INTENDER: Fuzzing Intent-Based Networking with Intent-State Transition Guidance

Intent-based networking (IBN) abstracts network configuration complexity from network operators by focusing on what operators want the network to do rather than how such configuration should be implemented. While such abstraction eases network management challenges, little attention to date has focused on IBN's new security concerns that adversely impact an entire network's correct operation. To motivate the prevalence of such security concerns, we systematize IBN's security challenges by studying existing bug reports from a representative IBN implementation within the ONOS network operating system. We find that 61% of IBN-related bugs are semantic bugs that are challenging, if not impossible, to detect efficiently by state-of-the-art vulnerability discovery tools. To tackle existing limitations, we present INTENDER, the first semantically-aware fuzzing framework for IBN. INTENDER leverages network topology information and intentoperation dependencies (IOD) to efficiently generate testing inputs. INTENDER introduces a new feedback mechanism, intent-state transition guidance (ISTG), which traces the history of transitions in intent states. We evaluate INTENDER using ONOS and find 12 bugs, 11 of which were CVE-assigned security-critical vulnerabilities affecting network-wide control plane integrity and availability. Compared to state-of-the-art fuzzing tools AFL, Jazzer, Zest, and PAZZ, INTENDER generates up to 78.7x more valid fuzzing input, achieves up to 2.2x better coverage, and detects up to 82.6x more unique errors. INTENDER with IOD reduces 73.02% of redundant operations and spends 10.74% more time on valid operations. INTENDER with ISTG leads to 1 .8x more intent-state transitions compared to code-coverage guidance.