when match fields do not need to match buffered packet
play

When Match Fields Do Not Need to Match: Buffered Packet Hijacking in - PowerPoint PPT Presentation

Apr 01, 2023 •103 likes •443 views

When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN Jiahao Cao, Renjie Xie, Kun Sun , Qi Li, Guofei Gu, and Mingwei Xu Outline SDN Overview Background on SDN Rule Installation A New Vulnerability: Buffered Packet

  1. When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN Jiahao Cao, Renjie Xie, Kun Sun , Qi Li, Guofei Gu, and Mingwei Xu

  2. Outline – SDN Overview – Background on SDN Rule Installation – A New Vulnerability: Buffered Packet Hijacking – Buffered Packet Hijacking Attacks – Defense – Conclusion 2

  3. Outline – SDN Overview 3

  4. SDN Overview – SDN applications (apps) – Extend controller capacities and SDN functionalities – SDN controller – Take centralized network control – SDN switches – Forward and process flows according to the controller 4

  5. Outline – Background on SDN Rule Installation 5

  6. Rule Installation in SDN – Packet-in Routing App • Query network decisions for a new flow SDN Controller (3) packet-in • Contain a buffer ID and packet headers (4) flow-mod – Flow-mod h 1 h 2 S 2 1. Install rules with match S 1 (1) new flow fields and actions Match Action Buffer ID: 1 2. Specify a buffer ID to ip_dst:10.0.0.2 output: S 2 release a buffered packet (2) buffer in S 1 (5) flow rules in S 1 6

  7. Rule Conflict in SDN – Conflict reason Routing Malicious App App • Multiple apps process the same flow may generate SDN Controller (3) packet-in conflicting rules – Conflict abuse (4) flow-mod x2 • Apps install conflicting h 1 h 2 S 2 rules to override other S 1 (1) new flow apps’ decisions Match Match Action Action Buffer ID: 1 ! t c i l f n ip_dst:10.0.0.2 ip_dst:10.0.0.2 output: S 2 output: S 2 o C ip_dst:10.0.0.2 drop (2) buffer in S 1 (5) flow rules in S 1 7

  8. Rule Conflict Detection – Rule conflict detection Malicious Routing App App – Extract match fields and Block! actions in all flow-mod • flow-mod • flow-mod • match: ip_dst:10.0.0.1 • match: ip_dst:10.0.0.1 messages • action: drop • action: forward – Check potential conflict • buffer id: 1 • buffer id: 1 when installing new rules VerfiFlow (NSDI ’13), SE-Floodlight (NDSS ‘15), FortNOX (HotSDN ‘12)… Do not consider potential buffer ID abuse 8

  9. Outline – A New Vulnerability: Buffered Packet Hijacking 9

  10. Buffered Packet Hijacking Vulnerability – Mechanism Malicious Routing App App – Manipulate buffer IDs to hijack buffered packets • flow-mod • flow-mod • match: ip_dst:1.1.1.1 • match: ip_dst:10.0.0.1 • action: drop • action: forward à 1 • buffer id: 2 • buffer id: 1 – Root Cause – No checking on the inconsistency between buffer IDs and match fields when installing rules Hijack buffered packets Buffer ID: 1 without conflicting rules! Buffer ID: 2 10

  11. Outline – Buffered Packet Hijacking Attacks 11

  12. Threat Model – Attacker Objective – Exploit the vulnerability to attack all three SDN layers – System Assumptions – SDN controllers, switches, and control channels are secure – Existing SDN defense may be deployed – Apps are untrusted , which may originate from third parties – A malicious app has basic permissions of listening packet-in and installing flow rules 12

  13. Attacks and Testbed – Four attacks – Real SDN testbed – Attacking application – Open source controller 1. cross-app poisoning – Floodlight – Attacking control plane – Commercial SDN switches 2. control traffic amplification – EdgeCore AS4610-54T – Attacking data plane – Real background flows 3. security policy bypass – Traffic trace from CAIDA 4. TCP connection disruption – Crafted test flows 13

  14. Attack 1: Cross-App Poisoning (CAP) – A malicious app resends modified buffered packets to the controller APP Y learns: APP Y learns: APP Y APP X (Host, Port) = (h 1 , port 1 ) (Host, Port) = (h 2 , port 1 ) PACKET-IN FLOW-MOD Incorrect mapping! h 1 h 2 port 2 port 1 S 1 match: other flow APP X: FLOW-MOD buf_id: 1 buf_id: 1 action: set-field (IP_SRC à IP_h 2 ), output:controller 14

  15. Evading Defense against CAP – Existing CAP attacks and defense – Attack by modifying shared data objects in the control plane – Defend by checking information flow control policy violations * – This CAP attack – Manipulate buffered packets in the data plane – Evade defense since there are no policy violations * Ujcich, Benjamin E., et al. “Cross-app poisoning in software-defined networking.” CCS ’18 15

  16. Attack 2: Control Traffic Amplification Bomb – A malicious app copies massive buffered packets to trigger packet-in messages consuming bandwidth and computing resources 100% SDN 90% bandwidth APP X Controller CPU FLOW-MOD PACKET-IN x3 50% 0% h 1 h 2 S 1 match: other flow buf_id: 1 buf_id: 1 APP X: FLOW-MOD action: no_buffer, group_all (3 action buckets), output:controller 16

  17. Evading Defense against Packet-in Flooding – Existing flooding attacks and defense – Attack by generating packets matching no rules to trigger massive packet-in messages – Detect malicious flows or adopt TCP SYN proxy to throttle TCP- based flooding * – This flooding attack – Hijack buffered packets of benign flows to trigger massive packet-in messages – Generate no malicious flows and can hijack UDP flows • Shin, Seungwon, et al. “Avant-guard: Scalable and vigilant switch flow management in software-defined networks.” CCS ’13 Shang, Gao, et al. “FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks.” INFOCOM ’17 17

  18. Attack 3: Network Security Policy Bypass – A malicious app redirects buffered packets to different ports match: red APP Y APP X buf_id: 1 APP Y: FLOW-MOD action: output:Firewall FLOW-MOD FLOW-MOD S 2 h 1 h 2 S 1 S 3 buf_id: 1 match: other flow buf_id: 1 APP X: FLOW-MOD action: output:S 2 Successfully bypass firewall � 18

  19. Evading Defense against Security Bypass – Existing security bypass attacks and defense – Generate conflicting rules to bypass security policies – Detect rule conflict to prevent security policy bypass * – This attack – Manipulate buffer IDs to bypass security policies – Evade defense by generating no conflicting rules * Porras, Phillip A., et al. “Securing the software defined network control layer.” NDSS ’15. Khurshid, Ahmed, et al. “Veriflow: Verifying network-wide invariants in real time.” NSDI ’13 Porras, Philip, et al. “A security enforcement kernel for OpenFlow networks.” HotSDN ’12 19

  20. Attack 4: TCP Connection Disruption – TCP three-way handshake process – A TCP connection is established only after a successful TCP three- way handshake The first packet of a TCP flow is always the TCP SYN packet 20

  21. Attack 4: TCP Connection Disruption – A malicious app drops a buffered TCP SYN packet match: red APP Y APP X APP Y: FLOW-MOD buf_id: 1 action: output:h 2 FLOW-MOD FLOW-MOD 10 ms 1000 ms after 1s try again match: other flow h 1 h 2 buf_id: 1 APP X: FLOW-MOD S 1 action: drop buf_id: 1 Every 100 ms latency may cost 1% in business revenue for Amazon. No existing SDN defense solutions consider this attack � 21

  22. Hijacking Probability: Intra-Chain Hijacking – Single Processing Chain – Apps in the same processing chain process packet-in and send flow-mod messages in turn – Success Condition – A malicious app is in front of the app that will process the flow (target app) 22

  23. Hijacking Probability: Inter-Chain Hijacking – Multiple Processing Chains – Apps in different processing chains process packet-in and send flow-mod messages independently – Success Condition – A malicious app could be in any position, if %&'"(")*+ 2&3452 ! ,-./0 < ! ,-./0 "#$ "#$ 23

  24. Hijacking Probability: Experimental Results – Experiments with two processing chains in real SDN testbed • Intra-chain hijacking probability is either 0 or 100% • Inter-chain hijacking probability decreases when the malicious app moves towards tail, e.g., from 100% to 36.3% for Load Balancer 24

  25. Hijacking Probability: Theory Analysis – Derive hijacking probability from processing chain model • Intra-chain hijacking probability: • Inter-chain hijacking probability: ! ",$ : malicious app, the c-th application in the • r-th processing chain ! %,& : target app, the i-th application in the j-th • processing chain Details in our paper! ' • %,& : probability density function of processing delays in ! %,& 25

  26. Outline – Defense 26

  27. Defense: ConCheck – Add consistency check between buffer IDs and match fields • API Calls Extractor intercepts API calls on reading packet-in and generating flow-mod messages • Consistency Checker checks inconsistency for API calls on generating flow-mod messages Detection Example ConCheck Architecture 27

  28. Outline – Conclusion 28

  29. Conclusion – We discover a new vulnerability in SDN rule installation. – We identify four buffered packet hijacking attacks that disrupt all SDN layers and can evade all existing defense systems. – We propose a lightweight and application-transparent countermeasure. 29

  30. Thank you! Kun Sun ksun3@gmu.edu

  31. Backup: Permissions – The ratio of applications with the permission of listening packet-in messages and installing flow rules Many apps have the permissions 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age

Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age

Match.com Leonard Hock, DO, MACOI, CMD, HMDC, FAAHPM Match.com Profile Gender Age Profession Favorite color Favorite song Favorite thing to do Yesterdays LTC Match.com All about census Matches

709 views • 19 slides
CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The

CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The

South Platte River River Vision Program CWCB Approved Funding $450,000 in WSRA Funding $450,000 match: CCD &amp; UDFCD match The Greenway Foundation will provide 60% design of the following elements: ! Multi-use river access, including

369 views • 16 slides
Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match

Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match

1 Blastns seed length Recall: blastns seed match is of length w = 11 , 12 exact match w &gt; 10 is compatible with the packing speedup a seed match is extended to a gapless alignment What is the significance of w ? 2 w

531 views • 31 slides
AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At

AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At

AFL SYDNEY JUNIORS TEAM MANAGERS INFORMATION Contents 1. Your Role 2. Before Match Day 3. At Match Day 4. After Match Day CLUB DEVELOPMENT CONFERENCE SUNDAY 17TH MARCH YOUR ROLE Team organisation Paperwork Link between

503 views • 18 slides
Co Connection Advisor Match Consultants | Firm Overview Q1 2020 |

Co Connection Advisor Match Consultants | Firm Overview Q1 2020 |

Experience Creates Co Connection Advisor Match Consultants | Firm Overview Q1 2020 | info@advisormatchconsultants.com About Advisor Match Consultants Overview Advisor Match Consultants (AMC) Advisor Match Consultants was founded by Roger

665 views • 12 slides
Topics to be covered Motivation: match application domains Generic match operator

Topics to be covered Motivation: match application domains Generic match operator

A survey of approaches to automatic schema matching E. Rahm, and P. A. Bernstein. The VLDB Journal , 10(3): 334-350, 2001. Presented by Joel So (j2so@cs.uwaterloo.ca) Topics to be covered Motivation: match application domains Generic

397 views • 8 slides
Future Match Report 2014 ICT-Brokerage Event at CeBIT 10 14 March 2014

Future Match Report 2014 ICT-Brokerage Event at CeBIT 10 14 March 2014

Future Match / CeBIT 2014 Future Match Report 2014 ICT-Brokerage Event at CeBIT 10 14 March 2014 www.futurematch.cebit.de Matthias Wurch, Leibniz University Hanover Future Match / CeBIT 2014 Future Match at CeBIT 2014 Organised for the

813 views • 14 slides
C L I F T O N S U I T B A G C L I F T O N S U I T B A G 65,90 THE PERFECT MATCH FROM

C L I F T O N S U I T B A G C L I F T O N S U I T B A G 65,90 THE PERFECT MATCH FROM

C L I F T O N S U I T B A G C L I F T O N S U I T B A G 65,90 THE PERFECT MATCH FROM CASUAL TO BUSINESS The idea behind Clifton Suit Bag is to create a bag with smart functionality. So we decided to combine a weekender style bag

123 views • 8 slides
Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France FSE, March 3-5 2014 Plan 1 Match Box Meet-in-the-Middle Attacks Sieve-in-the-Middle Framework Match Box Cryptanalysis of KATAN 2 Description

1.61k views • 37 slides
Optimal Packet Scheduling in Output- Buffered Optical Switches with Limited-Range Wavelength

Optimal Packet Scheduling in Output- Buffered Optical Switches with Limited-Range Wavelength

Optimal Packet Scheduling in Output- Buffered Optical Switches with Limited-Range Wavelength Conversion Lin Liu and Yuanyuan Yang Stony Brook University Outline Introduction The WDM optical packet switch model Finding an optimal

667 views • 34 slides
Does Training Affect Match Performance? A Study Using Data Mining And Tracking Devices

Does Training Affect Match Performance? A Study Using Data Mining And Tracking Devices

Does Training Affect Match Performance? A Study Using Data Mining And Tracking Devices Fernndez, J. Medina, D., Gmez A., Arias M., Gavald R. From Training Variation to Match Performance From Training Variation to Match Performance

530 views • 21 slides
Vi Virginia Fres esh M h Match ch VAHSA Health &amp; Family Institute Wednesday, November 13,

Vi Virginia Fres esh M h Match ch VAHSA Health &amp; Family Institute Wednesday, November 13,

Vi Virginia Fres esh M h Match ch VAHSA Health &amp; Family Institute Wednesday, November 13, 2019 Annalise Adams, Shalom Farms Maureen McNamara Best, Local Environmental Agriculture Project (LEAP) 1 i 2 Agenda Virginia Fresh Match

617 views • 18 slides
THE PERFECT MATCH COMMITMENTS The wheel I need, readily available Steel or alloy wheel

THE PERFECT MATCH COMMITMENTS The wheel I need, readily available Steel or alloy wheel

THE PERFECT MATCH COMMITMENTS The wheel I need, readily available Steel or alloy wheel available to meet customers liking and budget Easy to find, order, receive and install The wheel that fits! THE PERFECT MATCH

811 views • 63 slides
Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA,

Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA,

Managing Asthma Through Case Management in Homes (MATCH) EVALUATION &amp; GROWTH Tisa Vorce, MA, RRT Michigan Dept. of Community Health MATCH Model Six or more home visits by AE-C Physician care conference (AE-C + client/family + HCP)

185 views • 15 slides
Requirements Provider Handbook pg. 9 D. Required Match Policy of the HSD HSD seeks to maximize

Requirements Provider Handbook pg. 9 D. Required Match Policy of the HSD HSD seeks to maximize

Requirements Provider Handbook pg. 9 D. Required Match Policy of the HSD HSD seeks to maximize the dollars available for services to Clients and therefore requires a 10% unit of service match of contracted services, unless otherwise noticed

602 views • 45 slides
CS449/649: Human-Computer Interaction Spring 2017 Lecture III Anastasia Kuzminykh Understand

CS449/649: Human-Computer Interaction Spring 2017 Lecture III Anastasia Kuzminykh Understand

CS449/649: Human-Computer Interaction Spring 2017 Lecture III Anastasia Kuzminykh Understand Your Users User study Observe Register Features Ask Questions Quantitative Qualitative Behavioral Fixed &amp; measurable Dynamic

735 views • 36 slides
Miner Lake Association Spring 2016 Meeting May 28, 2016 Agenda Approve Minutes from Fall

Miner Lake Association Spring 2016 Meeting May 28, 2016 Agenda Approve Minutes from Fall

Miner Lake Association Spring 2016 Meeting May 28, 2016 Agenda Approve Minutes from Fall Meeting Treasurer Report Update on the Miner Lake Dam Water Quality Report and Monitoring for 2016 Replacement of VP position Membership Topics and Q/A

300 views • 18 slides
Models for Computer-Aided Trial &amp; Program Design Terrence Blaschke, M.D. VP, Methodology

Models for Computer-Aided Trial &amp; Program Design Terrence Blaschke, M.D. VP, Methodology

Models for Computer-Aided Trial &amp; Program Design Terrence Blaschke, M.D. VP, Methodology and Science Pharsight Corporation &amp; Professor of Medicine &amp; Molecular Pharmacology Stanford University MODELS What is a model and

507 views • 40 slides
Incremental SAT Library Integration using Abstract Stobjs Sol Swords Centaur Technology, Inc.

Incremental SAT Library Integration using Abstract Stobjs Sol Swords Centaur Technology, Inc.

Incremental SAT Library Integration using Abstract Stobjs Sol Swords Centaur Technology, Inc. ACL2 Workshop 2018 Incremental vs. Monolithic SAT Monolithic SAT: Incremental SAT: Provide a Boolean formula (CNF), check Check SAT for permanent

317 views • 15 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Bamboozling Certificate Authorities with BGP Henry Birge-Lee, Yixin Sun, Anne Edmundson,

Bamboozling Certificate Authorities with BGP Henry Birge-Lee, Yixin Sun, Anne Edmundson,

Bamboozling Certificate Authorities with BGP Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, Prateek Mittal Autonomous System (AS) NTT 2914 Internet at the highest level Routing within an AS is completely autonomous

713 views • 29 slides
Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof.

Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof.

Securing Internet Communication: TLS, contd Network security CS 161: Computer Security Prof. Raluca Ada Popa Feb 27, 2018 Some slides credit David Wagner Announcements Midterm grades released Regrades: Read the follow-ups on the

1.75k views • 156 slides
The Origin of Near Earth The Origin of Near Earth The Origin of Near Earth The Origin of Near

The Origin of Near Earth The Origin of Near Earth The Origin of Near Earth The Origin of Near

The Origin of Near Earth The Origin of Near Earth The Origin of Near Earth The Origin of Near Earth Asteroids Asteroids Asteroids Asteroids Judit Judit Gy Ries Ries Ries Judit Judit rgyey Ries Gy Gy rgyey rgyey Gy rgyey

465 views • 24 slides

More recommend