (HW and SW) Supporting diverse SDN components Vendor OpenFlow Version Pica8 P , 1.3 Arista Networks 7050-T HPE E G-2SFP+ 1.0 Linux Foundation Collaborative Project OpenV 1.0,

35 Web-based UI Live test queue: Configuration and log pane: Test case inventory: 35

36 Configuration and Log Pane 36

37 Test Case Inventory Test set 1: Data plane security OpenFlow messages from a controller to a switch Test set 2: Control plane security OpenFlow messages from a switch to a controller Test set 3: Advanced security 40+ Covering many attack cases Sophisticated security tests exploiting a variety of vulnerabilities e.g., SDN applications exploiting SDN controllers architectural vulnerabilities

38 Let s start DEMO time! 38

39 Demonstration Test environments 1 KNOWN attack for Floodlight 2 NEW attacks for ONOS, OpenDaylight 39

40 Test Environments Firewall App Forwarding App Core Services DB SDN controller Network hub Host Agent A B Normal Host B 40

41 Test Environments App Agent. Firewall App Core Services Agent Manager Forwarding App DB SDN controller Channel Agent Network hub Host Agent A B Normal Host B 41

42 Event Subscription in SDN An SDN controller maintains an event subscription list Packet-In events are processed according to a priority PACKET_IN Packet-IN Subscription List Load balancer App PACKET_IN Topology Manager Core Services Firewall App DB 1. Load balancer 2. Topology Manager 3. Firewall App PACKET_IN SDN Controller A PKT OpenFlow B 42

43 Attack Strategy: Smash the subscription! manipulate the Packet-In, and deliver it to the next PACKET_IN 2 The application refers the wrong value 3 Malicious App Topology Manager SDN controller Firewall App 1 Modify the priority Packet-IN Subscription Core Services List 1. Malicious Load balancer App 2. Topology Manager 3. Firewall App DB SDN Controller 43

44 DEMO 1: Packet-In Data Forge attack Agent Manager in_port: 1 reason: Packet-IN NoMatch 3 Notifier DATA: 1. Link Discovery App PKT 3. Device Manager App 4. Firewall App 2. Topology Channel Manager AgentApp Host Agent 7. DELTA App Agent PKT 1 Packet-IN Message 6 A App Agent. 5 PACKET_IN Topology Manager 2 Core Services Packet-IN Message SDN controller in_port: 1 reason: Packet-IN NoMatch Notifier DATA: 1. DELTA Network App hub Agent 4 2. Topology PACKET_IN (empty) Manager App 3. Device Manager App 4. Firewall App 7. Link Discovery App Host B B Firewall App DB The NULL SW1 app AM point Instructs agent instructs delivers exception removes modifies a the Packet-In host app occurred the agent data priority message and to field randomize generate the of to switch the message, controller a the packet connections sequence and then are of the closed hands packet-in it over subscription to the next one list 44

45 DEMO 1: Packet-In Data Forge attack 45

46 DEMO 1: Packet-In Data Forge attack Feasible to Floodlight 1.1 Why? BRING ME APIs!!! SDN applications granted powerful authority How to defend? Policy-based access control to SDN applications e.g., Security-Mode ONOS [1] [1] 46

47 Databases in OpenDaylight OpenDaylight (ODL) manages two types of databases DB Config Proactive and persistent rules, Non-volatile memory Operational Reactive and temporary rules Volatile memory 47

48 Attack Strategy: Exploit the config. DB ODL refers the configuration DB, when handshaking with a switch Attacker Malicious App Core Services 1 Inject a malformed rule to DB 4 Access the DB Config 2 Cut the channel temporarily 3 Ask a handshake MITM Proxy HELLO OpenFlow 48

49 DEMO 2: Malformed Flow Rule Generation 1 App Agent Agent Manager. Firewall App Forwarding App Core Services 3 Config SDN controller 5 Network hub Channel Agent 2 ID IN Match Action F2 1 HA to B GROUP [NULL] HELLO OF 1.3 Host Agent 2 1 A (OF 1.0) B (OF 1.0) 1 2 AM instructs the app agent to a malformed 54 The switch 3 app agent tries makes to connect a malformed to themake flow controller rule including NULLrule group action A fails INFINITELY channel agent to disconnect the flow switch A Normal Host B 49

50 DEMO 2: Malformed Flow Rule Generation 50

51 DEMO 2: Malformed Flow Rule Generation Feasible to OpenDaylight oxygen (latest version) Why? Improper exception handling in the handshake process Absence of malformed flow rule management How to defend? Detecting the infinite failures and resolving root causes Filtering an input that has incompatible fields 51

52 Flow Synchronization in ONOS ONOS synchronizes the internal flow tables with switches using flow statistics Consistency is periodically and strongly investigated Controller s Flow Table Forwarding App Core Services FLOW_RULE Are they same with me? ID DPID Match Action A1 A HA to B FWD 1 DB Make a rule FLOW_MOD STATS_REQ STATS_RES s Flow Table IN Match Action OpenFlow 1 HA to B FWD 1 52

53 Attack Strategy: Exploit the synchronization! If consistency is broken, ONOS removes and reinstalls everything Let s break the consistency by installing a malformed flow rule Controller s Flow Table Malicious App 1 Inject an invalid flow rule ID DPID Match Action A1 A * FWD Core Services 3 Get a flow statistics Compare it with the original DB 4 Reinstall them! 2 Install a wrong flow rule s Flow Table IN Match Action 1 HA to B FWD OpenFlow 53

54 DEMO 3: Infinite Flow Rule Synchronization 2 App Agent. Firewall App Forwarding App Agent Manager Core Services DB 5 6 Host Agent IN Src Dst Action 1 HA B FWD 2 2 B HA FWD FWD Channel Agent 4 A SDN controller FLOW_ADD Network hub 1 B Send Repeat Instruct Make Delete Host a Agent a flow ALL this App flow every rule communicates Agent overflowed rules including 5 to seconds generate the with outport switch the Host number B a and malformed abnormal then retry flow outport to install rulenumber 3 ID IN Src Dst Action A1 1 HA B FWD 2 A2 2 B HA FWD 1 B1 3 B HA FWD 2 B2 4 HA B FWD 1 A FWD Normal Host B IN Src Dst Action 1 HA B FWD 2 2 B HA FWD 1 54

55 DEMO 3: Infinite Flow Rule Synchronization / 50 58

56 DEMO 3: Infinite Flow Rule Synchronization Feasible to ONOS 1.13 (latest version) Why? Careless range check against to field values Meaningless flow synchronization How to defend? Thorough range check in critical fields Root cause analysis of synchronization failures 56

57 Summary of NEW attack cases No. Attack Name ControlFlow Type Controller 1 Malformed Flow Rule Generation 1 Intra-Controller Flow OpenDaylight 2 Malformed Flow Rule Generation 2 Intra-ControllerFlow ONOS 3 Flow Rule Inconsistency 1 Asymmetric Flow ONOS 4 Flow Rule Inconsistency 2 Asymmetric Flow Floodlight 5 Flow Rule Inconsistency 3 Asymmetric Flow ONOS 6 Infinite Flow Rule Synchronization 1 Asymmetric Flow ONOS 7 Infinite Flow Rule Synchronization 2 Asymmetric Flow ONOS 8 Flow Rule ID Spoofing 1 Asymmetric Flow Floodlight 9 Flow Rule ID Spoofing 2 Asymmetric Flow Floodlight 57

58 Final Remarks Although SDN offers significant benefits as a next-gen networking, a lot of work still needs to be done to improve the security of SDN. DELTA helps to verify the security of SDN architecture thoroughly. DELTA fuzzing techniques enable us to discover new vulnerabilities. DELTA is now available as an open source project, so anyone can join us! ( 58

59 Q&A Thanks to Changhoon Yoon and Haney Kang for helping us make the slides J 59

60 Acknowledgement This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(msit) (No , SDN security technology development) And also, this work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(msip) (No. B , Global SDN/NFV OpenSource Software Core Module/Function Development) 60