DOI: 10.1145/2914642.2914647
Research article

Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks

Published: 06 June 2016

Abstract

Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and alter its internal data structures, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS that prevents controller APIs from being misused by malicious network applications. Through run-time verification of API calls, AEGIS performs fine-grained access control for important controller APIs that can be misused by malicious applications. The usage of API calls is verified in real time by sophisticated security access rules that are defined based on the relationships between applications and data in the SDN controller. We also present a prototype implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks, including new attacks we have recently discovered.
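The abstract describes run-time checking of controller API calls against access rules keyed on the relationship between a network application and the controller data it touches. The following Python sketch is an added illustration of that idea; it is not AEGIS's code and not the API of any real controller. The two guarded calls (addFlow, deleteFlow), the application names, the flow entries and the rule table are all constructed for the example. A call with no matching rule is denied, and an "owner" rule is satisfied only when the calling application is the one that installed the data item it wants to modify, so one application cannot remove another application's flow entries.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Relation(Enum):
    """How the caller must relate to the data item an API touches."""
    ANY = "any"      # no relationship required (e.g. creating new data)
    OWNER = "owner"  # caller must be the application that created the item


@dataclass
class FlowEntry:
    switch: str
    match: str
    owner: str  # application that installed the entry (constructed field)


class ControllerState:
    """Stand-in for the controller's internal data structures (constructed)."""

    def __init__(self) -> None:
        self.flows: dict[int, FlowEntry] = {}
        self._next_id = 1

    def insert(self, entry: FlowEntry) -> int:
        fid = self._next_id
        self._next_id += 1
        self.flows[fid] = entry
        return fid


class ApiMonitor:
    """Reference monitor interposed on controller API calls.

    Rules map (application, api) to the Relation the caller must have with
    the data. A call with no rule is denied, so unknown applications get no
    access by default. Every decision is appended to an audit trail.
    """

    def __init__(self, state: ControllerState) -> None:
        self.state = state
        self.rules: dict[tuple[str, str], Relation] = {}
        self.audit: list[tuple[str, str, int | None, str]] = []

    def grant(self, app: str, api: str, relation: Relation) -> None:
        self.rules[(app, api)] = relation

    def authorize(self, app: str, api: str, flow_id: int | None = None) -> bool:
        relation = self.rules.get((app, api))
        if relation is None:
            verdict = False  # default deny: no rule for this app/API pair
        elif relation is Relation.ANY:
            verdict = True
        else:  # Relation.OWNER: check the caller's relationship to the data
            entry = self.state.flows.get(flow_id)
            verdict = entry is not None and entry.owner == app
        self.audit.append((app, api, flow_id, "allow" if verdict else "deny"))
        return verdict

    # Guarded controller APIs; the names are hypothetical, not a real controller's.
    def add_flow(self, app: str, switch: str, match: str) -> int:
        if not self.authorize(app, "addFlow"):
            raise PermissionError(f"{app} may not call addFlow")
        return self.state.insert(FlowEntry(switch, match, owner=app))

    def delete_flow(self, app: str, flow_id: int) -> None:
        if not self.authorize(app, "deleteFlow", flow_id):
            raise PermissionError(f"{app} may not delete flow {flow_id}")
        del self.state.flows[flow_id]


def run_scenario() -> dict:
    """Two registered apps and one unregistered app exercise the monitor."""
    state = ControllerState()
    mon = ApiMonitor(state)
    for app in ("firewall", "loadbalancer"):
        mon.grant(app, "addFlow", Relation.ANY)
        mon.grant(app, "deleteFlow", Relation.OWNER)

    fw_flow = mon.add_flow("firewall", "s1", "tcp.dst=22")
    lb_flow = mon.add_flow("loadbalancer", "s1", "ip.dst=10.0.0.5")

    outcome: dict = {}
    # Cross-application deletion: denied, the entry belongs to the firewall.
    try:
        mon.delete_flow("loadbalancer", fw_flow)
        outcome["lb_deletes_fw_flow"] = "allowed"
    except PermissionError:
        outcome["lb_deletes_fw_flow"] = "denied"
    # Unregistered application: denied by default, no rule exists for it.
    try:
        mon.delete_flow("unknownapp", lb_flow)
        outcome["unknown_deletes"] = "allowed"
    except PermissionError:
        outcome["unknown_deletes"] = "denied"
    # Owner deleting its own entry: allowed.
    mon.delete_flow("firewall", fw_flow)
    outcome["fw_deletes_own"] = "allowed"
    outcome["remaining_flows"] = sorted(state.flows)
    outcome["denials"] = sum(1 for _, _, _, v in mon.audit if v == "deny")
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The point of the design is that the rule table alone does not decide the outcome: the OWNER relation forces the monitor to consult the controller's own data (who installed the flow) at call time, which is what makes the check dynamic rather than a static per-application permission list. The audit trail gives a defender the denied calls to alert on.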



Published In

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies, June 2016, 248 pages. ISBN: 9781450338028. DOI: 10.1145/2914642.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: access control; API misuse; network attacks; software-defined networks


Funding Sources: National Science Foundation

Conference: SACMAT 2016

Acceptance Rates: SACMAT '16 paper acceptance rate 18 of 55 submissions (33%); overall acceptance rate 177 of 597 submissions (30%).


Cited By

  • (2024) Machine learning-based intelligent security framework for secure cloud key management. Cluster Computing, 27(5):5953-5979. DOI: 10.1007/s10586-024-04288-8. Online publication date: 18 Feb 2024.
  • (2024) Machine Learning Techniques for Secure Edge SDN. In: Secure Edge and Fog Computing Enabled AI for IoT and Smart Cities, pages 175-193. DOI: 10.1007/978-3-031-51097-7_14. Online publication date: 20 Mar 2024.
  • (2023) SDN Application Backdoor: Disrupting the Service via Poisoning the Topology. IEEE INFOCOM 2023 - IEEE Conference on Computer Communications, pages 1-10. DOI: 10.1109/INFOCOM53939.2023.10229058. Online publication date: 17 May 2023.
  • (2023) DACAS: integration of attribute-based access control for northbound interface security in SDN. World Wide Web, 26(4):2143-2173. DOI: 10.1007/s11280-022-01130-2. Online publication date: 9 Jan 2023.
  • (2022) Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore. Proceedings of the 2022 on Cloud Computing Security Workshop, pages 23-39. DOI: 10.1145/3560810.3564265. Online publication date: 7 Nov 2022.
  • (2022) A comprehensive survey on SDN security: threats, mitigations, and future directions. Journal of Reliable Intelligent Environments, 9(2):201-239. DOI: 10.1007/s40860-022-00171-8. Online publication date: 8 Feb 2022.
  • (2021) Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks. ACM Computing Surveys, 54(6):1-36. DOI: 10.1145/3453648. Online publication date: 13 Jul 2021.
  • (2021) Network Security Challenges and Countermeasures in SDN Environments. 2021 Eighth International Conference on Software Defined Systems (SDS), pages 1-8. DOI: 10.1109/SDS54264.2021.9732104. Online publication date: 6 Dec 2021.
  • (2021) A Survey of the Main Security Issues and Solutions for the SDN Architecture. IEEE Access, 9:122016-122038. DOI: 10.1109/ACCESS.2021.3109564. Online publication date: 2021.
  • (2021) Adaptive Network Security Service Orchestration Based on SDN/NFV. Information Security Applications, pages 231-242. DOI: 10.1007/978-3-030-89432-0_19. Online publication date: 27 Oct 2021.
