Exploiting Temporal Vulnerabilities for Unauthorized Access in Intent-based Networking


Research area: Strategies



Venue: CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security


Abstract

Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed in the network and implement the desired behavior. We discovered that current IBN specifications and implementations do not specify that flow rule installation orderings should be enforced, which leads to temporal vulnerabilities where, for a limited time, attackers can exploit indeterminate connectivity behavior to gain unauthorized network access. In this paper, we analyze the causes of such temporal vulnerabilities and their security impacts with a representative case study via the ONOS IBN implementation. We devise the Phantom Link attack and demonstrate a working exploit to highlight the security impacts. To defend against such attacks, we propose Spotlight, a detection method that can alert a system administrator of risky intent updates prone to exploitable temporal vulnerabilities. Spotlight is effective in identifying risky updates using realistic network topologies and policies. We show that Spotlight can detect risky updates in a mean time of 0.65 seconds for topologies of over 1,300 nodes.
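The abstract's core observation is that an intent update is compiled into a set of flow-rule additions and deletions whose installation order is not enforced, so the network passes through intermediate rule sets that belong to neither the old nor the new intent. The following is an added illustration of that class of problem, written for this page; it is not code from the paper, from Spotlight, or from ONOS, and the topology, rule format, policy, and intent update are all constructed for the example. The checker brute-forces every intermediate state (every subset of the pending operations) and reports those in which a host pair outside the policy can communicate; it is a stand-in for the kind of analysis the abstract describes, not the paper's algorithm.

```python
"""Transient-state check for an intent update whose flow-rule operations
are installed in no enforced order.

Constructed example: hosts h1 and hA (attacker) and server h3; the policy
allows only h1 -> h3. The old intent routes h1 -> h3 via s1-s2-s3. The new
intent reroutes it via s4, the switch hA is attached to, using destination-
only forwarding rules plus a higher-priority guard rule at s4 that drops
h3-bound traffic entering on hA's port. Old and new rule sets both satisfy
the policy; some of the states between them do not.
"""
from itertools import combinations

# --- constructed topology: host -> (switch, port); links are bidirectional
HOSTS = {"h1": ("s1", 1), "hA": ("s4", 1), "h3": ("s3", 1)}
LINKS = {("s1", 2): ("s2", 2), ("s2", 3): ("s3", 2),
         ("s1", 3): ("s4", 2), ("s4", 3): ("s3", 3)}
LINKS.update({b: a for a, b in list(LINKS.items())})

# Policy: the only (src, dst) pair allowed to communicate.
ALLOWED = {("h1", "h3")}


def rule(sw, prio, dst, action, in_port=None):
    """A flow rule: (switch, priority, in_port or None for any, dst, action).
    action is an output port number or the string "drop"."""
    return (sw, prio, in_port, dst, action)


OLD_RULES = {
    rule("s1", 10, "h3", 2),
    rule("s2", 10, "h3", 3),
    rule("s3", 10, "h3", 1),
}
NEW_RULES = {
    rule("s1", 10, "h3", 3),
    rule("s4", 10, "h3", 3),
    rule("s3", 10, "h3", 1),                       # unchanged by the update
    rule("s4", 20, "h3", "drop", in_port=1),       # guard for hA's port
}


def forward(rules, src, dst, max_hops=16):
    """Return the host a src->dst packet is delivered to under `rules`, or
    None if it hits a table miss, a drop rule, a dead port, or a loop."""
    sw, port = HOSTS[src]
    for _ in range(max_hops):
        candidates = [r for r in rules
                      if r[0] == sw and r[3] == dst and r[2] in (None, port)]
        if not candidates:
            return None
        # Highest priority wins. Equal-priority overlaps are resolved here by
        # max(); a real switch's behaviour in that case is indeterminate.
        action = max(candidates, key=lambda r: r[1])[4]
        if action == "drop":
            return None
        for host, attach in HOSTS.items():
            if attach == (sw, action):
                return host                         # delivered to a host port
        nxt = LINKS.get((sw, action))
        if nxt is None:
            return None
        sw, port = nxt
    return None


def violations(rules):
    """(src, delivered-to) pairs that communicate under `rules` but are not
    allowed by the policy. Misdelivery to the wrong host counts too."""
    seen = set()
    for src in HOSTS:
        for dst in HOSTS:
            if src != dst and (got := forward(rules, src, dst)) is not None:
                seen.add((src, got))
    return seen - ALLOWED


def update_ops(old, new):
    """The add/delete operations that turn `old` into `new`; their order is
    irrelevant here because every subset of them is examined."""
    return [("del", r) for r in old - new] + [("add", r) for r in new - old]


def apply_ops(old, ops):
    rules = set(old)
    for kind, r in ops:
        (rules.discard if kind == "del" else rules.add)(r)
    return rules


def risky_states(old, new):
    """Every intermediate rule set reachable under some installation order
    (every subset of the operations) that violates the policy."""
    ops = update_ops(old, new)
    return [(subset, violations(apply_ops(old, subset)))
            for k in range(len(ops) + 1)
            for subset in combinations(ops, k)
            if violations(apply_ops(old, subset))]


def is_risky(old, new):
    return bool(risky_states(old, new))


def check_order(old, order):
    """Violations observed after each step of one concrete installation order."""
    return [violations(apply_ops(old, order[:i + 1])) for i in range(len(order))]


# Two concrete orders for the same update: forwarding rule at s4 before the
# guard (unsafe window) versus guard first (safe at every step).
BAD_ORDER = [("add", rule("s4", 10, "h3", 3)),
             ("add", rule("s4", 20, "h3", "drop", in_port=1)),
             ("del", rule("s1", 10, "h3", 2)),
             ("add", rule("s1", 10, "h3", 3)),
             ("del", rule("s2", 10, "h3", 3))]
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0]] + BAD_ORDER[2:]

if __name__ == "__main__":
    print("old state violations:", violations(OLD_RULES))
    print("new state violations:", violations(NEW_RULES))
    print("update is risky:", is_risky(OLD_RULES, NEW_RULES),
          "-", len(risky_states(OLD_RULES, NEW_RULES)), "unsafe intermediate states")
    print("bad order, per step:", check_order(OLD_RULES, BAD_ORDER))
    print("good order, per step:", check_order(OLD_RULES, GOOD_ORDER))
```

The point the run makes is the one the abstract makes: neither endpoint of the update is unsafe, yet eight of the thirty-two intermediate rule sets let hA reach h3, and whether the network passes through one of them depends entirely on which operation the controller happens to install first. Enumerating all subsets is exponential in the number of operations, so it is only a demonstration of the check, not a scalable implementation; the practitioner's fix is to make the ordering explicit (install guards and drops before the forwarding rules that need them, and delete forwarding rules before the guards they rely on) or to avoid destination-only rules on switches where untrusted hosts attach.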


Authors

Ben Weintraub, MIT Lincoln Laboratory & Northeastern University, Lexington, MA, USA (country listed on the site: Morocco)

Jiwon Kim, Purdue University, West Lafayette, IN, USA (country listed on the site: India)

Ran Tao, Georgetown University, Washington, D.C., USA (country listed on the site: United States)

Paper information

Publication year: 2024
Citations: 0
Publication countries (as listed on the site): Morocco, India, United States
Site: ACM
Likes: 0

Related papers (339)