I DPID It My Way! A Covert Timing Channel in Software-Defined Networks
Robert Krösche, Kashyap Thimmaraju, Liron Schiff and Stefan Schmid
IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland
Outline
1. Motivation
2. Covert Timing Channel
3. CVE-2018-1000155
4. Conclusion
A New Attack in Software-Defined Networks
[Diagram: two Departments connected through an SDN Controller]
1) Switch to Controller 2) Controller to Switches 3) Destination Processing
[Diagram: bit sequence 10 11 10 ... shown against steps 1) 2) 3)]
Inherent to the OpenFlow specification
Identifier (DPID) to the same controller
A Covert Timing Channel
OpenFlow Messages
[Diagram: Switch s1 10.0.0.1, Switch s2 10.0.0.2, Controller c1 10.0.0.10]
s1 → c1: Features Reply … DPID=1 ...
s2 → c1: Features Reply … DPID=1 ...
c1: Disconnect 10.0.0.2
s2: I could not connect with DPID=1, s1 sent me a “1”.
○ When to start?
○ How long to wait?
○ Did it start?
○ When to end?
○ Load on the controller
○ Controller architecture
○ Path to the controller
Frame Structure: SoF Bit | Data Bit ... | 1 1 1 1 1 1 1 (End of Transmission)
Frame lengths evaluated: FL 7, FL 14, FL 28 (each frame = SoF Bit + Data Bits)
No load, M=64 bytes, δoffset=5ms and check the conn. status at ∆/2
No load, M=64 bytes, δoffset=5ms and check the conn. status at 2∆/3
With load (20 switches trigger Packet-Ins following a Poisson distribution with λ=1), M=64 bytes, δoffset=5ms and check the conn. status at 2∆/3
error-correction in our prototype
TCP connection establishment time
attacks as the (OpenFlow) messages are legitimate and within the switch-controller channel
Teleportation by securing the OpenFlow handshake
ID collision at the controller in OpenFlow
○ http://www.openwall.com/lists/oss-security/2018/05/09/4
○ https://www.theregister.co.uk/2018/05/10/openflow_switch_auth_vulnerability/
○ https://www.techrepublic.com/article/openflow-sdn-protocol-flaw-affects-all-versions-could-lead-to-dos-attack/
[Gray et al.] and the respective switches’ public-key certificate identifier
DPID announced in the OpenFlow handshake is over the TLS connection with the associated (DPID) certificate
○ ONOS has already patched, see https://github.com/opennetworkinglab/onos/commit/f69e3e34092139600404681798cebeefebcfa6c6
○ Other controllers to follow
[Diagram: Switch s1 10.0.0.1, Switch s2 10.0.0.2, Controller c1 10.0.0.10; the controller holds the authorization table Dpid 1 - TLS cert s1, Dpid 2 - TLS cert s2]
1. s1 and s2 establish TLS connections to c1 using TLS cert s1 and TLS cert s2.
2. s1 → c1: Features Reply with Dpid 1 (authorized for TLS cert s1).
3. s2 → c1: Features Reply with Dpid 1.
4. c1: S2 did not use authorized dpid over authenticated TLS channel!
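The controller-side check the fix describes (binding the announced DPID to the switch's TLS certificate), as an added example that is not code from the slides or from the ONOS patch; the certificate ids cert-s1/cert-s2 and the authorization table are assumptions. It puts the legacy first-come collision handling beside the certificate binding and shows that only the legacy verdict varies with whether s1 is connected, which is the bit the channel carries.

```python
# Added example, not from the slides or ONOS: a minimal model of the controller's
# verdict on a Features Reply; cert ids and the authorization table are constructed.
from dataclasses import dataclass, field
from typing import Dict, Tuple

ACCEPT = "accept"
COLLISION = "disconnect: DPID already in use by another switch"
UNAUTHORIZED = "reject: DPID not authorized for this certificate"


@dataclass
class Controller:
    authorized: Dict[str, int]        # TLS cert id -> DPID it may announce
    bind_dpid_to_cert: bool = True    # False models the pre-fix behaviour
    connected: Dict[int, str] = field(default_factory=dict)  # DPID -> cert id

    def features_reply(self, cert_id: str, dpid: int) -> str:
        """Verdict on a Features Reply announcing dpid over TLS with cert_id."""
        if self.bind_dpid_to_cert and self.authorized.get(cert_id) != dpid:
            # Fix: the verdict depends only on the certificate, never on
            # which other switches happen to be connected right now.
            return UNAUTHORIZED
        owner = self.connected.get(dpid)
        if owner is not None and owner != cert_id:
            # Legacy handling: the newcomer is disconnected, so a second
            # switch can tell whether the first one is connected.
            return COLLISION
        self.connected[dpid] = cert_id
        return ACCEPT

    def disconnect(self, dpid: int) -> None:
        self.connected.pop(dpid, None)


def receiver_outcomes(bind_dpid_to_cert: bool) -> Tuple[str, str]:
    """s2's verdicts when announcing DPID=1 while s1 holds DPID 1, then after
    s1 has disconnected (s2's own authorized DPID is 2)."""
    c = Controller({"cert-s1": 1, "cert-s2": 2}, bind_dpid_to_cert)
    c.features_reply("cert-s1", 1)             # s1 connects legitimately
    while_s1_up = c.features_reply("cert-s2", 1)
    c.disconnect(1)                            # s1 goes away
    while_s1_down = c.features_reply("cert-s2", 1)
    return while_s1_up, while_s1_down


def channel_leaks(bind_dpid_to_cert: bool) -> bool:
    """True when s2's verdict varies with s1's state, i.e. one bit leaks."""
    up, down = receiver_outcomes(bind_dpid_to_cert)
    return up != down
```

`receiver_outcomes(False)` returns `(COLLISION, ACCEPT)`, while `receiver_outcomes(True)` returns `(UNAUTHORIZED, UNAUTHORIZED)`.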
channel in Software-Defined Networks
requirement, isolation, can be violated in SDNs using our covert channel
unidirectional throughput of 20bps with ~90% accuracy
authentication and authorization, and covert channel in OpenFlow
Kashyap Thimmaraju
Email: kash@sect.tu-berlin.de
Web: www.fgsect.de/~hashkash
Fingerprint: 5FFC 5589 DC38 F6F5 CEF7 79D8 A10E 670F 9520 75CD
1. [SOSR’18] K. Thimmaraju, B. Shastry, T. Fiebig, F. Hetzelt, J.-P. Seifert, A. Feldmann, S. Schmid,” in Proc. ACM Symposium on SDN Research (SOSR), 2018.
2. [EuroSP’17] K. Thimmaraju, L. Schiff, and S. Schmid, “Outsmarting network security with SDN teleportation,” in Proc. IEEE European Security & Privacy (S&P), 2017.
3. [Gray et al.] N. Gray, T. Zinner, and P. Tran-Gia, “Enhancing SDN security by device fingerprinting,” in Proc. IFIP/IEEE International Symposium on Integrated Network Management (IM), May 2017.
4. [Dover] J. M. Dover, “A denial of service attack against the Open Floodlight SDN controller,” Dover Networks, Tech. Rep., 2013. [Online]. Available: http://dovernetworks.com/wp-content/uploads/2013/12/OpenFloodlight-12302013.pdf
5. [Secci et al.] S. Secci, K. Attou, D. C. Phung, S. Scott-Hayward, D. Smyth, S. Vemuri and You Wang, “ONOS Security and Performance Analysis: Report No. 1,” ONOS, 2017.
6. [SNBI] https://wiki.opendaylight.org/view/SNBI_Architecture_and_Design
7. [USE] https://wiki.opendaylight.org/images/2/23/Odl-usc-2014_11_20.pdf
○ Fundamental security property broken
○ Physically separated
Traditional Networks: Distributed Control Plane, hard to manage
Software-Defined Networks: Logically Centralized Control Plane, easy to manage
EuroSP’17 focused on Out-of-band Forwarding:
○ Circumvent Firewalls and Intrusion Detection Systems
○ Modify the content of packets in transit
Networking’18 focuses on Switch Identification:
○ Violate physical/logical network isolation
○ Transmit confidential information, e.g., RSA private keys
○ Send/Receive command and control messages from a Bot master
OpenFlow Messages
[Diagram: Switch s1 10.0.0.1, Switch s2 10.0.0.2, Controller c1 10.0.0.10; Packet-in / Packet-out]
Handshake of s1 with c1:
1. TCP Handshake
2. Transport Connection Established
3. Hello, Hello
4. Features Request: Tell me your Features, e.g., ID, Ports, etc.
5. Features Reply … DPID=1 ...
6. OpenFlow Connection Established: Switch from IP 10.0.0.1 has DPID=1
Handshake of s2 with c1:
1. TCP Handshake
2. Transport Connection Established
3. Hello, Hello
4. Features Request
5. Features Reply … DPID=1 ...
c1: Switch from IP 10.0.0.2 has DPID=1?! Disconnect 10.0.0.2
s2: I could not connect with DPID=1, s1 sent me a “1”.
With ONOS
[Diagram: Receiver and Sender]
1. δs: The time the sender takes to send a binary bit value
2. δr: The time the receiver takes to receive a binary bit value
3. δsc: The time to transition from the Idle state to the OpenFlow-established state
4. δdc: The time to move from the OpenFlow-established state to the OpenFlow-disconnected state
5. δoffset: A timeout value the receiver waits before it sets the controller
6. δof-deny: The time to move from OpenFlow-established to OpenFlow-disconnected when the connection is denied
7. δdelay: A timeout value the receiver waits before it checks the OpenFlow connection status
8. δchk-conn: The time the receiver takes to determine a 0 or 1 by checking the OpenFlow connection status
9. δws = ∆ − δs: A timeout value the sender waits before moving from the OpenFlow-established state to OpenFlow-disconnected
10. δwr = ∆ − δr: A timeout value the receiver waits before moving from the OpenFlow-disconnected state to the Idle state
Measured the accuracy using Levenshtein distance
1. Effect of timing interval (∆)
2. Effect of frame length (FL)
3. Effect of delay in conn. status (δdelay)
4. Effect of load on the controller
5. Effect of message length (M)
No load, M=64 bytes, δoffset=5ms and check the conn. status at ∆/2
Done too soon (∆/3)
Done later (2∆/3)
No load, M=64 bytes, δoffset=5ms and check the conn. status at ∆/3
OpenFlow Messages
[Diagram: Switch s1 10.0.0.1, Switch s2 10.0.0.2, Controller c1 10.0.0.10]
c1: Switch from IP 10.0.0.2 has DPID=1?!
c1: Switch from IP 10.0.0.1 had DPID=1 first!
c1: Disconnect Switch from IP 10.0.0.2!
s2: I could not connect with DPID=1, s1 sent me a “1”.