openflow a security analysis
play

OpenFlow: A Security Analysis oti 1 Vasileios Kotronis 2 Paul Smith 3 - PowerPoint PPT Presentation

Mar 15, 2023 •108 likes •479 views

Introduction Approach Results Recommendations Conclusion OpenFlow: A Security Analysis oti 1 Vasileios Kotronis 2 Paul Smith 3 Rowan Kl 1 rkloeti@alumni.ethz.ch ETH Zurich 2 vkotroni@tik.ee.ethz.ch ETH Zurich 3 paul.smith@ait.ac.at AIT

  1. Introduction Approach Results Recommendations Conclusion OpenFlow: A Security Analysis oti 1 Vasileios Kotronis 2 Paul Smith 3 Rowan Kl¨ 1 rkloeti@alumni.ethz.ch ETH Zurich 2 vkotroni@tik.ee.ethz.ch ETH Zurich 3 paul.smith@ait.ac.at AIT Austrian Institute of Technology GmbH 07.10.2013 ICNP NPSec 2013, G¨ ottingen, Germany 1 / 36

  2. Introduction Approach Results Recommendations Conclusion Outline Introduction 1 Objectives SDN and OpenFlow Approach 2 Attack Model STRIDE Attack Trees Combining the Approaches Experimental Setup Results 3 Security Analysis Empirical Testing Recommendations 4 Conclusion 5 2 / 36

  3. Introduction Approach Objectives Results SDN and OpenFlow Recommendations Conclusion Objectives Security analysis of OpenFlow protocol and networks Focus on v1.0.0, but extensible/adaptable methodology Develop model Analyze model Describe attacks Empirically demonstrate one or more security issues Develop setup to enable this empirical demonstration Suggest potential fixes and mitigations for security issues 3 / 36

  4. Introduction Approach Objectives Results SDN and OpenFlow Recommendations Conclusion Why OpenFlow Security Analysis? OpenFlow started as a largely academic endeavour But has recently seen increasing deployment in production systems: Google’s OpenFlow WAN Cisco, Juniper, HP products Adoption by cloud hosts and service providers But why security? No official security analysis of the protocol itself Research is just catching up (see HotSDN 2013 program) Security is extremely important for production systems, but can be overlooked 4 / 36

  5. Introduction Approach Objectives Results SDN and OpenFlow Recommendations Conclusion SDN and OpenFlow 101 Software Defined Networks (SDNs) separate data plane and control plane Header Fields OpenFlow implements SDN: Counters Switch implements data plane Actions Controller implements control plane Switch and controller connected with secure channel over control network Controller installs flow rules on switch Flow rule header fields match packet headers Packets matching a flow rule have actions performed on them 5 / 36

  6. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup Attack Model Three scenarios Attacker controls a single client Attacker controls multiple clients Attacker has access to control network The first scenario is given greatest consideration Scenarios where attacker has access to actual secure channel are not considered This would involve compromising SSL or TLS, which is outside the scope of this work 6 / 36

  7. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup STRIDE Security modeling methodology Types of vulnerabilities modeled Client by the method[3]: Request Reply S poofing T ampering Web application R epudiation I nformation Disclosure D enial of Service and E levation of Privilege Query Results Use data flow diagrams to uncover potential vulnerabilities Database Models how external data enters into and propagates Figure : Data flow diagram through system 7 / 36

  8. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup Attack Trees Used to describe and analyze Get root access attacks Based on fault tree analysis [4] Represent prerequisites for Social attacks Dictionary Exploit engineering attack vulnerability Leaf nodes represent actions or events These propagate through AND and OR gates Find Develop Execute vulnerability exploit attack Root node is objective Can calculate various metrics if values for leaf nodes are Figure : Attack tree known 8 / 36

  9. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup From STRIDE DFDs to Attack Trees Data flow diagrams show us potential vulnerabilities They show us which components present an attack surface Attack trees allow these to be developed into practical attacks A given objective may have multiple attack paths Attack trees help to analyze and optimise attack paths These two approaches are complementary 9 / 36

  10. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup Experimental Setup Mininet is a virtual network emulation environment Based on Linux network namespaces Runs Open vSwitch (virtual OpenFlow switch) Can emulate performance constraints Bandwidth Latency and jitter This is required to simulate attacks Forms the basis of test environment Use POX as a controller 10 / 36

  11. Introduction Attack Model Approach STRIDE Results Attack Trees Recommendations Combining the Approaches Conclusion Experimental Setup Setup Schematics h1-1 h2-1 h1-1 h2-1 h1 s1 s1 h2 h1-2 h1-2 s1 s1 s2 s2 h2-2 h1 h2 h1-2 h1-2 h2-2 c0 c0 h1-3 h1-3 c0 c0 h2-3 h2-3 Figure : Network topology for Figure : Network topology for Denial of Service attack Information Disclosure attack demonstration demonstration 11 / 36

  12. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Denial of Service I Received packet from 1 Received packet Interface 1 Input buffer 1 Sent packet to 1 Transmitted packet Packet to process OpenFlow Output buffer 1 Module Remove/modify packet Get state/event Transmit packet Set state/action Packet sample Controller-to-switch message Forwarded/Enqueued packet Data path Secure Channel Read flow table Modify flow table Asynchronous message Forwarded/Enqueued packet Read flow table Update counter Remove/modify packet Output buffer 2 Flow table Packet to process Transmitted packet Denial of Service Received packet from 2 Information Disclosure Received packet Interface 2 Input buffer 2 Tampering Sent packet to 2 Figure : Data flow diagram of switch 12 / 36

  13. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Denial of Service II Set state/action OpenFlow Secure Module Channel Transmit packet Get state/event Packet sample Data path Read Modify Read flow table Update counter Flow table Denial of Service Information Disclosure Tampering Figure : Close-up of data flow diagram 13 / 36

  14. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Denial of Service III Denial of service Against switch Against controller Against Decision process Against OpenFlow Exploit security hole Against OpenFlow Interface and data Against Flow table Against Input buffer in controller (if Module flow Asynchronous present) message Locate security hole in Perform Develop exploit Identify which controller Obtain access processor flow rules are software to multiple intensive tasks created without client interfaces on several wildcards connections Attack OpenFlow Attack controller Interface and OpenFlow Interface Asynchronous directly message Identify which Generate flow rules are extremely high created without traffic load on Generate very high wildcards interface rate of new flows on several interfaces Perform regular Identify which Generate very Generate very Obtain access denial of Obtain access flow rules are high traffic load high traffic load to management service attack to multiple created without on each on interface network against client interfaces wildcards interface controller Identify exact Identify hash Cause hash form of flow function used collisions on table entries for flow table flow table Figure : Denial of Service attack tree with attack path highlighted 14 / 36

  15. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Denial of Service IV Denial of service Against switch Against Flow table Identify which Generate very flow rules are high traffic created load on without interface wildcards Figure : Close-up of highlighted attack path 15 / 36

  16. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Information Disclosure I Denial of Service Information Disclosure Tampering Controller-to-switch message Set state/action Get policy OpenFlow Decision Policy Administrator Interface Asynchronous message Get state/event Read policy Write policy Set value Write log Write log Get value Read log Administration Log interface Set configuration Get configuration Figure : Data flow diagram of controller 16 / 36

  17. Introduction Approach Security Analysis Results Empirical Testing Recommendations Conclusion Information Disclosure II Denial of Service Information Disclosure Tampering Controller-to-switch message Set state/action OpenFlow Switch Decision Interface Get state/event Asynchronous message Figure : Close-up of data flow diagram 17 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr Contents 1. Introduction 1.1 Motivation 1.2 Related Works Analysis 1.2.1 OpenFlow: A Security Analysis 1.2.2 OpenFlow Vulnerability Assessment

345 views • 30 slides
OpenFlow and Software Defjned Networks Outline o The history of OpenFlow o What is OpenFlow? o

OpenFlow and Software Defjned Networks Outline o The history of OpenFlow o What is OpenFlow? o

OpenFlow and Software Defjned Networks Outline o The history of OpenFlow o What is OpenFlow? o Slicing OpenFlow networks o Software Defjned Networks o Industry interest Original Question How can researchers on college campuses test out new

718 views • 35 slides
A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran , Martin Fong, Mabry Tyson (SRI International) Seungwon Shin, Guofei Gu (Texas A&M University) Classic Network Perimeter Defense Security

207 views • 20 slides
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks (or: How to Provide Security Monitoring as a Service in Clouds?) Seungwon Shin Guofei Gu SUCCESS Lab SUCCESS Lab Texas A&M University Texas A&M

314 views • 6 slides
TouSIX First OpenFlow European IXP Marc Bruyre, CNRS 2 TouSIX First OpenFlow European IXP

TouSIX First OpenFlow European IXP Marc Bruyre, CNRS 2 TouSIX First OpenFlow European IXP

TouSIX First OpenFlow European IXP Marc Bruyre, CNRS 2 TouSIX First OpenFlow European IXP What is an IXP ? Today IXP switching fabric Operator-oriented OpenFlow IXP fabric The Toulouse IXP : TouIX Migrating TouIX in TouSIX TouSIX-Manager

850 views • 41 slides
HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST /

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST /

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr Software-Defined Networking

673 views • 36 slides
Networking and OpenFlow Jeffrey Dalla Tezza and Nate Schloss Agenda What is SDN SDN Today

Networking and OpenFlow Jeffrey Dalla Tezza and Nate Schloss Agenda What is SDN SDN Today

Software Defined Networking and OpenFlow Jeffrey Dalla Tezza and Nate Schloss Agenda What is SDN SDN Today What is OpenFlow Why OpenFlow Whats next for SDN Our OpenFlow Demonstration Software Defined Networking

274 views • 26 slides
PERFORMANCE ANALYSIS OF OPENFLOW HARDWARE Michiel Appelman Maikel de Boer Supervisor: Ronald van

PERFORMANCE ANALYSIS OF OPENFLOW HARDWARE Michiel Appelman Maikel de Boer Supervisor: Ronald van

PERFORMANCE ANALYSIS OF OPENFLOW HARDWARE Michiel Appelman Maikel de Boer Supervisor: Ronald van der Pol (SARA) PERFORMANCE ANALYSIS OF OPENFLOW HARDWARE Michiel Appelman Maikel de Boer Supervisor: Ronald van der Pol (SARA) AGENDA

466 views • 21 slides
Optimizing Rules Placement in OpenFlow networks: Trading routing for better efficiency NGUYEN

Optimizing Rules Placement in OpenFlow networks: Trading routing for better efficiency NGUYEN

Optimizing Rules Placement in OpenFlow networks: Trading routing for better efficiency NGUYEN Xuan-Nam , Damien Saucez, Chadi Barakat, Thierry Turletti DIANA INRIA Sophia Antipolis, France Motivation Today With SDN/OpenFlow Manual

394 views • 6 slides
OpenFlow Workshop APAN FIT Workshop Hong Kong APAN FIT Workshop Hong Kong Chris Small

OpenFlow Workshop APAN FIT Workshop Hong Kong APAN FIT Workshop Hong Kong Chris Small

OpenFlow Workshop APAN FIT Workshop Hong Kong APAN FIT Workshop Hong Kong Chris Small Indiana University Feb 22 2011 Sections Sections OpenFlow concepts, hardware and software l h d d f OpenFlow use cases Network Operators

910 views • 73 slides
UNINETT OpenFlow testbed UNINETT OpenFlow testbed Terena Network Architecture Workshop,

UNINETT OpenFlow testbed UNINETT OpenFlow testbed Terena Network Architecture Workshop,

UNINETT OpenFlow testbed UNINETT OpenFlow testbed Terena Network Architecture Workshop, 13-14/11-2013 Terena Network Architecture Workshop, 13-14/11-2013 Olav Kvittem, Martin Osmundsvg, Otto Wittner, Gurvinder Singh UNINETT Aryan

366 views • 7 slides
The Beacon OpenFlow Controller www.beaconcontroller.net David Erickson Stanford Motivation

The Beacon OpenFlow Controller www.beaconcontroller.net David Erickson Stanford Motivation

The Beacon OpenFlow Controller www.beaconcontroller.net David Erickson Stanford Motivation Back to circa 2008-2009 The OpenFlow controller world == NOX Single threaded event based C++ with SWIG glue to Python Python apps C++

513 views • 18 slides
OpenFlow Campus Trials GEC7 Stanford University Continued progress Increasing provider

OpenFlow Campus Trials GEC7 Stanford University Continued progress Increasing provider

OpenFlow Campus Trials GEC7 Stanford University Continued progress Increasing provider OpenFlow 1.0 interest and engagement Spec released in Dec 2009 Google, Amazon, Yahoo, Reference implementations Microsoft, and

656 views • 26 slides
HyperFlow A Distributed Control Plane for OpenFlow Amin Tootoonchian Yashar Ganjali System and

HyperFlow A Distributed Control Plane for OpenFlow Amin Tootoonchian Yashar Ganjali System and

HyperFlow A Distributed Control Plane for OpenFlow Amin Tootoonchian Yashar Ganjali System and Networking Group Department of Computer Science University of Toronto Brief Overview of OpenFlow Root cause of network mgmt. & control

659 views • 14 slides
Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison , Matthew L.

Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison , Matthew L.

Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison , Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker PRESTO 2010, Philadelphia, PA 11.28.2010 Background OpenFlow/NOX allowed us to take back

858 views • 21 slides
OFELIA Pan European OpenFlow Testbed OFELIA Pan European OpenFlow Testbed Hagen Woesner

OFELIA Pan European OpenFlow Testbed OFELIA Pan European OpenFlow Testbed Hagen Woesner

OFELIA Pan European OpenFlow Testbed OFELIA Pan European OpenFlow Testbed Hagen Woesner EICT GmbH Coordinator, OFELIA project APAN meeting 32st New Delhi APAN meeting 32st New Delhi (Future Internet Testbed Workshop) Agenda Future Internet

416 views • 18 slides
Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds

Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds

Security Challenges & Opportunities in June 30 th , 2015 Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds Nizar KHEIR Cyber Security Researcher Orange Labs Products and Services 1 Orange

385 views • 15 slides
Understanding the Role of Automated Response AcOons to Improve AMI Resiliency Ahmed Fawaz 1 ,

Understanding the Role of Automated Response AcOons to Improve AMI Resiliency Ahmed Fawaz 1 ,

Understanding the Role of Automated Response AcOons to Improve AMI Resiliency Ahmed Fawaz 1 , Robin Berthier 1 , Bill Sanders 1 , Partha Pal 2 April 24, 2012 1 University of Illinois at Urbana Champaign 2 BBN Technologies | 1 TCIPG

585 views • 57 slides
Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat

Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat

Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat Supervisors: Research Project 2 #100 Gerben van Malenstein Arnold Buntsma Migiel de Vos Mar Badias Sim Max Mudde NetherLight: open lightpath

633 views • 25 slides
Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

West Virginia University Cybersecurity research and education: Helping meet the high demand for cybersecurity experts Katerina Goseva-Popstojanova Professor Lane Department of Computer Science and Electrical Engineering (LCSEE) West

538 views • 21 slides
Altigen Communications Investor Presentation June 2019 ATGN Presented by: Jeremiah Fleming,

Altigen Communications Investor Presentation June 2019 ATGN Presented by: Jeremiah Fleming,

Altigen Communications Investor Presentation June 2019 ATGN Presented by: Jeremiah Fleming, President & CEO Altigen Communications Overview Provider of Unified Communications as a Service (UCaaS) Solutions based on the Microsoft Platform

391 views • 11 slides
H1 FY20 RESULTS 2 6 F E B R U A R Y 2 0 2 0 Will Lopes Chief Executive Officer James Orlando

H1 FY20 RESULTS 2 6 F E B R U A R Y 2 0 2 0 Will Lopes Chief Executive Officer James Orlando

H 1 F Y 2 0 R E S U L T S H1 FY20 RESULTS 2 6 F E B R U A R Y 2 0 2 0 Will Lopes Chief Executive Officer James Orlando Executive Director Hayden Stockdale Chief Financial Officer 1 C A T A P U L T S P O R T S . C O M H 1 F Y 2 0 R E S

451 views • 30 slides
style 31 January 2020 Click to edit Master subtitle style Tim Sykes, CEO Richard Hughes, CFO

style 31 January 2020 Click to edit Master subtitle style Tim Sykes, CEO Richard Hughes, CFO

Investor Presentation Click to edit Master title Half year results for the period ended style 31 January 2020 Click to edit Master subtitle style Tim Sykes, CEO Richard Hughes, CFO Disclaimer These presentation slides and the accompanying

683 views • 27 slides
Earnings call Q3 2019 TODAYS SPEAKERS Daniel Wikberg Elin Lundstrm CEO CFO Please use

Earnings call Q3 2019 TODAYS SPEAKERS Daniel Wikberg Elin Lundstrm CEO CFO Please use

Earnings call Q3 2019 TODAYS SPEAKERS Daniel Wikberg Elin Lundstrm CEO CFO Please use the Q&A feature during the presentation to ask questions Upsales at a glance What we do Help companies reach new customers and win more

480 views • 20 slides

More recommend