Richard Skowyra

Verifiably-safe software-defined networks for CPS

Next generation cyber-physical systems (CPS) are expected to be deployed in domains which require scalability as well as performance under dynamic conditions. This scale and dynamicity will require that CPS communication networks be programmatic (i.e., not requiring manual intervention at any stage), but still maintain iron-clad safety guarantees. Software-defined networking standards like Openflow provide a means for scalably building tailor-made network architectures, but there is no guarantee that these systems are safe, correct, or secure. In this work we propose a methodology and accompanying tools for specifying and modeling distributed systems such that existing formal verification techniques can be transparently used to analyze critical requirements and properties prior to system implementation. We demonstrate this methodology by iteratively modeling and verifying an Openflow learning switch network with respect to network correctness, network convergence, and mobility-related properties. We posit that a design strategy based on the complementary pairing of software-defined networking and formal verification would enable the CPS community to build next-generation systems without sacrificing the safety and reliability that these systems must deliver.

Software-Defined IDS for securing embedded mobile devices

The increasing deployment of networked mobile embedded devices leads to unique challenges communications security. This is especially true for embedded biomedical devices and robotic materials handling, in which subversion or denial of service could result in loss of human life and other catastrophic outcomes. In this paper we present the Learning Intrusion Detection System (L-IDS), a network security service for protecting embedded mobile devices within institutional boundaries, which can be deployed alongside existing security systems with no modifications to the embedded devices. L-IDS utilizes the OpenFlow Software-Defined Networking architecture, which allows it to both detect and respond to attacks as they happen.

A Verification Platform for SDN-Enabled Applications

Recent work on integration of SDNs with application-layer systems like Hadoop has created a class of system, SDN-Enabled Applications, which implement application-specific functionality on the network layer by exposing network monitoring and control semantics to application developers. This requires domain-specific knowledge to correctly reason about network behavior and properties, as the SDN is now tightly coupled to the larger system. Existing tools for SDN verification and analysis are insufficiently expressive to capture this composition of network and domain models. Unfortunately, it is exactly this kind of automated reasoning and verification that is necessary to develop robust SDN-enabled applications for real-world systems. In this paper, we present ongoing work on Verificare, a verification platform being built to enable formal verification of SDNs as components of a larger domain-specific system. SLA, safety, and security requirements can selected from a variety of formal libraries and automatically verified using a variety of off-the-shelf tools. This approach not only extends the flexibility of existing SDN verification systems, but can actually provide more fine-grained analysis of possible network states due to extra information supplied by the domain model.

BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

We create BEADS, a framework to automatically generate test scenarios and find attacks in SDN systems. The scenarios capture attacks caused by malicious switches that do not obey the OpenFlow protocol and malicious hosts that do not obey the ARP protocol. We generated and tested almost 19,000 scenarios that consist of sending malformed messages or not properly delivering them, and found 831 unique bugs across four well-known SDN controllers: Ryu, POX, Floodlight, and ONOS. We classify these bugs into 28 categories based on their impact; 10 of these categories are new, not previously reported. We demonstrate how an attacker can leverage several of these bugs by manually creating 4 representative attacks that impact high-level network goals such as availability and network topology.

Multi-variant execution to protect unpatched software

For a variety of economic and practical reasons, security patches often cannot be deployed immediately after a patchs release. To mitigate attacks against unpatched software, we present the design and evaluation of a Moving Target technique that uses a form of software diversity called multi-variant execution. Our technique decomposes the softwares behavior into its low-level system calls and compares unpatched and patched execution traces to identify malicious behavior in the unpatched software. We evaluate our approach on benign and malicious document samples and our results indicate that multi-variant execution can detect real exploits with low false positives.

Towards accessible integration and deployment of formal tools and techniques

Computer science researchers in the programming languages and formal verification communities, among others, have produced a variety of automated assistance and verification tools and techniques for formal reasoning. While there have been notable successes in utilizing these tools on the development of safe and secure software and hardware, these leading-edge advances remain largely underutilized by large populations of potential users that may benefit from them. In particular, we consider researchers, instructors, students, and other end users that may benefit from instant feedback from lightweight modeling and verification capabilities when exploring system designs or formal arguments. We describe Aartifact, a supporting infrastructure that makes it possible to quickly and easily assemble interacting collections of small domain-specific languages, as well as translations between those languages and existing tools (e.g., Alloy, SPIN, Z3) and techniques (e.g., evaluation, type checking, congruence closure); the infrastructure also makes it possible to compile and deploy these translators in the form of a cloud-based web application with an interface that runs inside a standard browser. This makes more manageable the process of exposing a limited, domain-specific, and logistically accessible subset of the capabilities of existing tools and techniques to end users. This infrastructure can be viewed as a collection of modules for defining interfaces that turn third-party formal modeling and verification tools and techniques into plug-ins that can be integrated within web-based interactive formal reasoning environments.

Cross-App Poisoning in Software-Defined Networking

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control planes integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.

QUASAR: Quantitative Attack Space Analysis and Reasoning

Computer security has long been an arms race between attacks and defenses. While new defenses are proposed and built to stop specific vectors of attacks, novel, sophisticated attacks are devised by attackers to bypass them. This rapid cycle of defenses and attacks has made it difficult to strategically reason about the protection offered by each defensive technique, the coverage of a set of defenses, and possible new vectors of attack for which to design future defenses. In this work, we present QUASAR, a framework that systematically analyzes attacks and defenses at the granularity of the capabilities necessary to mount the attacks. We build a model of attacks in the memory corruption domain, and represent various prominent defenses in this domain. We demonstrate that QUASAR can be used to compare defenses at a fundamental level (what they do instead of how they do it), reason about the coverage of a defensive configuration, and hypothesize about possible new attack strategies. We show that of the top five hypothesized new attack strategies, in fact, four have been published in security venues over the past two years. We investigate the fifth hypothesized vector ourselves and demonstrate that it is, in fact, a viable vector of attack.