Outsmarting Network Security with SDN Teleportation

Outsmarting Network Security with SDN Teleportation

Abstract

Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call teleportation. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today’s trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.

Grafik Top
Authors
  • Thimmaraju, Kashyap
  • Schiff, Liron
  • Schmid, Stefan
Grafik Top
Supplemental Material
Shortfacts
Category
Paper in Conference Proceedings or in Workshop Proceedings (Paper)
Event Title
2nd IEEE European Symposium on Security and Privacy (EuroS&P)
Divisions
Communication Technologies
Subjects
Informatik Allgemeines
Event Location
Paris, France
Event Type
Conference
Event Dates
April 2017
Date
2017
Export
Grafik Top