DELTA: A Security Assessment Framework for Software-Defined Networks

Developing a systematic understanding of the attack surface of emergent networks, such as software-defined networks (SDNs), is necessary and arguably the starting point toward making such networks more secure. Prior studies have largely relied on ad hoc empirical methods to evaluate the security of various SDN elements from different perspectives. However, they have stopped short of converging on a systematic methodology or of developing automated systems to rigorously test SDNs for security flaws. As a result, conducting a security assessment of new SDN software remains a non-replicable and unregimented process. This paper makes the case for automating and standardizing the vulnerability identification process in SDNs. As a first step, we developed a security assessment framework, DELTA, that reinstantiates published SDN attacks in diverse test environments. Next, we enhanced the tool with a protocol-aware fuzzing module to automatically discover new vulnerabilities. In our evaluation, DELTA successfully reproduced 20 known attack scenarios across diverse SDN controller environments and discovered seven novel SDN application mislead attacks.
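
The abstract contrasts protocol-aware fuzzing with the ad hoc approaches that preceded it. The following is an added illustration of what "protocol-aware" means for an OpenFlow control-channel fuzzer; it is example code written for this page, not code from DELTA or from any controller. The OpenFlow 1.0 header and PACKET_IN layouts follow the public spec; the seed message, the mutation strategies, the strategy names and the toy controller-side decoder (`parse_packet_in`) are constructed here as assumptions. The point it demonstrates goes slightly beyond the abstract: a mutator that edits one semantic field (in_port, total_len, payload) and recomputes the header length produces messages that pass the controller's framing checks and reach application logic, which is where application-level mislead bugs live, whereas blind bit flips frequently die at the first length or version check.

```python
"""Structure-aware mutation of OpenFlow 1.0 PACKET_IN messages (added example, not DELTA's code).
Header/body layouts follow the OpenFlow 1.0 spec; seed message, mutators and the
controller-side decoder below are constructed for this illustration."""
import random
import struct

OFP_VERSION_10 = 0x01
OFPT_PACKET_IN = 10
OFP_HEADER = struct.Struct("!BBHI")            # version, type, length, xid
OFP_PACKET_IN_BODY = struct.Struct("!IHHBx")   # buffer_id, total_len, in_port, reason, pad
OFPR_NO_MATCH = 0
OFPP_MAX, OFPP_CONTROLLER, OFPP_NONE = 0xFF00, 0xFFFD, 0xFFFF


def _pack(xid, buffer_id, total_len, in_port, reason, payload):
    """Serialise a PACKET_IN. The header length is always recomputed, so a mutant
    survives the controller's framing check and reaches deeper logic."""
    body = OFP_PACKET_IN_BODY.pack(buffer_id, total_len, in_port, reason)
    length = OFP_HEADER.size + len(body) + len(payload)
    return OFP_HEADER.pack(OFP_VERSION_10, OFPT_PACKET_IN, length, xid) + body + payload


def build_packet_in(xid, buffer_id, in_port, reason, payload):
    """Well-formed seed: total_len agrees with the payload actually carried."""
    return _pack(xid, buffer_id, len(payload), in_port, reason, payload)


def parse_packet_in(msg):
    """Toy controller-side decoder (assumed): the framing checks a controller runs
    before handing a message to applications. It deliberately does not validate
    in_port, reason or total_len; those are left to application logic."""
    if len(msg) < OFP_HEADER.size:
        raise ValueError("short header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(msg)
    if version != OFP_VERSION_10 or mtype != OFPT_PACKET_IN:
        raise ValueError("not a v1.0 PACKET_IN")
    if length != len(msg):
        raise ValueError("length field disagrees with frame size")
    if len(msg) < OFP_HEADER.size + OFP_PACKET_IN_BODY.size:
        raise ValueError("short body")
    buffer_id, total_len, in_port, reason = OFP_PACKET_IN_BODY.unpack_from(msg, OFP_HEADER.size)
    return {"xid": xid, "buffer_id": buffer_id, "total_len": total_len, "in_port": in_port,
            "reason": reason, "payload": msg[OFP_HEADER.size + OFP_PACKET_IN_BODY.size:]}


# Protocol-aware mutators: change one semantic field, keep the framing valid.
def mut_reserved_in_port(msg, rng):
    f = parse_packet_in(msg)
    f["in_port"] = rng.choice([0, OFPP_MAX + 1, OFPP_CONTROLLER, OFPP_NONE])
    return _pack(**f)

def mut_total_len_mismatch(msg, rng):
    f = parse_packet_in(msg)
    f["total_len"] = rng.choice([0, 0xFFFF, len(f["payload"]) + 1])
    return _pack(**f)

def mut_truncate_payload(msg, rng):
    f = parse_packet_in(msg)
    f["payload"] = f["payload"][:rng.randint(0, max(len(f["payload"]) - 1, 0))]
    return _pack(**f)                           # total_len still claims the old size

def mut_grow_payload(msg, rng):
    f = parse_packet_in(msg)
    f["payload"] += bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 64)))
    return _pack(**f)

# Protocol-unaware baseline: random bit flips anywhere in the frame.
def mut_bit_flips(msg, rng, flips=3):
    buf = bytearray(msg)
    for _ in range(flips):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

STRATEGIES = {
    "aware/reserved_in_port": mut_reserved_in_port,
    "aware/total_len_mismatch": mut_total_len_mismatch,
    "aware/truncate_payload": mut_truncate_payload,
    "aware/grow_payload": mut_grow_payload,
    "dumb/bit_flips": mut_bit_flips,
}


def mutate(strategy, msg, rng_seed=0):
    """Apply one named strategy with a seeded RNG, so a finding is reproducible."""
    return STRATEGIES[strategy](msg, random.Random(rng_seed))


def run_campaign(seed_msg, rounds=64, rng_seed=1):
    """Count, per strategy, how many mutants get past the controller's decoder."""
    rng = random.Random(rng_seed)
    stats = {}
    for name, mutator in STRATEGIES.items():
        accepted = 0
        for _ in range(rounds):
            try:
                parse_packet_in(mutator(seed_msg, rng))
                accepted += 1
            except ValueError:
                pass
        stats[name] = {"accepted": accepted, "rejected": rounds - accepted}
    return stats


if __name__ == "__main__":
    # Constructed seed: an OF1.0 PACKET_IN carrying a 14-byte (Ethernet-header-sized) frame.
    seed = build_packet_in(xid=7, buffer_id=0xFFFFFFFF, in_port=3,
                           reason=OFPR_NO_MATCH, payload=bytes(14))
    for name, s in run_campaign(seed).items():
        print(f"{name:26s} accepted={s['accepted']:3d} rejected={s['rejected']:3d}")
```

Every `aware/*` mutant is accepted by the decoder because `_pack` recomputes the outer length; the interesting inconsistencies (a truncated payload under an unchanged `total_len`, a reserved `in_port`) are now the application's problem, which is exactly the layer a control-plane fuzzer wants to exercise. The `dumb/bit_flips` baseline loses every mutant whose flip lands in the version, type or length bytes before any application code runs. To turn this into a real harness, replace `parse_packet_in` with a connection to the controller under test and record crashes, hangs or flow-table changes instead of `ValueError`.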
