Hacking the Brain: Customize Evil Protocol to Pwn an SDN Controller

Video thumbnail (Frame 0) Video thumbnail (Frame 1400) Video thumbnail (Frame 7269) Video thumbnail (Frame 9152) Video thumbnail (Frame 10432) Video thumbnail (Frame 13872) Video thumbnail (Frame 15116) Video thumbnail (Frame 18775) Video thumbnail (Frame 19202) Video thumbnail (Frame 19927) Video thumbnail (Frame 20348) Video thumbnail (Frame 21052) Video thumbnail (Frame 24962) Video thumbnail (Frame 25632) Video thumbnail (Frame 27440)
Video in TIB AV-Portal: Hacking the Brain: Customize Evil Protocol to Pwn an SDN Controller

Formal Metadata

Hacking the Brain: Customize Evil Protocol to Pwn an SDN Controller
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Software-Defined Networking (SDN) is now widely deployed in production environments with an ever-growing community. Though SDN's software-based architecture enables network programmability, it also introduces dangerous code vulnerabilities into SDN controllers. However, the decoupled SDN control plane and data plane only communicate with each other with pre-defined protocol interactions, which largely increases the difficulty of exploiting such security weaknesses from the data plane. In this talk, we extend the attack surface and introduce Custom Attack, a novel attack against SDN controllers that leverages legitimate SDN protocol messages (i.e., the custom protocol field) to facilitate Java code vulnerability exploitation. Our research shows that it was possible for a weak adversary to execute arbitrary command or manipulate data in the SDN controller without accessing the SDN controller or any applications, but only controlling a host or a switch. To the best of our knowledge, Custom Attack is the first attack that can remotely compromise SDN software stack to simultaneously cause multiple kinds of attack effects in SDN controllers. Till now we have tested 5 most popular SDN controllers and their applications and found all of them are vulnerable to Custom Attack in some degree. 14 serious vulnerabilities are discovered, all of which can be exploited remotely to launch advanced attacks against controllers (e.g., executing arbitrary commands, exfiltrating confidential files, crashing SDN service, etc.). This presentation will include: an overview of SDN security research and practices. a new attack methodology for SDN that is capable of compromising the entire network. our research process that leads to these discoveries, including technical specifics of exploits. showcases of interesting Custom Attack chains in real-world SDN projects.
Game controller Word Presentation of a group Software Student's t-test Hacker (term) Communications protocol
Group action Decision theory Water vapor Web 2.0 Mathematics Plane (geometry) Roundness (object) Component-based software engineering Bit rate Hypermedia Different (Kate Ryan album) Core dump Information Physical system Link (knot theory) Open source Element (mathematics) Category of being Googol Internet service provider Architecture Summierbarkeit Quicksort Hacker (term) Topology Functional (mathematics) Enterprise architecture Open source Link (knot theory) Number Architecture Natural number Hacker (term) Software Service-oriented architecture Configuration space Traffic reporting Game controller Rule of inference Mobile app Focus (optics) Axiom of choice Scaling (geometry) Forcing (mathematics) Control engineering Projective plane State of matter Expert system Interactive television Planning Computer network Plane (geometry) Word Software Integrated development environment √úbertragungsfunktion Logic Function (mathematics) Network topology Infinite conjugacy class property Object (grammar) Service-oriented architecture Table (information) Communications protocol
Tape drive Mass Field (computer science) Data model Graphical user interface Component-based software engineering Plane (geometry) Hacker (term) Encryption Musical ensemble Circle Service-oriented architecture Communications protocol Information security Metropolitan area network Game controller Mobile app Transport Layer Security Interactive television Planning Field (computer science) Computer network Database Demoscene Plane (geometry) Component-based software engineering Software Function (mathematics) Hacker (term) Service-oriented architecture Communications protocol
Context awareness Divisor Open source Multiplication sign Real number Simultaneous localization and mapping 1 (number) Virtual machine Set (mathematics) Field (computer science) Number Product (business) Component-based software engineering Roundness (object) Root Data mining Endliche Modelltheorie Multiplication Game controller Context awareness Mobile app Interactive television Field (computer science) Computer network Exploit (computer security) Flow separation Component-based software engineering Software Order (biology) Communications protocol Resultant Computer worm Spacetime
Web 2.0 Coefficient of determination Component-based software engineering Virtual machine Smith chart
Mobile app Link (knot theory) Scripting language Inheritance (object-oriented programming) Error message Control engineering Computer worm Gastropod shell Virtual machine Family
Scripting language Mobile app Functional (mathematics) Link (knot theory) Inheritance (object-oriented programming) Real number Open source Exploit (computer security) Error message File system Computer worm Gastropod shell Loop (music) Installable File System Family
NP-hard Functional (mathematics) System call Computer file State of matter Field (computer science) Neuroinformatik Usability Web 2.0 Explosion Chain Exclusive or Performance appraisal Component-based software engineering Remote Access Service System identification Communications protocol Scripting language Authentication Graph (mathematics) Real number Forcing (mathematics) Control engineering Open source Content (media) Data storage device Planning Total S.A. Price index Cartesian coordinate system Flow separation Product (business) Software Function (mathematics) Order (biology) Software testing Resultant
Email Projective plane Home page Mathematical analysis Open set System call Twitter Number User profile Component-based software engineering Crash (computing) Gastropod shell Service-oriented architecture Contrast (vision) Physical system
are so weak that thing shout at us. i ever and thanks for coming out the early a ph d. student adult pennsylvania state university and their support due to be or not a speaker but he can calm. to some we saw problems so i just put these pictures here and my understand so we can to gather to kick the presentation to your bank you. you like or i sold today we are going to talk about a new attack the attack is about these are tack a week other words or he is able to hack the brain of the soft well defined networks the asked the un comptroller.
whoa. here is that the ferns between the league as the networks and the software defined networks and the league as the network is always when they were dependent it means the networks the rise is always work independently with pre-defined functions and we cannot change it anymore but in asked the end the whole network is treaty. he asked to plans that control pain to operating or and the data play so of all network functions are knol been placed into the brain off the network the comptroller and the holes and switched to use for the device on our place into the data playing right. well this is the difference between the two networks soul and this new architecture now it's widely deployed in production environments with swallowing communities on one hand the open source of knives asians like me nuts foundations are sort of sport are supporting a large number off as the and. projects like a dolphin day lie off flop light on our most and comedies like quality sisco also released their commercial heard that acts. and they are occasions and on the other hand the growing communicate the girl growing community exeter rates the replacement of the network infrastructure for example the world leading web scale providers such as google microsoft deploying as the and even they are data are centers. so this is how s. the in i used to date. so when some people are using it we have people economy that you hack it to the attack and when to attack her can successfully break into our soft oil to fight network just like we can act to the wife i hear if it is us off the word defied network architecture which so the. she were probably target actor controller course it is the brain of the network to in this talk we concluded three categories of common attack objectives for attacks on the control planes that nine of surrey's data leakage and natural many poor nations and in these tables. some objectives have been achieved by prove years researchers and some sums are not and we discovered that these exists team attacks for example just like the topology poison not tax i'll fall coast foreclose on those so it's logical all comptroller. which means these are tax for example to topple a g. attack attack attack the apology to scarborough service in the controller to report face to two reports force links and let my left the comptroller make round decisions. nestle you to discover the swannery it is you should be a hacker and and xp an expert you should know the details have to ask the improv according to the actions the relationship among the soviets logic but i think most of us are not as the an expert. hurt and we even not so for media weeks asked ian but it is widely used so while i'm so i'm consider whether i can find a math or to hack the software to mike network we solve learning so much about asked the and and my attack should be powerful. in the basque eight each should achieve all the objects attack objectives in these table all of them no matter it is our existing one or a new one.
seoul how to hack are asked the and like car hacker weld the controllers are software systems and we both know that the software systems are inherently one rubble so it is possible that the comptroller components contains are one or abilities. is this is core course we're hackers and we know how to find this cold want to remain it is right however the data plane and under control plane as i mentioned the at the kabul which means they only communicate with each other with pretty fine protocol interactions. all these architecture make us hard to exploited these cold one will believe east from the data pain where we always in a soul in the stock we introduced the custom attack which breaks the border built by that the koppel planes. this. but unlike previous attacks that the focus on the attacking the comptroller service logic custom attack can be used to attack all kinds of cold water abilities in the comptroller so hard to do it.
i so lot let's see how to conquer the difficulty be awed by the decoupled two planks the e.s.p.n. protocols for wired some feels to latch the sweets and network device to cause some of them selfs usually the cost them a feels his subscribe by us forces. if control spur city comptroller components are for example if a switch and must wish may send a fort collins not acacia mass each to the control plane and this mass each well be first black by a service can coit are collecting so it's maybe and the so as well said. and the mass age to the two subscriber maybe our network monitor component so this is how the cost them a field works.
so i'm sorry i'm in milan backhand a little bit tired so maybe joe way i will put you on the table. us or right last move on moon so there is a semantic gap you to buy the cost of a failed scenes the cost them a field can be totally controlled by the controlled by the data obtained by the hacker so any proper treatment all may break the security border of that the cop old. control plane and of the data playing that's the reason it does not even gauging example monitor components that's know how to parse the nobody not even cation mass each however the crack the service or collected first in the us not so the clock the service may stored the mass each in the database. if we solve any security considerations if a hacker inject a malicious circling see into the cost them a feels the database will in danger and this is the start of carsten my pack and it is his only in their start. or act and we start cost them attack we can be exploited serious one will be at the scene astrium comptroller to bring several out when stop jack tapes for example we can't usual be truly as the income man's by korean the exposed network many human a.p.i. or we can. we have some confidential data we are stuck or injection or on the things. and this is the threat mogul have to cost them more tack first the hackers don't have to do you actually have access to natural work of the comptroller we see which is sometimes separated from the date a plane out the network devices and he can't you will not need. to access any obligations in the comptroller it's also a hacker don't need to hack into the encrypted protocol channels between the control planes and a tough place to what the hacker needs is to only to perform the g.t. made probable interactions with the control playing so. a malicious host or switch is enough.
just like we can use a mobile phone you know. however after attacking the wonder of all components handling dumb money show us crist custom have failed county introduce limited in fact to the network they are several reasons first hour receiving or component in the comptroller rounds in separate context for example just like. and then threat so the freely off our single component we're not a factor or will abilities of fathers are and second the control the critical components i usually spatially contact as a result is that the city's the vehicle to abusing these important ones. we cannot attack them directly attacked them with these customer feels so as a result if we want to do something be one to we need a more complex attack a multi-stage exploitation to control more resources in the comptroller this is the.
the walk a lot lower parties that data playing where the and that workhorses and switch is normally cannot directly access the comptroller because the two networks alois separated but there will always be able to interact with use the control always using the esteem product. calls like to open for mole or other things. so we need several stage the first stage is the toll whole stage this is where we are tapped the components weaste cost them a field in this that we will inject our craft payload into the cost them a field and sent them to the control claimed we allergy to made protocol interaction. it's. after the first the exploitation is we cannot control what's more number of county control a smaller number or face sat in a component to harvest more control pain a sept we need a high roots harvest stage we will need to exploited more one will be to use in order in other compensation. on and we screw us controlled a set for example we can we may able to launch h.t.t.p. require asked in the first stage so all in the second stage we can leverage the space that could do more things we may access to a rasp a.p.i. to issue some commence. so after week controlling a large number of ways that we try to change them to gather to achieve our cash advance to tackle and as you can see instead of merely attacking the components that handling the cost them a fear was we still use our attack model we can now able. to exploit all kinds of one abilities to hack more components ok now is time for us to have something real first i will show you read your them all in this them all we attacked open source comptroller it is a pop maybe the most popular on the. our nurse and we the attack in fact least we get to remould show from the controller ok and the honors controller is are remote machine though one one one and.
and our compromise switch east this machine dog one all eight seoul and this is the web component of diana a nurse we can see that their small devices in the controller yet ok and we can hold our for a more to our.
back the. honest controllers and get our seas to ensure all from the controllers are this is our devices connected well as you can see. the sexes body get us essential.
unknown us in.
seoul disease are exploited chair with smart the stage exploitation that works soul how it actually works last next i will give you more details about the p.r.c. chen as showing the picture our target is to get diagnostic function.
which read and excuse a script fond of file system so to abuse these function we need to control to a sax to harvey's to a sense the first is the script itself to excuse to a beach or he commands we need to inject payrolls into the script.
however controlling the script is not enough we also need to access the ras the a.p.i. that course the course that their diagnostic function as i have mentioned important components are usually spatially protected so the rest a.p.i. is protected by up basic authentication. we need to also indication poll can for the use rest a p i a let's check a lot he said we can actually control in our first stage. we found our access as in the web components as you can see this one really he can be explored by a cost them a feel so now we can control the pace asked that expose to be accessed such as some network computer asians however we cannot steel to actively attack. all art pocket function soul that's move on her second stage stuff obvious stage. first let's try to handle the basic authentication new shoes we found that adults indication poll can ease store as planned tax ad hoc compete by so as long as we can control and read these files we can get the token this means that we need to find a new one ability that can read some contents. i have for several days hard work we find our force your days in an arse the seaside access the it can be and it and it can be exploited by a cost them a field dad we control as a result who can read at the top open to solve a also problem. now we can try to control the eighth those scree pace at which the fief still day we found the now nurse it is up castro was so bad in the function these function is to handle that seeped files are promoted from the web component remembered that in the first stage we discover or. excess one really be in the web component now we can average seize our tactics excess asked to upload our craft the fire and then all right a pizzeria fires with any content we want so finally we controlled the script. this is to complete our tax graph order to explore champ we say we use five previously on the lawn one will be duties in three different stage set to construct these remote command exclusion champ. i'm sorry. i mean.
the sole how about the impact of the cost them a failed we analyzed five popular as the in controllers and their fifty four happy applications in total we and many identify eighteen one really to use and construct twenty four war explore chance. and all these explosions are involved in two or three stage states to see us the impact of these explore chance we all these explosions we construct can come introduce are serious attack the fact to the controller and and.
this cable show also ordered zero day we found we can as we can see from the last call him and we want to read it he can be used to introduce the more than one attack the fact and we found that one us has the largest number of one released and i think this is because. first on earth is where we easy to use we can install any components we want is a simple click by contrast hacking the open they like he's really difficult to install or or the bark are component we need to spend that the whole afternoon or and youzhny we found not thing. so what we can only found three bucks in the open day light so may be making your project hard to used can be a great defense. yes yes that's what i've important finding seen our research.
ok that's our thanks for his money. a ok i got home you a. i.