
OpenFlow: A Security Analysis, by Rowan Klöti, Vasileios Kotronis, Paul Smith - PowerPoint PPT Presentation



  1. OpenFlow: A Security Analysis
     Rowan Klöti (1), Vasileios Kotronis (2), Paul Smith (3)
     (1) rkloeti@alumni.ethz.ch, ETH Zurich
     (2) vkotroni@tik.ee.ethz.ch, ETH Zurich
     (3) paul.smith@ait.ac.at, AIT Austrian Institute of Technology GmbH
     07.10.2013, ICNP NPSec 2013, Göttingen, Germany

  2. Outline
     1 Introduction
       - Objectives
       - SDN and OpenFlow
     2 Approach
       - Attack Model
       - STRIDE
       - Attack Trees
       - Combining the Approaches
       - Experimental Setup
     3 Results
       - Security Analysis
       - Empirical Testing
     4 Recommendations
     5 Conclusion

  3. Objectives
     - Security analysis of OpenFlow protocol and networks
     - Focus on v1.0.0, but extensible/adaptable methodology
     - Develop model
     - Analyze model
     - Describe attacks
     - Empirically demonstrate one or more security issues
     - Develop setup to enable this empirical demonstration
     - Suggest potential fixes and mitigations for security issues

  4. Why OpenFlow Security Analysis?
     - OpenFlow started as a largely academic endeavour
     - But has recently seen increasing deployment in production systems:
       - Google’s OpenFlow WAN
       - Cisco, Juniper, HP products
       - Adoption by cloud hosts and service providers
     - But why security?
       - No official security analysis of the protocol itself
       - Research is just catching up (see HotSDN 2013 program)
       - Security is extremely important for production systems, but can be overlooked

  5. SDN and OpenFlow 101
     - Software Defined Networks (SDNs) separate data plane and control plane
     - OpenFlow implements SDN:
       - Switch implements data plane
       - Controller implements control plane
     - Switch and controller connected with secure channel over control network
     - Controller installs flow rules on switch
     - Flow rule header fields match packet headers
     - Packets matching a flow rule have actions performed on them
     [Figure labels: Header Fields, Counters, Actions]

  6. Attack Model
     - Three scenarios
       - Attacker controls a single client
       - Attacker controls multiple clients
       - Attacker has access to control network
     - The first scenario is given greatest consideration
     - Scenarios where attacker has access to actual secure channel are not considered
       - This would involve compromising SSL or TLS, which is outside the scope of this work

  7. STRIDE
     - Security modeling methodology
     - Types of vulnerabilities modeled by the method [3]:
       - Spoofing
       - Tampering
       - Repudiation
       - Information Disclosure
       - Denial of Service
       - Elevation of Privilege
     - Use data flow diagrams to uncover potential vulnerabilities
     - Models how external data enters into and propagates through system
     [Figure: Data flow diagram. Elements: Client, Web application, Database; flows: Request, Reply, Query, Results]

  8. Attack Trees
     - Used to describe and analyze attacks
     - Based on fault tree analysis [4]
     - Represent prerequisites for attacks
     - Leaf nodes represent actions or events
     - These propagate through AND and OR gates
     - Root node is objective
     - Can calculate various metrics if values for leaf nodes are known
     [Figure: Attack tree. Nodes: Get root access; Social engineering; Dictionary attack; Exploit vulnerability; Find vulnerability; Develop exploit; Execute attack]

  9. From STRIDE DFDs to Attack Trees
     - Data flow diagrams show us potential vulnerabilities
     - They show us which components present an attack surface
     - Attack trees allow these to be developed into practical attacks
     - A given objective may have multiple attack paths
     - Attack trees help to analyze and optimise attack paths
     - These two approaches are complementary

  10. Experimental Setup
     - Mininet is a virtual network emulation environment
       - Based on Linux network namespaces
       - Runs Open vSwitch (virtual OpenFlow switch)
       - Can emulate performance constraints
         - Bandwidth
         - Latency and jitter
       - This is required to simulate attacks
     - Forms the basis of test environment
     - Use POX as a controller

  11. Setup Schematics
     [Figure: Network topology for Denial of Service attack demonstration]
     [Figure: Network topology for Information Disclosure attack demonstration]

  12. Denial of Service I
     [Figure: Data flow diagram of switch. Elements: Interface 1, Interface 2, Input buffer 1, Input buffer 2, Output buffer 1, Output buffer 2, OpenFlow Module, Data path, Secure Channel, Flow table. Legend: Denial of Service, Information Disclosure, Tampering]

  13. Denial of Service II
     [Figure: Close-up of data flow diagram. Elements: OpenFlow Module, Secure Channel, Data path, Flow table. Legend: Denial of Service, Information Disclosure, Tampering]

  14. Denial of Service III
     [Figure: Denial of Service attack tree with attack path highlighted. Top-level branches: Against switch, Against controller]

  15. Denial of Service IV
     [Figure: Close-up of highlighted attack path. Denial of service > Against switch > Against Flow table > leaves "Identify which flow rules are created without wildcards" and "Generate very high traffic load on interface"]

  16. Information Disclosure I
     [Figure: Data flow diagram of controller. Elements: OpenFlow Interface, Decision, Policy, Administrator, Administration interface, Log. Legend: Denial of Service, Information Disclosure, Tampering]

  17. Information Disclosure II
     [Figure: Close-up of data flow diagram. Elements: OpenFlow Interface, Switch, Decision; flows: Controller-to-switch message, Asynchronous message, Set state/action, Get state/event. Legend: Denial of Service, Information Disclosure, Tampering]
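
Slide 8 notes that metrics can be calculated over an attack tree once leaf values are known. The following added example (not from the original slides) computes the lowest-cost attack path through a simplified version of the Denial of Service tree from slides 14 and 15. The gate types, the branch layout outside the highlighted path and every cost value are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" or "OR"
    cost: float = 0.0       # attacker effort; meaningful for leaves only
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, leaves) of the lowest-cost way to achieve `node`."""
    if node.gate == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.gate == "AND":  # all prerequisites needed: costs add up
        return (sum(c for c, _ in results),
                [leaf for _, leaves in results for leaf in leaves])
    if node.gate == "OR":   # one alternative suffices: cheapest wins
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r}")

def build_dos_tree(traffic_load_cost=2.0):
    """Simplified DoS tree; gate types and all costs are assumptions."""
    flow_table = Node("Against flow table", "AND", children=[
        Node("Identify which flow rules are created without wildcards", cost=1.0),
        Node("Generate very high traffic load on interface", cost=traffic_load_cost),
    ])
    switch = Node("Against switch", "OR", children=[
        flow_table,
        Node("Against input buffer", cost=6.0),   # collapsed to one leaf
    ])
    controller = Node("Against controller", "AND", children=[
        Node("Obtain access to management network", cost=5.0),
        Node("Perform regular denial of service attack against controller", cost=3.0),
    ])
    return Node("Denial of service", "OR", children=[switch, controller])

if __name__ == "__main__":
    print(cheapest(build_dos_tree()))
    # Same tree after a mitigation makes flow-table exhaustion more expensive
    print(cheapest(build_dos_tree(traffic_load_cost=10.0)))
```

Raising the cost of one leaf moves the cheapest path to a different branch, which is how the tree helps decide where the next mitigation is needed.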
