TY - GEN
T1 - AIM-SDN
T2 - 25th ACM Conference on Computer and Communications Security, CCS 2018
AU - Dixit, Vaibhav Hemant
AU - Doupe, Adam
AU - Shoshitaishvili, Yan
AU - Zhao, Ziming
AU - Ahn, Gail-Joon
N1 - Funding Information:
This work is partially supported by the grants from the National Science Foundation (NSF-ACI-1642031 and NSF-CNS-1651661) and a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University.
Publisher Copyright:
© 2018 Copyright held by the owner/author(s).
PY - 2018/10/15
Y1 - 2018/10/15
N2 - Network Management is a critical process for an enterprise to configure and monitor the network devices using cost effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like SNMP appear inadequate and newer techniques like NMDA and NETCONF have been invented. However, unlike SNMP which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for the inherent security flaws. In this paper, we identify several vulnerabilities in the widely used critical infrastructures which leverage the Network Management Datastore Architecture design (NMDA). Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. We base our research on the security challenges put forth by the existing datastore's design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on the controllers like OpenDayLight, Open Network Operating System and their proprietary implementations (by CISCO, Ericsson, RedHat, Brocade, Juniper, etc). Using our threat detection methodology, we demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise availability, integrity, and confidentiality of the network. We finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.
AB - Network Management is a critical process for an enterprise to configure and monitor the network devices using cost effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like SNMP appear inadequate and newer techniques like NMDA and NETCONF have been invented. However, unlike SNMP which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for the inherent security flaws. In this paper, we identify several vulnerabilities in the widely used critical infrastructures which leverage the Network Management Datastore Architecture design (NMDA). Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. We base our research on the security challenges put forth by the existing datastore's design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on the controllers like OpenDayLight, Open Network Operating System and their proprietary implementations (by CISCO, Ericsson, RedHat, Brocade, Juniper, etc). Using our threat detection methodology, we demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise availability, integrity, and confidentiality of the network. We finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.
UR - http://www.scopus.com/inward/record.url?scp=85056824448&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85056824448&partnerID=8YFLogxK
U2 - 10.1145/3243734.3243799
DO - 10.1145/3243734.3243799
M3 - Conference contribution
AN - SCOPUS:85056824448
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 664
EP - 676
BT - CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 15 October 2018
ER -