malicious code and access control in sdn
play

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 - PowerPoint PPT Presentation

Jan 26, 2024 •214 likes •418 views

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

  1. Malicious Code and Access Control in SDN SPRING’14 , 31.7. – 1.8.2014 Hans Christian Röpke Chair for System Security

  2. 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 2/19

  3. Computer Market Evolution Appl. Specialized Applications Open Interface Specialized Operation Systems Open Interface Specialized Hardware • Closed, proprietary • Open interfaces • Slow innovation • Rapid innovation • Small industry • Huge industry ∗ McKeown et al., ONS’11 Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 3/19

  4. Networks Today Specialized Features Specialized Control Systems Open Interface Specialized Hardware • Closed, proprietary • Open interfaces • Slow innovation ∗ McKeown et al., ONS’11 Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 4/19

  5. Network Market Evolution Appl. Specialized Features Open Interface Specialized Control ? Systems Open Interface Specialized Hardware • Open interfaces • Closed, proprietary • Rapid innovation (?) • Slow innovation ∗ McKeown et al., ONS’11 Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 5/19

  6. What is Software-Defined Networking? Definition SDN : = Decoupling network control features from forwarding hardware. Appl. Appl. Appl. Appl. Appl. Spec. Features Spec. Control Northbound API Systems Spec. Spec. HW Network OS Spec. Features Spec. Control Features Spec. Control Southbound API Systems Systems Spec. HW Open Spec. HW Interface Open Open Interface Interface Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 6/19

  7. SDN @ Google � Backbone performance � Fault tolerance � Operation costs ∗ Hölzle, ONS’12 Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 7/19

  8. Example Appl. SDN controller packet Flow table ? Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 8/19

  9. Example Appl. SDN controller Flow packet rule packet packet Flow table ? Flow rule Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 9/19

  10. SDN Layers Application Layer Network intelligence Appl. Global network view SDN controller Control Layer Complexity hiding Switch programming Flow packet rule Switch Infrastructure Packet forwarding packet packet Flow table ? Flow rule Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 10/19

  11. Most Common Implementation SDN SDN Appl. Appl. Common OS Standard PC HW SDN SDN Appl. Appl. SDN SDN Appl. Appl. Other Processes SDN Controller Process Common OS Standard PC Hardware OpenFlow-enabled Switch Network Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 11/19

  12. Module vs. REST Applications SDN SDN Appl. Appl. Common OS Standard PC HW SDN SDN REST Applications Appl. Appl. SDN SDN Module Applications Appl. Appl. Other Processes SDN Controller Process Common OS Standard PC Hardware OpenFlow-enabled Switch Network Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 12/19

  13. Network-level vs. System-level • Network-level • Main purpose • Forwarding decisions • Flow rules • System-level • Rather a side effect • Negligible for SDN • But significant with respect to security ∗ Canini et al., NSDI’13 Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 13/19

  14. Malicious SDN Applications SDN SDN Appl. Appl. Other Processes SDN Controller Process Common OS Standard PC Hardware OpenFlow-enabled Switch Network • Module applications • Consequences on system-level Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 14/19

  15. Experiments • Malicious SDN module application samples • Denial-of-service attack • Arbitrary code execution • Remote control / backdoor • Examined SDN controllers (popular & state-of-the-art) • Beacon • Floodlight • OpenDaylight • HP VAN • Results • SDN controller shutdown • Malware execution • Remote control of SDN controllers ( → of entire networks) Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 15/19

  16. Security Tool • Idea • Put SDN module applications into a sandbox • Control access to sensitive operations • Design Default rules Security SDN appl. A rule set rule set SDN appl. B rule set Access Sensitive ? operations Control Code SDN Appl. Execution Non-sensitive operations • Contribution: Effective attack prevention Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 16/19

  17. Access Control in SDN • Security tool limitations • Unknown sensitive operations in use • Manual configuration • Idea: Access control framework • Enable developers to define permissions • Enable network operators to review permission requests • Enforce network operations to decide on permission requests (before the start of a certain SDN application) • Activate security rules automatically according to decisions • Support network operators in case of unavailable permission requests • Contributions • Provide access control mechanism for SDN controllers • Protect SDN controller on system-level Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 17/19

  18. Conclusions • SDN may change the network market drastically • SDN promises rapid innovation through third-party software • Third-party software must not be malicious-free • Malicious SDN applications harm entire networks • SDN security is essential for the SDN success • We provide building blocks for system-level SDN security • Security analysis • Security tool • Access control mechanism Software-Defined Networks|Horst Görtz Institute for IT-Security|SPRING’14|31.7. – 1.8.2014 18/19

  19. Many thanks for your attention! Questions? Contact Hans Christian Röpke christian.roepke@rub.de Chair for System Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

2005-10-12 Malicious Code an Increasing Problem Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads universitet DAV C19 Applied Security 2 Datavetenskap 2005-10-12 Datavetenskap 2005-10-12 Media

442 views • 7 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

381 views • 20 slides
Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses

624 views • 40 slides
Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011 Announcement Presence sheet Solution to Homework 2 is out Grades will follow 2 CIS-5372: 9.Nov.2011 What Did We Cover Before ?

1.02k views • 71 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

985 views • 51 slides
Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at

Virus Concepts and Terminology CS 4440/7440 Malware Analysis & Defense Today } Take a look at this: } https://www.corelan.be/index.php/articles/ } Check out the Exploit Writing Tutorials } Starting Szor, Chapter 2. } Check out the Virus

1.34k views • 46 slides
Abstract Data Types Data types I We type data--classify it into various categories--such as

Abstract Data Types Data types I We type data--classify it into various categories--such as

Abstract Data Types Data types I We type data--classify it into various categories--such as int , boolean , String , Applet A data type represents a set of possible values, such as { ... , -2 , -1 , 0 , 1 , 2 , ... }, or { true , false }

991 views • 58 slides
Distribuerade system - VT2001 Distribuerade system - VT2001 Jerry Eriksson Jerry Eriksson

Distribuerade system - VT2001 Distribuerade system - VT2001 Jerry Eriksson Jerry Eriksson

Distribuerade system - VT2001 Distribuerade system - VT2001 Jerry Eriksson Jerry Eriksson Contests Contests Introduction to DS Introduction to DS Schedule Schedule Litterature Litterature Laboration Laboration Defining DS

358 views • 14 slides
A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy

A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy

A Semantics-based Approach to Malware Detection Mila Dalla Preda University of Verona, Italy Mihai Christodorescu, Somesh Jha University of Wisconsin, USA Saumya Debray University of Arizona, USA 17-19 Jan, POPL 07, Nice A

828 views • 52 slides
Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd Paul Rascagnres from Malware.lu Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet

425 views • 31 slides
Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad

Evolutionary Computation for Improving Malware Analysis Kevin Leach 1 , Ryan Dougherty 2 , Chad Spensky 3 , Stephanie Forrest 2 , Westley Weimer 1 1 University of Michigan 2 Arizona State University 3 University of California, Santa Babara May 23,

357 views • 6 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides

More recommend