ABSTRACT
Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse the APIs of an SDN controller. Such attacks can both crash the controller and alter its internal data structures, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS that prevents controller APIs from being misused by malicious network applications. Through run-time verification of API calls, AEGIS performs fine-grained access control for important controller APIs that malicious applications could misuse. Each API call is verified in real time against security access rules that are defined based on the relationships between applications and the data held in the SDN controller. We also present a prototype implementation of AEGIS and demonstrate its effectiveness and efficiency against six different controller attacks, including new attacks we have recently discovered.
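As an added illustration (not AEGIS's own code or API), the following Python sketch shows the kind of run-time check the abstract describes: a hook wraps each controller API, and rules expressing application/data relationships (which application installed a flow entry, which application owns topology data) decide whether the call proceeds or is blocked and logged. All API names, application names and rules are constructed for the example.

```python
class AccessDenied(Exception):
    pass

# Constructed controller-internal data and the audit trail of blocked calls.
FLOW_OWNER = {}                    # flow_id -> application that installed it
TOPOLOGY_WRITER = "linkdiscovery"  # the only application allowed to edit links
AUDIT = []                         # (app, api, name of the rule that failed)

# Rules encode app/data relationships; each returns True to allow the call.
def non_null_args(app, kw):       # reject arguments that would crash the API
    return all(v is not None for v in kw.values())
def owns_flow(app, kw):           # an app may only delete flows it installed
    return FLOW_OWNER.get(kw["flow_id"]) == app
def is_topology_writer(app, kw):  # only the discovery app may remove links
    return app == TOPOLOGY_WRITER

RULES = {"add_flow": [non_null_args],
         "delete_flow": [non_null_args, owns_flow],
         "remove_link": [non_null_args, is_topology_writer]}

def verified(api):
    """Run-time hook (the role an AspectJ 'around' advice plays in Java):
    evaluate every rule for the API before the real method executes."""
    def wrap(fn):
        def call(app, **kw):
            for rule in RULES[api]:
                if not rule(app, kw):
                    AUDIT.append((app, api, rule.__name__))
                    raise AccessDenied(f"{app}: {api} blocked by {rule.__name__}")
            return fn(app, **kw)
        return call
    return wrap

@verified("add_flow")
def add_flow(app, flow_id, match):
    FLOW_OWNER[flow_id] = app
    return flow_id
@verified("delete_flow")
def delete_flow(app, flow_id):
    return FLOW_OWNER.pop(flow_id)
@verified("remove_link")
def remove_link(app, link):
    return link  # a real controller would drop the link from its topology here

def attempt(app, fn, **kw):
    """True when the verified call went through, False when it was blocked."""
    try:
        fn(app, **kw)
        return True
    except AccessDenied:
        return False
```

The audit list is what a defender would forward to monitoring: every entry names the application, the API it tried to call and the relationship rule it violated.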
Index Terms
- Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks