Data inconsistency attack and defense in software-defined networking

Abstract

Over the years, Software-Defined Networking (SDN) has grown aggressively, and many SDN controller products have been released to date as not only open source projects but also commercial ones. Considering the adoption of SDN, the security of SDN components is an essential aspect that needs to be thoroughly investigated, so research in this area has been getting attention. However, despite growing interest in SDN security, SDN controllers are vulnerable to security vulnerabilities that have not yet been disclosed. Among them, we focus on data inconsistency problems between the controller and switches. In this work, we try to find out the inconsistency states between each layer, which are powerful enough to jeopardize the entire network. To more efficiently detect those vulnerabilities and bugs, we introduce a framework called RE-CHECKER that can find the security holes using RESTful services in SDN controller. As a result, using RE-CHECKER, we found four bug types against three open source controllers: ONOS, Floodlight, and Ryu. Based on the result of RE-CHECKER, we illustrate some design flaws of the controllers through security analysis. After that, we present another framework called AUDI, which can detect and address the data inconsistency between the controller and switches. To prove the feasibility and examine the potential impact of the data inconsistency, we demonstrate some vulnerable scenarios in the real SDN environments.