30
Developing and maintaining trust among SDN entities Frank Acker SoSSDN Workshop June 17, 2016 [email protected]
The overall briefing is classified:
Developing and maintaining trust among SDN entities
Frank Acker
SoSSDN Workshop
June 17, 2016
In this Talk • SDN Security Challenges
• Trusted Platform Module (TPM)
• Trust Management
• Measurement & Attestation (M&A)
• M&A Protocol
• SDN Root of Trust (RoT) Research
2
Research Challenges for SDN Security • Remotely Programmable Network
• New protocols – open & proprietary
• Few standards
• Security is a low priority for most SDN vendors
• New attack surfaces
• How do we trust the devices/apps/users …
3
So what does this mean? • Opportunities for SDN Security Research
– Security and data exchange protocols
– Security instantiation and maintenance processes
– Applications for security policy enforcement
– Novel integration of HW & SW
4
Actions • Conduct leading edge research for SDN security
• Apply trust management to SDN infrastructure
• Partner with Industry
• Develop trust among SDN entities
– Physical machines
– Virtual machines & containers
– Trusted boot & operations
– Protocol and application development
– Formal protocol analysis
5
Methods of Trust • Hardware
– Trusted Platform Module (TPM)
• Software
– Virtual Trusted Platform Module (vTPM)
6
Trusted Platform Module (TPM)
7
• Defined by Trusted Computing Group – www.trustedcomputinggroup.org
– International Standards body
– Used in Trusted Network Connect (TNC) products
– Platform Independent
– Generations • Ver 1.1 – old
• Ver 1.2 – Phase-out
• Ver 2.0 – current
TPM Functions & Operations • TCG Software Stack (TSS)
– Interface for using TPM services (TrouSerS)*
– http://sourceforge.net/projects/trousers/files
• Cryptographic Engine – Encryption
– Digital signatures
– Hashing
• Platform Configuration Registers (PCRs) – Representation of the software state
– Values derived by additional hashing **
8
* Challener (2011) ** Osborn & Challener (2013)
9
How to establish Trust?
10
• Conduct Measurement & Attestation (M&A)
– Collect reliable information about platform.
– Evaluate the evidence for identity and integrity of the system.
– Make decision.
Principles of M&A
11
1. Fresh Information – Current on running system
2. Comprehensive Information – Capability to deliver full target information
3. Constrained Disclosure – Enforce policy of info released to attester
4. Semantic Explicitness – Consistent for appraiser to infer multiple measurements
5. Trustworthy Mechanism – Provide reliable evidence
Ref: Sheehy et. al (2007)
M&A Architecture
12
1. Measure – Collect diverse evidence of target
2. Separate domains – Tools can prepare results without interference
3. Protect itself – Evidence cannot be compromised without detection
4. Delegate Attestation – Summarize measurements that target will permit
5. Manage attestation – Deliver evidence to appraiser as per policy
Ref: Sheehy et. al (2007)
M&A Development • Applying the Principle & Architecture using
CAVES protocol*.
– Secrecy and authentication security properties
– Proven mathematical analysis through all possible executions of protocol based upon set of assumptions
• Cryptographic Protocol Shape Analysis (CPSA) (ref: hackage.haskell.org/package/cpsa)
13
* Ref: Ramsdell et al., 2009
CAVES Protocol
14
Ref: Ramsdell et al., 2009
SDN Architecture
15
SDN Controller
North Bound Links
South Bound Links
Control Layer
(Control Plane)
Apps Apps Apps
Infrastructure Layer
(Data Plane)
Application Layer
OpenFlow Protocol
Net Device
Net Device
Net Device
Net Device
Net Device
RoT SDN Research • Problem: There is no method to verify the
trustworthiness of devices in the SDN infrastructure.
• Research Goal: Develop a methodology which enables remote attestation for the exchange of trust information, and establish a Root-of-Trust (RoT) among SDN Entities.
16
RoT SDN Research • Approach: Apply and modify existing research
models for establishing trust in an SDN testbed.
• Research for use and extension:
– Trusted Computing Platform
– Measurement and Attestation
– Secure Virtual Platform
– CPSA Analysis
17
Use Cases
18
1. Initial startup of a simple network architecture and establishing trust among the components.
2. Change in the number of operating network devices.
3. Run time trust management monitoring of network devices.
4. Adding an additional controller.
5. SDN Cross domain trust management.
Use Case 1 Initial startup of a simple network architecture and establishing trust among the components.
19
Apps Server
Apps Apps Apps Apps
Controller
SW 1
H1 H2
NB Links
SB Links
IP Links
VM VM VM VM VM VM
• One Controller
• One App Server
• One switch
• Conduct M&A w/CAVES
• Instantiate operations
if trust established
Use Case 2 Change in the number of operating network devices.
20
• Network in operational status
• Change number of net
devices. • Add device
• Conduct M&A process
as Use Case 1
• Remove a device.
Apps Server
Apps Apps Apps Apps
Controller
SW 1
H1 H2
NBLinks
SBLinks
IP Links
VM VM VM VM VM VM
SW 2 SW 3
Use Case 3 Run time trust management monitoring of network devices
21
Conduct M&A (Use Case 1)
Trusted? Continue
OPS Remove
(Use Case 2)
Y N
• During operation,
conduct M&A as in
Use Case 1
• If corruption
detected, remove
device as described
in Use Case 2
Use Case 4 Adding additional controllers • Conduct M&A
• Controllers establish mutual trust
• Add into network
22
Apps Server
Apps Apps Apps Apps
SBLinks
Controller1 VM VM VM VM VM VM
SW 3
H1 H2
IP Links
SW 4
Controller2 VM VM VM VM VM VM
SW 5
SW 6 SW 1
SW 2
Use Case 5 SDN Cross Domain trust management
• Exchange information between the two domains – Root of Trust establishment
• Both domains have established trust within their respective domains
– Federating trust
– Access policies between the two domains
– Different levels of trust • Defined through policy from allowing full information exchange to minimal or no
information being shared.
• Conduct research to identify the gating factors in inter-domain trust management.
23
Apps Server
SDN RoT Research Architecture
24
Apps Apps Apps Apps
Controller
SW 1
SW 4
SW 2 SW 3
H1 H2
North Bound Links
South Bound Links
IP Links among devices
VM VM VM VM VM VM
Research Environment
25
• Control Layer
– HP Server
• Application Layer
– HP Server
• Data Plane
– Dell Desktop PC’s with multiple NIC’s
• OS
– CentOS 7
• Hypervisor
– Xen
• Switch
– OpenVSwitch
Current Status • Infrastructure in place
• Development of CAVES entities
• Working on Use Case 1
• Working on protocol development of:
– UC 2 - Processes to add & delete devices
– UC 3 - Methods to re-verify trusted operation
– UC 4 – Change number of controllers
– UC 5 - Policy development & management for Intra & Inter SDN domain environments
26
SDN Resources • SDX Central – www.sdxcentral.com
• SDN Course - https://www.cousera.org/course/sdn
• Open Networking Foundation – opennetworking.org
• Companies & Organizations Directory
– www.sdxcentral.com/sdn-directory/
• Videos on youtube.com
27
Summary • SDN is an evolving technology
• New players are entering the foray
• Security is largely undefined
• Looking for industry and academic research partners
28
References
29
• Challener, D. (2011). Programming with TrouSerS. Applied Physics Laboratory, Johns Hopkins Univ. 13.
• Osborn, J., & Challener, D. (2013). Trusted platform evolution. Johns Hopkins APL Technical Digest, 32, (2), 536-543. www.jhuapl.edu/techdigest
• Ramsdell, J. D., Guttman, I. D., Millen, I. K., & O’Hanlon, B. (2009). An Analysis of the CAVES Attestation Protocol using CPSA. arXiv preprint arXiv:1207.0418.
• Sheehy, J., Coker, G., Guttman, J., Loscocco, P., Herzog, A., Millen, J., & Sniffen, B. (2007). Attestation: Evidence and trust. Mitre Technical Paper
