Reins to the Cloud: Compromising Cloud Systems via the Data Plane

TL;DR

This paper reveals vulnerabilities in virtual switches used in cloud systems, demonstrating that even simple attackers can compromise the data plane, leading to serious security risks and highlighting the need for improved threat models.

Contribution

It uncovers new attack surfaces in virtual switches, demonstrates practical exploits like the 'rein worm', and evaluates the effectiveness and overhead of existing mitigations.

Findings

Compromising the data plane is feasible with limited resources.

Vulnerabilities in OvS can lead to remote code execution.

Performance overhead of mitigations varies between kernel and user space.

Abstract

Virtual switches have become popular among cloud operating systems to interconnect virtual machines in a more flexible manner. However, this paper demonstrates that virtual switches introduce new attack surfaces in cloud setups, whose effects can be disastrous. Our analysis shows that these vulnerabilities are caused by: (1) inappropriate security assumptions (privileged virtual switch execution in kernel and user space), (2) the logical centralization of such networks (e.g., OpenStack or SDN), (3) the presence of bi-directional communication channels between data plane systems and the centralized controller, and (4) non-standard protocol parsers. Our work highlights the need to accommodate the data plane(s) in our threat models. In particular, it forces us to revisit today's assumption that the data plane can only be compromised by a sophisticated attacker: we show that compromising the data plane of modern computer networks can actually be performed by a very simple attacker with limited resources only and at low cost (i.e., at the cost of renting a virtual machine in the Cloud). As a case study, we fuzzed only 2\% of the code-base of a production quality virtual switch's packet processor (namely OvS), identifying serious vulnerabilities leading to unauthenticated remote code execution. In particular, we present the "rein worm" which allows us to fully compromise test-setups in less than 100 seconds. We also evaluate the performance overhead of existing mitigations such as ASLR, PIEs, and unconditional stack canaries on OvS. We find that while applying these countermeasures in kernel-space incurs a significant overhead, in user-space the performance overhead is negligible.