FlowFuzz
A Framework for Fuzzing OpenFlow-enabled Software and Hardware Switches
Nicholas Gray, Manuel Sommer, Thomas Zinner, Phuoc Tran-Gia
About us
Chair of Communication Networks
comnet.informatik.uni-wuerzburg.de
Prof. Dr.-Ing. Phuoc Tran-Gia
Dr. Thomas Zinner
Nicholas Gray M. Sc.
Manuel Sommer B. Sc.
SarDiNe
Sardine-project.org
Modeling, Performance Analysis & Optimization, Measurement, Experimentation, Simulation
Software-defined Networking & Cloud Networks
Future Internet & Smartphone Applications
Network Dynamics & Control
QoE Modeling & Resource Management
Agenda
• Software-defined Networking (SDN)
  • SDN Basics
  • Enhancing Network Security with SDN
  • Overview of the SDN Attack Surface
  • OpenFlow
• FlowFuzz
  • Architecture
  • Evaluation of Software Switches
  • Investigation of Feedback Sources for Hardware Switches
  • Evaluation of Hardware Switches
Speed of Innovation
Edge
Core
Data Center
Ethernet, IPv4, BGP…
Innovation Barrier
Proprietary Firmware
Over Specification
Specialized Hardware
Few Vendors
Control Plane
Data Plane
Software-defined Networking (SDN)
Data Plane
Control Plane
Logically Centralized Control Plane
Open Interfaces
Separation of Control and Data Plane
Programmability
Southbound API
SDN – Packet Handling & Table Structure
Rule | Action | Stats
Rule: Switch Port, Switch Phy Port, Metadata, ETH Dst, ETH Src, ETH Type, VLAN VID, VLAN PCP, IP DSCP, IP ECN, IP Proto, IPv4 Src, IPv4 Dst, TCP Src, TCP Dst, UDP Src, UDP Dst, SCTP Src, SCTP Dst, ICMPv4 Type, ICMPv4 Code, ARP OP, ARP SPA, ARP TPA, ARP SHA, ARP THA, …
Mask for match fields
Action:
• Forward packet to zero or more ports
• Encapsulate and forward to controller
• Send to normal processing pipeline
• Modify Fields
• Any extensions you add!
Stats: Packet + Byte Counters
SDN Example
[Figure: two panels, Reactive and Proactive. Each shows the Control Plane (CP), the Data Plane (DP), the Southbound API, hosts A and B, and a flow table with Match and Action columns (entries: CP, *.*, B).]
SDN Ecosystem
Network Control Module
Application Control
Interface
Network Control Module
SDN Control Plane
SDN WAN
Application Control Plane
Northbound API
Westbound API
Cloud
Hypervisor vSwitch
SDN Control Plane
Legacy Network Control Plane
Legacy WAN
Eastbound API
Switch Switch
Southbound API
Application Control Module
Application Control Module
SDN Use Cases
Cloud Orchestration
Application Awareness
Routing/Load Balancing
Network Monitoring
Network Management
Network Security
Software-defined Networking
Can we enhance network security with SDN?
External Network Internal Network
SDN Omni-Present Firewall
Internal Network
SDN Controller
Network Management System
Cloud Management System
FW VNF
Private Cloud
FW VNF
…
Shared State
Available Services
Services
AAA
SDN Switch SDN Switch
SDN Attack Surface
Network Control Module
Application Control Interface
Network Control Module
SDN Control Plane
SDN WAN
Application Control Plane
Northbound API
Westbound API
Cloud
Hypervisor vSwitch
SDN Control Plane
Legacy Network Control Plane
Legacy WAN
Eastbound API
Switch Switch
Southbound API
Application Control Module
Application Control Module
OpenFlow
• De-facto standard Southbound API protocol
• Maintained by the Open Networking Foundation
• First release in December 2009
• Most current version 1.5.1 (April 2015)
• Supported by 120+ industrial members
OpenFlow – Channel Initialization
OpenFlow Switch | Controller
MAC Resolution: ARP Request, ARP Reply
TCP Handshake: TCP SYN, SYN ACK, ACK
OpenFlow Handshake: Hello, Hello, Feature Request, Feature Reply
OpenFlow – Message Structure & Types
OpenFlow Message Header: Version, Type, Length, XID, followed by the payload
• Symmetric: Hello, Echo Request, Echo Reply, Experimenter
• Asynchronous: Packet-In, Flow Removed, Port Status, Error
• Controller-to-Switch: Feature Request, Get Config Request, Set Config, Packet-Out, Flow Modification, Group Modification, Port Modification, Table Modification, Meter Modification, Statistics Request, Barrier Request, Queue Get Config Request, Role Request, Get Asynchronous Request, Set Asynchronous
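The header layout above, as an added Python example (not FlowFuzz code): it splits a captured byte stream into OpenFlow messages and records the sanity-check findings a test harness would log. It assumes the OpenFlow 1.0 wire format (8-byte big-endian header, where Experimenter is still called Vendor); the function names and the sample stream are constructed for illustration.

```python
import struct

OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid (big-endian, 8 bytes)
OFP_VERSION_1_0 = 0x01

# OpenFlow 1.0 type codes, grouped into the three categories named on the slide.
CATEGORIES = {
    "symmetric": {0: "HELLO", 2: "ECHO_REQUEST", 3: "ECHO_REPLY", 4: "VENDOR"},
    "asynchronous": {1: "ERROR", 10: "PACKET_IN", 11: "FLOW_REMOVED",
                     12: "PORT_STATUS"},
    "controller-to-switch": {
        5: "FEATURES_REQUEST", 6: "FEATURES_REPLY", 7: "GET_CONFIG_REQUEST",
        8: "GET_CONFIG_REPLY", 9: "SET_CONFIG", 13: "PACKET_OUT", 14: "FLOW_MOD",
        15: "PORT_MOD", 16: "STATS_REQUEST", 17: "STATS_REPLY",
        18: "BARRIER_REQUEST", 19: "BARRIER_REPLY",
        20: "QUEUE_GET_CONFIG_REQUEST", 21: "QUEUE_GET_CONFIG_REPLY"},
}


def classify(msg_type):
    """Return (category, name) for a type code, or ("unknown", "TYPE_n")."""
    for category, types in CATEGORIES.items():
        if msg_type in types:
            return category, types[msg_type]
    return "unknown", "TYPE_%d" % msg_type


def pack_message(msg_type, xid, payload=b"", version=OFP_VERSION_1_0):
    """Build one message; the Length field covers header plus payload."""
    length = OFP_HEADER.size + len(payload)
    return OFP_HEADER.pack(version, msg_type, length, xid) + payload


def split_stream(buf, expected_version=OFP_VERSION_1_0):
    """Split buf into messages. Returns (messages, findings, unparsed_rest)."""
    messages, findings, offset = [], [], 0
    while len(buf) - offset >= OFP_HEADER.size:
        version, msg_type, length, xid = OFP_HEADER.unpack_from(buf, offset)
        if length < OFP_HEADER.size:
            # The stream cannot be re-synchronised after a bogus length: stop.
            findings.append((offset, "length %d is below the header size" % length))
            break
        if offset + length > len(buf):
            break                      # incomplete message, wait for more bytes
        category, name = classify(msg_type)
        if version != expected_version:
            findings.append((offset, "unexpected version 0x%02x" % version))
        if category == "unknown":
            findings.append((offset, "unknown message type %d" % msg_type))
        messages.append({"type": name, "category": category, "xid": xid,
                         "payload": buf[offset + OFP_HEADER.size:offset + length]})
        offset += length
    return messages, findings, buf[offset:]


# Constructed sample: three well-formed messages, then three malformed ones.
SAMPLE_STREAM = (
    pack_message(0, xid=1)                        # Hello
    + pack_message(5, xid=2)                      # Feature Request
    + pack_message(2, xid=3, payload=b"ping")     # Echo Request
    + pack_message(10, xid=4, version=0x04)       # version other than 1.0
    + pack_message(99, xid=5)                     # type code not defined in 1.0
    + OFP_HEADER.pack(OFP_VERSION_1_0, 0, 4, 6)   # Length smaller than the header
)

if __name__ == "__main__":
    msgs, issues, rest = split_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m["xid"], m["category"], m["type"])
    for off, text in issues:
        print("offset %d: %s" % (off, text))
```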
Fuzzing
• Automated fuzzer sends random, invalid and unexpected input to the system/device under test
• Mutation: mutates valid input
• Generation: generates valid/invalid input
• Check for crash
• Feedback loop
Open vSwitch (OvS)
• Production quality, multilayer open virtual switch
• Integrated into OpenStack, Xen, Pica8…
• Fully supports OpenFlow up to v1.4
• Operates either as software switch or as control stack for dedicated hardware
• Components: ovs-vswitchd and ovsdb (user space), openvswitch.ko (kernel space), virtual switches
Open vSwitch Fuzzer – A First Try
Setup: Mutation Fuzzer, Ryu OpenFlow Controller, Open vSwitch
• Lack of control
• Controller needs to be actively triggered
• Hard to integrate a feedback loop
Simple and fast, but not a promising approach
FlowFuzz
• Protocol Aware
• Python Based
• Supports OF v1.0/1.3
• Corpus of Valid Inputs
• Directed and Random Input Generation
• Various Sources as Feedback Loop
FlowFuzz – Architecture & Stages
Modules: TCP Connection Handler, Log Module, Testcase Loader, Replay Module, Test Manager
Stages:
• Pre-condition: OF Handshake, Table Initiation
• Test Execution: Input Generation, Transmission
• Validation: Sanity Checks, Logging
• Post-condition: Reset, Evaluation
Open vSwitch – Test Bed
• Open vSwitch versions under test: v1.5, v2.0, v2.5, v2.7
• Eight Ubuntu VMs, each with a vSwitch and a fuzzer
• All compiled with AddressSanitizer
Open vSwitch – Fuzzer Evaluation
• Test duration of one week
• Targeted OpenFlow version 1.0
• Crafted and random inputs
• Code coverage as main feedback source
Results
Version v1.5 v2.0 v2.5 v2.7
Anomalies 2538 2986 2263 2047
Crashes 13 10 14 0
• High number of false positives due to switch reconnects
• Crashes were due to the environment setup and could not be reproduced
• No security flaws detected – yet!
Hardware Switch – Feedback Sources
• Devices: NEC PF5240, Pronto 3290, HP 2920-24G, Quanta T1048-LB9
• Black box? Traditional guided fuzzing mechanisms cannot be applied!
• Feedback sources: Protocol Errors, Debug Mode, Device Log, System Stats, Power Consumption, Response Times
• Combine all sources to create a unique signature per input
Feedback Sources – Measuring Response Times
Sequence between Fuzzer and Hardware Switch: Intended Message, Barrier Request, Barrier Reply
Start =
End =
Timediff = End - Start
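The measurement above, as an added Python example (not FlowFuzz code): each test message is followed by a Barrier Request, and the time until the matching Barrier Reply becomes the per-input feedback value. The simulated switch, its delays, the channel interface (`send`/`recv_exact`) and the median-based outlier rule are assumptions made for illustration; the slides do not say how FlowFuzz evaluates the timings.

```python
import statistics
import struct

OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid
ECHO_REQUEST, ECHO_REPLY, BARRIER_REQUEST, BARRIER_REPLY = 2, 3, 18, 19  # OpenFlow 1.0


def timed_exchange(channel, message, xid, clock):
    """Send message plus a Barrier Request; return (Timediff, other replies seen)."""
    start = clock()                                        # Start
    channel.send(message + OFP_HEADER.pack(1, BARRIER_REQUEST, 8, xid))
    seen = []
    while True:
        _, msg_type, length, rx_xid = OFP_HEADER.unpack(channel.recv_exact(8))
        if length < OFP_HEADER.size:
            raise ValueError("reply announces a length below the header size")
        channel.recv_exact(length - OFP_HEADER.size)       # body is not needed here
        if msg_type == BARRIER_REPLY and rx_xid == xid:
            return clock() - start, seen                   # Timediff = End - Start
        seen.append((msg_type, rx_xid))


def flag_outliers(samples, k=5.0, floor=1e-4):
    """Return xids whose time exceeds median + k * MAD (assumed rule, not the page's).

    floor bounds the MAD from below so timer noise on near-identical samples
    is not reported as an anomaly.
    """
    times = [t for _, t in samples]
    median = statistics.median(times)
    mad = max(statistics.median(abs(t - median) for t in times), floor)
    return [xid for xid, t in samples if (t - median) / mad > k]


class SimulatedSwitch:
    """Constructed stand-in for a device: answers Echo and Barrier Requests and
    advances a fake clock by a per-xid processing delay (default 2 ms)."""

    def __init__(self, delays):
        self.delays, self.now, self.rx = dict(delays), 0.0, b""

    def clock(self):
        return self.now

    def send(self, data):
        offset = 0
        while offset < len(data):
            _, msg_type, length, xid = OFP_HEADER.unpack_from(data, offset)
            if msg_type == ECHO_REQUEST:
                body = data[offset + OFP_HEADER.size:offset + length]
                self.rx += OFP_HEADER.pack(1, ECHO_REPLY, length, xid) + body
            elif msg_type == BARRIER_REQUEST:
                self.now += self.delays.get(xid, 0.002)
                self.rx += OFP_HEADER.pack(1, BARRIER_REPLY, 8, xid)
            offset += length

    def recv_exact(self, n):
        data, self.rx = self.rx[:n], self.rx[n:]
        if len(data) != n:
            raise ConnectionError("channel closed before %d bytes arrived" % n)
        return data


def run_demo():
    """Ten Echo Requests; the constructed switch is slow on input 7 only."""
    switch = SimulatedSwitch({7: 0.250})
    samples = []
    for xid in range(1, 11):
        echo = OFP_HEADER.pack(1, ECHO_REQUEST, 12, xid) + b"test"
        timediff, _ = timed_exchange(switch, echo, xid, switch.clock)
        samples.append((xid, timediff))
    return samples, flag_outliers(samples)


if __name__ == "__main__":
    print(run_demo())
```

Against a real device the channel would wrap the TCP connection and `clock` would be `time.monotonic`; a switch reconnect in the middle of an exchange surfaces here as `ConnectionError` rather than as a timing sample.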
Feedback Sources – Evaluation of Response Times
Figure panels: HP 2920-24G, Pronto 3290
Hardware Switch – Test Bed
• Switches under test: NEC PF5240, HP 2920-24G, Quanta T1048-LB9, Pronto 3290
• Four Ubuntu VMs, each running the fuzzer
Hardware Switch – Fuzzer Evaluation
• Test duration of 12h
• Targeted OpenFlow version 1.0
• Crafted and random inputs
• Response times as main feedback source
Results
Switch NEC HP Quanta Pronto
Anomalies 2133 1735 1915 2643
Crashes 0 0 0 0
• High number of false positives due to switch reconnects
• No security flaws detected – yet!
FlowFuzz – Next Steps & Future Extension
Measurements
• Reduce false positive rate
• Increase test duration
• Fuzz OpenFlow v1.3
Extensions
• Support higher OF versions
• Optimize feedback loop
• Agents for DP fuzzing
Corpus Generation
• Categorized by OF version
• Derived from code coverage
Sound Bytes
• SDN is coming – Be prepared!
• SDN can enhance the security of networks
• FlowFuzz – A protocol-aware OpenFlow fuzzing framework
• De-blackboxing black boxes by using alternative feedback sources
Questions
Chair of Communication Networks, comnet.informatik.uni-wuerzburg.de
SarDiNe, Sardine-project.org