Vulnerability Digging for Software-Defined Network Controller Using Event Flow Graph Analysis

Software-defined network (SDN) controllers, the core of SDN network architecture, need to deal with network events of the whole network, which has huge program state space and complex logic dependency, with security issues related. Vulnerabilities in the SDN controller can paralyze the whole network. Existing controller testing methods are difficult to dig into the hidden logic vulnerability for their ignorance of the complex events interactions among controllers, apps, and data plane inputs. Different from file processing software, network software is driven by events, and the event flow can more accurately and comprehensively reflect the execution process. In this work, we propose an SDN controller vulnerability digging method based on event flow graph analysis. The proposed method consists of three main steps: first, we execute the instrumented controller in a normal environment and generate event flow graphs and then extract their features as reference. Second, we generate and execute test cases using the fuzzing method and dig the newly built event flow graphs with potential vulnerabilities. Finally, we manually examine and validate the potential vulnerabilities. To accurately discover abnormal subgraphs, we utilize graph feature extraction and analysis technologies, such as graph mining and clustering, to distinguish the normal graph and abnormal graph. We implement our method on the Ryu controller and compare it with other SDN testing methods, such as BEADS and Delta. The evaluation indicates that our method uncovered three new vulnerabilities that other methods failed to find.