$30 off During Our Annual Pro Sale. View Details »

O-RAN CNF Migration Attacks(遷移攻擊)

蔡秀吉
August 24, 2023
Technology
0
110

O-RAN CNF Migration Attacks(遷移攻擊)

本專題簡報針對於 O-RAN O-Cloud 以及部屬在其上面的雲原生網路功能(CNF),可能會遇到的 Migration Attacks 資安威脅進行說明,並提出可能的解決方案。

Migrant Attack 是一種新型的 DoS (阻斷服務攻擊) 用於破壞雲資源/計算服務。遷移攻擊是利用雲服務供應商會需要經常在其不同的伺服器間遷移虛擬機(VM),用於平衡工作負載(Workload) 的機制。駭客可以利用這一點,刻意改變惡意虛擬機(VM)的資源使用情況,進而觸發「實時遷移」。這會導致過多的實時遷移被觸發並執行,嚴重破壞雲平台的效能和服務品質。

由於 O-RAN 架構當中的 SMO 支援透過 O2介面連接多個 O-Cloud 伺服器,O-cloud 伺服器也會藉由遷移 CNF 進行工作負載的優化,因此遷移攻擊(Migration Attacks) 在 O-RAN 架構中是完全可以發生的。
O-RAN CNF Migration Attacks 主要分為兩類,分別是 Data Plane 的攻擊和 Control Plane 的攻擊。
Data Plane 的攻擊目標是 CNF 從一台 O-Cloud 伺服器,遷移到另一台 O-Cloud 伺服器,之間所經過的網路練路(network links)。
透過中間人攻擊(MitM) ,駭客只要對兩台 O-Cloud 伺服器之間交換的封包,進行截竊分析(Packet Sniffing),並讀取遷移的記憶體頁(Migrated Memory Pages)。就可以去監控或修改接收到的封包,並將這些惡意封包繼續轉發到目標的 CNF 上面,受害者完全不會察覺到任何惡意活動正在自己的 CNF上運行。

Control Plane Attacks 攻擊的目標,就是伺服器上負責處理遷移過程的模組,稱為遷移模組(Migration Module)。利用 Migration Module 軟體的漏洞,駭客可以入侵伺服器並完全控制 Migration Module,進而發起惡意活動。
Control Plane Attacks 又分為以下兩種:Migration Flooding (洪水遷移攻擊) 和 False Resource Advertising (虛假資源廣播)

#Tampering(竄改) #Information disclosure(訊息洩漏) #DoS(阻斷服務)

教育部資訊安全人才培育計畫臺灣好厲駭第七屆學員蔡秀吉
[email protected]
指導教授:邱德泉

蔡秀吉

August 24, 2023
Tweet

More Decks by 蔡秀吉

See All by 蔡秀吉
GDSC CTU|First Meeting Party
thc1006
0
3
陽明交大新增「心理健康假」討論會
thc1006
0
35
The Cloud-Native Solution of Integrate Satellite Ground Station System and Telecommunication Network System
thc1006
0
25
什麼是Nephio?
thc1006
0
140
AI/ML O-RAN Cloud-Native Automation
thc1006
0
170
2023 第五屆 Google 學生開發者社群領袖(GDSC)招募說明會簡報
thc1006
0
320
O-RAN OAM 整合SMO 以及 用 ONAP 部屬 SMO 介紹
thc1006
0
210
Google IO Extended 2023 Hsinchu開場
thc1006
0
140
2023 台灣海洋國際青年論壇 -Prince Wang and his happy friends
thc1006
0
7

Other Decks in Technology

See All in Technology
Rest Clientユーザーの自分がPostman の VS Code拡張機能を扱ってみた感想
smt7174
0
150
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120
JAWS-UG_YOKOHAMA_20231204
hiashisan
0
310
2023-12-01 吉祥寺.pm ベストプラクティスと組織とIaC
masasuzu
1
390
ROSCon 2023参加報告:Real-Time Workshop & Zenoh's Current Status and Forecast
takasehideki
1
220
生成AIでシステム開発はどう変わるか
etaroid
19
7.8k
AWSに関わる全ての エンジニアへの変革!
ysasago
2
130
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
生成AI革命期に求められる無知の知とハッカー精神
shunsukeono_am
0
180
本当にわかりやすいAI入門
segavvy
21
7.3k
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
1
230
合宿はいいぞ / Training camp is so good.
okamototakuyasr2
0
110

Featured

See All Featured
Design by the Numbers
sachag
272
18k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.3k
GitHub's CSS Performance
jonrohan
1021
440k
Happy Clients
brianwarren
91
6.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
Designing Experiences People Love
moore
133
23k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
Fireside Chat
paigeccino
18
2.3k
Why Our Code Smells
bkeepers
PRO
329
56k
Automating Front-end Workflow
addyosmani
1354
200k
In The Pink: A Labor of Love
frogandcode
135
21k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k

Transcript

  1. #Tampering( ) #Information disclosure( ) #DoS( )
    Open RAN
    CNF Migration Attacks
    [email protected]

    View Slide

  2. Experience

    Education


    View Slide

  3. RRH
    BBU
    EPC

    View Slide

  4. RAN Disaggregation
    O-DU O-CU
    RU
    (SMO)

    View Slide

  5. O-DU
    ( )
    O-CU
    ( )
    RU (Infrastructure)
    (SMO)
    Hardware Disaggregation
    (Infrastructure)

    View Slide

  6. O-RAN 介紹

    View Slide

  7. O-RAN

    View Slide

  8. Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-DU
    RIC O-CU
    AAL AAL
    O-Cloud
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    O-Cloud 伺服器支援部屬 VNF/CNF

    View Slide

  9. Application
    O-CU, O-DU
    RU
    COTS HW
    COTS HW
    RU
    VNF/CNF
    O-CU O-DU
    Edge Side On-Prem ( )
    UPF
    UPF
    BBU
    PNF
    O-RAN
    RU

    View Slide

  10. 電信業轉型雲原生
    DevOps

    View Slide

  11. View Slide

  12. View Slide

  13. Migrant Attack
    J. -R. Yeh, H. -C. Hsiao and A. -C. Pang, "Migrant Attack: A Multi-resource DoS Attack on Cloud
    Virtual Machine Migration Schemes," 2016 11th Asia Joint Conference on Information Security
    (AsiaJCIS), Fukuoka, Japan, 2016, pp. 92-99, doi: 10.1109/AsiaJCIS.2016.14.

    View Slide

  14. O-RAN
    Migrant Attack SMO
    NFs
    O-Cloud
    O-Cloud
    O2
    O-Cloud
    O-Cloud
    O-Cloud
    O-Cloud

    View Slide

  15. O-RAN CNF
    Migration Attacks
    Data Plane Attacks Control Plane Attacks
    • Migration Flooding
    • False Resource Advertising

    (MitM)

    View Slide

  16. Data Plane Attacks
    O-RAN.WG11.O-CLOUD-Security-Analysis-TR.O-R003-v03.00

    View Slide

  17. Data Plane Attacks
    Illustration of the migration MITM attack
    O-RAN.WG11.O-CLOUD-Security-Analysis-TR.O-R003-v03.00

    View Slide

  18. Control Plane Attacks
    Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-RU
    O-CU O-DU
    AAL AAL AAL
    PDCP/
    SDAP
    RRC RLC MAC Low-
    PHY
    RF
    High-
    PHY
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Migration
    Module
    Control Plane Attacks
    • Migration Flooding
    • False Resource Advertising

    View Slide

  19. Migration Flooding
    Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-RU
    O-CU O-DU
    AAL AAL AAL
    PDCP/
    SDAP
    RRC RLC MAC Low-
    PHY
    RF
    High-
    PHY
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Migration
    Module

    View Slide

  20. Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Container Network Functions
    NF NF NF
    O-Cloud Physical Infra Node
    RIC
    O-CU
    O-DU
    Cloud Stack (Containers/VMs, OS, Mgmt.)
    FPGA x86
    ASIC
    GPU
    Migration
    Module
    Illustration of the migration flooding attack
    NF
    NF

    View Slide

  21. False Resource Advertising ( )
    Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-RU
    O-CU O-DU
    AAL AAL AAL
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Migration
    Module

    View Slide

  22. Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Migration
    Module
    Container Network Functions
    NF NF NF

    View Slide

  23. Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    Migration
    Module
    Container Network Functions
    NF NF NF
    Cloud Stack (Containers/VMs, OS, Mgmt.)
    O-Cloud Physical Infra Node
    FPGA
    x86 ASIC GPU
    RIC O-CU O-DU

    View Slide

  24. View Slide

  25. Potential mitigations ( )






    O-RAN.WG11.O-CLOUD-Security-Analysis-TR.O-R003-v03.00

    View Slide



  26. View Slide

  27. VNF/CNF -


    View Slide

  28. -

    View Slide

  29. O-Cloud Node Clusters
    -

    View Slide

  30. View Slide

  31. View Slide

  32. View Slide

  33. View Slide

  34. View Slide

  35. View Slide

  36. 南針時賜,藉匡不逮
    報告完畢

    View Slide