KR20160145373A - Method, apparatus and computer program for analzing vulnerability of software defined network - Google Patents

Abstract

The present invention relates to a method for analyzing vulnerability of a software defined networking (SDN) network, including: a step of classifying at least one vulnerability which is able to occur in an arbitrary SDN network into a control plane category, a data plane category, and a control channel category according to an attack location, and obtaining a vulnerability database including an attack code for a corresponding vulnerability; a first test step of executing at least one agent on the SDN network to be analyzed, and attacking based on the vulnerability database; and a step of collecting a first test result to analyze the vulnerability of the network to be analyzed.

Description

METHOD, APPARATUS AND COMPUTER PROGRAM FOR ANALYZING VULNERABILITY OF SOFTWARE DEFINED NETWORK,

The present invention relates to a method, apparatus and computer program for analyzing a vulnerability of a software defined network. More particularly, the present invention relates to a framework that can be applied commonly to structuring information on vulnerabilities that may occur in a software defined network and analyzing vulnerabilities of the SDN network.

Software Defined Networking (SDN) is a technology that manages all the network devices in the network by an intelligent central management system. In the SDN technology, a controller provided in a form of software can perform processing instead of a control operation related to the packet processing performed by itself in a conventional hardware type network device, so that various functions can be developed and given over the existing network structure.

The SDN system generally includes a controller server that controls the entire network, a plurality of open flow switches that are controlled by the controller server and process packets, and a host that is a lower layer of the open flow switch. Here, the open flow switch is only responsible for transmitting and receiving packets, and routing, management, and control of the packets are all performed in the controller server. That is, it is a basic structure of the SDN system to separate the data plane constituting the network equipment and the control plane operating the network.

1 is a diagram for explaining a configuration of a software defined network. Referring to FIG. 1, a software defined network may include a controller server 100, network equipment 200, and a host 300. The network device 200 and the host 300 are nodes, and the connection between two nodes is called a link.

The controller server 100 manages the network equipment 200 and centrally manages and controls the plurality of network equipment 200. Specifically, the controller server 100 includes an application that performs functions such as topology management, path management related to packet processing, link discovery, and packet flow flow management. As shown in FIG.

The network device 200 functions to process packets under the control of the controller server 100. Examples of the network equipment 200 include a mobile communication base station, a base station controller, a gateway equipment, a wired network switch, and a router. Hereinafter, for convenience of explanation, the case where the network equipment 200 is an open flow switch will be mainly described.

In the present specification, the open flow switch 200 should be understood as a concept including a switch supporting only an open flow protocol, a virtual switch supporting an open flow protocol, and a general L2 switch supporting an open flow protocol.

In the software defined network, the controller server 100 and the open flow switch 200 exchange information with each other. The open flow protocol is widely used as a protocol for this. That is, the open flow protocol is a standard that allows the controller server 100 and the open flow switch 200 to communicate with each other.

More specifically, the open flow switch 200 exchanges information with the controller server 100 via a control channel. The control channel is a communication channel between the open flow switch 200 and the controller server 100 located at a remote location. Information exchanged between the controller server 100 and the open flow switch 200 can be encrypted.

The open flow switch 200 has one or more flow tables for defining and processing packets and including statistical information related to the packets. The flow table reflects a flow rule that defines packet processing and the flow rule is a flow mode message generated by the controller server 100 and transmitted to the open flow switch 200 And may be added, modified or deleted by the user. The open flow switch 200 processes the packet with reference to the flow table.

The flow table may include a match field for a packet defining a flow, operation information for defining processing of the packet, and statistical information for each flow (Stats). Each row constituting the flow table is called a flow entry, and a priority can be assigned to each flow entry. The open flow switch can process the packet according to the operation information of the flow entry having the highest priority among the flow entries having match information matching the information of the packet.

The host 300 means a terminal or the like corresponding to a lower layer of the open flow switch 200, and can be used to mean a client and a server. The host 300 can generate a packet for sending to another host via a software defined network and transmit the packet to the open flow switch 200 through a port of the network interface.

For example, when the first host 300a wants to send a packet to the second host 300b, the first host 300a first generates a packet to be sent and transmits the packet to the first host 300a via an open flow To the switch 200a. When there is a flow entry matching the packet in the open flow switch that received the packet, the packet is processed as specified in the flow entry. However, when there is no flow entry matched with the packet in the open flow switch 200a, the open flow switch 200a transmits a packet-in message informing the controller server 100 of the packet flow. The controller server 100 generates a flow rule change that specifies the processing of the packet and transmits the flow rule change to the open flow switch 200a. The open flow switch 200a changes the state based on the change and processes the packet.

Meanwhile, a path through which the first host 300a can send a packet to the second host 300b may vary. This is because a plurality of open flow switches 200 and the host 300 exist in the whole network, and therefore, each node has a plurality of links. At this time, the controller server 100 can calculate an optimal path among a plurality of paths that can transmit the packet based on the entire network topology map. The controller server 100 transmits information on the calculated route to the open flow switch 200 in the form of a flow rule, and the open flow switch 200 processes the packet in accordance with the flow rule.

An object of the present invention is to provide a database structured with information on vulnerabilities that may occur in a software defined network.

Furthermore, the present invention aims to provide a framework that can be commonly applied to analyze the vulnerability of an SDN network.

In order to solve the above problem, a method of analyzing a vulnerability of an SDN (Software Defined Networking) network according to an embodiment of the present invention includes analyzing at least one vulnerability that may occur in an SDN network to a control plane ), A data plane, and a control channel category, and acquiring a vulnerability database including an attack code for the vulnerability; A first test step of executing at least one agent on an SDN network to be analyzed and attacking based on the vulnerability database; And analyzing a vulnerability of the analysis target network by collecting the first test result.

Further, an apparatus for analyzing a vulnerability of a software defined network according to an embodiment of the present invention includes a control plane, a data plane, and a control plane for at least one vulnerability that may occur in a software defined network, A storage unit for classifying the vulnerability database into a control channel category and storing a vulnerability database including attack code information for the vulnerability; And a controller for executing at least one agent on the network to be analyzed, attacking the network based on the vulnerability database, and analyzing the vulnerability of the network to be analyzed by collecting the first test result.

Further, in order to perform a process of analyzing a vulnerability of a software defined network according to an embodiment of the present invention, an application stored in a medium may include a control plane according to an attack location for at least one vulnerability that may occur in a software defined network, A data plane, and a control channel category, and acquiring a vulnerability database including attack code information for the vulnerability; A first test function for executing at least one agent on the network to be analyzed and attacking based on the vulnerability database; And analyzing a vulnerability of the analysis target network by collecting the first test result.

According to the present invention, it is effective to provide a standardized framework for testing the vulnerability of an SDN network. Therefore, it is not necessary to consider the configuration for the vulnerability test for each attack scenario for each network to be analyzed, thereby making it easy to test the network.

Further, according to the present invention, it is possible to provide a database structured with information on vulnerabilities that may occur in the SDN network. Therefore, since it is possible to carry out a thorough test on the confirmed attack, the security of the analyzed network is enhanced.

1 is a diagram for explaining the configuration of a software defined network;
2 is a flowchart illustrating a method for analyzing a vulnerability of a software defined network according to an embodiment of the present invention
3 is a view for explaining contents of a vulnerability database according to an embodiment of the present invention;
4 is a flowchart illustrating a software configuration of a framework for diagnosing a vulnerability of a software defined network according to an embodiment of the present invention

It is to be understood that the present invention is not limited to the description of the embodiments described below, and that various modifications may be made without departing from the technical scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

In the drawings, the same components are denoted by the same reference numerals. And in the accompanying drawings, some of the elements may be exaggerated, omitted or schematically illustrated. It is intended to clearly illustrate the gist of the present invention by omitting unnecessary explanations not related to the gist of the present invention. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

As described above, the SDN network is implemented entirely differently from the conventional hardware-based network. Therefore, techniques for analyzing the vulnerability of a conventional hardware type network can not be applied to the SDN network.

In addition, since it is the beginning of SDN, it is vulnerable to SDN network vulnerability such as what kind of attack can be applied to SDN network, which type of attack is most vulnerable, Information about the system is not systematized and / or characterized

Therefore, in order to check the vulnerability of the SDN network, test modules for arbitrary attack scenarios for each analyzed network should be developed. Furthermore, the testing is dependent on the administrator's personal capabilities and may not be checked for all possible attack scenarios. Therefore, vulnerability checks are less credible and users may have doubts about the security of the network.

The present invention is intended to solve the above problems. The present invention proposes a standardized framework for testing vulnerabilities of an SDN network using a database structured with information on vulnerabilities that may occur in the SDN network.

The framework, that is, the vulnerability diagnosis computer program, executes each agent on a control plane, a control channel, and a data plane of the analysis target network, and uses an attack code provided from the vulnerability database to attack And an agent manager for controlling the agent manager. Furthermore, attack results can be analyzed to determine whether there are known vulnerabilities in the network.

Further, the present invention proposes a method for checking an SDN network against not only known vulnerabilities but also unknown vulnerabilities. For example, the vulnerability diagnostic computer program may be configured to perform a test to apply random data to the analysis target network to check for an unknown vulnerability, and to update the vulnerability database with respect to the purge result.

2 is a flowchart illustrating a method of analyzing a vulnerability of a software defined network according to an embodiment of the present invention.

An SDN vulnerability checking apparatus according to an embodiment of the present invention may acquire a database of vulnerabilities that may occur in the SDN in step 210. [

The database may contain information about vulnerabilities that may occur in any SDN network. For example, it may include information on previously known location of a vulnerability, a cause of the vulnerability, an attack code for the vulnerability, a result of the attack, and / or a solution to the vulnerability.

The vulnerabilities of the vulnerability database according to the present invention can be classified into a control plane, a data plane, and a control channel according to an attack location. This is for convenience of the vulnerability diagnostic test that attacks the target network using the vulnerability database.

Meanwhile, the database may be updated by modifying, deleting and / or adding a vulnerability check test result according to an embodiment of the present invention. For this, the vulnerability database management program and the vulnerability check test program can refer to each other.

The vulnerability database according to the embodiment of the present invention may include vulnerability information for 22 types of attacks.

Table 1 shows the 22 vulnerabilities that can occur in the SDN network. Table 1 shows a total of 15 managed codes for the relevant vulnerabilities. A vulnerability with managed code beginning with A is for an attack that can be placed on the control plane, a vulnerability starting with B is for an attack that can be placed on the control chain, and a vulnerability starting with C is an attack Lt; / RTI >

Vulnerability name Managed code Explanation Packet-In Flooding A-01-A Numerous Packet-Ins may lead a SDN controller to an unpredictable state:
For example, a malicious host may generate a number of distinct flows, and thus exhaust the system resource of a SDN controller machine. Service Chain Interference A-02-M A chained execution of applications may be interfered:
i) Control Message Drop : A malicious application may participate in a service chain and drop control messages before the other applications awaiting for them.
ii) Infinite Loops : A malicious application may fall into an infinite loop to stop the execution of applications. Internal Storage Abuse A-03-MA For example, a SDN application may be accessed and manipulated by a SDN controller in a network topology managed by the SDN controller Control Message Manipulation A-04-MA Control messages may be manipulated to put the control plane in an unpredictable state:
i) Switch Table Flooding : An adversary may persistently send control messages to the SDN controller.
ii) Switch Identification Spoofing : The switch identification field of a control message may be manipulated to put the control plane in an unpredictable state.
iii) Malformed Control Message : A malformed control message may cause malfunction of the control plane. Control Message Abuse A-05-M A SDN application may arbitrarily issue control messages:
i) Flow Rule Modification : A malicious application may issue a flow rule to overwrite the existing rule in the flow table of the unexpected network behavior.
ii) Flow Table Clearance : A malicious application may issue a control message that clears the flow table entries. Northbound API Abuse A-06-M A SDN application may manipulate the behavior of the other applications by abusing a poorly designed Northbound API.
i) Event Listener Unsubscription : A malicious application may arbitrarily unsubscribe the target application from the control message subscription list to make the target incapable of any of the messages.
ii) Application Eviction : A SDN application may force the other SDN applications on duty. Resource Exhaustion A-07-MA A SDN application may exclusively use all available system resources and affect the performance of the other applications or the controller itself
i) Memory Exhaustion : A malicious application may continuously allocate memory to use all available system memory.
ii) CPU Exhaustion : A malicious application may continuously create working threads to use up all available CPU resources. System Variable Manipulation A-08-MA System variables may be manipulated to put a SDN controller in an unpredictable state:
An adversary may change the system time to make the controller disconnect from the connected switches. System Command Execution A-09-A A SDN application may execute a system exit command to terminate the controller instance Network Topology Poisoning A-10-A An adversary may manipulate the network topology by exploiting the vulnerabilities in the Host Tracking Service and Link Discovery Service of various SDN controllers:
i) Host Location Hijacking : An adversary may generate the crafted network traffic to arbitrarily hijack the location of the other hosts.
ii) Link Fabrication : An adversary may manipulate the network topology by sending a forged or relayed LLDP packet to the controller. Eavesdrop B-01-A An adversary may sniff the control channel to steal sensitive information:
For example, an adversary may sniff the ongoing control messages on the control channel to learn the network topology. Man-In-The- Middle B-02-A An adversary may act actively in the control channel:
For example, an adversary modifies the flow rule message that is transferred, and corrupts the behavior of a network. Flow Rule Flooding C-01-MA Numerous flow rules may lead to an unpredictable state:
An adversary may intervene in the control channel and install a number of flow rules to switch to the flow table. Switch Firmware Abuse C-02-M The characteristics or traits of a certain switch model may be abused:
For example, an adversary may install the crafted flow rules that can not be processed in a certain switch model. Control Message Manipulation C-03-M A malformed control message may put the data plane in an unpredictable state:
An adversary may inject a malformed control message to the data plane to interrupt the connection between the control plane and the data plane.

A-02-M, A-05-M, A-06-M, A-06-MA, B- The M code is a newly discovered vulnerability according to an embodiment of the present invention, and a more detailed description is as follows.

First, the vulnerability to service chain interference (A-02-M) is caused by a malicious application dropping a control message necessary for chained excitation of applications installed on the controller, To attack.

Table 2 shows the attack codes dropping the control message. Table 3 shows the attack codes that cause the infinite loop to fall. Such an attack code may be included in the vulnerability database according to the embodiment of the present invention, and the same is true for the remaining vulnerabilities.

[Table 2]

Activatior.java

{

List <ContainerServiceDependency> list = this.c.getDependencies ();

DependencyManager manager = this.c.getDependencyManager ();

List <DependencyManager> dlist = manager.getDependencyManagers ();

BundleContext ctx = manager.getBundleContext ();

Bundle [] blist = ctx.getBundles ();

System.out.println ("dList size:" + dlist.size () + "\ n");

i <dlist.size (); i ++) {

DependencyManager dm = dlist.get (i);

System.out.println ("DM:" + dm.toString ());

List <Component> temp = dm.getComponents ();

System.out.println ("Componenets Size:" + temp.size ());

temp.size (); j ++) {

Component ct = temp.get (j);

@SuppressWarnings ("unchecked")

Dictionary <String, Object> props = ct.getServiceProperties ();

if (props! = null) {

Object res = props.get ("salListenerName"); // salListenerName

if (res! = null) {

if (! ((String) res) .contains ("appagent")) {

Dictionary <String, Object> props_new = new Hashtable <String, Object> ();

Enumeration <String> keys = props.keys ();

while (keys.hasMoreElements ()) {

String key = keys.nextElement ();

props_new.put (key, props.get (key));

}

props_new.put ("salListenerDependency", "appagent");

ct.stop ();

ct.setServiceProperties (props_new);

ct.start ();

} else {

System.out.println ("Here");

}

}

}

}

}

}

AppAgent.java

public PacketResult receiveDataPacket (RawPacket inPkt) {

return PacketResult.CONSUME;

}

[Table 3]

public void Infinite_Loop () {

int i = 0;

System.out.println ("[ATTACK] Infinite Loop");

while (true) {

i ++;

if (i == 10)

i = 0;

}

}

Second, the vulnerability to control message abuse (A-05-M) is against malicious applications that arbitrarily issue flow rules to modify flow rules or delete flow tables.

Third, the vulnerability to API change (A-06-M, Northbound API Abuse) is used to prevent malicious applications from exploiting an arbitrary application or to exploit an arbitrary application. will be.

Fourth, vulnerability to system variable manipulation (A-08-MA, System Variable Manipulation) is a vulnerability to attack that manipulates controller's system time.

Fifth, vulnerability to eavesdropping (B-01-A, Eavesdrop) is a vulnerability to attack that acquires network topology information by eavesdropping packets between controller and switch.

The sixth vulnerability to man-in-the-middle (A-Man-In-The-Middle) is an attack that modifies the network topology by modifying packets between the controller and the switch.

Seventh, Switch Firmware Abuse (C-02-M) is an attack using the model-specific characteristics of switch firmware. For example, the match field of a flow rule applied to a specific switch is low- To a value supported only by the switch, thereby slowing packet processing of the switch.

Eighth, Control Message Manipulation (C-03-M) is for attacks that apply manipulated flow rules to switches.

The vulnerabilities in Table 1 can be classified into a control plane, a data plane, and a control channel category according to their location, which will be described with reference to FIG.

FIG. 3 is a representation of vulnerabilities that may occur in the SDN network at the occurrence location.

3, Service Chain Interference (A-2), Control Message Abuse (A-5), Application API operation (A-6, Northbound API Abuse), resource depletion (Resource Exhaustion) and System Command Execution (A-9, System Command Execution) may occur in the application layer 310 of the control plane 100 of the SDN.

A-1, Packet-In Flooding, A-3, Internal Storage Abuse , A-4, Control Message Manipulation and Network Topology Pollution (A-10, Network Topology Poisoning may occur in the control layer 320 of the control plane 100 of the SDN.

The eavesdropping (B-01, Eavesdrop) and meson (B-02, Man-In-The-Middle) may occur on the control channel 150 of the SDN.

Flow Rule Flooding (C-1), Switch Firmware Abuse (C-02) and Control Message Manipulation (C-03) are performed in the infrastructure layer (330).

Returning now to the description of FIG. 2, in step 220, the vulnerability checking device may execute an agent that attacks or purges the network for testing, respectively, on the control plane, control channel, and data plane of the network under analysis.

More specifically, it is possible to execute an application agent in an application layer of a controller of a network to be analyzed, a channel agent in a control channel, and a host agent in a network device of the network.

Thereafter, the vulnerability checking apparatus can control the agent to attack the analysis target network according to information provided from the vulnerability database. Or to purge the network to be analyzed to test whether unknown vulnerabilities not present in the vulnerability database exist in the network. (Step 230)

For example, the application agent attacks according to the vulnerability information included in the control plane category of the vulnerability database, the channel agent attacks according to the vulnerability information included in the control channel category of the vulnerability database, and the host agent attacks the data plane category Based on the vulnerability information included in the vulnerability information.

According to the present invention, the respective agents are executed in the three areas constituting the analysis target network as described above, and the network is attacked according to the attack code of the category for each agent, Can be efficiently scanned.

On the other hand, purging is a technique for checking whether an unknown vulnerability exists. More specifically, the vulnerability checking device can randomly apply random data to the network under test and test the response of the network. For example, the vulnerability checker can control each agent to apply random data to that location.

According to an embodiment of the present invention, if a new vulnerability is found that has not been found previously in the above purging and / or new information about a conventional vulnerability is obtained, the purging result can be updated to the vulnerability database.

Then, the vulnerability analysis device can analyze the vulnerability of the analyzed network and provide the analysis result by collecting the result and / or the purging result of the attack of the agent. (Step 240)

For example, the Vulnerability Analyzer displays reports on the outcome of an attack that targets a specific vulnerability, the location and cause of the vulnerability in the network being analyzed, statistics on how well the network can absorb attacks, And / or a solution to the vulnerability.

4 is a diagram for explaining a software configuration of a vulnerability analysis framework of a software defined network according to an embodiment of the present invention.

The vulnerability analysis framework according to an embodiment of the present invention may include the agent manager 410, the application agent 420, the channel agent 430 and the host agent 440 shown in FIG.

Particularly, the agent manager 410 obtains the vulnerability database, and executes the application agent 420, the channel agent 430, and the host agent 440 in the respective locations shown in FIG. 4, Based on this, you can control to execute attacks in each category, and collect and analyze attack results.

Further, the agent manager 410 may control the agent to apply random data to the corresponding location, and may collect and analyze the purging result.

Further, according to the embodiment of the present invention, an attack for diagnosing a vulnerability may be provided by a GUI such as 450 in FIG.

The embodiments of the present invention disclosed in the present specification and drawings are intended to be illustrative only and not intended to limit the scope of the present invention. It is to be understood by those skilled in the art that other modifications based on the technical idea of the present invention are possible in addition to the embodiments disclosed herein.

100: Controller server
150: control channel
200: Open flow switch
300, 300a, 300b: Host

Claims (8)

In a method for analyzing a vulnerability of a Software Defined Networking (SDN) network,
At least one vulnerability that can occur in an arbitrary SDN network is classified into a control plane, a data plane, and a control channel according to an attack location, and an attack code for the vulnerability is included Obtaining a vulnerability database;
A first test step of executing at least one agent on an SDN network to be analyzed and attacking based on the vulnerability database; And
And analyzing a vulnerability of the network to be analyzed by collecting the first test result. The method according to claim 1,
A second test step of applying random data to the analysis target network and purging the random data;
Collecting the second test result and analyzing the vulnerability of the network to be analyzed; And
And updating the vulnerability database with respect to the second test result. 2. The method of claim 1, wherein the first test step comprises:
Executing an application agent on a controller of the network to be analyzed and controlling the application agent to attack according to vulnerability information included in the control plane category of the vulnerability database;
Executing a channel agent on a control channel of the analysis target network and controlling the channel agent to attack according to vulnerability information included in the control channel category of the vulnerability database; And
Executing a host agent in the network equipment of the analysis target network and controlling the host agent to attack a vulnerability included in the data plane category of the vulnerability database. The system according to claim 1,
In the control plane category,
A vulnerability to an attack that drops a control message necessary for chained excution of a plurality of applications or causes an infinite loop to be dropped; a vulnerability to an attack that a malicious application arbitrarily issues a flow rule to change a flow table , A vulnerability to an attack that alters a controller's API to disallow receiving an event from any application or to exploit an arbitrary application, or a vulnerability to an attack that manipulates the controller's system time And analyzing the network vulnerability information. The system according to claim 1,
In the data plane category,
A vulnerability to an attack that changes a match field of a flow rule applied to a specific switch to a value that supports a low specification at the switch or a vulnerability to an attack that applies a manipulated flow rule to a switch The network vulnerability analysis method comprising: The system according to claim 1,
In the control channel category,
A vulnerability to an attack for acquiring network topology information by eavesdropping a packet between a controller and a switch or a vulnerability to an attack for modifying the network topology by modifying the packet, Network vulnerability analysis method. An apparatus for analyzing a vulnerability of a software defined network,
Software Defined Classify at least one vulnerability that can occur in the network into the control plane, data plane, and control channel category according to attack location, A storage unit for storing a vulnerability database including the vulnerability database; And
And analyzing a vulnerability of the analysis target network by executing at least one agent on the analysis target network, attacking the vulnerability database, and analyzing the vulnerability of the analysis target network by collecting the first test result. In an application stored in a medium for performing a process of analyzing a vulnerability of a software defined network,
Software Defined Classify at least one vulnerability that can occur in the network into the control plane, data plane, and control channel category according to attack location, The ability to obtain a vulnerability database containing;
A first test function for executing at least one agent on the network to be analyzed and attacking based on the vulnerability database; And
And analyzing a vulnerability of the analysis target network by collecting the first test result.

Images