The overall goal of the project is to develop new detection and defense techniques (e.g., race detection) for software environments such as SDN control planes to precisely pinpoint security bugs/vulnerabilities, particularly those race related.

We found several new attack surfaces in existing software-defined infrastructure. We illustrate two major outcomes on detecting SDN vulnerabilities below:

1. We identified a novel attack against SDN networks that can cause serious security and reliability risks by exploiting harmful race conditions in the SDN controllers, similar in spirit to classic TOCTTOU (Time of Check to Time of Use) attacks against file systems. We further developed a novel dynamic framework, CONGUARD, that can effectively detect and exploit harmful race conditions. We show that an adversary can remotely exploit many harmful race conditions with a high success ratio by injecting the “right” external events into the SDN network. We have designed and implemented a framework called CONGUARD for detecting and exploiting concurrency vulnerabilities in the SDN control plane, and we have evaluated it on three mainstream open-source SDN controllers –Floodlight, ONOS, and OpenDaylight, with 34 applications in total. CONGUARD found 15 previously unknown harmful race conditions in these SDN controllers. All of them have been confirmed by developers and 12 of them are patched with our assistance.
2. We found that it is possible for a weak adversary who only controls a commodity network device (host or switch) to attack previously unreachable control plane components by maliciously increasing reachability in the control plane. We introduce D2C2 (data dependency creation and chaining) attack, which leverages some widely-used SDN protocol features (e.g., custom fields) to create and chain unexpected data dependencies in order to achieve greater reachability. We have developed a novel tool, SVHunter, which can effectively identify D2C2 vulnerabilities. We have evaluated SVHunter on three mainstream open-source SDN controllers (i.e., ONOS, Floodlight, and Opendaylight) as well as one security-enhanced controller (i.e., SE-Floodlight). SVHunter detects 18 previously unknown vulnerabilities, all of which can be exploited remotely to launch serious attacks such as executing arbitrary commands, exfiltrating confidential files, and crashing SDN services. To fix these vulnerabilities, we have made responsible disclosure and notified the vendors of each vulnerable controller. They reacted immediately to fix most of them. Our found vulnerabilities have also been assigned with 9 CVE numbers. Our research has significantly improved the security of our society. 

Going beyond SDN, we have also developed new race detection algorithms and techniques that either significantly advanced prior state-of-the-art approaches or have become the state-of-the-art. Our tools on static and dynamic race detection have been applied to a large collection of real-world parallel applications written in different programming languages such as C/C++/Java/OpenMP/Go/Rust. We illustrate two representative outcomes below:

1. Our dynamic race detection tool UFO scales to large real-world C/C++ programs such as Chromium and FireFox and detects over a hundred potential UAFs that are previously unknown. The significance of this work was also recognized by Google and the results were published in the flagship international software engineering conference (ICSE'18). Our open source pointer analysis implementation has been adopted by the popular WALA program analysis framework developed by IBM T.J. Watson Research Center.
2. Our static race detection tool OMPRacer uses novel flow-sensitive, interprocedural analysis to detect data races in parallel programs written in OpenMP. Unlike dynamic tools that currently dominate the field, OMPRACER achieves almost 100% OpenMP code coverage using static analysis to detect a broader category of races without running the program or relying on specific input and runtime behaviour to trigger the race. Moreover, OMPRACER has competitive precision with representative dynamic tools such as Archer and ROMP: it passes 105 out of the 116 cases in DataRaceBench with a total accuracy of 91%. OMPRACER has been used to analyze the large-scale OpenMP applications containing over 2 million lines of code in under 10 minutes and has revealed a previously-unknown race in them.

During this project, several graduate students have gained valuable experience and learned several research skills such as scientific reading/writing, scientific data analysis, security system development.

Last Modified: 09/29/2021
Modified by: Guofei Gu