Automated Discovery of Cross-Plane Event-Based Vulnerabilities in … - PowerPoint PPT Presentation



SLIDE 1

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Benjamin E. Ujcich (1), Samuel Jero (2), Richard Skowyra (2), Steven R. Gomez (2), Adam Bates (1), William H. Sanders (1), and Hamed Okhravi (2)

(1) University of Illinois at Urbana-Champaign; (2) MIT Lincoln Laboratory

2020 Network and Distributed System Security Symposium (NDSS), February 25, 2020, San Diego, CA, USA

SLIDE 2

SDN is Everywhere!

SLIDE 3

Network “Appification”

SLIDE 4

Network “Appification”

Do apps work well together?

SLIDE 5

Network “Appification”

How can they be exploited?

SLIDE 6

Cross-Plane Vulnerabilities

[Diagram: a reactive event-based control plane sits between the SDN data plane input (packets from hosts) and the SDN data plane output (flow rule configuration); the control plane is drawn above the data plane.]

SLIDE 7

Cross-Plane Vulnerabilities

[Diagram: inside the reactive event-based control plane, SDN data plane input (e.g., packets) is turned into events by an event dispatch, delivered to an app event listener, and the listener's handling produces SDN data plane output (e.g., flow rules).]

SLIDE 8

Cross-Plane Vulnerabilities

[Diagram: as on the previous slide, but the event dispatch now fans out to several app event listeners (App event listener, App event listener, …), each of which may produce data plane output.]

SLIDE 9

Cross-Plane Vulnerabilities

[Diagram: as on the previous slide, with API calls between app event listeners added, so one app's event handling can reach another app's state and, through it, the data plane output.]

SLIDE 10

Cross-Plane Vulnerabilities: Exploitation

[Diagram: the same event flow, with a malicious information flow traced from the SDN data plane input, through event dispatch and API calls between app event listeners, to the SDN data plane output.]

Vector: spoofed packets via malware. Target: new flow rules; removal of old flow rules.

Insight: missing event handling can be exploited.

SLIDE 11

Data Plane Hosts as Attack Vectors

• A cross-app study led us to explore hosts as attackers
• Discovered an ONOS data plane firewall vulnerability → arbitrary lateral movement
• Reported to the ONOS developers (CVE-2018-12691)

[Diagram: an SDN controller in the control plane hosting App 1, App 2 and App 3 over the northbound API and connected to the data plane over the southbound API; maliciously crafted traffic from a data plane host leads to access control being bypassed.]

SLIDE 12

Anatomy of an Exploit

1. The access control app (acl) is activated and registers for any host events (A).

[Diagram: the ONOS controller (control plane) contains the Host Manager, the Flow Manager, the fwd app, the acl app with its ACL Rules, and the southbound API; the data plane contains a switch with a flow table, port 1 and port 2, Host 1 (malicious, IP 10.0.0.1) on port 1 and Host 2 (victim, IP 10.0.0.2) on port 2. Marker A: the acl app registers with the Host Manager.]

SLIDE 13

Anatomy of an Exploit

1. The access control app (acl) is activated and registers for any host events (A). The network operator adds access control policies (B).

[Diagram: as on the previous slide. Marker B: an AclRule object, 10.0.0.1 → 10.0.0.2, DENY, is stored in the acl app's ACL Rules.]

SLIDE 14

Anatomy of an Exploit

2. Host 1 sends a syntactically correct but semantically invalid ICMP packet with host 1's MAC address into the data plane.

[Diagram: as before. Host 1 emits ICMP Echo Request (1) with IP src 0.0.0.0, IP dst 255.255.255.255, MAC src 00:00:00:00:00:01 into port 1 of the switch.]

SLIDE 15

Anatomy of an Exploit

3. ONOS sees the packet (A).

[Diagram: as before. Marker A: ICMP Echo Request (1) is passed from the switch through the southbound API to the controller's Host Manager.]

SLIDE 16

Anatomy of an Exploit

3. ONOS sees the packet (A) and registers a new host with its MAC address but not IP address (B).

[Diagram: as before. Marker B: the Host Manager creates a Host object with MAC 00:00:00:00:00:01 and IPs: [none].]

SLIDE 17

Anatomy of an Exploit

3. ONOS sees the packet (A) and registers a new host with its MAC address but not IP address (B). It generates a HOST_ADDED event (C).

[Diagram: as before. Marker C: a HostEvent object of type HOST_ADDED is dispatched for the Host object (MAC 00:00:00:00:00:01, IPs: [none]).]

SLIDE 18

Anatomy of an Exploit

4. The acl app sees the HOST_ADDED event (A).

[Diagram: as before. Marker A: the HostEvent object (HOST_ADDED) reaches the acl app.]

SLIDE 19

Anatomy of an Exploit

4. The acl app sees the HOST_ADDED event (A) and host (B), but since the host doesn't have an IP, the app does not insert flow deny rules.

[Diagram: as before. Marker B: the acl app reads the Host object (MAC 00:00:00:00:00:01, IPs: [none]); nothing is written to the Flow Manager or the switch flow table.]

SLIDE 20

Anatomy of an Exploit

4. The acl app sees the HOST_ADDED event (A) and host (B), but since the host doesn't have an IP, the app does not insert flow deny rules.

[Code excerpt: AclManager.java, processing host events and handling new host events. Annotations: the host has no IP addresses, so the branch that processes the host against the ACL rules never gets called.]

SLIDE 21

Anatomy of an Exploit

5. Host 1 attempts to send regular traffic to its desired victim destination (host 2). Since no matching flows exist, ONOS handles the packet.

[Diagram: as before. Host 1 emits ICMP Echo Request (2) with IP src 10.0.0.1, IP dst 10.0.0.2, MAC src 00:00:00:00:00:01; the switch flow table has no match, so the packet goes to the controller. The Host object still reads MAC 00:00:00:00:00:01, IPs: [none].]

SLIDE 22

Anatomy of an Exploit

6. ONOS registers host 1's new IP address (A).

[Diagram: as before. Marker A: the Host Manager updates the Host object to MAC 00:00:00:00:00:01, IPs: [10.0.0.1].]

SLIDE 23

Anatomy of an Exploit

6. ONOS registers host 1's new IP address (A) as a HOST_UPDATED event (B). acl does not handle HOST_UPDATED events, so it does nothing.

[Diagram: as before. Marker B: a HostEvent object of type HOST_UPDATED is dispatched for the Host object (MAC 00:00:00:00:00:01, IPs: [10.0.0.1]); the acl app ignores it.]

SLIDE 24

Anatomy of an Exploit

6. ONOS registers host 1's new IP address (A) as a HOST_UPDATED event (B). acl does not handle HOST_UPDATED events, so it does nothing.

[Code excerpt: AclManager.java, processing host events and handling new host events. Annotations: HOST_UPDATED events are not handled, so the new-host handling and the rule processing never get called.]

SLIDE 25

Anatomy of an Exploit

7. The packet gets sent to a second app (A).

[Diagram: as before. Marker A: ICMP Echo Request (2) is handed to the fwd app.]

SLIDE 26

Anatomy of an Exploit

7. The packet gets sent to a second app (A), which instantiates the flow (allow) rule (B).

[Diagram: as before. Marker B: the fwd app creates a FlowRule object with Selector: 10.0.0.1 → 10.0.0.2 and Treatment: send out port 2, which the Flow Manager installs in the switch flow table.]

SLIDE 27

Anatomy of an Exploit

7. The packet gets sent to a second app (A), which instantiates the flow (allow) rule (B) and allows host 1 to communicate with host 2 (C).

[Diagram: as before. Marker C: ICMP Echo Request (2) leaves port 2 of the switch and reaches Host 2 (victim, IP 10.0.0.2); the FlowRule object (Selector: 10.0.0.1 → 10.0.0.2, Treatment: send out port 2) remains in the flow table.]
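The seven steps above, replayed as an added example in Python (not ONOS code and not from the talk): HostManager, AclApp, ReactiveForwarding and the flow table are simplified stand-ins for the ONOS components on the slides, and their names and the DROP / OUT:2 treatments are assumptions of this example. It contrasts the acl behaviour the slides describe (HOST_ADDED only) with a hardened listener that also re-evaluates the ACL on HOST_UPDATED, which is the "design defensively" takeaway from the conclusions made concrete.

```python
"""Event-handling model of the 'Anatomy of an Exploit' slides.

Added example, not ONOS code: HostManager, AclApp, ReactiveForwarding and the
flow table are simplified stand-ins for the ONOS components named on the
slides, and every name here is illustrative.  The scenario replays the two
packets from the slides against an acl app that handles only HOST_ADDED and
against a hardened variant that also handles HOST_UPDATED.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class HostEventType(Enum):
    HOST_ADDED = auto()
    HOST_REMOVED = auto()
    HOST_UPDATED = auto()
    HOST_MOVED = auto()


@dataclass
class Host:
    mac: str
    ips: set = field(default_factory=set)


@dataclass(frozen=True)
class AclRule:            # e.g. 10.0.0.1 -> 10.0.0.2, DENY (slide 13)
    src_ip: str
    dst_ip: str
    action: str = "DENY"


@dataclass(frozen=True)
class FlowRule:           # selector + treatment, as on slide 26
    src_ip: str
    dst_ip: str
    treatment: str        # "DROP" (deny rule) or "OUT:2" (send out port 2)


class HostManager:
    """Learns hosts from packet-ins and dispatches HostEvents to all listeners."""

    def __init__(self):
        self.hosts = {}
        self.listeners = []

    def packet_in(self, src_mac: str, src_ip: str) -> None:
        host = self.hosts.get(src_mac)
        if host is None:
            host = Host(src_mac)
            self.hosts[src_mac] = host
            if src_ip != "0.0.0.0":          # 0.0.0.0 carries no usable address
                host.ips.add(src_ip)
            self._dispatch(HostEventType.HOST_ADDED, host)     # slide 17
        elif src_ip != "0.0.0.0" and src_ip not in host.ips:
            host.ips.add(src_ip)
            self._dispatch(HostEventType.HOST_UPDATED, host)   # slide 23

    def _dispatch(self, kind: HostEventType, host: Host) -> None:
        for listener in self.listeners:
            listener(kind, host)


class AclApp:
    """Installs flow deny rules for hosts that match an ACL rule.

    handles_updates=False reproduces the slides: only HOST_ADDED is handled,
    and a host with no IP addresses yields no deny rule.  The hardened variant
    re-evaluates the ACL whenever a host's addresses change.
    """

    def __init__(self, flow_table: set, handles_updates: bool):
        self.rules = []
        self.flow_table = flow_table
        self.handled = {HostEventType.HOST_ADDED}
        if handles_updates:
            self.handled.add(HostEventType.HOST_UPDATED)

    def on_host_event(self, kind: HostEventType, host: Host) -> None:
        if kind not in self.handled:        # unhandled event: nothing happens (slide 24)
            return
        for ip in host.ips:                 # empty on the first packet (slide 20)
            for rule in self.rules:
                if rule.action == "DENY" and ip in (rule.src_ip, rule.dst_ip):
                    self.flow_table.add(FlowRule(rule.src_ip, rule.dst_ip, "DROP"))


class ReactiveForwarding:
    """Second app from slide 25: installs an allow rule when no flow matches."""

    def __init__(self, flow_table: set):
        self.flow_table = flow_table

    def packet_in(self, src_ip: str, dst_ip: str) -> str:
        matches = [f for f in self.flow_table if (f.src_ip, f.dst_ip) == (src_ip, dst_ip)]
        if matches:
            # a deny rule takes precedence over an allow rule for the same flow
            return "DROP" if any(f.treatment == "DROP" for f in matches) else matches[0].treatment
        self.flow_table.add(FlowRule(src_ip, dst_ip, "OUT:2"))
        return "OUT:2"


def run_scenario(handles_updates: bool) -> str:
    """Replay the slides' packet sequence; return the treatment for host 1 -> host 2."""
    flow_table = set()
    hosts = HostManager()
    acl = AclApp(flow_table, handles_updates)
    acl.rules.append(AclRule("10.0.0.1", "10.0.0.2"))   # operator policy, slide 13
    hosts.listeners.append(acl.on_host_event)           # acl registers for host events
    fwd = ReactiveForwarding(flow_table)

    def controller_packet_in(src_mac, src_ip, dst_ip):
        hosts.packet_in(src_mac, src_ip)       # host learning and events first
        return fwd.packet_in(src_ip, dst_ip)   # then reactive forwarding

    # Packet 1 (slide 14): valid syntax, no usable source IP -> host learned with no IPs.
    controller_packet_in("00:00:00:00:00:01", "0.0.0.0", "255.255.255.255")
    # Packet 2 (slide 21): real addresses -> HOST_UPDATED, then the forwarding decision.
    return controller_packet_in("00:00:00:00:00:01", "10.0.0.1", "10.0.0.2")


if __name__ == "__main__":
    print("acl handles HOST_ADDED only:", run_scenario(handles_updates=False))
    print("acl also handles HOST_UPDATED:", run_scenario(handles_updates=True))
```

With the slides' behaviour the second packet is forwarded (OUT:2) because the deny rule was never installed; with the hardened listener the HOST_UPDATED event re-runs the ACL check and the deny rule is in the flow table before the forwarding app looks it up.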

SLIDE 28

What Makes This Challenging?

• No ground truth about what events ought to be handled
• Multiple entry points for code analysis
• Not all event handling can affect the data plane

SLIDE 29

What Makes This Challenging?

• No ground truth about what events ought to be handled
• Multiple entry points for code analysis
• Not all event handling can affect the data plane

EVENTSCOPE: Automated Discovery of Cross-Plane Event-Based Vulnerabilities in SDN

SLIDE 30

What Makes This Challenging?

• No ground truth about what events ought to be handled
• Multiple entry points for code analysis
• Not all event handling can affect the data plane

EVENTSCOPE: Automated Discovery of Cross-Plane Event-Based Vulnerabilities in SDN

Found 14 new vulnerabilities

SLIDE 31

EVENTSCOPE Solution

• No ground truth about what events ought to be handled → cluster apps according to similar functionality
• Multiple entry points for code analysis
• Not all event handling can affect the data plane

SLIDE 32

EVENTSCOPE: App Event Use

[Diagram: the Candidate Vulnerability Generator takes SDN app code, SDN controller code and the API definition as input and outputs Missing Event Types 1, 2, 3.]

API definition:

Host event kind

  • HOST_ADDED
  • HOST_REMOVED
  • HOST_UPDATED
  • HOST_MOVED

Link event kind

  • LINK_ADDED
  • LINK_REMOVED
  • LINK_UPDATED

App event use: the L3 routing app and the L2 forwarding app form Category 1, using event types of the Host event kind and of the Link event kind; the Firewall app forms Category 2.

SLIDE 33

EVENTSCOPE: App Event Use → Apps Similarity

[Diagram: the Candidate Vulnerability Generator takes SDN app code, SDN controller code and the API definition as input; the apps' event use is compared to compute app similarity, which yields the Missing Event Types 1, 2, 3.]
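A toy version of the candidate-vulnerability step on slides 31 to 33, added here as an example (it is not EventScope's code). Apps are clustered by the control plane API services they call, used as a proxy for "similar functionality", and within a cluster an event type that a peer handles but the app itself does not becomes a candidate missing event type. The app names, the API_USE and EVENT_USE tables, the Jaccard single-linkage clustering and the 0.5 threshold are all constructed for this example; EventScope's real features and clustering method are not described on the slides.

```python
"""Toy candidate-vulnerability generator in the spirit of slides 31-33.

Added example, not EventScope's code.  Apps are clustered by the control
plane API services they use (a stand-in for 'similar functionality'), and
within a cluster an event type handled by a peer but not by an app becomes a
candidate missing event.  All app names and tables below are constructed.
"""
from itertools import combinations

# Event kinds from the API definition on slide 32.
EVENT_KIND = {
    "HOST_ADDED": "Host", "HOST_REMOVED": "Host", "HOST_UPDATED": "Host", "HOST_MOVED": "Host",
    "LINK_ADDED": "Link", "LINK_REMOVED": "Link", "LINK_UPDATED": "Link",
}

# Constructed sample: which API services each app calls (functionality proxy).
API_USE = {
    "acl":        {"FlowRuleService", "HostService"},
    "firewall-x": {"FlowRuleService", "HostService", "ComponentConfigService"},
    "l2-fwd":     {"PacketService", "FlowObjectiveService", "TopologyService"},
    "l3-route":   {"PacketService", "FlowObjectiveService", "TopologyService", "HostService"},
}

# Constructed sample: which event types each app's listeners handle.
EVENT_USE = {
    "acl":        {"HOST_ADDED"},
    "firewall-x": {"HOST_ADDED", "HOST_UPDATED", "HOST_MOVED"},
    "l2-fwd":     {"HOST_ADDED", "HOST_REMOVED", "HOST_MOVED", "LINK_ADDED", "LINK_REMOVED"},
    "l3-route":   {"HOST_ADDED", "HOST_REMOVED", "HOST_UPDATED", "HOST_MOVED",
                   "LINK_ADDED", "LINK_REMOVED", "LINK_UPDATED"},
}


def jaccard(a: set, b: set) -> float:
    """Set similarity in [0, 1]; 0 for two empty sets."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_apps(features: dict, threshold: float) -> set:
    """Single-linkage clustering: apps whose feature sets have Jaccard
    similarity >= threshold are joined (union-find) into one cluster."""
    parent = {app: app for app in features}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(features, 2):
        if jaccard(features[a], features[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for app in features:
        clusters.setdefault(find(app), set()).add(app)
    return {frozenset(members) for members in clusters.values()}


def candidate_missing_events(clusters: set, event_use: dict) -> list:
    """Sorted (app, event_type) pairs where a cluster peer handles event_type,
    the app does not, and the app already listens to events of that kind
    (so the missing type is plausibly relevant to it)."""
    candidates = set()
    for cluster in clusters:
        for app in cluster:
            kinds_used = {EVENT_KIND[e] for e in event_use[app]}
            for peer in cluster - {app}:
                for event in event_use[peer] - event_use[app]:
                    if EVENT_KIND[event] in kinds_used:
                        candidates.add((app, event))
    return sorted(candidates)


if __name__ == "__main__":
    clusters = cluster_apps(API_USE, threshold=0.5)
    for cluster in clusters:
        print("cluster:", sorted(cluster))
    for app, event in candidate_missing_events(clusters, EVENT_USE):
        print(f"candidate: {app} does not handle {event}")
```

On the constructed tables the two firewall-like apps and the two forwarding apps form separate clusters, and the generator flags "acl" for HOST_UPDATED and HOST_MOVED (its peer handles them) and "l2-fwd" for HOST_UPDATED and LINK_UPDATED; the candidates still have to be validated against the event flow graph, since not every missing handler can affect the data plane.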

SLIDE 34

EVENTSCOPE Solution

• No ground truth about what events ought to be handled
• Multiple entry points for code analysis → abstract event flow with a graphical model
• Not all event handling can affect the data plane

SLIDE 35

EVENTSCOPE: Event Flow Graph

[Diagram: the Event Flow Graph Generator takes SDN app code, SDN controller code and the API definition, alongside the Candidate Vulnerability Generator's Missing Event Types 1, 2, 3. Graph nodes so far: Data Plane In, Data Plane Out, App 1 Host event listener, App 2 Host event listener, Component 1 Packet event listener, Component 2 Host event listener.]

Use event listeners of components and apps as entry points.

SLIDE 36

EVENTSCOPE: Event Flow Graph

[Diagram: as before, with dispatch edges added: a Host event dispatcher delivers HOST_ADDED, HOST_REMOVED, HOST_UPDATED, etc. to all Host listeners, and Link event dispatchers connect to their event listeners in the same way.]

SLIDE 37

EVENTSCOPE: Event Flow Graph

[Diagram: as before, with API call edges added to relevant control plane objects: a listener calls the Host service's getHosts() (READ) and the FlowRule service's addFlow() (WRITE).]

Add API calls to relevant control plane objects.

SLIDE 38

EVENTSCOPE: Event Flow Graph

[Diagram: as before; the FlowRule service's addFlow() (WRITE) is marked as a DATA PLANE OUTPUT (e.g., switch flow rules) and the Packet event listener's input as a DATA PLANE INPUT (e.g., packets from hosts).]

Identify API calls where data plane inputs and outputs occur.

SLIDE 39

EVENTSCOPE Solution

• No ground truth about what events ought to be handled
• Multiple entry points for code analysis
• Not all event handling can affect the data plane → trace viable control paths in the event flow graph

SLIDE 40

EVENTSCOPE: Vulnerability Validation

[Diagram: the Vulnerability Validator takes the Missing Event Types 1, 2, 3 and the event flow graph (Data Plane In, Data Plane Out) as input. In the graph, the Host Manager's Packet event listener is fed by the DATA PLANE INPUTS and dispatches HOST_ADDED, HOST_REMOVED, HOST_UPDATED, etc. to the access control app's Host event listener (an event listener with a relevant missing event), an App Host event listener and a Component Host event listener (other listeners); the FlowRule service is the DATA PLANE OUTPUT. A candidate is validated by tracing a path from data plane input, through the listener with the missing event, to data plane output.]

SLIDE 41

EVENTSCOPE Evaluation

[Diagram: the full pipeline, from SDN app code, SDN controller code and the API definition through the Candidate Vulnerability Generator, the Event Flow Graph Generator and the Vulnerability Validator, producing Vulnerabilities.]

Reported 14 vulnerabilities to the ONOS Security Team and requested CVE identifiers.

SLIDE 42

CVE-2019-11189

[Event flow graph: Data Plane In → PacketContext.inPacket(…) → provider.host.impl HostLocationProvider / InternalHostProvider → HostProviderService.hostDetected(…) → host events (HOST_ADDED, HOST_REMOVED, HOST_UPDATED, HOST_MOVED) dispatched to acl.impl AclManager / InternalHostListener → FlowRuleService.applyFlowRules(…) → Data Plane Out, and to mobility HostMobility / InternalHostListener → FlowRuleService.removeFlowRules(…) → Data Plane Out. Separately, PacketContext.inPacket(…) → fwd ReactiveForwarding / ReactivePacketProcessor → FlowObjectiveService.forward(…) → Data Plane Out.]

Firewall app installs a flow deny rule to prevent a host from communicating.

SLIDE 43

CVE-2019-11189

[Event flow graph: as on the previous slide; the HOST_MOVED edge into the acl InternalHostListener is crossed out.]

A malicious host spoofs an ARP message, which tricks the controller into thinking the host has moved.

Access control app never gets called! Host mobility app removes access control's flow rules!

SLIDE 44

CVE-2019-11189

[Event flow graph: as on the previous slide; the path PacketContext.inPacket(…) → fwd ReactiveForwarding / ReactivePacketProcessor → FlowObjectiveService.forward(…) → Data Plane Out is highlighted.]

The malicious host can now force a flow allow rule to be installed and send packets into the network.
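The event flow graph and validator of slides 35 to 40, run over the CVE-2019-11189 graph of slides 42 to 44, as an added example (not EventScope's code). The graph is hand-transcribed from the slide diagram rather than extracted from controller code; the event types each listener handles are taken from the slides for the acl listener (HOST_ADDED only), assumed for the mobility listener (HOST_MOVED), and the `ui-overlay` listener is constructed to show the case the talk warns about, a listener whose handling cannot reach the data plane. A candidate (listener, missing event) counts as viable when data plane input can raise that event at the listener and the listener's handling has a path to data plane output.

```python
"""Event flow graph and vulnerability validator, modelled on slides 35-40 and
the CVE-2019-11189 graph on slides 42-44.

Added example, not EventScope's code.  The graph below is transcribed by hand
from the slide diagram; the handled-event sets are taken from the slides for
acl, assumed for mobility, and the 'ui-overlay' listener is constructed to
show a listener with no path to the data plane.
"""
from collections import deque

DATA_PLANE_IN, DATA_PLANE_OUT = "Data Plane In", "Data Plane Out"
HOST_EVENTS = ("HOST_ADDED", "HOST_REMOVED", "HOST_UPDATED", "HOST_MOVED")
DISPATCHER = "HostEvent dispatcher"
ACL = "acl.impl.AclManager.InternalHostListener"
MOBILITY = "mobility.HostMobility.InternalHostListener"
UI = "ui-overlay.InternalHostListener"       # constructed, not on the slides

# (src, dst, label): label is the event type on a dispatcher->listener edge,
# None on ordinary call/data edges.
EDGES = [
    (DATA_PLANE_IN, "PacketContext.inPacket", None),
    ("PacketContext.inPacket", "HostLocationProvider.InternalHostProvider", None),
    ("HostLocationProvider.InternalHostProvider", "HostProviderService.hostDetected", None),
    ("HostProviderService.hostDetected", DISPATCHER, None),
    *[(DISPATCHER, listener, ev) for listener in (ACL, MOBILITY, UI) for ev in HOST_EVENTS],
    (ACL, "FlowRuleService.applyFlowRules", None),
    ("FlowRuleService.applyFlowRules", DATA_PLANE_OUT, None),
    (MOBILITY, "FlowRuleService.removeFlowRules", None),
    ("FlowRuleService.removeFlowRules", DATA_PLANE_OUT, None),
    ("PacketContext.inPacket", "ReactiveForwarding.ReactivePacketProcessor", None),
    ("ReactiveForwarding.ReactivePacketProcessor", "FlowObjectiveService.forward", None),
    ("FlowObjectiveService.forward", DATA_PLANE_OUT, None),
]

# Event types each listener actually handles (acl from slides 20/24; mobility
# assumed from slide 43; ui-overlay constructed).
HANDLED = {ACL: {"HOST_ADDED"}, MOBILITY: {"HOST_MOVED"}, UI: {"HOST_ADDED"}}


def build_graph(edges):
    """Adjacency lists: node -> [(successor, label), ...]; every node gets an entry."""
    graph = {}
    for src, dst, label in edges:
        graph.setdefault(src, []).append((dst, label))
        graph.setdefault(dst, [])
    return graph


def find_path(graph, start, goal, edge_ok):
    """BFS returning the node list of a path start -> goal, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt, label in graph[node]:
            if nxt not in parent and edge_ok(node, nxt, label):
                parent[nxt] = node
                queue.append(nxt)
    return None


def handled_edge(src, dst, label):
    """A labelled edge is traversable only if the listener handles that event."""
    return label is None or label in HANDLED.get(dst, set())


def validate_candidate(graph, listener, missing_event):
    """Viable iff data plane input can raise missing_event at the listener and
    the listener's handling can reach data plane output; returns the path or None."""
    def into_listener(src, dst, label):
        if dst == listener:
            return label == missing_event   # must arrive via the unhandled event
        return handled_edge(src, dst, label)
    head = find_path(graph, DATA_PLANE_IN, listener, into_listener)
    tail = find_path(graph, listener, DATA_PLANE_OUT, handled_edge)
    if head is None or tail is None:
        return None
    return head + tail[1:]


def data_plane_effects(graph, event):
    """Listeners that do handle `event` and reach the data plane, mapped to the
    API call right before Data Plane Out (slide 43: mobility removes flow rules)."""
    effects = {}
    for listener, handled in HANDLED.items():
        if event in handled:
            path = find_path(graph, listener, DATA_PLANE_OUT, handled_edge)
            if path:
                effects[listener] = path[-2]
    return effects


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for listener, event in [(ACL, "HOST_MOVED"), (ACL, "HOST_UPDATED"), (UI, "HOST_MOVED")]:
        path = validate_candidate(graph, listener, event)
        print(listener, event, "->", " -> ".join(path) if path else "not viable")
    print("HOST_MOVED reaches the data plane via:", data_plane_effects(graph, "HOST_MOVED"))
```

For the acl listener both HOST_MOVED (the CVE-2019-11189 case) and HOST_UPDATED (the CVE-2018-12691 case) validate with a path from Data Plane In through the dispatcher to FlowRuleService.applyFlowRules; the constructed ui-overlay listener is rejected because nothing it does reaches Data Plane Out, which is exactly the filter the third challenge on slide 28 calls for.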

SLIDE 45

Conclusions

• Considered the cross-plane event-based vulnerability problem in SDN
• Design takeaways
  – Hosts have an outsized effect on SDN operation
  – Security analysis must consider all apps working together
  – Developers must design defensively
• Discovered and validated 14 new vulnerabilities in the ONOS SDN controller

SLIDE 46

Questions?

Thank you for your time!
Benjamin E. Ujcich
E-mail: ujcich2@illinois.edu
Web: http://ujcich2.web.engr.illinois.edu

This work was supported in part by NSF Grant Nos. CNS-1657534 and CNS-1750024. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.