
Covert Channels in SDN: Leaking Out Information from Controllers to End Hosts

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Software-Defined Networking (SDN) enables diversified network functionalities through the many applications deployed on a logically centralized controller. In order to work properly, these applications are naturally provided with a great deal of information about the SDN. However, this paper shows that malicious applications can exploit basic SDN mechanisms to build covert channels that stealthily leak valuable information to end hosts, bypassing network security policies and breaking physical network isolation. We design two types of covert channels based on basic SDN mechanisms. The first is a high-rate covert channel that exploits SDN proxy mechanisms to transmit covert messages to colluding hosts inside the SDN. The second is a low-rate covert channel that exploits SDN rule expiry mechanisms to transmit covert messages from SDN applications to any host on the Internet. We develop prototypes of both covert channels in a real SDN testbed consisting of commercial hardware switches and an open source controller. Evaluations show that the covert channels successfully leak a TLS private key from the controller to a host inside the SDN at a rate of 200 bps with a 0% bit error rate, or to a remote host on the Internet at a rate of 0.5 bps with less than a 3% bit error rate. In addition, we discuss possible countermeasures to mitigate the covert channel attacks.


Notes

  1. The padding bloats the ARP frame to 64 bytes, the minimum required length of an Ethernet frame.

  2. Because the traffic trace contains so many flows, the hosts randomly select a subset of flows so that the number of flow rules generated by those flows does not exceed the flow table capacity of the switches.


Acknowledgment

The research is partially supported by the National Natural Science Foundation of China (NSFC) under Grant 61832013, 61625203, 61572278 and U1736209, the National Key R&D Program of China under Grant 2017YFB0803202, and the NSF grants IIP-1266147 and CNS-1822094.

Author information

Corresponding author: Mingwei Xu

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Cao, J. et al. (2019). Covert Channels in SDN: Leaking Out Information from Controllers to End Hosts. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_21


  • DOI: https://doi.org/10.1007/978-3-030-37228-6_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37227-9

  • Online ISBN: 978-3-030-37228-6

  • eBook Packages: Computer Science (R0)
