Gray-FlowFuzz-A-Framework-For-Fuzzing-OpenFlow · PDF fileFlowFuzz A Framework for Fuzzing...

FlowFuzzA Framework for Fuzzing OpenFlow-enabled

Software and Hardware Switches

Nicholas Gray, Manuel Sommer, Thomas Zinner, Phuoc Tran-Gia

About us

Chair of Communication Networkscomnet.informatik.uni-wuerzburg.de

Prof. Dr.-Ing. Phuoc Tran-Gia

Dr. Thomas Zinner

Nicholas Gray M. Sc.

Manuel SommerB. Sc.

SarDiNeSardine-project.org

Modeling,Performance

Analysis & Optimization,Measurement,

Experimentation,Simulation

Software-defined Networking &

Cloud Networks

Future Internet &

Smartphone Applications

Network Dynamics &

Control

QoE Modeling&

Resource Management

Agenda• Software-defined Networking (SDN)

• SDN Basics• Enhancing Network Security with SDN• Overview of the SDN Attack Surface• OpenFlow

• FlowFuzz• Architecture• Evaluation of Software Switches• Investigation of Feedback Sources for Hardware Switches• Evaluation of Hardware Switches

Speed of Innovation

Data Center

Speed of Innovation

Data Center

Speed of Innovation

Data Center

Speed of Innovation

Data Center

Speed of Innovation

Data Center

Ethernet, IPv4, BGP…

Speed of Innovation

Data Center

Ethernet, IPv4, BGP…

Innovation Barrier

Specialized Hardware

Control Plane

Data Plane

Innovation Barrier

Proprietary Firmware

Control Plane

Data Plane

Innovation Barrier

Over Specification

Control Plane

Data Plane

Innovation Barrier

Over Specification

FewVendors

Control Plane

Data Plane

Software-defined Networking (SDN)

Control Plane

Data Plane

Separation of Control and Data

Data Plane

Control PlaneSeparation of Control and Data

PlaneSouthbound

Data Plane

Control PlaneLogically Centralized

Control Plane

PlaneSouthbound

Data Plane

Control Plane

Open Interfaces

PlaneSouthbound

Data Plane

Control Plane

Open Interfaces

Programm-ability

Southbound API

SDN – Packet Handling & Table Structure

ActionRule Stats

Switch Port

Switch Phy Port

Metadata

ETH Dst

ETH Src

ETH Type

VLAN VID

VLAN PCP

IP DSCP

IP ECN

IP Proto

IPv4 Src

IPv4 Dst

TCP Src

TCP Dst

UDP Src

UDP Dst

SCTP Src

SCTP Dst

ICMPv4 Type

ICMPv4 Code

ARP OP

ARP SPA

ARP TPA

ARP SHA

ARP THA

Mask for match fields

ActionRule Stats

• Forward packet to zero or more ports• Encapsulate and forward to controller• Send to normal processing pipeline• Modify Fields• Any extensions you add!

Switch Port

Switch Phy Port

Metadata

ETH Dst

ETH Src

ETH Type

VLAN VID

VLAN PCP

IP DSCP

IP ECN

IP Proto

IPv4 Src

IPv4 Dst

TCP Src

TCP Dst

UDP Src

UDP Dst

SCTP Src

SCTP Dst

ICMPv4 Type

ICMPv4 Code

ARP OP

ARP SPA

ARP TPA

ARP SHA

ARP THA

ActionRule Stats

• Forward packet to zero or more ports• Encapsulate and forward to controller• Send to normal processing pipeline• Modify Fields• Any extensions you add!

Packet + Byte Counters

Switch Port

Switch Phy Port

Metadata

ETH Dst

ETH Src

ETH Type

VLAN VID

VLAN PCP

IP DSCP

IP ECN

IP Proto

IPv4 Src

IPv4 Dst

TCP Src

TCP Dst

UDP Src

UDP Dst

SCTP Src

SCTP Dst

ICMPv4 Type

ICMPv4 Code

ARP OP

ARP SPA

ARP TPA

ARP SHA

ARP THA

SDN ExampleControl Plane (CP)

Data Plane (DP)

Southbound API Match Action

Reactive Proactive

Data Plane (DP)

Reactive Proactive

Data Plane (DP)

Reactive Proactive

Data Plane (DP)

Reactive Proactive

Data Plane (DP)

Reactive Proactive

Data Plane (DP)

Reactive Proactive

Data Plane (DP)

Control Plane (CP)

Data Plane (DP)

Southbound API

Match Action

CP*.* B

Reactive Proactive

Data Plane (DP)

Control Plane (CP)

Data Plane (DP)

Southbound API

Match Action

CP*.* B

Reactive Proactive

Data Plane (DP)

Control Plane (CP)

Data Plane (DP)

Southbound API

Match Action

CP*.* B B

Reactive Proactive

Data Plane (DP)

Control Plane (CP)

Data Plane (DP)

Southbound API

Match Action

CP*.* B B

Reactive Proactive

Data Plane (DP)

Control Plane (CP)

Data Plane (DP)

Southbound API

Match Action

CP*.* B B

Reactive Proactive

SDN Ecosystem

Network Control Module

Application Control

Interface

SDN Control Plane

SDN WAN

Switch Switch

SDN Ecosystem

Application Control

Interface

SDN Control Plane

SDN WAN

Application Control Plane

Northbound API

Switch Switch

Application Control Module

SDN Ecosystem

Application Control

Interface

SDN Control Plane

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

SDN Control Plane

Switch Switch

Southbound API

SDN Ecosystem

Application Control

Interface

SDN Control Plane

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

SDN Control Plane Legacy Network Control Plane

Legacy WAN

Eastbound API

Switch Switch

Southbound API

SDN Use Cases

Cloud Orchestration

Application Awareness

Routing/Load Balancing

Network Monitoring

Network Management

Network Security

Software-defined

Networking

SDN Use Cases

Cloud Orchestration

Application Awareness

Routing/Load Balancing

Network Monitoring

Network Management

Network Security

Software-defined

Networking

Can we enhance network security with SDN?

External Network Internal Network

Internal Network

SDN Omni-Present Firewall

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private CloudServices

SDN Switch SDN Switch

Internal Network

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private CloudServices

Internal Network

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private Cloud

Available Services

Services

Internal Network

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private Cloud

Available Services

Services

Internal Network

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private Cloud

FW VNF

Shared State

Available Services

Services

Internal Network

SDN Controller

Network Management

System

Cloud Management

System

FW VNF

Private Cloud

FW VNF

Shared State

Available Services

Services

Application Control

Interface

SDN Control Plane

SDN Attack Surface

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

Legacy WAN

Eastbound API

Switch Switch

Southbound API

Application Control

Interface

SDN Control Plane

SDN Attack Surface

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

Legacy WAN

Eastbound API

Switch Switch

Southbound API

Application Control

Interface

SDN Control Plane

SDN Attack Surface

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

Legacy WAN

Eastbound API

Switch Switch

Southbound API

SDN Attack Surface

SDN WAN

Northbound API

Westbound API

HypervisorvSwitch

Legacy WAN

Eastbound API

Switch Switch

Southbound API

Application Control

Interface

SDN Control Plane

Westbound API

Application Control

Interface

SDN Control Plane

SDN Attack Surface

SDN WAN

Northbound API

HypervisorvSwitch

SDN Network Control Plane

Legacy Network Control Plane

Legacy WAN

Switch Switch

Southbound API

Eastbound API

SDN Attack Surface

SDN WAN

Northbound API

HypervisorvSwitch

Legacy Network Control Plane

Legacy WAN

Eastbound API

Switch Switch

Southbound API

Application Control

Interface

SDN Control PlaneSDN Control Plane

Westbound API

Application Control

Interface

SDN Control Plane

SDN Attack Surface

SDN WAN

Northbound API

HypervisorvSwitch

Legacy WAN

Eastbound API

Switch Switch

Southbound API

OpenFlow• De-facto standard Southbound API protocol

• Maintained by the Open Networking Foundation

• First release in December 2009

• Most current version 1.5.1 (April 2015)

• Supported by 120+ industrial members

OpenFlow – Channel Initialization

OpenFlow Switch Controller

TCP SYNSYN ACK

TCPHandshake

ARP RequestARP Reply

MACResolution

HelloHello

Feature RequestFeature Reply

OpenFlowHandshake

TCP SYNSYN ACK

TCPHandshake

ARP RequestARP Reply

MACResolution

OpenFlow – Message Structure & Types

OpenFlow Message Header

Version Type Length XID

…Payload…

SymmetricAsynchronous Controller-to-Switch

…Payload…

Symmetric

HelloEcho Request

Echo ReplyExperimeter

Asynchronous

Packet-InFlow Removed

Port StatusError

Controller-to-Switch

Feature Request, Get Config Request, Set Config, Packet-Out, Flow Modification, Group Modification, Port Modification, Table

Modification, Meter Modification, Statistics Request, Barrier Request, Queue Get ConfigRequest, Role Request, Get Asynchronous

Request, Set Asynchronous

Fuzzing

System/Device Under Test

Random Input

Invalid Input

Unexpected InputAutomated

Fuzzer

Fuzzing

Random Input

Invalid Input

Fuzzer

Check for Crash

Fuzzing

Random Input

Invalid Input

Fuzzer

MutationMutates valid

GenerationGenerates

valid/invalid input

Check for Crash

Fuzzing

Random Input

Invalid Input

Fuzzer

MutationMutates valid

GenerationGenerates

valid/invalid input

Feedback Loop

Check for Crash

Open vSwitch (OvS)• Production quality, multilayer open virtual switch

• Integrated into OpenStack, Xen, Pica8…

• Fully supports OpenFlow up to v1.4

• Operates either as software switch or ascontrol stack for dedicated hardware

ovs-vswitchd

openvswitch.ko

…Virtual Switch

Virtual Switch

Kernel Space

User Space

Open vSwitch Fuzzer – A First Try

Open vSwitchRyu OpenFlowController Mutation

Fuzzer

Lack of control

Fuzzer

Lack of controlController needs to be actively triggered

Fuzzer

Lack of controlController needs to be actively triggeredHard to integrate a feedback loop

Fuzzer

Lack of controlController needs to be actively triggeredHard to integrate a feedback loop

Simple and fast but no promising approach

FlowFuzz

Protocol Aware

Python Based

Supports OF v1.0/1.3

Corpus of Valid Inputs

Directed and Random Input Generation

Various Sources as Feedback Loop

FlowFuzz

FlowFuzz – Architecture & Stages

TCP Connection Handler

LogModule

TestcaseLoader

ReplayModule

Test Manager

LogModule

TestcaseLoader

ReplayModule

Test Manager

Pre-condition Test Execution Validation Post-condition

OF Handshake

Table Initiation

LogModule

TestcaseLoader

ReplayModule

Test Manager

OF Handshake

Table Initiation

Input Generation

Transmission

LogModule

TestcaseLoader

ReplayModule

Test Manager

OF Handshake

Table Initiation

Input Generation

Transmission

Sanity Checks

Logging

LogModule

TestcaseLoader

ReplayModule

Test Manager

OF Handshake

Table Initiation

Input Generation

Transmission

Sanity Checks

Logging Reset

Evaluation

LogModule

TestcaseLoader

ReplayModule

Test Manager

OF Handshake

Table Initiation

Input Generation

Transmission

Sanity Checks

Logging Reset

Evaluation

LogModule

TestcaseLoader

ReplayModule

Test Manager

Open vSwitch – Test Bed

OpenvSwitch v1.5

OpenvSwitch v2.0

OpenvSwitch v2.5

OpenvSwitch v2.7

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

Ubuntu VM

vSwitchFuzzer

All compiled with AdressSanitizer

Open vSwitch – Fuzzer Evaluation• Test duration of one week

• Targeted OpenFlow version 1.0

• Crafted and random inputs

• Code coverage as main feedback source

Results

Version v1.5 v2.0 v2.5 v2.7

Anomalies 2538 2986 2263 2047

Crashes 13 10 14 0

Results

Anomalies 2538 2986 2263 2047

Crashes 13 10 14 0

High number of false positives due to switch reconnects

Results

Anomalies 2538 2986 2263 2047

Crashes 13 10 14 0

High number of false positives due to switch reconnects Crashes due to environment setup and could not be reproduced

Results

Anomalies 2538 2986 2263 2047

Crashes 13 10 14 0

High number of false positives due to switch reconnects Crashes due to environment setup and could not be reproduced No security flaws detected – yet!

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

Hardware Switch – Feedback Sources

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

Traditional guided fuzzing mechanisms

cannot be applied!

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

cannot be applied!

Black Box?

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

cannot be applied!

Protocol Errors

Debug Mode

Device Log

Black Box?

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

cannot be applied!

Protocol Errors

Debug Mode

Device Log

System Stats

Power Consumption

Response Times

Black Box?

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

cannot be applied!

Protocol Errors

Debug Mode

Device Log

System Stats

Power Consumption

Response Times

Combine all sources to create an unique signature per input

Black Box?

NEC PF5240

Pronto 3290

HP 2920-24G

Quanta T1048-LB9

cannot be applied!

Protocol Errors

Debug Mode

Device Log

System Stats

Power Consumption

Response Times

Combine all sources to create an unique signature per input

Black Box?

Feedback Sources – Measuring Response Times

Hardware SwitchFuzzer

Intended Message

Barrier Request

Barrier Reply

Start =

Timediff = End - Start

Feedback Sources – Evaluation of Response Times

HP 2920-24G Pronto 3290

Hardware Switch – Test Bed

NECPF5240

HP2920-24G

QuantaT1048-LB9

Pronto3290

Ubuntu VM

Fuzzer

Ubuntu VM

Fuzzer

Ubuntu VM

Fuzzer

Ubuntu VM

Fuzzer

Hardware Switch – Fuzzer Evaluation• Test duration of 12h

• Response times as main feedback source

Results

Version NEC HP Quanta Pronto

Anomalies 2133 1735 1915 2643

Crashes 0 0 0 0

High number of false positives due to switch reconnects No security flaws decteted – yet!

Flow Fuzz – Next Steps & Future Extension

Measurements

• Reduce false positive rate• Increase test duration

• Fuzz OpenFlow v1.3

Extensions

• Support higher OF versions• Optimize feedback loop

• Agents for DP fuzzng

Corpus Generation

• Categorized by OF version• Derived from code coverage

Sound Bytes• SDN is coming – Be prepared!

• SDN can enhance the security of networks

• FlowFuzz – A protocol-aware OpenFlow fuzzing framework

• De-blackboxing black boxes by using alternative feedback sources

Questions

Chair of Communication Networkscomnet.informatik.uni-wuerzburg.de

SarDiNeSardine-project.org

Sources• Michael Jarschel, Thomas Zinner, Tobias Hoßfeld, Phuoc Tran-Gia, and Wolfgang Kellerer,

Interfaces, Attributes, and Use Cases: A Compass for SDN,IEEE Communications Magazine, 52, 2014

• D. Kreutz et al.,Software-Defined Networking: A Comprehensive Survey,ArXiv e-prints, Jun. 2014.

• Lorenz, C., Hock, D., Scherer, J., Durner, R., Kellerer, W., Gebert, S., Gray, N., Zinner, T., Tran-Gia, P.,An SDN/NFV-enabled Enterprise Network Architecture Offering Fine-Grained Security Policy Enforcement,IEEE Communications Magazine. 55, 217 - 223 (2017)

• Gray, N., Lorenz, C., Müssig, A., Gebert, S., Zinner, T., Tran-Gia, P.,A Priori State Synchronization for Fast Failover of Stateful Firewall VNFs. Workshop on Software-Defined Networking and Network Function Virtualization for Flexible Network Management, SDNFlex 2017

Sources• Pfaff B., Scherer J., Hock D., Gray N., Zinner T., Tran-Gia P., Durner R., Kellerer R., Lorenz C.,

SDN/NFV-enabled Security Architecture for Fine-grained Policy Enforcement and Threat Mitigation for Enterprise,ACM SIGCOMM Computer Communication Review, 2017

• Tsipenyuk, Katrina, Brian Chess, and Gary McGraw,Seven pernicious kingdoms: A taxonomy of software security errors,IEEE Security & Privacy 3.6 (2005): 81-84

• Benton, Kevin, L. Jean Camp, and Chris Small,Openflow vulnerability assessment,Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, ACM, 2013

• Thimmaraju, K., Shastry, B., Fiebig, T., Hetzelt, F., Seifert, J. P., Feldmann, A., & Schmid, S.,Reigns to the cloud: Compromising cloud systems via the data plane,arXiv preprint arXiv:1610.08717

Sources• Changhoon Yoon, Seungsoo Lee,

Attacking SDN Infrastructure: Are We Ready for the Next-Gen Networking?,Black Hat USA 2016

• Jennia Hizver,Taxonomic Modeling of Security Threats in Software Defined Networking,Black Hat USA 2015

• Gregory Pickett,Abusing Software Defined Networks,Black Hat Europe 2014

• Scott-Hayward, Sandra, Gemma O'Callaghan, and Sakir Sezer,SDN security: A survey,Future Networks and Services (SDN4FNS), 2013 IEEE SDN For. IEEE, 2013.

Sources• Open Networking Foundation,

https://www.opennetworking.org,called on 2017-07-14

• Open Networking Foundation,OpenFlow Switch Specification Version 1.3.5,called on 2017-07-14

• Ari Takanen, Jared DeMott, Charlie Miller,Fuzzing for Software Security Testing and Quality Assurance, ARTECH HOUSE, INC. ISBN 13: 978-1-59693-214-2

• OpenVSwitch - Linux Foundation,https://openvswitch.org,called on 2017-07-14

Sources• Ryu SDN Framework Community

https://osrg.github.io/ryu/,called on 2017-07-14

• OpenStack – Open Source Cloud Computing Softwarehttps://www.openstack.org/called on 2017-07-14

Gray-FlowFuzz-A-Framework-For-Fuzzing-OpenFlow · PDF fileFlowFuzz A Framework for Fuzzing...

Documents

Introduction to Information Security · Introduction to Information Security Fuzzing 1. Today •Introduction to fuzzing •Fuzzing principles •Useful tools and leads. What is fuzzing?

HIGH-DEF FUZZING - Ruxcon Fuzzing... · HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job = "Senior Security Researcher"

Gsm Fuzzing

Biswajit Mazumder Rohit Hooda Arpan Chowdhary. What is Fuzzing? Fuzzing techniques Types of Fuzzing Fuzzing explained Case study and changes:

Fuzzing Frameworks - Exploit€¦ · Fuzzing Frameworks . Pedram Amini Introduction . There are a number of available specialized fuzzing utilities which

Introduction to OpenFlow - clnchina.com.cnicon.clnchina.com.cn/pdf/Introduction_to_openflow_by_shdu.pdfIntroduction to OpenFlow ... •OpenFlow defines logical “ports” for passing

75-OpenFlow ENOG4 Dolmatov · OPENFLOW (Cont.) OpenFlow Controllers • Beacon • Floodlight • NOX • Trema OpenFlow switches • Software - vOpenFlow • Hardware. Internetworking

Finding security vulnerabilities with modern fuzzing …archive.hack.lu/2018/Slides_Fuzzing_Workshop_Hack.lu_v1...Definition of fuzzing (source Wikipedia): Fuzzing or fuzz testing

Security Testing esp. Fuzzing - E. Poll, - cs.ru.nl · Overview • Testing • Abuse cases & negative tests • Fuzzing –dumb fuzzing –generational aka grammar-based fuzzing

Smart COM Fuzzing they were for ActiveX fuzzing, not COM

OpenFlow - Cudi

Extensions to OpenFlow Protocol in support Circuit …xuelin/openflow/openflow-circuitspec-v02.pdfE. xtension. s to OpenFlow Protocol in support Circuit Switching Add. endum to O

OpenFlow Technology Investigation Vendors Review on ... · PDF fileOpenFlow Technology Investigation Vendors Review on OpenFlow ... OpenFlow is “just” an enabler of ... OpenFlow

OpenFlow Switch Specification - Open Networking Foundation · OpenFlow 1.2 December 2011 The Open Networking Foundation hereby issues OpenFlow 1.2, following this page. OpenFlow 1.2

Fuzzing’– WhatTheFuzz - EurOpeneuropen.cz › Proceedings › 38 › fuzzing europen.pdf · 2017-05-04 · – An Introduction to SPIKE, the Fuzzer Creation Kit. "– MSRPC Fuzzing

OpenFlow and Software Defined Networks. Outline o The history of OpenFlow o What is OpenFlow? o Slicing OpenFlow networks o Software Defined Networks

Realizing the Fuzzing Potential: Precision and Accuracy … · Fuzzing Specialist Codenomicon Realizing ... Realizing the Fuzzing Potential: Precision and Accuracy vs. Coverage

File Format Fuzzing in Android - DeepSec · Agenda 2 •File format fuzzing in Android •Fuzzing the Stagefright media framework •Fuzzing the Android application installer •Fuzzing

OpenFlow - SURF

Software-defined Networking and OpenFlow McKeown...Software-defined Networking and OpenFlow Nick McKeown ... OpenFlow Hardware Cisco Catalyst 6k ... Build robust OpenFlow infrastructure