From threats to solutions in data center networks

Semantic Scholar (2020)

Abstract
In this dissertation we adopt a threat model in which the data center network infrastructure itself is potentially malicious. To describe practical threats and solutions related to malicious switches, we focus on multi-tenant data center networks that i) consolidate control over the (hardware and software) switches in a logically centralized controller and ii) use virtualization techniques for multi-tenancy. Our extensive security analyses and evaluations of the design, specifications and systems of logically centralized data center network controllers reveal the following. Malicious switches can covertly bypass network-wide security policies and mechanisms via the controller. We identify three reasons for the existence of such covert channels: i) malicious switches share the logical controller, ii) switches are neither authenticated nor authorized to the controller and iii) the network has been made automated and programmable. These channels can be reliable (TCP-based) and fast (10 Mbps). As a result, malicious switches can launch several network-based attacks in the data center, e.g., circumventing firewalls to access unauthorized data. Furthermore, our state transition and delay model of the switch-controller handshake allows us to design, implement and evaluate a covert timing channel that uses a frame-based transmission scheme for accurate, low-bandwidth (20 bps) communication, e.g., to exfiltrate private keys. We also initiate the discussion of practical countermeasures, e.g., coupling TLS with the switch-controller handshake for authentication. Next, our security analysis of network virtualization architectures that use virtual switches (a key system for enforcing network isolation in multi-tenant data center networks) sheds light on the following.
Increasing network functionality in the virtual switch, combined with co-locating it with the hypervisor and the lack of appropriate threat models, among other reasons, has resulted in an insecure design. An attacker can escape host and network virtualization and, spreading like a worm, compromise the entire data center. By fuzzing the packet parser of a popular virtual switch (OvS), we discovered 3 exploitable memory corruption vulnerabilities. We use just one of them in a popular cloud management system (OpenStack) to demonstrate our point: from a virtual machine (VM) we could take down hundreds of servers in a few minutes. Our measurements of the software-based countermeasures that could have prevented the discovered OvS vulnerabilities from being exploited show that maximum packet-processing throughput is reduced by half in the kernel, whereas the overhead in user space is minimal (1-15%). Finally, we continue our previous work by first surveying the security landscape of 23 virtual switches and conclude that nearly all of them lack security in their design. Hence, we introduce four secure design principles for virtual switches and accordingly build a scalable prototype that prevents the virtual switch from being a liability to the (multi-tenant) data center network. The key insights from our system and performance evaluations are as