Author: Bidaj, Andi
Title: Security Testing SDN Controllers
Publication type: Master's thesis
Publication year: 2016
Pages: (6) + 61
Language: eng
Department/School: Perustieteiden korkeakoulu
Main subject: Security and Mobile Computing (T3011)
Supervisor: Aura, Tuomas
Instructor: Aura, Tuomas
Electronic version URL: http://urn.fi/URN:NBN:fi:aalto-201608263040
Location: P1 Ark Aalto 5405 | Archive
Keywords: SDN, OpenFlow, fuzzing, opendaylight, ONOS
Abstract (eng): Software-defined networking is a new paradigm that separates the network's control plane from the data plane.
Many SDN controllers have been implemented since this concept was first introduced.
As with other network models, security becomes an important requirement because adversaries can launch various attacks to steal sensitive data, manipulate the network's state or cause denial of service to legitimate users.

In this work, we apply fuzzing techniques to discover vulnerabilities in implementations of the OpenFlow protocol in SDN controllers such as OpenDaylight and ONOS.
Careful planning and understanding of the system is crucial to improve testing efficiency.
Threat modeling is an approach to identify and analyze risks and threats in the system under test.
The list of threats is first constructed by applying the STRIDE methodology and extended using CAPEC Mitre attack libraries.

Testing revealed a considerable number of denial of service vulnerabilities and other bugs.
An exploit of a few lines of code written using scapy managed to crash the controller.
Another important denial of service attack prevented legitimate applications from adding flows to particular switches until the OpenDaylight controller was restarted.
Moreover, fuzzing revealed several less important bugs, which affected both the OpenDaylight and ONOS controllers.

Testing presented a number of challenges.
Measuring and improving test coverage poses a significant issue.
Increasing the number of test case scenarios could help cover larger parts of the software.
ED:2016-09-04
INSSI record number: 54252