Reins to the Cloud: Compromising Cloud Systems via the Data Plane

Abstract: Virtual switches have become popular among cloud operating systems to interconnect virtual machines in a more flexible manner. However, this paper demonstrates that virtual switches introduce new attack surfaces in cloud setups, whose effects can be disastrous. Our analysis shows that these vulnerabilities are caused by: (1) inappropriate security assumptions (privileged virtual switch execution in kernel and user space), (2) the logical centralization of such networks (e.g., OpenStack or SDN), (3) the presenc… Show more

“…We assume that an attacker has sufficient resources and knowhow to compromise hosts/switches and therefore do not concern ourselves with how the host/switch is compromised. For example, the attacker can exploit a buffer overflow vulnerability in the switch software to compromise the switch [13].…”

“…Therefore, it may be difficult to distinguish the attack traffic from the benign traffic. Accordingly we believe that, with the separation of the control and data plane, it is now important to monitor and police the communication channel between the separated planes due to the increased attack surface [13].…”

“…It has been shown that the network view of the controller may even be poisoned [27], [28]. Thimmaraju et al [13], point out that threat models for the virtualized data plane need to account for a malicious/compromised data plane in SDNs, and cloud operating systems such as OpenStack.…”

“…However, Software-Defined Networks (SDNs) also introduce new security challenges. In particular, we in this paper study threats introduced by an unreliable south-bound interface, i.e., we consider a threat model in which switches or routers do not behave as expected, but rather are malicious [13], and e.g., contain hardware backdoors [14]. While many existing network security and monitoring tools rely on the trustworthiness of switches and routers, this assumption has become questionable: Attackers have repeatedly demonstrated their ability to compromise switches and routers [15], [16], [17], thousands of compromised access and core routers are being traded underground [18], networking vendors have left backdoors open [19], [20], national security agencies can bug network equipment [14], hacker tools to scan and eventually exploit routers with weak passwords, default settings are openly available on the Web, etc.…”

Outsmarting Network Security with SDN Teleportation

“…We assume that an attacker has sufficient resources and knowhow to compromise hosts/switches and therefore do not concern ourselves with how the host/switch is compromised. For example, the attacker can exploit a buffer overflow vulnerability in the switch software to compromise the switch [13].…”

“…Therefore, it may be difficult to distinguish the attack traffic from the benign traffic. Accordingly we believe that, with the separation of the control and data plane, it is now important to monitor and police the communication channel between the separated planes due to the increased attack surface [13].…”

“…It has been shown that the network view of the controller may even be poisoned [27], [28]. Thimmaraju et al [13], point out that threat models for the virtualized data plane need to account for a malicious/compromised data plane in SDNs, and cloud operating systems such as OpenStack.…”

“…However, Software-Defined Networks (SDNs) also introduce new security challenges. In particular, we in this paper study threats introduced by an unreliable south-bound interface, i.e., we consider a threat model in which switches or routers do not behave as expected, but rather are malicious [13], and e.g., contain hardware backdoors [14]. While many existing network security and monitoring tools rely on the trustworthiness of switches and routers, this assumption has become questionable: Attackers have repeatedly demonstrated their ability to compromise switches and routers [15], [16], [17], thousands of compromised access and core routers are being traded underground [18], networking vendors have left backdoors open [19], [20], national security agencies can bug network equipment [14], hacker tools to scan and eventually exploit routers with weak passwords, default settings are openly available on the Web, etc.…”

Outsmarting Network Security with SDN Teleportation