The Finest Penetration Testing Framework for Software-Defined Networks

Conference: BlackHat USA 2018



DELTA is a framework for finding new security holes in SDN controllers by adapting a black-box fuzzing technique and systematically randomizing control flows.
  • DELTA provides two operation modes: reproducing known test cases and finding new vulnerabilities
  • DELTA uses three types of SDN control flows: symmetric, asymmetric, and intra-controller
  • DELTA identifies the current state of the target controller and manipulates the flow sequences or input values of the SDN control flows to find new vulnerabilities
The channel agent can impose a delay on SDN control by capturing and releasing it, and it can simulate a simple SDN controller against a target switch under test, and vice versa.


Software-Defined Networking (SDN) is gaining attention for next-generation networking today. The key concept of SDN is to decouple the control logic from traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN does not always bring advantages. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?

In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by the Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components, from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systematically reveal unknown security issues rather than relying on the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.

We will show nine new attack cases that have been found by DELTA but have never been announced before. Also, we will discuss:
  • What control flows are in SDN, and why they are important as a key feature compared to traditional networks.
  • What the key components and workflow of DELTA are for attacking real SDN components.
  • Which nine new attack cases have been discovered by DELTA, with a demonstration. For example, one of the new attacks violates the table condition, leading to a black hole in packet handling in the switch.