12 research outputs found

    Outsmarting Network Security with SDN Teleportation

    Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call teleportation. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane, to bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.
    Comment: Accepted in EuroSP'1

    Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers

    Computer networks today typically do not provide any mechanisms to the users to learn, in a reliable manner, which paths have (and have not) been taken by their packets. Rather, it seems inevitable that as soon as a packet leaves the network card, the user is forced to trust the network provider to forward the packets as expected or agreed upon. This can be undesirable, especially in the light of today's trend toward more programmable networks: after a successful cyber attack on the network management system or Software-Defined Network (SDN) control plane, an adversary in principle has complete control over the network. This paper presents a low-cost and efficient solution to detect misbehaviors and ensure trustworthy routing over untrusted or insecure providers, in particular providers whose management system or control plane has been compromised (e.g., using a cyber attack). We propose Routing-Verification-as-a-Service (RVaaS): RVaaS offers clients a flexible interface to query information relevant to their traffic, while respecting the autonomy of the network provider. RVaaS leverages key features of OpenFlow-based SDNs to combine (passive and active) configuration monitoring, logical data plane verification and actual in-band tests, in a novel manner

    Count Me If You Can: Enumerating QUIC Servers Behind Load Balancers

    QUIC is a new transport protocol over UDP which recently became an IETF RFC. Our security analysis of the Connection ID mechanism in QUIC reveals that the protocol is underspecified. This allows an attacker to count the number of server instances behind a middlebox, e.g., a load balancer. We found 4/15 (~25%) implementations vulnerable to our enumeration attack. We then concretely describe how an attacker can count the number of instances behind a load balancer that uses either Round Robin or Hashing

    From Threats to Solutions in Data Center Networks

    In this dissertation we adopt a threat model where the data center network infrastructure is potentially malicious. To describe practical threats and solutions related to malicious switches, we draw our attention to multi-tenant data center networks that i) consolidate control over the (hardware and software) switches in a logically centralized controller and ii) use virtualization techniques for multi-tenancy. Our extensive security analyses and evaluations of the design, specifications and systems of logically centralized data center network controllers reveal the following. Malicious switches can covertly bypass network-wide security policies and mechanisms via the controller. We identify three reasons for the existence of such covert channels: i) malicious switches share the logical controller, ii) lack of authentication and authorization of switches to the controller and iii) the introduction of automation and programmability of the network. These channels can be reliable (TCP-based) and fast (10 Mbps). As a result, malicious switches can launch several network-based attacks in the data center, e.g., to circumvent firewalls and access unauthorized data. Furthermore, our state transition and delay model of the switch-controller handshake allows us to design, implement and evaluate a covert timing channel that uses a frame-based transmission scheme for accurate and low-bandwidth (20 bps) communication, e.g., to exfiltrate private keys. We also initiate the discussion of practical countermeasures, e.g., coupling TLS with the switch-controller handshake for authentication. Next, our security analysis of network virtualization architectures that use virtual switches—a key system for enforcing network isolation in multi-tenant data center networks—sheds light on the following. Increasing network functionality in the virtual switch, coupled with co-locating it with the hypervisor and the lack of appropriate threat models, among other reasons, has resulted in an insecure design. An attacker can escape host and network virtualization and compromise the entire data center as a worm. By fuzzing the packet parser of a popular virtual switch (OvS), we discovered 3 exploitable memory corruption vulnerabilities. We use just one of them in a popular cloud management system (OpenStack) to demonstrate our point: from a virtual machine (VM) we could take down hundreds of servers in a few minutes. Our measurements of the impact of software-based countermeasures that could have prevented the vulnerabilities discovered in OvS from being exploited show that maximum packet processing throughput is reduced by half in the kernel, whereas the overhead in user space is minimal (1-15%). Finally, we continue our previous work by first surveying the security landscape of 23 virtual switches and conclude that nearly all of them lack security in their design. Hence, we introduce four secure design principles for virtual switches and accordingly build a scalable prototype that prevents the virtual switch from being a liability to the (multi-tenant) data center network. The key insights from our system and performance evaluations are as follows. We can isolate and scale the virtual switches and their respective virtual networks by placing them in containers in VMs. Using Single Root I/O Virtualization allows us to i) reduce the trusted computing base of virtual networking, ii) provide cloud operators an easy upgrade path and iii) increase the performance of the tenants' network applications (e.g., web servers and key-value stores).

    In this dissertation we assume a threat model in which the network infrastructure of a data center is potentially malicious. To describe practical threats and solutions related to malicious switches, we focus on multi-tenant data center networks i) in which control over the (hardware and software) switches lies with a (logically) centralized controller and ii) which use virtualization techniques for multi-tenancy. Our extensive security analyses and evaluations of the design, the specifications and the systems of controllers for centralized data center networks show that malicious switches can covertly bypass network-wide security policies and mechanisms via the controller. We identify three reasons for the existence of such covert channels: i) the centralized controller is shared by malicious switches; ii) switches require no authentication or authorization towards the controller; and iii) the introduction of automation and programmability of the network. These channels can be reliable (TCP-based) and fast (10 Mbps). Malicious switches can thereby carry out various network-based attacks in the data center, for example to circumvent firewalls or to gain unauthorized access to data. Furthermore, with the help of our state transition and delay model of the switch-controller handshake, we can design, implement and evaluate a covert timing-based communication channel. This frame-based transmission scheme for low-bandwidth (20 bps) communication with a low error rate allows us, for example, to exfiltrate private keys. As a countermeasure we discuss, among other things, coupling TLS with the switch-controller handshake for authentication. Another key technology for enforcing virtual network architectures in multi-tenant data center networks is the use of virtual switches. Our security analysis of these architectures shows that the increase in functionality in the virtual switch, combined with its embedding in the hypervisor and the lack of suitable threat models, among other reasons, has led to an insecure design. An attacker can escape host and network virtualization and thereby compromise the entire data center as a worm. By fuzzing the packet parser of a popular virtual switch (OvS) we discovered three exploitable vulnerabilities. We use one of them in a popular cloud management system (OpenStack) to demonstrate our finding: from a virtual machine (VM) we could compromise hundreds of servers in a few minutes. Our measurements show that the impact of software-based countermeasures that could have prevented the vulnerabilities discovered in OvS from being exploited reduces the maximum packet throughput in the kernel by half, whereas the overhead in user space is minimal (1-15%). Finally, we note that in our study of 23 virtual switches almost none pursues security as a design goal. We therefore propose four secure design principles for virtual switches and design a scalable prototype that prevents the virtual switch from posing a risk to the multi-tenant network. The key insights from our system and performance evaluations are as follows. We can isolate and scale the virtual switches and their respective virtual networks by using VMs. Using Single Root I/O Virtualization allows us to i) reduce the trusted computing base of virtual networks, ii) offer cloud operators a simple upgrade path and iii) increase the network throughput of tenant machines, for example for web servers or key-value stores

    NetCo: Reliable Routing with Unreliable Routers

    Software-Defined Networks (SDNs) are typically designed and operated under the assumption that the underlying routers (and switches) are trustworthy. Recent incidents, however, suggest that this assumption is questionable. The possibility of incorrect or even malicious router behavior introduces a wide range of security problems. The problem is exacerbated by the fact that governments and companies have neither the expertise nor the budget to build their own trusted high-performance routing hardware. This paper presents NetCo, an approach to build secure routing using insecure routers. NetCo is inspired by the robust combiner concept known from cryptography, and leverages redundancy to compile a secure whole from insecure parts. We present the basic design of NetCo, and report on a prototype implementation in OpenFlow

    Taking Control of SDN-based Cloud Systems via the Data Plane

    Virtual switches are a crucial component of SDN-based cloud systems, enabling the interconnection of virtual machines in a flexible and “software-defined” manner. This paper raises the alarm on the security implications of virtual switches. In particular, we show that virtual switches not only increase the attack surface of the cloud, but that virtual switch vulnerabilities can also lead to attacks of much higher impact compared to traditional switches. We present a systematic security analysis and identify four design decisions which introduce vulnerabilities. Our findings motivate us to revisit existing threat models for SDN-based cloud setups, and to introduce a new attacker model for SDN-based cloud systems using virtual switches.
    Information and Communication Technolog