AEGIS: An Automated Permission Generation and Verification System for SDNs
ACM SIGCOMM 2018 Workshop on SecSoN
Heedo Kang, Seungwon Shin, Vinod Yegneswaran*, Shalini Ghosh*, Phillip Porras*
KAIST, SRI International*
Contents
1. Background
2. Motivation & Challenge
3. AEGIS Design
• Static Engine
• Dynamic Engine
4. Evaluation
5. Conclusion
Background: Software Defined Networking (SDN)?
Figure: control plane (network control) with App 1 ... App N above the north-bound interface; the SDN controller (core services, storage); the south-bound interface; the data plane (forwarding function).
• Network decoupling
⁃ Network control and forwarding functions
• Programmable network
⁃ Flexible and dynamic network control
⁃ Innovative network service
• Potential abuse
⁃ SDN controller API can be abused by an SDN app
⁃ Entire resources can be manipulated
Background: Abusing the SDN controller API
• Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yegneswaran, Phillip Porras. "DELTA: A Security Assessment Framework for Software-Defined Networks." NDSS 2017.
• Changhoon Yoon, Seungsoo Lee. "Attacking SDN Infrastructure: Are We Ready for the Next-Gen Networking?" Black Hat 2016.
• Seungsoo Lee, Changhoon Yoon, Seungwon Shin. "The smaller, the shrewder: a simple malicious application can kill an entire SDN environment." SDN-NFV Security 2016.
• Seungwon Shin, et al. "Rosemary: A robust, secure, and high-performance network operating system." CCS 2014.
Background: Existing SDN permission systems
• SE-Floodlight
⁃ Phillip A. Porras, et al. "Securing the Software Defined Network Control Layer." NDSS 2015.
⁃ Role-based access control (only for data-plane related resources)
• SDNShield
⁃ Xitao Wen, et al. "SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets." DSN 2016.
⁃ Permission- and policy-based access control (only for data-plane related resources)
• Security-Mode ONOS
⁃ Changhoon Yoon, et al. "A Security-Mode for Carrier-Grade SDN Controllers." ACSAC 2017.
⁃ Permission-based access control (for all resources)
Motivation 1. Automation deficiency
To build an SDN permission system, an SDN security expert works through the SDN controller source code by hand:
(i) Analyze what resources (assets) should be protected → list of SDN resources (assets)
(ii) Inspect what resources are accessed by each API → API map (API – assets & action)
(iii) Design the permission model → permission model
(iv) Implement the permission system → permission system
Figure callout, an example of a human error that existed in Security-Mode ONOS: "APP_WRITE should be checked! This is WRITE action!"
Motivation 2. Portability deficiency
• Procedure for building an SDN permission system
⁃ Too complicated a task
⁃ Error prone
• Existing SDN permission systems
⁃ Tightly coupled with the SDN controller implementation
⁃ e.g.) SE-Floodlight (Floodlight), Security-Mode ONOS (ONOS)
⁃ Cannot be ported to any other controller
Motivation 3. Flexibility deficiency
• Different security requirements
⁃ Bob (network operator): "Our network needs fine-grained access control only over the topology resource."
⁃ Alice (network operator): "Our network needs fine-grained access control over all resources."
• Existing SDN permission systems
⁃ The permission model is fixed
Challenges
● Ultimate goal
• Suggest a new automated permission generation and verification system for SDN
● Summary of challenges
• Automation
⁃ Automatically generate a permission model for an SDN controller
• Portability
⁃ Designed and implemented independently of any specific SDN controller implementation
• Flexibility
⁃ Provide a way to flexibly generate the permission model
AEGIS Design
● Overview
• Static Engine (executes before run-time)
⁃ Automatically generates the permission model
⁃ Uses various NLP techniques
⁃ Input: controller API document; permission model policy from the network operator
⁃ Output: permission model (API–permission mappings)
• Dynamic Engine (executes at run-time)
⁃ Verifies whether an application has the right permissions to execute an API
⁃ Uses a hooking & code injection technique
⁃ Input: invoked API information from APP 1 ... APP N via the northbound APIs; permission model
⁃ Output: decision
Figure: AEGIS sits beside the SDN controller; the Static Engine hands the permission model to the Dynamic Engine, which returns a decision to the controller for each invoked API.
AEGIS Design
● Static Engine
• Consists of seven modules
⁃ API Document Parser
⁃ Preprocessor
⁃ Semantic Role Labeler
⁃ Intermediate processor
⁃ Dependency Analyzer
⁃ SDN Asset Map Generator
⁃ API-Permission Mapping Constructor
• Takes the controller API document & the permission model policy (from the network operator) as inputs
• Generates the permission model (API–permission mappings) as output
Figure: the modules form a pipeline in the order listed; the SDN asset map from the generator and the permission model policy both feed the API-Permission Mapping Constructor.
AEGIS Design
● API document Parser
• Extracts the following features from the API document (the ONOS controller API document in the example)
⁃ Package path
⁃ Class name
⁃ API name
⁃ API description
• Example output
⁃ API = org.onosproject.net.flow.FlowRuleService.getFlowRuleCount
⁃ Description = Returns the number of flow rules in the system.
AEGIS Design
● Preprocessor
• Replaces all uppercase letters with lowercase letters
• Removes special characters
• Injects a fake subject
• Converges entity n-grams into one word
• Changes the verb into one of three types of action word
⁃ e.g.)
・ obtain, fetch, get, find, check, ... → read
・ send, create, remove, add, unregister, ... → write
・ invoke, activate, stop, perform, ... → execute
• Example
⁃ Input: Returns the number of flow rules in the system.
⁃ Output: It read the number of flow_rule in the system
AEGIS Design
● Semantic Role Labeler
• Classifies the description into semantic constituents
⁃ The object contains the resources that the API accesses
⁃ Example: It read the number of flow_rule in the system → (S It) (V read) (O the number of flow_rule in the system)
• Investigates the classified object
⁃ Does it start with a to-infinitive or gerund? Then re-classify the object sentence
⁃ e.g.) It attempts to assign leadership for a topic to a specified node
・ (S It) (V attempts) (O to assign leadership for a topic to a specified node)
・ Re-classify → (S It) (V assign) (O leadership for a topic to a specified node)
AEGIS Design
● Intermediate processor
• Tags parts of speech (POS)
⁃ e.g.) ~ (NN/ flow_rule) (IN/ in) ~
• Removes determiner words
⁃ e.g.) the number of ~ → number of ~
• Converts each word to its stem
⁃ e.g.) ~ devices
• Example
⁃ Input: the number of flow_rule in the system
⁃ Output: (NN/ number) (IN/ of) (NN/ flow_rule) (IN/ in) (NN/ system)
AEGIS Design
● Dependency Analyzer
• Analyzes the relationships between words
⁃ Dependency parsing
⁃ Example: (NN/ number) (IN/ of) (NN/ flow_rule) (IN/ in) (NN/ system) →
・ root(Root-0, number-1)
・ case(flow_rule-3, of-2)
・ nmod:of(number-1, flow_rule-3)
・ case(system-5, in-4)
・ nmod:in(number-1, system-5)
⁃ Extracts the set of nominal modifier (nmod) relations
⁃ Generates the asset linked-list based on predefined rules: system → flow_rule → number
⁃ Tags the list with the API path & action: READ, org.onosproject.net.flow.FlowRuleService.getFlowRuleCount
AEGIS Design
● SDN Asset Map Generator
• Integrates all asset linked-lists (the figure shows the resulting ONOS asset map)
• Flexible permission model generation
⁃ Prunes the map based on the permission model policy
・ e.g.) Remove the STATISTIC node and move its tags to the PORT node
● API-permission Mapping Constructor
• Creates permission types
⁃ By concatenating the node names from each starting node to the root node, plus the action word
• Maps each generated permission type to an API path
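The static-engine pipeline described on the API document Parser through API-permission Mapping Constructor slides, as an added worked example in Python; this is not code from the AEGIS authors. It runs the slides' own description ("Returns the number of flow rules in the system.") plus three constructed ones through the preprocessor, a simplified role labeler with the to-infinitive re-classification, determiner removal and stemming, and then builds the asset map, applies a pruning policy and emits API–permission mappings. Assumptions, all labelled in the code: the verb lists beyond the slides' examples, the entity n-gram vocabulary, the stopword list, a preposition split standing in for a real dependency parser, "system" as the global root that is omitted from permission names, and the exact concatenation order of node names.

```python
import re

# Constructed sample input in the form the API document parser emits
# (API path -> description). The first entry is the slides' example;
# the other three are constructed for contrast.
API_DOCS = {
    "org.onosproject.net.flow.FlowRuleService.getFlowRuleCount":
        "Returns the number of flow rules in the system.",
    "org.onosproject.net.flow.FlowRuleService.removeFlowRules":
        "Removes the specified flow rules from the system.",
    "org.onosproject.net.device.DeviceService.getPorts":
        "Returns the list of ports on the device in the system.",
    "org.onosproject.cluster.LeadershipAdminService.transferLeadership":
        "It attempts to assign leadership to the specified node.",
}

# Verb classes from the Preprocessor slide; membership beyond its examples is assumed.
ACTION_WORDS = {
    "read": {"returns", "obtain", "fetch", "get", "find", "check", "retrieve"},
    "write": {"send", "create", "remove", "removes", "add", "unregister", "assign"},
    "execute": {"invoke", "activate", "stop", "perform", "start"},
}
ENTITY_NGRAMS = [(r"\bflow rules?\b", "flow_rule")]  # assumed entity vocabulary
DETERMINERS = {"the", "a", "an", "specified"}         # assumed stopword list
PREPOSITIONS = {"of", "in", "from", "on"}             # links that form nmod chains
ROOT = "system"  # assumed global root of the asset map; left out of permission names


def to_action(word):
    """Map a verb onto read/write/execute, or None if the verb is unknown."""
    for action, verbs in ACTION_WORDS.items():
        if word in verbs:
            return action
    return None


def preprocess(description):
    """Preprocessor: lowercase, drop special characters, merge entity n-grams,
    normalise verbs to action words and inject the fake subject 'it'."""
    text = re.sub(r"[^a-z0-9 ]", " ", description.lower())
    for pattern, token in ENTITY_NGRAMS:
        text = re.sub(pattern, token, text)
    words = [to_action(w) or w for w in text.split()]
    if words[0] != "it":
        words.insert(0, "it")
    return words


def label_roles(words):
    """Semantic Role Labeler: split into (subject, verb, object). If the object
    opens with a to-infinitive ('it attempts to assign ...'), re-classify so the
    infinitive becomes the main verb and the remainder the object."""
    subject, verb, obj = words[0], words[1], words[2:]
    if len(obj) > 1 and obj[0] == "to" and obj[1] in ACTION_WORDS:
        verb, obj = obj[1], obj[2:]
    return subject, verb, obj


def intermediate(obj):
    """Intermediate processor: drop determiners, reduce plurals to a crude stem."""
    out = []
    for w in obj:
        if w in DETERMINERS:
            continue
        if w.endswith("s") and len(w) > 3 and "_" not in w:
            w = w[:-1]
        out.append(w)
    return out


def asset_chain(tokens):
    """Dependency Analyzer, simplified: approximate the nmod chain of
    'number of flow_rule in system' by splitting on prepositions and taking
    each chunk's first noun. The chain runs from starting node up to the root."""
    chain, chunk = [], []
    for t in tokens + [None]:
        if t is None or t in PREPOSITIONS:
            if chunk:
                chain.append(chunk[0])
            chunk = []
        else:
            chunk.append(t)
    return chain


class AssetMap:
    """SDN Asset Map Generator: merge the per-API asset linked-lists into one map."""

    def __init__(self):
        self.parent = {}  # node -> parent node (None for a root)
        self.tags = {}    # node -> {(api_path, action)}

    def add_chain(self, chain, api, action):
        for i, node in enumerate(chain):
            self.parent.setdefault(node, chain[i + 1] if i + 1 < len(chain) else None)
            self.tags.setdefault(node, set())
        self.tags[chain[0]].add((api, action))

    def prune(self, nodes):
        """Permission model policy: drop a node and move its tags and children
        to its parent, like the slides' STATISTIC -> PORT example."""
        for node in nodes:
            parent = self.parent.get(node)
            if parent is None:
                continue
            self.tags[parent] |= self.tags.pop(node)
            for child, p in self.parent.items():
                if p == node:
                    self.parent[child] = parent
            del self.parent[node]

    def path_to_root(self, node):
        path = []
        while node is not None:
            path.append(node)
            node = self.parent[node]
        return path


def build_permission_model(api_docs, prune_nodes=()):
    """Whole static engine: descriptions -> asset map -> API-permission mappings."""
    amap = AssetMap()
    for api, desc in api_docs.items():
        _, action, obj = label_roles(preprocess(desc))
        amap.add_chain(asset_chain(intermediate(obj)), api, action)
    amap.prune(prune_nodes)
    model = {}
    for node, tags in amap.tags.items():
        path = [n for n in amap.path_to_root(node) if n != ROOT]
        for api, action in tags:
            # permission type = node names from starting node to root + action word
            model[api] = "_".join(path + [action]).upper()
    return model


if __name__ == "__main__":
    for api, perm in sorted(build_permission_model(API_DOCS, ("number", "list")).items()):
        print(f"{perm:20s} <- {api}")
```

With the pruning policy `("number", "list")` the count API collapses onto the FLOW_RULE node and gets `FLOW_RULE_READ`; with no pruning the same API yields `NUMBER_FLOW_RULE_READ`, which is the policy-driven flexibility the SDN Asset Map Generator slide describes.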
AEGIS Design
● Permission model
• Figure: example of ONOS API – permission mappings
AEGIS Design
● Dynamic Engine
• Consists of four modules
⁃ API Hooker
⁃ Permission Enforcer
⁃ Permission Checker
⁃ Injector
• Takes the permission model (API–permission mappings) and the SDN app's invoked API information as inputs
• Generates and injects security exception code as output
Figure: the SDN app's Manifest.xml declares permissions, which the network operator grants to the application; the API Hooker captures invoked API information at the SDN northbound APIs; the Permission Checker compares it against the granted permissions and the permission model; the Permission Enforcer and Injector either raise a security exception or let the call access the SDN resources (assets) inside the SDN controller.
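The run-time check on the Dynamic Engine slide, as an added Python example that is not the AEGIS authors' code (their engine hooks Java controller APIs): a constructed permission model and constructed app manifests feed a checker, a decorator plays the role of the API Hooker and Injector by wrapping a toy northbound service so the check runs before the call, and a security exception is raised when the calling app lacks the mapped permission. Assumed, and labelled in the code: the permission names, the way the calling app is identified (a module-level stand-in), fail-closed handling of APIs the model does not map, and the audit record kept for the operator.

```python
import functools

# Constructed permission model in the form the static engine emits
# (API path -> permission type); names follow the slides' convention.
PERMISSION_MODEL = {
    "org.onosproject.net.flow.FlowRuleService.getFlowRuleCount": "FLOW_RULE_READ",
    "org.onosproject.net.flow.FlowRuleService.removeFlowRules": "FLOW_RULE_WRITE",
}

# Constructed manifests: permissions each app declared and the operator granted.
GRANTED = {
    "org.onosproject.fwd": {"FLOW_RULE_READ"},
    "org.onosproject.suspicious": {"FLOW_RULE_READ"},
}


class SecurityException(Exception):
    """The security exception the Injector raises for an unpermitted API call."""


class PermissionChecker:
    def __init__(self, model, granted):
        self.model, self.granted = model, granted
        self.audit = []  # (app, api, needed permission, allowed): operator audit trail (assumed)

    def decide(self, app, api):
        needed = self.model.get(api)
        # Assumed fail-closed policy: an API the model does not map is denied.
        allowed = needed is not None and needed in self.granted.get(app, set())
        self.audit.append((app, api, needed, allowed))
        return allowed


# Stand-in for the controller's notion of which app is calling (assumed).
CURRENT_APP = {"name": None}


def hooked(checker, api_path):
    """API Hooker + Injector: wrap a northbound API so the permission check runs
    before the real method and an unpermitted call never reaches the asset."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            app = CURRENT_APP["name"]
            if not checker.decide(app, api_path):
                raise SecurityException(
                    f"{app} invoked {api_path} without {checker.model.get(api_path)}")
            return fn(*args, **kwargs)
        return wrapper
    return decorator


CHECKER = PermissionChecker(PERMISSION_MODEL, GRANTED)


class FlowRuleService:
    """Toy stand-in for the controller's northbound flow rule service (constructed)."""

    def __init__(self):
        self.rules = {"r1", "r2", "r3"}

    @hooked(CHECKER, "org.onosproject.net.flow.FlowRuleService.getFlowRuleCount")
    def get_flow_rule_count(self):
        return len(self.rules)

    @hooked(CHECKER, "org.onosproject.net.flow.FlowRuleService.removeFlowRules")
    def remove_flow_rules(self, *rule_ids):
        self.rules -= set(rule_ids)
        return len(self.rules)


def invoke(app, method, *args):
    """Run one API call on behalf of `app`; returns ('ok', result) or ('denied', message)."""
    CURRENT_APP["name"] = app
    try:
        return "ok", method(*args)
    except SecurityException as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    svc = FlowRuleService()
    print(invoke("org.onosproject.fwd", svc.get_flow_rule_count))
    print(invoke("org.onosproject.suspicious", svc.remove_flow_rules, "r1"))
    print(CHECKER.audit)
```

The decision is made from the model alone, so the same checker serves any controller whose northbound methods can be wrapped, which is the portability argument the Dynamic Engine slide makes; the audit list gives the operator a record of every denied call.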