Outsmarting Network Security with SDN Teleportation

2017 IEEE European Symposium on Security and Privacy (EuroS&P) Pub Date : 2016-11-16 DOI:10.1109/EuroSP.2017.21

K. Thimmaraju, Liron Schiff, S. Schmid

{"title":"Outsmarting Network Security with SDN Teleportation","authors":"K. Thimmaraju, Liron Schiff, S. Schmid","doi":"10.1109/EuroSP.2017.21","DOIUrl":null,"url":null,"abstract":"Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call teleportation. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.","PeriodicalId":233564,"journal":{"name":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","volume":"142 2","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"27","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EuroSP.2017.21","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 27

Abstract

Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call teleportation. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.

查看原文本刊更多论文

用SDN传送胜过网络安全

软件定义网络被认为是一个很有前途的新范例，它使通信网络更加可靠和正式可验证。然而，本文表明，控制平面与数据平面的分离是软件定义网络(sdn)的核心，它引入了一个新的漏洞，我们称之为隐形传输。攻击者(例如，数据平面上的恶意交换机或连接到网络的主机)可以使用隐形传输通过控制平面传输信息，绕过数据平面上的关键网络功能(例如防火墙)，并且违反安全策略以及逻辑甚至物理分离。本文从理论上描述了隐形传态攻击的设计空间，并对四种不同的隐形传态攻击技术进行了分类。我们演示并讨论了如何利用这些技术进行不同的攻击(例如，以高速率窃取机密数据)，并开始讨论可能的对策。一般来说，考虑到当今更多基于意图的网络的趋势，我们相信我们的发现与本文中考虑的用例无关。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE European Symposium on Security and Privacy (EuroS&P)

自引率

0.00%

发文量