A Critical Analysis of Layer 2 Network Security in Virtualized
Transcription
A Critical Analysis of Layer 2 Network Security in Virtualized
A Critical Analysis of Layer 2 Network Security in Virtualized Environments Ronny L. Bull [email protected] A Doctoral Dissertation Research Proposal Submitted to the Department of Computer Science Clarkson University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Postdam, New York Fall 2014 A Critical Analysis of Layer 2 Network Security in Virtualized Environments Except where reference is made to the work of others, the work described in this Doctoral Dissertation Research Proposal is my own or was done in collaboration with my advisory committee. Further, the content of this Doctoral Dissertation Research Proposal is truthful in regards to my own work and the portrayal of others’ work. This Doctoral Dissertation Research Proposal does not include proprietary or classified information. Ronny L. Bull [email protected] Certificate of Approval: A Critical Analysis of Layer 2 Network Security in Virtualized Environments Ronny L. Bull [email protected] Permission is granted to Clarkson University to make copies of this Doctoral Dissertation Research Proposal at its discretion, upon the request of individuals or institutions and at their expense. The author reserves all publication rights. Ronny L. Bull [email protected] Fall 2014 iii Abstract Cloud service providers offer their customers the ability to access virtual private servers hosted within multi-tenant environments. Typically these virtual machines are connected to the physical network via a virtualized network within the host environment. This could be as simple as a bridged interface connected to multiple virtual interfaces attached to each virtual machine, or it could entail the usage of a virtual switch to provide more robust networking features such as VLANs, QoS, and monitoring. All client virtual machines are essentially connected to a virtual version of a physical networking device. In this research, I intend to explore whether Layer 2 network attacks that work on physical switches apply to their virtualized counterparts by performing a systematic study across four major hypervisor environments with seven different virtual networking configurations. In the preliminary research performed each environment was evaluated by utilizing a malicious virtual machine to run a MAC flooding attack along with Wireshark in order to verify if it was possible to eavesdrop on other client traffic passing over the same virtual network. It was concluded that out of the four virtual switch implementations tested Open vSwitch proves to be the most vulnerable to MAC flooding allowing for an attacker to capture a co-resident virtual machine’s network traffic. These initial results highlight the necessity for further research in the area of virtualized network security. iv Table of Contents List of Figures viii List of Tables ix 1 1 Background and Related Work 1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Network Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.1 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.2 Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Layer 2 Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3.1 MAC Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3.2 STP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3.3 VLAN Hopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3.4 DHCP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3.5 ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3 1.4 7 2 Detailed Research Plan v 2.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Research Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3 Preliminary Research - MAC Flooding Attacks . . . . . . . . . . . . . . . . . . . . . 9 2.4 2.3.1 Bridged Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.2 Open vSwitch 1.11.0 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3.3 Open vSwitch 2.0.0 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3.4 Citrix XenServer 6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3.5 Microsoft Hyper-V Server 2008 R2 . . . . . . . . . . . . . . . . . . . . . . . . 12 2.3.6 VMware vSphere (ESXi) 5.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.3.7 Summary of Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Current Work - DHCP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.1 Duplicate Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.2 Rogue DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.3 Incorrect Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.4 Remote Execution of Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.5 Test Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.4.6 Summary of Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.4.7 Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.5 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.6 Proposed Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 vi 3 Conclusion 22 Bibliography 23 vii List of Figures 1.1 A basic bridge using a forwarding table to pass requests between network segments. 2 1.2 A switch and its CAM table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 A malicious virtual machine located on a multi-tenant virtual network. . . . . . . . . 9 2.2 A malicious virtual machine running macof to flood a virtual network with random MAC addresses and malformed packets. . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3 A malicious virtual machine running macof on an Open vSwitch virtual network and successfully sniffing HTTP traffic with Wireshark from another tenant virtual machine. 11 2.4 Dynamic Host Configuration Protocol process. . . . . . . . . . . . . . . . . . . . . . 14 2.5 Duplicate addressing within a broadcast domain due to the presence of a rogue DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.6 Presence of a poisoned DNS server on a network whos address is provided to clients associated with a rogue DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.7 Malicious VM configured as a router on a network whose address is provided to clients as a default gateway when associated with a rogue DHCP server. . . . . . . . 17 2.8 Malicious DHCP server passing a configuration option to a client VM that leverages the BASH shellshock vulnerability instructing the client to delete everything in / recursively. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 viii List of Tables 2.1 Summary of MAC flooding attack results across seven test environments . . . . . . . 13 2.2 Summary of virtual network usability during a MAC flooding attack for seven different environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3 New virtual machines added to each hypervisor platform for Layer 2 DHCP attack testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.4 Summary of DHCP shellshock attack across seven test environments . . . . . . . . . 19 2.5 Summary of poisoned DNS server attack across seven test environments . . . . . . . 19 2.6 Summary of invalid default gateway attack across seven test environments . . . . . . 20 2.7 Summary of rogue default gateway attack across seven test environments . . . . . . 20 2.8 Plan for completion of research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 ix Chapter 1 Background and Related Work 1.1 Introduction With the growing popularity of Internet based cloud service providers such as Amazon EC2 and Microsoft Azure, more businesses are turning to these services to host their mission critical data and applications. Cloud providers offer their customers the ability to roll out a plethora of heterogeneous virtual machines within their environments, all hosted on shared resources such as CPU, memory, and networking hardware. Each virtual host must provision guest virtual machine access to network resources, especially if Internet accessible services will be offered on the guest. Typically virtualized hosting environments will utilize either a bridged network interface or a virtualized switch such as Open vSwitch[31, 32] for Xen and KVM based environments, or the Cisco Nexus 1000V Series virtual switch for VMware vSphere environments[12]. These virtual switches are designed to emulate their physical counterparts. Whether they can be exploited through Layer 2 vulnerabilities in the same manner warrants further investigation. It is important for users of multi-tenant cloud services to understand how secure their network traffic is from other users of the same cloud services. If another tenant can launch a Layer 2 network attack and capture all the network traffic flowing from and to their virtual machines, this is clearly important to know. By understanding which virtual switches are vulnerable to which attacks, users can evaluate the workloads they run in the cloud, consider additional security mechanisms such as increased encryption and/or pressure cloud providers to deploy monitoring and detection of possible Layer 2 attacks. The vulnerability across virtual switch products to various categories of Layer 2 network attacks has not been thoroughly examined. In my preliminary research a systematic study was performed to evaluate the effects of MAC flooding attacks across four major hypervisor environments with seven different virtual network configurations. Currently I am conducting research geared toward determining the effects of Layer 2 DHCP attacks within the same test environments. VLAN and ARP attacks will also be explored using the experimental infrastructure in order to provide a detailed overview of the state of Layer 2 network security in virtualized environments. 1 1.2 Network Configuration Options As previously stated virtual networks are configured to use either a virtual bridge or virtual switch in order to provide inter-networking capabilities for connected virtual machines. These Layer 2 virtual networking devices can then be bound to a physical network interface on the host machine in order to connect the virtual network to the physical world so that virtual machines can interact with physical devices from the local network or the Internet. 1.2.1 Bridging Bridged mode is the simplest of configurations for an interface dedicated to virtual machine use. A bridge connects two or more network segments at Layer 2 creating separate collision domains[34]. A forwarding table[22, 34] is utilized that consists of a list of MAC addresses that are associated with devices located on each network segment connected to the bridge (Figure 1.1). Requests are forwarded based upon the destination MAC address located within the Ethernet frame. A frame is forwarded across the bridge only if the MAC address in the destination block of the frame is reachable from a different segment attached to the bridge. Otherwise, the frame is directed to a destination address located on the same segment as the transmitting device or dropped. Figure 1.1: A basic bridge using a forwarding table to pass requests between network segments. 2 In virtualized environments, guest machines utilize user-space network TAP interfaces that simulate a Layer 2 network device in order to connect to the virtual bridge. Typically, the virtual bridge is configured and bound to a physical interface on the host machine that is dedicated solely to virtual machine traffic. 1.2.2 Switching Physical switches have the capability of operating at Layer 2 or higher of the OSI model. Switches can be thought of as multi-port bridges[34] where each port of the switch is considered as its own isolated collision domain. Instead of a forwarding table switches employ the use of content addressable memory, otherwise known as a CAM table[34]. Content addressable memory is specialized memory hardware located within a switch that allows for the retention of a dynamic table or buffer that is used to map MAC addresses of devices to the ports they are connected to (Figure 1.2). This allows a switch to intelligently send traffic directly to any connected device without broadcasting frames to every port on the switch. The switch reads the frame header for the destination MAC address of the target device, matches the address against its CAM table, then forwards the frame on to the correct device. The use of a CAM table and the separation of collision domains are key factors in preventing eavesdropping of network traffic between devices connected to the switch. However, a physical switch is an embedded device and has a finite amount of memory available to its CAM table, once it is used up the switch can no longer dynamically add to its buffer thereby forcing it into hub mode. The majority of physical switches in use today employ CAM chips that are capable of holding up to 32,000 addresses[34] which can easily be saturated by a single MAC flooding attack in a very short amount of time. Figure 1.2: A switch and its CAM table. 3 Virtual switches are an advanced form of virtual networking that emulate their physical counterparts. They are capable of providing features such as VLAN traffic separation, performance and traffic monitoring, as well as quality of service (QoS) solutions. Virtual machines are connected to a virtual switch by the way of virtual interfaces (VIF) which are similar to the TAP devices used in conjunction with virtual bridges. Also just like physical switches, virtual switches utilize CAM tables emulated in software in order to manage the flow of traffic between devices connected to different virtual interfaces. 1.3 Layer 2 Network Attacks 1.3.1 MAC Attacks The most popular attack in this category is the MAC flooding attack. In this attack, a switch is flooded with numerous random MAC addresses in order to fill up the content addressable memory (CAM) buffer within the switch forcing it into a fail safe mode, otherwise known as hub mode. When a switch is operating in hub mode, the inherent separation of collision domains is broken and all frames passing through the switch are forwarded to all connected devices. This allows for passive eavesdropping of all traffic passing through the device. MAC flooding can be mitigated by enforcing port security on physical switches which imposes a limit on the amount of MAC addresses that can send traffic to a specific port[11]. This feature is not implemented within the majority of the virtual switches available today rendering them vulnerable to MAC flooding attacks. 1.3.2 STP Attacks In this type of attack, incorrect BPDU frames are sent to switches in order to modify the spanning tree topology implemented on the network. By exploiting STP, an attacker could perform a man-in-the-middle (MITM) attack allowing eavesdropping on traffic passing between two nodes on a network[23]. The attacker could also cause a denial of service (DoS) situation rendering services unavailable to legitimate users. These attacks can be mitigated on Cisco Catalyst switches by enabling either the Cisco Catalyst BPDU Guard or Root Guard feature on the device[23]. Seeing as these are proprietary features available only on Cisco Catalyst switches they offer no help in preventing these attacks from being successful within a virtualized network that utilizes STP. 4 1.3.3 VLAN Hopping VLAN hopping is the term used to describe an attack where an Ethernet frame is modified to force traffic to traverse (hop) VLANs in order to allow an attacker to gain unauthorized access to restricted portions of a network. More specifically, an attacker modifies the VLAN tag embedded in the frame to contain the ID of the target VLAN on the network. In order to perform this type of attack against a switch, the attacker must be connected to a port on the device that is a member of the default VLAN, or one that is setup as a trunk port. When the modified frame is passed through the switch, the VLAN tag is read and the switch places it within the correct broadcast domain associated with that VLAN ID. If successful, the attacker can then proceed to intercept traffic on the target VLAN or perform other malicious activities such as DoS attacks against services running on that particular portion of the network. VLAN hopping can be mitigated by enforcing strict VLAN configuration of physical switch ports to prevent unauthorized access to the default VLAN or trunk ports. 1.3.4 DHCP Attacks In order to perform a Layer 2 DHCP attack an attacker must place a rogue DHCP server on a network in hopes that clients in the broadcast domain associate with it rather than the legitimate DHCP server. Once a client receives an IP address lease from a malicious DHCP server under an attacker’s control, that client could also be seeded with the IP address of a poisoned DNS server, an incorrect default gateway, or be forced to run malicious code. This type of attack could also cause DoS situations where duplicate addressing occurs on the network causing the resources bound to those addresses to be inaccessible. These attacks can be mitigated by enforcing static addressing, or by using utilities to monitor the network and alert administrators when this type of activity is encountered. 1.3.5 ARP Spoofing ARP spoofing is a technique used by attackers that allows for the hijacking of traffic destined for another host. Specifically, by using ARP spoofing an attacker can perform a man-in-the-middle (MITM) attack that allows for eavesdropping between two hosts on a network. An attacker can also broadcast fake ARP messages to a network to redirect traffic or create DoS situations. ARP spoofing attacks can be mitigated by using static ARP entries for all hosts on a network, however this is a cumbersome task and is typically avoided unless absolutely necessary. More often that not 5 savvy administrators will employ the use of network monitoring utilities to watch for suspicious behavior and react accordingly based upon the alerts. 1.4 Related Work There has already been a substantial amount of work performed studying the vulnerability of physical networks to Layer 2 attacks, but the impact on virtual networks has not received much attention. A literature review revealed that there is a plethora of publications addressing Layer 2 networking issues inherent in physical networks[2, 13, 23, 40]. This is beneficial in the fact that published research previously performed on physical networks can be repeated[14] within virtual environments and comparisons can be made based upon the physical baselines. For instance in a paper entitled Tools for Attacking Layer 2 Network Infrastructure[40] the authors provide an overview of the most popular Layer 2 networking attacks as well as descriptions of the tools used to perform them. This work was very helpful in identifying possible attack vectors that could be emulated within a virtualized environment. The paper entitled Securing layer 2 in local area networks[2] also describes various attacks that can be performed on local and metropolitan area networks, as well as the authors’ idea of adding a security tag to the Ethernet frame for additional protection. Cisco also published a white paper[13] regarding VLAN security in their Catalyst series of switches. The paper discloses testing that was performed on the switches in August of 2002 by an outside security research firm @stake which was acquired by Symantec in 2004. In the white paper they discussed many of the same attacks that were mentioned in Tools for Attacking Layer 2 Network Infrastructure, however the authors also went into detail about best practices and mitigation techniques that could be implemented on the physical switches in order to prevent the attacks from being successful. It is very pleasing to see a vendor openly publish a document regarding security weaknesses of their products and use it to help educate end users on how to secure the products against those particular threats. 6 Chapter 2 Detailed Research Plan 2.1 Motivation My interest and experience over the past 10 years has been focused in the areas of virtualization technologies, network security, and voice over IP. For my master’s thesis I constructed a highly scalable virtualized environment to use for many of the network and computer security classes offered at SUNYIT[6, 8]. This environment provides an isolated sandbox that can be used by students to practice malicious attacks against vulnerable machines, as well as setup Asterisk servers to use in the voice over IP classes that I offer. For my Ph.D. Dissertation research I wanted to extend upon the work that I have already performed. Originally I was looking at the viability of hosting commercial voice over IP services within virtualized environments in order to consolidate resources in data centers. One of the major components of this research was to evaluate the security of running VoIP services in multi-tenant environments. After some discussions with my advisor we came to the conclusion that VoIP traffic is just like any other traffic traversing over a virtual network, and we figured that a much larger contribution could be made if we evaluated the security of virtualized network traffic as a whole rather than just a few specific protocols and services. After performing a literature review it was found that there are very few publications related to network security in virtualized environments. Most of the work that is currently available deals with developing security appliances[4] and frameworks[9, 33], yet there is a large absence of available work concerning Layer 2 network security threats and mitigation strategies for virtualized networks. 2.2 Research Environment An experimental infrastructure has been constructed and isolated from any production networks in order to simulate the attacks across seven different virtual network configurations without causing disruption to other campus network services. The initial test platform consisted of three identical Dell PowerEdge 860 server systems with dual core Intel Xeon 3050 processors at 2.13GHz, 4 GB of 7 memory, and a 500 GB hard drive. All three servers contain dual Broadcom NetXtreme BCM5721 Gigabit Ethernet PCI Express network interface cards integrated into the motherboard. The first network interface was dedicated to the privileged control domain on each server for administrative functions, and the second configured to be utilized by guest virtual machines. Each sever’s 500 GB hard disk was divided into four partitions; a 100MB ext3 /boot, a 10GB ext3 /, a 2GB swap, with the remainder allocated to LVM storage for virtual machine deployment. An optimized base installation of 64-bit Gentoo Linux with a customized 3.10.7-gentoo-r1 kernel was installed on one of the servers along with the Xen 4.3 hypervisor. The server was completely setup to the point where it was deployable as a fully functional Xen server utilizing a bridge network interface for both para-virtualized and hardware virtualized guest machines. A backup script was created and utilized to capture the system into a stage4 tarball, an archive for rapid deployment of the configured operating system to the remaining test servers for further development and experimentation. The backup script references an accompanied excludes file that is used as a blacklist of directories and files that should not be included in the stage4 tarball due to various reasons. Deployment of the stage4 tarball to the remaining Dell PowerEdge servers began with booting each system to a LiveUSB installation of the SystemRescueCD Linux distribution and partitioning their disks identical to the imaged server. A procedure was then performed on each server in order to extract and deploy the operating system from the previously created stage4 tarball. After these remaining systems were brought online their bridged interfaces were converted into Open vSwitch interfaces for comparative analysis. One of the servers was configured with Open vSwitch 1.11.0 compiled from source due to issues with the Gentoo package manager’s version of the software package. Open vSwitch 2.0.0 was released only a few weeks after the previous machine was setup and was installed from portage on the remaining server. The initially staged server was left with a simple Linux bridge interface for use with the virtual machines as the control part of the experiment. To expand and add some variety to the experiment three production quality commercial virtualization solutions were tested to verify if they were vulnerable as well. Three more servers were acquired and configured with Citrix XenServer 6.2, Microsoft Windows Server 2008 R2 with the Hyper-V hypervisor, and VMware vSphere (ESXi) 5.5 respectively. The hardware utilized for the Citrix XenServer 6.2 system was identical to the initial test systems, however the Microsoft HyperV and VMware vSphere hypervisors were both installed to more modern machines with quite a bit more memory and processing power in order to accommodate for operating system overhead as well as a lack of additional Dell PowerEdge 860 systems. The Hyper-V and vShpere systems were also each outfitted with two network adapters in order to provide separate dedicated interfaces for administrative purposes and virtual machine use. 8 Initially two virtual machines were deployed to each host system, one of which was setup as a malicious client attempting to eavesdrop on the traffic of other tenant virtual machines (Figure 2.1). The Kali Linux security distribution[21] was selected due to the plethora of network security auditing tools that come pre-installed and configured. Two complete installations of Kali were installed to each server on 20GB LVM partitions as HVM guests. The systems were allocated static IP address on the same isolated subnet as the servers and were completely updated. Each attack simulation was performed identically on all platforms in order to analyze the differences between the environments when subjected to the MAC flooding attack. Figure 2.1: A malicious virtual machine located on a multi-tenant virtual network. 2.3 Preliminary Research - MAC Flooding Attacks For the preliminary research only one Layer 2 networking attack was explored and thoroughly tested across all platforms. The program macof from the dsniff package[40] was used on a Kali virtual machine to perform a MAC flooding attack (Figure 2.2) on the virtual network within each test environment. This type of attack when performed on a physical switch typically causes the CAM table on the switch to fill up forcing the device to go into a fail safe or hub mode which in turn causes all packets on the network to be broadcast to every node connected to the switch. Wireshark was used to determine if the attack was successful by monitoring the network for HTTP traffic which should not be intercept-able by other hosts on the virtual network. 9 Figure 2.2: A malicious virtual machine running macof to flood a virtual network with random MAC addresses and malformed packets. All tests were conducted in the same manner. Each server had two Kali Linux virtual machines deployed on them. For testing purposes both virtual machines were brought online. On the first virtual machine (Kali1) macof was started up using the command: macof -i eth0 and left to run. Then Wireshark was started on the same virtual machine and an HTTP filter was applied to only display sniffed HTTP traffic. The second Kali virtual machine (Kali2) was then used to surf the web. If the attack proved to be successful then the HTTP traffic from Kali2 should be viewable in Wireshark on Kali1. 2.3.1 Bridged Interface Running the attack within the bridged virtual network test environment resulted in a significant affect to the usability of the tenant virtual machines, essentially creating a DoS type of attack. However, the MAC flooding attempt did not result in the ability to sniff other virtual machine 10 traffic passing over the interface. This most likely comes from the fact that the standard bridge interface is missing the CAM table that typically is found on switches mapping known MAC addresses to switch ports, an essential element of the attack. Since the random MAC addresses have no actual presence on any segment connected to the virtual bridge they are dropped. 2.3.2 Open vSwitch 1.11.0 Interface When running the attack on the Open vSwitch 1.11.0 virtual network test environment some level of unresponsiveness was observed with the virtual machines, but the systems were still somewhat usable. Secondly, in this case the attacking machine could successfully sniff traffic from another tenant machine. Figure 2.3 depicts the results of the successful attack and provides substance to the claim that virtual switches are vulnerable to some of the same Layer 2 attacks as physical switches. Figure 2.3: A malicious virtual machine running macof on an Open vSwitch virtual network and successfully sniffing HTTP traffic with Wireshark from another tenant virtual machine. 2.3.3 Open vSwitch 2.0.0 Interface Running the attack on the latest version of Open vSwitch available at the time of this research shows that this vulnerability still exists and has not been addressed. The system responded in the same way as the previous two attempts and the other tenant’s HTTP traffic was viewable in Wireshark. 11 2.3.4 Citrix XenServer 6.2 The first commercial virtualization product that was tested was Citrix XenServer 6.2. Citrix utilizes an older stabilized version of Open vSwitch to provide virtual switching services to its client machines. When the MAC flooding test was attempted in the XenServer environment it was found that a single instance of macof did not produce the same results that were experienced in prior tests. HTTP traffic from the other client virtual machine was able to be sniffed but only in spurts. It was necessary to run multiple simultaneous instances of macof in order to successfully sniff traffic reliably from the target virtual machine. It was also found that the flooding was able to escape the virtual environment which caused all upstream physical switches to go into hub mode as well. Not only did this allow the malicious virtual machine running Wireshark to sniff traffic from other tenant virtual machines, it also was able to eavesdrop on traffic from physical machines located within the same broadcast domain that the the physical Ethernet adapter was connected to. 2.3.5 Microsoft Hyper-V Server 2008 R2 Microsoft Windows Server 2008 R2 along with the Hyper-V hypervisor were installed to a Dell PowerEdge 2950 server system containing dual quad core Intel Xeon 5140 processors at 2.33GHz, 32GB of memory, and a 145GB SATA hard drive. Testing was performed both with and without the Windows Firewall service enabled to identify if there was any affect on the results. Testing under both conditions within the Server 2008 R2 environment proved to be unsuccessful due to the fact that Microsoft Windows Server 2008 R2 provides some minimal protection for virtualized network traffic, this includes protection against MAC address spoofing[24]. Further testing was performed on the free version of Microsoft Hyper-V using an identical Dell PowerEdge 2950 server system to see if the protection offered by Server 2008 R2 is also built into the bare metal product. As with previous environment testing was performed both with and without the Windows Firewall service enabled. It was concluded that under both conditions the free version of Microsoft Hyper-V 2008 was also unaffected by the MAC flooding attack since it is built upon a minimal version of Microsoft Windows Server 2008 R2 entitled Server Core. The Core version of Microsoft Server 2008 R2 still provides the same level of network protection as the full version, but only allows for the installation of specific server roles to the operating system[25], in this case the Hyper-V hypervisor. 12 2.3.6 VMware vSphere (ESXi) 5.5 VMware vSphere (ESXi) 5.5 was deployed to a custom built server using a Supermicro X9SCL server motherboard, a quad core Intel Xeon E21240 processor at 3.30GHz, 24GB of memory, and a 500GB SATA hard drive. All testing was performed identically to the previous trials for completeness, however due to the VMware end user license agreement[38] I am prevented from publishing any of the results. 2.3.7 Summary of Results It can clearly be seen from the results summarized in Table 2.1 that any virtualized network environment built upon the Open vSwitch virtual switch is vulnerable to MAC flooding attacks, and has the potential to expose its client traffic to eavesdropping. Therefore, if a virtual machine is transmitting sensitive information over a virtual network that uses any implementation of Open vSwitch precautions should be taken such as using encryption in order to ensure that the information in transit remains confidential. Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V 2008 - Free VMware vSphere (ESXi) 5.5 Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch Vulnerable No Yes Yes Yes No No No Table 2.1: Summary of MAC flooding attack results across seven test environments It was also observed that under certain configurations the MAC flooding attack would cause severe latency crippling the virtual network and the usability of the virtual machines on the host while the attack was under way. Table 2.2 provides a summary of the usability of the virtual machines while the host virtual network was under attack. 13 Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V 2008 - Free VMware vSphere (ESXi) 5.5 Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch VM Usability DoS/Unusable Significant delays Significant delays Significant delays Some delays Some delays Some delays Table 2.2: Summary of virtual network usability during a MAC flooding attack for seven different environments 2.4 Current Work - DHCP Attacks Layer 2 Dynamic Host Configuration Protocol attacks typically consist of an attacker placing a rogue DHCP server on a network that essentially competes with the legitimate DHCP server when responding to client addressing requests broadcast to the network. Setting up a DHCP server on a Linux virtual machine is a fairly simple task that only requires installing the dnsmasq or dhcpd services and making a few minor configuration changes. The entire process can be completed in a short amount of time allowing an attacker to quickly place a rogue DHCP server within a multi-tenant virtualized environment. Since DHCP requests and responses are broadcast across the network (Figure 2.4) the attacks rely on the attacker’s DHCP server to respond to the address request before the legitimate DHCP server in order to be successful. Figure 2.4: Dynamic Host Configuration Protocol process. 14 2.4.1 Duplicate Addressing The main idea behind the DHCP protocol is to automatically allocate addresses to client computers and devices on a network while avoiding duplicate addressing. If two DHCP servers are running on the same network and are providing addresses in the same range there is a high likelihood that duplicate addressing will occur (Figure 2.5). When this condition arises it can cause a denial of service situation that renders the resources bound to those devices inaccessible. This could also be leveraged to direct traffic to a malicious server instead of an authentic one by giving the malicious server the same IP address as the authentic one. This would rely on the malicious server responding to the clients request first. Figure 2.5: Duplicate addressing within a broadcast domain due to the presence of a rogue DHCP server. 2.4.2 Rogue DNS Server When a client receives an IP address lease from a DHCP server it usually is also pushed DNS server information for the network. If the client is seeded with the IP address for a poisoned DNS server under an attacker’s control (Figure 2.6) the client could potentially be directed to spoofed websites and services setup by the attacker to capture private information from the user such as usernames, passwords, credit card numbers, and other personally identifiable information (PII) that the attacker could use to further penetrate the organization. 15 Figure 2.6: Presence of a poisoned DNS server on a network whos address is provided to clients associated with a rogue DHCP server. 2.4.3 Incorrect Default Gateway If clients on a network obtain incorrect default gateway information from a rogue DHCP server under an attacker’s control they will be unable to route traffic outside of the local network creating a denial of service situation for resources on other subnets or the Internet. An attacker can also push the IP address of a default gateway that leads the client into a malicious honeypot network that can be setup to mirror another subnet on the network (Figure 2.7). This could then be used to capture information from the user without their knowledge. 2.4.4 Remote Execution of Code The DHCP protocol allows for the passing of many options, one of these options has recently been used in order to execute remote code on a DHCP client machine running the Bash shell. This exploit has been referred to as ShellShock[26, 27] and allows an attacker to leverage a DHCP option in order to take advantage of a vulnerability in the bash shell to execute remote commands on a vulnerable client system[1, 37] (Figure 2.8). This is a very high risk vulnerability and the full extent of its effect are not yet known since Bash is utilized in many scripts and services that are essential to most Linux/Unix systems including Mac OS X. 16 Figure 2.7: Malicious VM configured as a router on a network whose address is provided to clients as a default gateway when associated with a rogue DHCP server. Figure 2.8: Malicious DHCP server passing a configuration option to a client VM that leverages the BASH shellshock vulnerability instructing the client to delete everything in / recursively. 17 2.4.5 Test Environment The same test environment that was used for the MAC flooding attacks in the preliminary research was also utilized for conducting the DHCP attacks. It was necessary to create four new virtual machines within each hypervisor platform in order to setup scenarios to conduct the experiments. Each new machine was created based upon a minimal installation of CentOS 6.5[10], and configured for a specific purpose (Table 2.3). Operating System CentOS 6.5 (minimal) CentOS 6.5 (minimal) CentOS 6.5 (minimal) CentOS 6.5 (minimal) Updates Applied Fully Updated Fully Updated Fully Updated No Updates Services DNSMasq (DHCP/DNS) Simple Router Apache (Web) Left Vulnerable to ShellShock VIFs 1 2 1 1 Table 2.3: New virtual machines added to each hypervisor platform for Layer 2 DHCP attack testing The first virtual machine was configured as a DHCP server using DNSMasq[36] a lightweight DHCP and DNS server. The second was setup as a simple router using iptables[3] to forward traffic between two broadcast domains using NAT and two network interfaces. The third VM was setup as a basic Apache[35] web server, and the fourth was configured as a minimal client that was left unpatched and vulnerable to shellshock. The DNSMasq server was setup to pass option 100 to clients which was configured to leverage the shellshock exploit in order to remotely execute the echo command on the target machine and place text into a file in /tmp[20]. The following code was placed into the /etc/dnsmasq.conf file on the DHCP server as a proof of concept to illustrate the vulnerability without damaging the client system. dhcp-option-force=100,() { :; }; /bin/echo ’Testing shellshock vulnerability’>/tmp/shellshock_test The DNSMasq server was then used to attempt the other DHCP attacks previously described against the minimal shellshock client which was setup to pull a DHCP address. Since DNSMasq also provides DNS server functionality the rogue DHCP server doubled as the poisoned DNS server that was passed to clients receiving addresses. The third CentOS 6.5 minimal virtual machine was configured as a basic HTTP server running Apache to receive the redirected web traffic. The DNS server was setup to direct all traffic destined to www.gmail.com to be redirected to the malicious web server. A command line web browser called elinks[16] was then used in the shellshock VM to visit www.gmail.com in order to observe the effect. Lastly the DHCP server was configured to pass a bad default gateway address to clients that obtained their network configuration from it. First it was set to pass 1.1.1.1 as the default gateway 18 with the intention of causing a DoS for access of subnets outside of the existing broadcast domain. Then the DHCP server was configured to point clients to the second virtual machine that was setup as a router to direct traffic to a malicious honeynet. This in conjunction with a poisoned DNS server allows the attacker to direct traffic to malicious servers setup within the honeynet. In each case the previously used web server was placed in the honeynet, and a DNS entry was setup to direct traffic to it through the rogue default gateway. 2.4.6 Summary of Results The following tables provide a summary of the results of running the individual DHCP attacks across seven different testing environments. Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V (free) VMware vSphere Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch Vulnerable Yes Yes Yes Yes Yes Yes Yes Table 2.4: Summary of DHCP shellshock attack across seven test environments Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V (free) VMware vSphere Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch Vulnerable Yes Yes Yes Yes Yes Yes Yes Table 2.5: Summary of poisoned DNS server attack across seven test environments 19 Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V (free) VMware vSphere Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch Vulnerable Yes Yes Yes Yes Yes Yes Yes Table 2.6: Summary of invalid default gateway attack across seven test environments Hypervisor OS Xen 4.3 OS Xen 4.3 OS Xen 4.3 Citrix XenServer 6.2 MS Server 2008 R2 w/ Hyper-V MS Hyper-V (free) VMware vSphere Virtual Switch Linux 802.1d Bridging Open vSwitch 1.11.0 Open vSwitch 2.0.0 Open vSwitch MS Hyper-V Switch MS Hyper-V Switch Default vSwitch Vulnerable Yes Yes Yes Yes Yes Yes Yes Table 2.7: Summary of rogue default gateway attack across seven test environments 2.4.7 Mitigation Layer 2 DHCP attacks can be mitigated by enforcing static IP addressing, DNS entries, and default gateways. Utilities such as DHCP snooping can also be used to monitor Layer 2 DHCP traffic on the network and alert administrators when this type of activity is occurring. Software Defined Networking could potentially be utilized in order to define filters that look for DHCP client requests on the broadcast domain and specifically forward them to the correct server. However this would require further investigation and experience with SDN in order for me to make the claim for sure. The results of this research indicate that both virtual and physical networks that have not be secured against DHCP attacks are vulnerable to all of the attacks that were discussed. 2.5 Future Work It is my intention to further explore the other Layer 2 networking attacks previously described in this proposal in order to perform a full assessment on the state of Layer 2 network security in virtualized environments. I also intend to investigate ways of preventing such attacks by utilizing known countermeasures as well as researching and developing solutions and best practices specific to 20 securing virtualized network environments. An example would be the case of MAC flooding attacks as presented from the preliminary research which would normally be mitigated by enforcing port security on a physical switch to limit the amount of MAC addresses that are allowed to access a single interface. This prevents MAC flooding attacks from being successful since it essentially blocks the excess MAC addresses from even being added to the CAM table effectively preventing an overflow incident from occurring which is the heart of the vulnerability. The majority of virtual switches available today do not offer this feature, therefore it is necessary to explore other alternative preventative measures possibly within the realm of software defined networking (SDN)[28] since most virtual switches are able to integrate with an OpenFlow controller. 2.6 Proposed Timeline Timeline Sept. 27th 2014 Dec. 2014 Feb. 2015 May 2015 Aug. 2015 Sept. 2015 Feb. 2016 Sept. 2016 Dec. 2016 Feb. 2017 Mar. 2017 Apr. 2017 Work Topic Selection Research Area Refined Evaluation of Required Resources Test Environment Implemented Test Environment Expanded Attack Vectors Identified Preliminary Results (MAC Flooding) Acquired Preliminary Results Presented at DerbyCon 4.0 DHCP Attack Results Acquired MAC Flooding & DHCP Attack Results Paper Submission (Targets: USENIX Security ‘15 & USENIX HotCloud ‘15) VLAN Hopping Attack Results Acquired ARP Spoofing Attack Results Acquired Present New Results at DerbyCon 5.0 VLAN Hopping & ARP Spoofing Attack Results Paper Submission (Targets: USENIX Security ‘16 & USENIX HotCloud ‘16) Mitigation Techniques & Best Practices Identified Dissertation First Full Draft Mitigation Techniques & Best Practices Paper Submission (Targets: USENIX Security ‘17 & USENIX HotCloud ‘17) Dissertation Final Copy Submissions Dissertation Defense Table 2.8: Plan for completion of research 21 Progress Completed Completed Completed Completed Completed Completed Completed Completed In Progress Goal Goal Goal Goal Goal Goal Goal Goal Goal Goal Chapter 3 Conclusion It is important to note that the Layer 2 vulnerabilities described in this research proposal are directed towards the virtual networking devices and not the hypervisor. With that stated these attacks could be performed on any host running a virtual switch for any number of applications, not just multi-tenant virtualization services. The results of both the preliminary and current research performed are promising. They provide proof that virtual network environments can be vulnerable to Layer 2 network attacks with a long history of reliably exploiting physical devices. Further study is necessary in order to perform a full Layer 2 security assessment on the state of virtual networking devices. In their current state virtual switches pose the same liability as their physical counterparts in terms of network security. If not properly secured against Layer 2 network security attacks they could pose a threat to all client virtual machines hosted on a multi-tenant cloud platform. As proven in the preliminary research, one malicious virtual machine performing a MAC flooding attack against the virtual switch it is connected to could be able to sniff all traffic passing over that virtual switch, potentially compromising the confidentiality, integrity, and availability of a substantial amount of clients. 22 Bibliography [1] Accuvant Labs. Bourne again shell (bash) remote code execution vulnerability - bash shell shock advisory. Retrieved Oct 5, 2014 from http://files.accuvant.com/web/file/ c18f38696677495085074e51178da52b/Bash%20ShellShock%20Advisory.pdf. [2] Altunbasak, H., Krasser, S., Owen, H. L., Grimminger, J., Huth, H.-P., and Sokol, J. Securing layer 2 in local area networks. In ICN’05 Proceedings of the 4th international conference on Networking - Volume Part II (2005), pp. 699–706. [3] Ayuso, P. N., McHardy, P., Kadlecsik, J., Leblond, E., and Westphal, F. The netfilter.org project. Retrieved Oct 21, 2014 from http://www.netfilter.org. [4] Barjatiya, S., and Saripalli, P. Blueshield: A layer 2 appliance for enhancing isolation and security hardening among multi-tenant cloud workloads. In 2012 IEEE/ACM Fifth International Conference on Utility and Cloud Computing (2012), pp. 195–198. [5] Buhr, A., Lindskog, D., Zavarski, P., and Ruhl, R. Media access control address spoofing attacks against port security. In WOOT’11: Proceedings of the 5th USENIX conference on Offensive technologies (2011), pp. 1–1. [6] Bull, R. Design and implementation of computer science virtualized lab environment. Retrieved Oct 19, 2014 from http://web.cs.sunyit.edu/~bullr/publications/bullr_ thesis.pdf. [7] Bull, R. Exploring layer 2 network security in virtualized environments. Retrieved Oct 19, 2014 from http://youtu.be/tLrNh-34sKY. [8] Bull, R. Migrating a voice communications laboratory to a virtualized environment. In SIGITE ’13 Proceedings of the 14th annual ACM SIGITE conference on Information Technology education (2013), pp. 189–194. [9] Cabuk, S., Dalton, C., Ramasamy, H., and Schunter, M. Towards automated provisioning of secure virtualized networks. In CCS ’07, Proceedings of the 14th ACM conference on Computer and communications security (2007), pp. 235–245. [10] CentOS. The centos project. Retrieved Oct 21, 2014 from http://www.centos.org. [11] Cisco Systems, Inc. Catalyst 6500 release 12.2sx software configuration guide. Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/td/docs/switches/lan/ catalyst6500/ios/12-2SX/configuration/guide/book/pref.html. 23 [12] Cisco Systems, Inc. Cisco nexus 1000v series switches for vmware vsphere data sheet. Retrieved November 29, 2013 from http://www.cisco.com/en/US/prod/collateral/ switches/ps9441/ps9902/data_sheet_c78-492971.html. [13] Cisco Systems, Inc. Vlan security white paper [cisco catalyst 6500 series switches]. Retrieved October 18, 2014 from http://www.cisco.com/en/US/products/hw/switches/ ps708/products_white_paper09186a008013159f.shtml#wp39211. [14] Clark, B., Deshane, T., Dow, E., Evanchik, S., Finlayson, M., Herne, J., and Matthews, J. N. Xen and the art of repeated research. In USENIX 2004 Proceedings of the Annual Technical Conference - FREENIX Track (2004), pp. 135–144. [15] die.net. dhcp-options - linux man page. Retrieved Oct 5, 2014 from http://linux.die. net/man/5/dhcp-options. [16] ELinks. Elinks full-featured text www browser. Retrieved Oct 21, 2014 from http://www. elinks.or.cz. [17] Gentoo Bugzilla. Bug 491672 - =net-misc/openvswitch-2.0.0 - install: cannot stat ’brcompat.ko’: No such file or directory. Retrieved December 4, 2013 from https://bugs.gentoo. org/show_bug.cgi?id=491672/. [18] Gentoo Wiki. Qemu with open vswitch network. Retrieved December 4, 2013 from http: //wiki.gentoo.org/wiki/QEMU_with_Open_vSwitch_network/. [19] Hu, W., Hicks, A., Zhang, L., Dow, E., Soni, V., Jiang, H., Bull, R., and Matthews, J. A quantitative study of virtual machine live migration. In CAC ’13, Proceedings of the 2013 ACM Cloud and Autonomic Computing Conference (2013), p. Article No. 11. [20] Information Security Stack Exchange. bash - shellshock dhcp exploitation. Retrieved Oct 19, 2014 from http://security.stackexchange.com/questions/68877/ shellshock-dhcp-exploitation. [21] Kali Linux. The most advanced penetration testing distribution, ever. Retrieved November 29, 2013 from http://www.kali.org/. [22] LAN MAN Standards Committee. IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges. The Institute of Electrical and Electronics Engineers, Inc., New York, NY, 2004. [23] Lauerman, K., and King, J. Stp mitm attack and l2 mitigation techniques on the cisco catalyst 6500. Retrieved May 12, 2014 from http://www.cisco.com/c/en/us/products/ collateral/switches/catalyst-6500-series-switches/white_paper_c11_605972.pdf/. [24] Microsoft. Hyper-v virtual switch overview. Retrieved May 18, 2014 from http://technet. microsoft.com/en-us/library/hh831823.aspx. [25] Microsoft. What is server core? Retrieved June 4, 2014 from http://http://msdn. microsoft.com/en-us/library/dd184075.aspx. 24 [26] National Vulnerability Database. Cve-2014-6271. Retrieved Oct 5, 2014 from http: //web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271. [27] National Vulnerability Database. Cve-2014-7169. Retrieved Oct 5, 2014 from http: //web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169. [28] Open Networking Foundation. Software-defined networking: The new norm for networks. Retrieved May 13, 2014 from https://www.opennetworking.org/images/stories/ downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf. [29] Open vSwitch. How to install open vswitch on linux, freebsd and netbsd. Retrieved December 4, 2013 from http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_ plain;f=INSTALL;hb=HEAD/. [30] Open vSwitch. Production quality, multilayer open virtual switch. Retrieved November 29, 2013 from http://openvswitch.org. [31] Pettit, J., Gross, J., Pfaff, B., Casado, M., and Crosby, S. Virtual switching in an era of advanced edges. In ITC 22 2nd Workshop on Data Center - Converged and Virtual Ethernet Switching (DC-CAVES) (2010). [32] Pfaff, B., Pettit, J., Koponen, T., Amidon, K., Casado, M., and Shenker, S. Extending networking into the virtualization layer. In HotNets-VIII (2009). [33] Saripalli, P., and Walters, B. Quirc: A quantitative impact and risk assessment framework for cloud security. In 2010 IEEE 3rd International Conference on Cloud Computing (2010), pp. 280–288. [34] Seifert, R., and Edwards, J. The All-New Switch Book. Wiley Publishing, Inc., Indianapolis, Indiana, 2008. [35] The Apache Software Foundation. The apache software foundation. Retrieved Oct 21, 2014 from http://www.apache.org. [36] thekellys.org. Dnsmasq - network services for small networks. Retrieved Oct 19, 2014 from http://www.thekelleys.org.uk/dnsmasq/doc.html. [37] TrustedSec. Shellshock dhcp rce proof of concept. Retrieved Oct 5, 2014 from https: //www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/. [38] VMware Inc. Vmware vsphere end user license agreement. Retrieved May 21, 2014 from http://www.vmware.com/download/eula/esxi50_eula.html. [39] Xen Networking. Setting up open vswitch networking. Retrieved December 4, 2013 from http://wiki.xen.org/wiki/Xen_Networking#Setting_up_Open_vSwitch_networking/. [40] Yeung, K.-H., Fung, D., and Wong, K.-Y. Tools for attacking layer 2 network infrastructure. In IMECS ’08 Proceedings of the International MultiConference of Engineers and Computer Scientists (2008), pp. 1143–1148. 25