causal analysis for software-defined networking attacks
TRANSCRIPT
Causal Analysis forSoftware-Defined Networking
AttacksBenjamin E. Ujcich1, Samuel Jero2, Richard Skowyra2,
Adam Bates3, William H. Sanders4, and Hamed Okhravi2
30th USENIX Security SymposiumAugust 11–13, 2021
Virtual Event
1 2
3 4
SDN: A Primer
2
Decoupling of traffic decision-making from
traffic being forwarded
CONTROLPLANE
Switches
Data PlaneHosts
Data PlaneHosts
DATAPLANE
SDN: A Primer
3
Logically centralized control plane that
determines behavior
CONTROLPLANE
Switches
SB API protocol(e.g., OpenFlow)
Data PlaneHosts
SDNController
Southbound API
Data PlaneHosts
Logically centralized (but perhaps physically
distributed)
DATAPLANE
SDN: A Primer
4
Network services API for extensible
network applications
FirewallApp
CONTROLPLANE
Switches
SB API protocol(e.g., OpenFlow)
Data PlaneHosts
SDNController
Southbound API
Northbound API
Data PlaneHosts
QoSApp
RoutingApp
NB API protocol
APPLICATION PLANE
DATAPLANE
Logically centralized (but perhaps physically
distributed)
SDN: A Security Target
5
FirewallApp
CONTROLPLANE
Switches
SB API protocol(e.g., OpenFlow)
Data PlaneHosts
SDNController
Southbound API
Northbound API
Data PlaneHosts
QoSApp
RoutingApp
NB API protocol
APPLICATION PLANE
DATAPLANE
Cross-app poisoning(Ujcich et al., CCS ‘18)
Cross-plane vulnerabilities
(Ujcich et al., NDSS ‘20)(Xiao et al., S&P ’20)
Help, My SDN Has Been Attacked!
What events happened in my network?How do I know I have complete oversight?
Can I accurately understand the attack?What are the root causes of the attack?
What else did the attack affect?
6
Data Provenance to the Rescue J
7
Process
Evidence (data)
…
Malicious process
……
…
Backward Tracing(What were the causes?)
Process
Evidence (data)
…
……
…
Forward Tracing(What were the effects?)
§ Shows how data were generated and used
§ Captures system principals, processes, and data objects in DAG
§ Useful for attack investigation and root cause analysis
What Makes This Challenging for SDN?
8
Challenge 1:Dependency explosion
Challenge 2:Incomplete dependencies
Challenge 3:Attribution and responsibility
Challenge 4:Interpretation
PICOSDNProvenance-Informed Causal Observation for
Software-Defined Networking
PICOSDN Challenges and Solutions
9
Challenge 1: Dependency explosionDiscovery: Long-running apps produce false data and process dependencies
Long-running SDN application (fwd application)
Packet 1 Packet 2
Flow rule 1 Flow rule 2
Packet 3 Packet 4
Flow rule 3 Flow rule 4
wasGeneratedBy
usedused used used
wGB wGB wGB
Packet 1 Packet 2
Dependency?
Packet 3 Packet 4
Flow rule 3
Dependency? Dependency? Dependency?
PICOSDN Challenges and Solutions
10
fwd app event listener instance
Packet 1 Packet 2
Flow rule 1 Flow rule 2
Packet 3 Packet 4
Flow rule 3 Flow rule 4
wasGeneratedBy
used used used used
wGB wGB wGB
fwd app event listener instance
fwd app event listener instance
fwd app event listener instance
Solution: Mitigate with events as short processes (execution partitioning) and control plane objects as data (data partitioning)
PICOSDN Challenges and Solutions
11
Challenge 2: Incomplete dependenciesDiscovery: Control plane can trigger other control plane activities via the data plane
DATA PLANE
CONTROL PLANE
Switch 1 Switch 2Switch 1Port 1
SDN Controller
Switch 2Port 1
NORTHBOUNDAPI
Packet
App X App Y
SOUTHBOUNDAPI
1
2 3
4Packet Out
Packet In
PICOSDN Challenges and Solutions
12
Packet InTime: 1 + εSwitch: 2
Port: 1
Packet OutTime: 1
Switch: 1Port: 1
fwd app event listener instance
fwd app event listener instance
wasDerivedFrom
Data plane model based on:happens-before relations, packet timestamps (within threshold), match
fields, and network topology
Solution: Mitigate by modeling the data plane
PICOSDN Challenges and Solutions
13
Challenge 3: Attribution and responsibilityDiscovery: Default flow rules create a data dependency explosion
Default Flow Rule (flow ID = 1)Match: all traffic
Action: send to controller
Packet InTime: 1
Flow ID: 1
Packet InTime: 2
Flow ID: 1
Packet InTime: 10
Flow ID: 1
Packet InTime: 100Flow ID: 1
wasDerivedFrom wasDerived
From wasDerivedFrom
wasDerivedFrom …
High fan-out potential
PICOSDN Challenges and Solutions
14
Switch 1Port 1
Default Flow Rule (flow ID = 1)Match: all traffic
Action: send to controller
Packet InTime: 1
Flow ID: 1
Packet InTime: 2
Flow ID: 1
Packet InTime: 10
Flow ID: 1
Packet InTime: 100Flow ID: 1
Switch 1Port 2
Switch 1Port 3
wasAttributedTo
wasAttributedTo
wasAttributedTo
wasAttributedTo
Solution: Mitigate by assigning agency to a switch port
PICOSDN Challenges and Solutions
15
Challenge 3: Attribution and responsibilityDiscovery: Host identifiers can be easily spoofed
VictimHost
Attacker-Controlled Host
ARP ARP
Victim sends packets with its own network
identifier (MAC address)
Attacker spoofs victim’s network identifier to trick SDN controller into
redirecting victim traffic to the attackerSwitch 1Port 1
Switch 1Port 2
PICOSDN Challenges and Solutions
16
Host XMAC address: X
Location: Switch 1, Port 1
Host Provider event listener
Packet In
Switch 1Port 1
Host XMAC address: X
Location: Switch 1, Port 2
Host Provider event listener
Packet In
Switch 1Port 2
… wasRevisionOf
wasRevisionOf
Host identifier evolution
Solution: Track how hosts’ identifiers change over time
PICOSDN Challenges and Solutions
17
Challenge 4: InterpretationDiscovery: Provenance is not useful unless we can understand it
PICOSDN Challenges and Solutions
1. Common ancestry: Given several nodes, what nodes are the common ancestors?
2. Backward-forward: Given a path between evidence (node) and root, what does the ancestry look like at each stage?
3. Activity summary: How do data plane packets impact flow rules?
4. Identifier evolution: How do hosts change identity?
18
Solution: Provide practical tools to summarize, analyze, and trace network activities
PICOSDN Architecture
19
SDN
Co
ntr
olle
r Controller core
Event Listeners & Packet Processors
App 1
App n
…
NB API
ONLINE OPERATION
APPLICATION PLANE
Hooked Methods
Data Store
SB APIHooked Methods
PICOSDN RUNTIME PHASE
Provenance Collector
Provenance Serializer
Internal State
PICOSDN INVESTIGATION PHASE
Ingester
Cleaner
TopologyAugmenter
TracerCommon Ancestry
Data Plane Model
Backward-Forward
Activity Summary
Identifier Evolution
Causal Analysis Queries
PICOSDN Inputs and Outputs(from/to network administrator)
OFFLINE OPERATION
12
3 4
6
7
CONTROL PLANE
Forwarding Devices
DATA PLANE …
…
Southbound API
Data Plane Hosts
Configuration
5
PICOSDN Security Evaluation
Example: Cross-Plane Event-Based Vulnerabilities
1. Switch ports as agents 2. Host identifier evolution
(i.e., spoofing)3. Data plane model based
on reactive forwarding
20
PM = packet managerHP = host providerf = flow rule, p = packeth = host, s = switchfwd = forwarding appacl = access control app
3
1
1
2
Conclusions
§ Considered causal analysis challenges in SDN attacks§ Design takeaways– Dependency explosion mitigated by control plane control
plane objects (data) and events (execution)– Incomplete dependencies mitigated by data plane model– Attribution and responsibility are challenging
§ Designed PICOSDN and implemented on ONOS SDN controller
21
Thanks!
Thank you for your time!
Benjamin E. UjcichE-mail: [email protected]
Web: https://benujcich.georgetown.domains/
22
This work was supported in part by NSF Grant No. CNS-1750024. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s)
and do not necessarily reflect the views of the National Science Foundation.