Abstract
Virtual switches are a crucial component of SDN-based cloud systems, enabling the interconnection of virtual machines in a flexible and "software-defined" manner. This paper raises the alarm on the security implications of virtual switches. In particular,we showthat virtual switches not only increase the attack surface of the cloud, but virtual switch vulnerabilities can also lead to attacks of much higher impact compared to traditional switches. We present a systematic security analysis and identify four design decisions which introduce vulnerabilities. Our findings motivate us to revisit existing threat models for SDNbased cloud setups, and introduce a new attacker model for SDN-based cloud systems using virtual switches. We demonstrate the practical relevance of our analysis using a case study with Open vSwitch and OpenStack. Employing a fuzzing methodology, we find several exploitable vulnerabilities in Open vSwitch. Using just one vulnerability we were able to create a worm that can compromise hundreds of servers in a matter of minutes. Our findings are applicable beyond virtual switches: NFV and high-performance fast path implementations face similar issues. This paper also studies various mitigation techniques and discusses how to redesign virtual switches for their integration.
Original language | English |
---|---|
Title of host publication | Proceedings of the Symposium on SDN Research, SOSR 2018 |
Number of pages | 15 |
Publisher | Association for Computing Machinery |
Publication date | 28 Mar 2018 |
Article number | 3185468 |
ISBN (Electronic) | 978-1-4503-5664-0 |
DOIs | |
Publication status | Published - 28 Mar 2018 |
Event | 2018 Symposium on SDN Research, SOSR 2018 - Los Angeles, United States Duration: 28 Mar 2018 → 29 Mar 2018 |
Conference
Conference | 2018 Symposium on SDN Research, SOSR 2018 |
---|---|
Country/Territory | United States |
City | Los Angeles |
Period | 28/03/2018 → 29/03/2018 |
Sponsor | ACM SigComm, Open Networking Summit (ONS) |
Keywords
- Attacker models
- Cloud security
- Data plane security
- MPLS
- Network isolation
- Network virtualization
- NFV
- Open vSwitch
- OpenStack
- Packet parsing
- ROP
- SDN
- Virtual switches