Attacking SDN Infrastructure: Are We Ready for the Next-Gen Networking?

Presented at Black Hat USA 2016, Aug. 4, 2016, 5 p.m. (25 minutes).

Software-Defined Networking (SDN), by decoupling the control logic from the closed and proprietary implementations of traditional network devices, allows researchers and practitioners to design new innovative network functions/protocols in a much easier, more flexible, and powerful way. This technology has gained significant attentions from both industry and academia, and it is now at its adoption stage. When considering the adoption of SDN, the security vulnerability assessment is an important process that must be conducted against any system before the deployment and arguably the starting point toward making it more secure.

In this briefing, we explore the attack surface of SDN by actually attacking each layer of SDN stack. The SDN stack is generally composed of control plane, control channel and data plane: The control plane implementations, which are commonly known as SDN controllers or Network OS, implementations are commonly developed and distributed as an open-source project. Of those various Network OS implementations, we attack the most prevalent ones, OpenDaylight (ODL) [1] and Open Network Operating System (ONOS) [2]. These Network OS projects are both actively led by major telecommunication and networking companies, and some of the companies have already deployed them to their private cloud or network [3, 4]. For the control channel, we also attack a well-known SDN protocol [5], OpenFlow. In the case of the data plane, we test some OpenFlow-enabled switch device products from major vendors, such as HP and Pica8.

Of the attacks that we disclose in this briefing, we demonstrate some of the most critical attacks that directly affect the network (service) availability or confidentiality. For example, one of the attack arbitrarily uninstalls crucial SDN applications running on an ODL(or ONOS) cluster, such as routing, forwarding, or even security service applications. Another attack directly manipulates logical network topology maintained by an ODL(or ONOS) cluster to cause network failures. In addition, we also introduce some of the SDN security projects. We briefly go over the design and implementation of Project Delta, which is an official open-source SDN penetration testing tool pushed forward by Open Networking Foundation Security group, and Security-Mode ONOS, a security extension that protects the core of ONOS from the possible threats of untrusted third-party applications.

References [1] Medved, Jan, et al. "Opendaylight: Towards a model-driven sdn controller architecture." 2014 IEEE 15th International Symposium on. IEEE, 2014. [2] Berde, Pankaj, et al. "ONOS: towards an open, distributed SDN OS."Proceedings of the third workshop on Hot topics in software defined networking. ACM, 2014. [3] Jain, Sushant, et al. "B4: Experience with a globally-deployed software defined WAN." ACM SIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, 2013. [4] CORD: ReĀ­inventing Central Offices for Efficiency and Agility. http://opencord.org (2016). [5] OpenFlow. OpenFlow Switch Specification version 1.1.0. Tech. rep., 2011. http://www.openflow.org/documents/openflow-spec-v1.1.0.pdf.


Presenters:

  • Changhoon Yoon - KAIST
    Changhoon Yoon is a PhD student at KAIST (School of Computing) in South Korea. He is working with Dr. Seungwon Shin at Network and System Security Laboratory, and his research interests primarily lie in the area of network security including Software-Defined Networking (SDN) and Network Function Virtualization (NFV) security. He is currently leading Security-Mode ONOS project, which is a collaborative project with the researchers from ON.LAB and SRI International to design and implement a security extension for ONOS, and he is also participating in other SDN security projects, such as SDN WAN security project and etc. In addition, he has presented "Security-Mode ONOS" at ONS 2016, and he published several research papers on SDN security at a major journal and a workshop.
  • Seungsoo Lee - KAIST
    Seungsoo Lee is a Ph.D. student in the Graduate School of Information Security at KAIST working with Dr. Seungwon Shin in Network and System Security (NSS) Laboratory. He received his B.S. degree in Computer Science from Soongsil University in Korea. He received his M.S. degree in Information Security from KAIST. His research interests include secure and robust SDN controller, and protecting SDN environments from threats.

Links:

Similar Presentations: