Taking Control of SDN-Based Cloud Systems Via the Data Plane

Taking Control of SDN-Based Cloud Systems Via the Data Plane

Delft University of Technology Taking Control of SDN-based Cloud Systems via the Data Plane Thimmaraju, Kashyap; Shastry, Bhargava; Fiebig, Tobias; Hetzelt, Felicitas; Seifert, Jean-Pierre; Feldmann, Anja; Schmid, Stefan DOI 10.1145/3185467.3185468 Publication date 2018 Document Version Accepted author manuscript Published in Proceedings of ACM Symposium on SDN Research (SOSR) Citation (APA) Thimmaraju, K., Shastry, B., Fiebig, T., Hetzelt, F., Seifert, J-P., Feldmann, A., & Schmid, S. (2018). Taking Control of SDN-based Cloud Systems via the Data Plane. In Proceedings of ACM Symposium on SDN Research (SOSR) (pp. 1-15). Association for Computing Machinery (ACM). https://doi.org/10.1145/3185467.3185468 Important note To cite this publication, please use the final published version (if applicable). Please check the document version above. Copyright Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons. Takedown policy Please contact us and provide details if you believe this document breaches copyrights. We will remove access to the work immediately and investigate your claim. This work is downloaded from Delft University of Technology. For technical reasons the number of authors shown on this cover page is limited to a maximum of 10. Taking Control of SDN-based Cloud Systems via the Data Plane Kashyap Bhargava Shastry Tobias Fiebig Felicitas Hetzelt Thimmaraju Security in Faculty of Technology, Security in Security in Telecommunications Policy and Management Telecommunications Telecommunications TU Berlin TU Delft TU Berlin TU Berlin Berlin, Germany Delft, Netherlands Berlin, Germany Berlin, Germany bshastry@sect:tu- t:fiebig@tudelft:nl file@sect:tu-berlin:de kash@sect:tu-berlin:de berlin:de Jean-Pierre Seifert Anja Feldmann Stefan Schmid∗† Security in Internet Architecture Faculty of Computer Telecommunications Max-Planck-Institut für Science TU Berlin Informatik University of Vienna Berlin, Germany Saarbrücken, Germany Vienna, Austria jpseifert@sect:tu- anja@mpi-inf:mpg:de schmiste@univie:ac:at berlin:de ABSTRACT We demonstrate the practical relevance of our analysis Virtual switches are a crucial component of SDN-based cloud using a case study with Open vSwitch and OpenStack. Em- systems, enabling the interconnection of virtual machines in ploying a fuzzing methodology, we find several exploitable a flexible and “software-defined” manner. This paper raises vulnerabilities in Open vSwitch. Using just one vulnerabil- the alarm on the security implications of virtual switches. In ity we were able to create a worm that can compromise particular, we show that virtual switches not only increase the hundreds of servers in a matter of minutes. attack surface of the cloud, but virtual switch vulnerabilities Our findings are applicable beyond virtual switches: NFV can also lead to attacks of much higher impact compared to and high-performance fast path implementations face similar traditional switches. issues. This paper also studies various mitigation techniques We present a systematic security analysis and identify and discusses how to redesign virtual switches for their inte- four design decisions which introduce vulnerabilities. Our gration. findings motivate us to revisit existing threat models for SDN- based cloud setups, and introduce a new attacker model for KEYWORDS SDN-based cloud systems using virtual switches. Network Isolation; Network Virtualization; Data Plane Secu- rity; Packet Parsing; MPLS; Virtual Switches; Open vSwitch; Cloud Security; OpenStack; Attacker Models; ROP; SDN; ∗ Also with, Internet Network Architectures, TU Berlin. NFV †Also with, Dept. of Computer Science, Aalborg University. 1 INTRODUCTION Permission to make digital or hard copies of all or part of this work for Modern cloud systems such as OpenStack [7], Microsoft personal or classroom use is granted without fee provided that copies Azure [26] and Google Cloud Platform [92] are designed are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for programmability, (logically) centralized network con- for components of this work owned by others than the author(s) must trol and global visibility. These tenets also lie at the heart be honored. Abstracting with credit is permitted. To copy otherwise, or of Software-defined Networking (SDN) [23, 51] which en- republish, to post on servers or to redistribute to lists, requires prior specific ables cloud providers to efficiently utilize their resources [35], permission and/or a fee. Request permissions from [email protected]. manage their multi-tenant networks [44], and reason about SOSR ’18, March 28–29, 2018, Los Angeles, CA, USA orchestration [41]. © 2018 Copyright held by the owner/author(s). Publication rights licensed to the Association for Computing Machinery. The data plane of Software-Defined Networks in the cloud ACM ISBN 978-1-4503-5664-0/18/03...$15.00 are highly virtualized [44]: Virtual switches (running on https://doi:org/10:1145/3185467:3185468 the servers) are responsible for providing connectivity and the security issues identified in this paper leading usto OF 1.3 ovs-0.90.4OF 1.0ovs-1.0.0 OF 1.1 ovs-1.2.0OF 1.2 ovs-1.7.0 ovs-1.11.0 ovs-2.3.0 ovs-2.4.0 ovs-2.6.0ovs-2.7.0 introduce a new attacker model for the operation of vir- 50 tualized data plane components in a Software-defined 40 Network as well as in the context of Network Function 30 20 Virtualization (NFV): A low-budget attacker can cause Parsed Protocols 10 significant harm on SDN-based cloud systems. 0 • We demonstrate the practical feasibility of our attacks on OvS, a popular open-source virtual switch imple- Jul-2009 Jul-2010 Jul-2011 Jul-2012 Jul-2013 Jul-2014 Jul-2015 Jul-2016 Jul-2017 Jan-2009 Jan-2010 Jan-2011 Jan-2012 Jan-2013 Jan-2014 Jan-2015 Jan-2016 Jan-2017 Time mentation used in SDN-based cloud systems. This case Open vSwitch OpenFlow vNexus study shows that commonly used virtual switch im- plementations are not resilient against our attacker Figure 1: The total number of parsed high-level pro- model. Indeed, such an attacker can successfully ex- tocols in two popular virtual switches and OpenFlow ploit a whole SDN-based cloud setup within minutes. from 2009-2017. • We extend our study by surveying high performance fast paths, other virtual switch implementations, and related SDN and NFV technologies. We find that they isolation among virtual machines [63]. Prominent virtual are also susceptible to the same design issues. Further- switches today are: Open vSwitch (OvS) [64], Cisco Nexus more, we find that software mitigations are commonly 1000V [93], VMware vSwitch [94] and Microsoft VFP [26]. not considered during the evaluation of new data plane Virtual switches are typically not limited to provide tra- components. ditional switching but support an increasing number of net- • We find that software mitigations for the vulnerabili- work and middlebox functionality [26, 33], e.g., routing, fire- ties we exploited could be adopted with a small perfor- walling, network address translation and load-balancing. mance penalty for real-world traffic scenarios. Their Placing such functionality at the virtualized edge of the net- use must be evaluated during design and implementa- work (i.e., the servers) is attractive, as it allows to keep the tion of new SDN and NFV components. network fabric simple and as it supports scalability [26, 63]. However, the trend to move functionality from the net- Ethical Considerations: To avoid disrupting the normal work fabric to the edge (virtual switch) also comes at the operation of businesses, we verified our findings on our price of increased complexity. For example, the number of own infrastructure. We have disclosed our findings to the protocols that need to be parsed and supported by virtual OvS team who have integrated the fixes. Ubuntu, Redhat, switches (Open vSwitch and Cisco Nexus 1000v) and Open- Debian, Suse, Mirantis, and other stakeholders have applied Flow [51] have been growing steadily over the last years [89] these fixes in their stable releases. Furthermore, CVE-2016- (see Fig. 1). 2074 and CVE-2016-10377 were assigned to the discovered The trend towards more complex virtual switches is wor- vulnerabilities. risome as it may increase the attack surface of the virtual Structure: We provide necessary background information switch. For example, implementing network protocol parsers on virtual switches in Section 2. Section 3 introduces and in the virtual switch is non-trivial and error-prone [25, 79, 82]. discusses our security analysis of virtual switches and exist- These observations lead us in this paper to conduct a security ing threat models. Based on this analysis we propose a new study of virtual switches. attacker model. Section 4 presents a proof-of-concept case Our contributions: study attack on OvS in OpenStack. We then investigate how • We present a systematic security analysis of virtual our findings on OvS relate to other virtual switches, high switches. We find that virtual switches not only in- performance fast paths and SDN/NFV in Section 5. Subse- crease the attack surface of an SDN-based cloud sys- quently, we discuss possible software mitigations and their tem (compared to their traditional counterparts), but performance impact in Section 6, and design countermea- can also have a much larger impact on cloud systems. sures in Section 7. After discussing related work in Section 8, • Our analysis reveals four main factors that cause se- we conclude in Section 9. curity issues: The co-location of virtual switches with the server’s virtualization layer (in user- and kernel- space); centralized control; complex packet parsing 2 BACKGROUND (and processing) of attacker controlled data.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us