论文信息 - RE-CHECKER: Towards Secure RESTful Service in Software-Defined Networking

RE-CHECKER: Towards Secure RESTful Service in Software-Defined Networking

Over the years, Software-Defined Networking (SDN) has grown aggressively, and many SDN controller products have been released to date as not only open source projects but also commercial ones. Considering the adoption of SDN, the security of SDN components is an essential aspect that needs to be thoroughly investigated, so research in this area has been getting attention. However, despite growing interest in SDN security, SDN controllers are vulnerable to security vulnerabilities that have not yet been disclosed. Among them, we focus on RESTful services provided by SDN controllers because those services help users to implement useful network functions in a programmable way, so it can be a critical attack point to an adversary. Therefore, in this work, we try to find out vulnerabilities and bugs of the RESTful service implementation, which are powerful enough to jeopardize the entire network. To more efficiently detect those vulnerabilities and bugs, we introduce a framework called RE-CHECKER that can find the security holes of RESTful services in SDN controller. As a result, using RE-CHECKER, we found four bug types against three open source controllers: ONOS, Floodlight, and Ryu. To prove the feasibility and examine the potential impact of each vulnerability and bug, we demonstrate some vulnerable scenarios in the real SDN environments.

[1] Lei Xu,et al. Attacking the Brain: Races in the SDN Control Plane , 2017, USENIX Security Symposium.

[2] Sonia Fahmy,et al. BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems , 2017, RAID.

[3] Jan Medved,et al. OpenDaylight: Towards a Model-Driven SDN Controller architecture , 2014, Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014.

[4] Salvatore J. Stolfo,et al. A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan , 2010, ACSAC '10.

[5] Vinod Yegneswaran,et al. A Security-Mode for Carrier-Grade SDN Controllers , 2017, ACSAC.

[6] Jim Esch,et al. Software-Defined Networking: A Comprehensive Survey , 2015, Proc. IEEE.

[7] Sakir Sezer,et al. Sdn Security: A Survey , 2013, 2013 IEEE SDN for Future Networks and Services (SDN4FNS).

[8] Vinod Yegneswaran,et al. DELTA: A Security Assessment Framework for Software-Defined Networks , 2017, NDSS.

[9] Brent Byunghoon Kang,et al. Rosemary: A Robust, Secure, and High-performance Network Operating System , 2014, CCS.

[10] Lei Xu,et al. Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures , 2015, NDSS.