automated discovery of cross plane event based
play

Automated Discovery of Cross - Plane Event - Based Vulnerabilities in - PowerPoint PPT Presentation

May 10, 2023 •135 likes •605 views

Automated Discovery of Cross - Plane Event - Based Vulnerabilities in Software - Defined Networking Benjamin E. Ujcich 1 , Samuel Jero 2 , Richard Skowyra 2 , Steven R. Gomez 2 , Adam Bates 1 , William H. Sanders 1 , and Hamed Okhravi 2 1 University

  1. Automated Discovery of Cross - Plane Event - Based Vulnerabilities in Software - Defined Networking Benjamin E. Ujcich 1 , Samuel Jero 2 , Richard Skowyra 2 , Steven R. Gomez 2 , Adam Bates 1 , William H. Sanders 1 , and Hamed Okhravi 2 1 University of Illinois at Urbana - Champaign, 2 MIT Lincoln Laboratory 2020 Network and Distributed System Security Symposium (NDSS) February 25, 2020 San Diego, CA, USA

  2. SDN is Everywhere! 2

  3. Network “Appification” 3

  4. Network “Appification” Do apps work well together? 4

  5. Network “Appification” How can they be exploited? 5

  6. Cross - Plane Vulnerabilities Reactive Event - Based Control Plane CONTROL PLANE DATA PLANE Flow rule Packets from configuration hosts SDN data SDN data plane input plane output 6

  7. Cross - Plane Vulnerabilities Event App event dispatch listener SDN data plane SDN data plane … input (e.g., output (e.g., packets) flow rules) App event listener Reactive Event - Based Control Plane 7

  8. Cross - Plane Vulnerabilities Event App event dispatch listener Event App event … dispatch listener SDN data plane App event SDN data plane … input (e.g., listener output (e.g., packets) flow rules) App event listener … Reactive Event - Based Control Plane 8

  9. Cross - Plane Vulnerabilities Event … App event dispatch listener Event App event API … dispatch listener call SDN data plane App event SDN data plane … input (e.g., listener output (e.g., packets) flow rules) App event listener … Reactive Event - Based Control Plane 9

  10. Cross - Plane Vulnerabilities: Exploitation Target: New Event Vector: Spoofed flow rules; … App event dispatch packets via removal of old listener Event malware flow rules App event API … dispatch listener call SDN data plane App event SDN data plane … input (e.g., listener output (e.g., packets) flow rules) App event listener … Malicious Insight: Missing event handling information can be exploited flow 10

  11. Data Plane Hosts as Attack Vectors § Cross - app study led to App 2 App 3 App 1 explore hosts as attackers Northbound § Discovered ONOS data plane SDN API Controller firewall vulnerability à CONTROL PLANE arbitrary lateral DATA PLANE Southbound API Maliciously movement crafted § Reported to ONOS traffic Access developers (CVE 2018 - 12691) control bypassed 11

  12. Anatomy of an Exploit 1. The access control app ( acl ) is activated and registers for any host events (A). acl app fwd app ONOS Controller ACL Rules Host Flow A Manager Manager CONTROL PLANE DATA PLANE Southbound API Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 12

  13. Anatomy of an Exploit 1. The access control app ( acl ) is activated and registers for any host events (A). The network operator adds access control policies (B). acl app AclRule B fwd app object ONOS Controller ACL Rules 10.0.0.1 à 10.0.0.2, Host Flow A DENY Manager Manager CONTROL PLANE DATA PLANE Southbound API Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 13

  14. Anatomy of an Exploit 2. Host 1 sends a syntactically correct but semantically invalid ICMP packet with host 1’s MAC address into the data plane. acl app fwd app ONOS Controller ACL Rules AclRule Host Flow Manager Manager CONTROL PLANE DATA PLANE Southbound API Switch ICMP Echo Request (1) Flow table IP src: 0.0.0.0 Host 2 Host 1 IP dst: 255.255.255.255 (victim) Port Port MAC src: 00:00:00:00:00:01 (malicious) 1 2 IP: 10.0.0.2 14

  15. Anatomy of an Exploit 3. ONOS sees the packet (A) acl app fwd app ONOS Controller ACL Rules AclRule Host Flow Manager Manager CONTROL PLANE A ICMP Echo DATA PLANE Southbound API Request (1) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 15

  16. Anatomy of an Exploit 3. ONOS sees the packet (A) and registers a new host with its MAC address but not IP address (B). acl app fwd app ONOS Controller ACL Rules Host object B AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [none] CONTROL PLANE A ICMP Echo DATA PLANE Southbound API Request (1) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 16

  17. Anatomy of an Exploit 3. ONOS sees the packet (A) and registers a new host with its MAC address but not IP address (B). It generates a HOST_ADDED event (C). C HostEvent object acl app HOST_ADDED fwd app ONOS Controller ACL Rules Host object B AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [none] CONTROL PLANE A ICMP Echo DATA PLANE Southbound API Request (1) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 17

  18. Anatomy of an Exploit 4. The acl app sees the HOST_ADDED event (A) A HostEvent object acl app HOST_ADDED fwd app ONOS Controller ACL Rules Host object AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [none] CONTROL PLANE ICMP Echo DATA PLANE Southbound API Request (1) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 18

  19. Anatomy of an Exploit 4. The acl app sees the HOST_ADDED event (A) and host (B), but since the host doesn’t have an IP, the app does not insert flow deny rules. A HostEvent object acl app HOST_ADDED fwd app ONOS Controller ACL Rules B Host object AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [none] CONTROL PLANE ICMP Echo DATA PLANE Southbound API Request (1) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 19

  20. Anatomy of an Exploit 4. The acl app sees the HOST_ADDED event (A) and host (B), but since the host doesn’t have an IP, the app does not insert flow deny rules. AclManager.java processing host events AclManager.java handling new host events ✕ ✓ No IP addresses ✕ Never gets called 20

  21. Anatomy of an Exploit 5. Host 1 attempts to send regular traffic to its desired victim destination (host 2). Since no matching flows exist, ONOS handles the packet. acl app fwd app ONOS Controller ACL Rules Host object AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [none] CONTROL PLANE DATA PLANE Southbound API Switch ICMP Echo Request (2) Flow table IP src: 10.0.0.1 Host 2 Host 1 IP dst: 10.0.0.2 (victim) Port Port MAC src: 00:00:00:00:00:01 (malicious) 1 2 IP: 10.0.0.2 21

  22. Anatomy of an Exploit 6. ONOS registers host 1’s new IP address (A) acl app fwd app ONOS Controller ACL Rules Host object A AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [ 10.0.0.1 ] CONTROL PLANE ICMP Echo DATA PLANE Southbound API Request (2) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 22

  23. Anatomy of an Exploit 6. ONOS registers host 1’s new IP address (A) as a HOST_UPDATED event (B). acl does not handle HOST_UPDATED events, so it does nothing. B HostEvent object acl app HOST_UPDATED fwd app ONOS Controller ACL Rules Host object A AclRule MAC: Host Flow 00:00:00:00:00:01 Manager Manager IPs: [ 10.0.0.1 ] CONTROL PLANE ICMP Echo DATA PLANE Southbound API Request (2) Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 23

  24. Anatomy of an Exploit 6. ONOS registers host 1’s new IP address (A) as a HOST_UPDATED event (B). acl does not handle HOST_UPDATED events, so it does nothing. AclManager.java processing host events AclManager.java handling new host events HOST_UPDATED ✕ events not handled ✕ Never gets ✕ Never gets called called 24

  25. Anatomy of an Exploit 7. The packet gets sent to a second app (A) acl app A fwd app ONOS Controller ACL Rules Host object AclRule ICMP Echo MAC: Host Flow Request (2) 00:00:00:00:00:01 Manager Manager IPs: [10.0.0.1] CONTROL PLANE DATA PLANE Southbound API Switch Flow table Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 25

  26. Anatomy of an Exploit 7. The packet gets sent to a second app (A), which instantiates the flow (allow) rule (B) acl app A fwd app ONOS Controller ACL Rules Host object B AclRule ICMP Echo MAC: Host Flow Request (2) 00:00:00:00:00:01 Manager Manager IPs: [10.0.0.1] CONTROL PLANE FlowRule object Selector: 10.0.0.1 à 10.0.0.2 DATA PLANE Southbound API Treatment: send out port 2 Switch ICMP Echo Flow table Request (2) Host 1 Host 2 (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 26

  27. Anatomy of an Exploit 7. The packet gets sent to a second app (A), which instantiates the flow (allow) rule (B) and allows host 1 to communicate with host 2 (C). acl app A fwd app ONOS Controller ACL Rules Host object B AclRule ICMP Echo MAC: Host Flow Request (2) 00:00:00:00:00:01 Manager Manager IPs: [10.0.0.1] CONTROL PLANE FlowRule object Selector: 10.0.0.1 à 10.0.0.2 DATA PLANE Southbound API Treatment: send out port 2 Switch ICMP Echo Flow table Request (2) Host 1 Host 2 C (malicious) (victim) Port Port 1 2 IP: 10.0.0.1 IP: 10.0.0.2 27

  28. What Makes This Challenging? No ground truth about what events ought to be handled Multiple entry points for code analysis Not all event handling can affect the data plane 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Event-consistent smoothing and Introduction automated picking in CRS-based 3D CRS stack

Event-consistent smoothing and Introduction automated picking in CRS-based 3D CRS stack

75 th SEG Annual Meeting, Houston 2005 Klver & Mann Event-consistent smoothing and Introduction automated picking in CRS-based 3D CRS stack Velocity determination seismic imaging NIP waves CRS tomography Workflow Tilman Klver and

1.05k views • 68 slides
Home Learning Event NSS Discovery: National benchmarking February 2020 What is NSS Discovery?

Home Learning Event NSS Discovery: National benchmarking February 2020 What is NSS Discovery?

Hospital at Home Learning Event NSS Discovery: National benchmarking February 2020 What is NSS Discovery? NSS Discovery is a management information system that provides approved users with access to a range of comparative health

579 views • 8 slides
Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * , Abdulmajeed Alameer * , Phil McMinn + , William G. J. Halfond * * University of Southern California, USA + University of Sheffield, UK Work supported

989 views • 62 slides
Semantic Flow Augmentation for the Automated Discovery of Organizational Relationships Chris

Semantic Flow Augmentation for the Automated Discovery of Organizational Relationships Chris

Semantic Flow Augmentation for the Automated Discovery of Organizational Relationships Chris Strasburg*, Harris T Lin, Nikolas Kinkel The Ames Laboratory {cstras,htlin,nskinkel}@ameslab.gov * - Presenting Relationship Discovery Why does

247 views • 22 slides
Open Discovery : Automated Docking of Ligands to Proteins and Molecular Simulation Gareth Price

Open Discovery : Automated Docking of Ligands to Proteins and Molecular Simulation Gareth Price

Open Discovery : Automated Docking of Ligands to Proteins and Molecular Simulation Gareth Price Computational MiniProject Open Discovery Aims + Achievements Produce a high-throughput protocol to screen a library of chemical compounds

334 views • 20 slides
Automated one-loop matching with Match Maker Jos Santiago Based on: C. Anastasiou, A.

Automated one-loop matching with Match Maker Jos Santiago Based on: C. Anastasiou, A.

HEFT 2017 Lumley Castle, May 23, 2017 Automated one-loop matching with Match Maker Jos Santiago Based on: C. Anastasiou, A. Carmona, A. Lazopoulos, J.S. (to appear) After the discovery of the Higgs, the LHC has turned into New Physics

326 views • 21 slides
Event Calculus and Answer Set Programming Joohyung Lee Automated Reasoning Group School of

Event Calculus and Answer Set Programming Joohyung Lee Automated Reasoning Group School of

Event Calculus and Answer Set Programming Joohyung Lee Automated Reasoning Group School of Computing, Informatics and Decision Systems Engineering Arizona State University KOCSEA 2009 (Based on IJCAI 2007, 2009 Papers) Knowledge in Action

568 views • 32 slides
NMOS IS-04 Discovery and Registration Chris Gil & SMPTE Event hosted by Atos Cristian

NMOS IS-04 Discovery and Registration Chris Gil & SMPTE Event hosted by Atos Cristian

NMOS IS-04 Discovery and Registration Chris Gil & SMPTE Event hosted by Atos Cristian Recoseanu 25 October 2018 Introduction Why do we need NMOS? AMWA NMOS Specifications Discovery and Registration Connection Management Event &

1.27k views • 40 slides
Machine-Learning & AI-based Approaches for GPCR Bioactive Ligand Discovery Sebastian Raschka,

Machine-Learning & AI-based Approaches for GPCR Bioactive Ligand Discovery Sebastian Raschka,

Cambridge Healthtech Institute's 14th Annual GPCR-Based Drug Discovery Discovery on Target Conference September 19, 2019 | Boston, MA https://www.discoveryontarget.com/GPCR-drug-discovery Machine-Learning & AI-based Approaches for GPCR

411 views • 38 slides
Automated Cross-Slope and Drainage Path Method AASHTO TECHNOLOGY IMPLEMENTATION GROUP

Automated Cross-Slope and Drainage Path Method AASHTO TECHNOLOGY IMPLEMENTATION GROUP

AASHTO Automated Cross-Slope and Drainage Path Method AASHTO TECHNOLOGY IMPLEMENTATION GROUP Presentation Outline: Contributing factors to Hydroplaning Traditional and Automated Survey Methods Multi-Purpose Survey Vehicle (MPSV) and

757 views • 37 slides
Improving Test Case Generation for Web Applications Using Automated Interface Discovery William

Improving Test Case Generation for Web Applications Using Automated Interface Discovery William

Improving Test Case Generation for Web Applications Using Automated Interface Discovery William G.J. Halfond and Alessandro Orso Georgia Institute of Technology Web Application Overview Request Web http://host?login=alice&pin=1234

892 views • 40 slides
Motivations Automated Text Mining and Vast Quantities of Text Available Knowledge Discovery

Motivations Automated Text Mining and Vast Quantities of Text Available Knowledge Discovery

A Visual Approach to Motivations Automated Text Mining and Vast Quantities of Text Available Knowledge Discovery Scientific Literature News Articles and Blogs Doctoral Dissertation by Email Andrey A. Puretskiy

336 views • 7 slides
Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule

Automated Productivity Based Automated Productivity Based Schedule Animation (APBSA) Schedule Animation (APBSA) Gokhan Gelisen, PhD Cand, PE Cost Manager Polytechnic Institute of NYU / Skanska USA Civil Inc. How to Improve Productivity?

395 views • 35 slides
An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in

An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in

1 An Automated, Cross-Layer Instrumentation Framework for Diagnosing Performance Problems in Distributed Applications By Emre Ates 1 , Lily Sturmann 2 , Mert Toslali 1 , Orran Krieger 1 , Richard Megginson 2 , Ayse K. Coskun 1 , and Raja

404 views • 38 slides
1 Technologies in Drug Discovery Chemistry Lab based HPC MD-based Simulations Expensive

1 Technologies in Drug Discovery Chemistry Lab based HPC MD-based Simulations Expensive

1 Technologies in Drug Discovery Chemistry Lab based HPC MD-based Simulations Expensive Inexpensive Protracted Very fast Difficult Useful for early stages HPC in Drug Discovery 2 In silico Screening Complements

252 views • 14 slides
Measurements of flow harmonics with the event plane and cumulant methods from the ATLAS

Measurements of flow harmonics with the event plane and cumulant methods from the ATLAS

1 Measurements of flow harmonics with the event plane and cumulant methods from the ATLAS experiment Quark Matter 2012 - 2012-08-17 Washington DC Tomasz Bold, AGH UST Krakow for the ATLAS Collaboration 2 Topics covered Integrated

460 views • 18 slides
DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate Gabrielle Viala @pwissenlit 2019 Yarden Shafir @yarden_shafir About Yarden Shafir Software Engineer at CrowdStrike Circusing most of

776 views • 42 slides
Container Performance Analysis Brendan Gregg bgregg@neIlix.com October 29November 3, 2017 |

Container Performance Analysis Brendan Gregg bgregg@neIlix.com October 29November 3, 2017 |

Container Performance Analysis Brendan Gregg bgregg@neIlix.com October 29November 3, 2017 | San Francisco, CA www.usenix.org/lisa17 #lisa17 Take Aways IdenNfy boPlenecks: 1. In the host vs container, using system metrics 2. In

1.07k views • 69 slides
Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Insecure.Org Insecure.Org Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM Insecure.Org Insecure.Org Scan Goals Collect empirical data and use it to enhance Nmap

558 views • 45 slides
Networking for Containerized Clouds Daehyeok Kim Tianlong Yu 1 , Hongqiang Liu 3 , Yibo Zhu 4 ,

Networking for Containerized Clouds Daehyeok Kim Tianlong Yu 1 , Hongqiang Liu 3 , Yibo Zhu 4 ,

FreeFlow: Software-based Virtual RDMA Networking for Containerized Clouds Daehyeok Kim Tianlong Yu 1 , Hongqiang Liu 3 , Yibo Zhu 4 , Jitu Padhye 2 , Shachar Raindel 2 Chuanxiong Guo 4 , Vyas Sekar 1 , Srinivasan Seshan 1 Carnegie Mellon

835 views • 25 slides
CS6 Practical System Skills Fall 2019 edition Leonhard Spiegelberg lspiegel@cs.brown.edu

CS6 Practical System Skills Fall 2019 edition Leonhard Spiegelberg lspiegel@cs.brown.edu

CS6 Practical System Skills Fall 2019 edition Leonhard Spiegelberg lspiegel@cs.brown.edu Recap Last lecture: - bash scripting - exit codes / status codes / return codes 0 success, else failure - && and II - [ and test -

1.24k views • 58 slides
ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub:

ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub:

ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub: tima Twitter: appnelgroup THE ANSIBLE WAY 2 COMPLEXITY KILLS PRODUCTIVITY That's not just a marketing slogan. We really mean it and believe that.

922 views • 38 slides
HM HMIS P Projec ect M Monitoring May 2020 2020 Nastacia Moore, C4 Innovations Brian

HM HMIS P Projec ect M Monitoring May 2020 2020 Nastacia Moore, C4 Innovations Brian

HM HMIS P Projec ect M Monitoring May 2020 2020 Nastacia Moore, C4 Innovations Brian Roccapriore, The Cloudburst Group 1 Webina nar I Instruc uctions ons Webinar will last about 60 minutes Access to recorded version

1.07k views • 35 slides
Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container

Introduction to Kubernetes Containers container vs virtual machine Virtual machine Container runs its own kernel uses the host kernel user-space user-space vm user-space container user-space vm kernel host kernel host kernel

833 views • 26 slides

More recommend