research-article

Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks

Authors:
Hitesh Padekar

San Jose State University, San Jose, CA, USA

San Jose State University, San Jose, CA, USA
View Profile

,
Younghee Park

San Jose State University, San Jose, CA, USA

San Jose State University, San Jose, CA, USA
View Profile

,
Hongxin Hu

Clemson University, South Carolina, SC, USA

Clemson University, South Carolina, SC, USA
View Profile

,
Sang-Yoon Chang

Advanced Digital Sciences Center, Singapore, Singapore

Advanced Digital Sciences Center, Singapore, Singapore
View Profile

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and TechnologiesJune 2016Pages 51–61https://doi.org/10.1145/2914642.2914647

Published:06 June 2016Publication History

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies

Pages 51–61

ABSTRACT

Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and change the internal data structure in the controller, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS to prevent controller APIs from being misused by malicious network applications. Through the run-time verification of API calls, AEGIS performs a fine-grained access control for important controller APIs that can be misused by malicious applications. The usage of API calls is verified in real time by sophisticated security access rules that are defined based on the relationships between applications and data in the SDN controller. We also present a prototypical implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks including new attacks we have recently discovered.

References

AspectJ: A seamless aspect-oriented extension to the Java programming language. https://www.eclipse.org/aspectj/.Google Scholar
cbench: Performance benchmarking tool for the controller. https://www.github.com/andi-bigswitch/oflops/tree/master/cbench.Google Scholar
The daikon invariant detector. http://plse.cs.washington.edu/daikon/.Google Scholar
Floodlight: Open SDN Controller. http://www.projectfloodlight.org.Google Scholar
ONOS: Open Networking Operation System. http://onosproject.org/.Google Scholar
OpenDaylight Platform. https://www.opendaylight.org/.Google Scholar
SDN. http://www.sdncentral.com/flow/sdn-software-defined-networking/.Google Scholar
Spring: Platform with inbuilt AspecJ libraries for JVM-based systems. https://www.spring.io/.Google Scholar
Project Foodlight. Circuit Pusher. http://www.projectfloodlight.org/circuit-pusher/.Google Scholar
Nate Foster, Rob Harrison, Michael J Freedman, Christopher Monsanto, Jennifer Rexford, Alec Story, and David Walker. Frenetic: A network programming language. In ACM SIGPLAN Notices, volume 46, pages 279--291. ACM, 2011. Google ScholarDigital Library
Open Networking Fundation. Software-defined networking: The new norm for networks. ONF White Paper, 2012.Google Scholar
Sungmin Hong, Lei Xu, Haopei Wang, and Guofei Gu. Poisoning network visibility in software-defined networks: New attacks and countermeasures. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS'15), February 2015.Google ScholarCross Ref
Ahmed Khurshid, Wenxuan Zhou, Matthew Caesar, and P Godfrey. Veriflow: verifying network-wide invariants in real time. ACM SIGCOMM Computer Communication Review, 42(4):467--472, 2012. Google ScholarDigital Library
Felix Klaedtke, Ghassan O Karame, Roberto Bifulco, and Heng Cui. Access control for sdn controllers. In Proceedings of the third workshop on Hot topics in software defined networking, pages 219--220. ACM, 2014. Google ScholarDigital Library
Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38(2):69--74, 2008. Google ScholarDigital Library
Phillip Porras, Steven Cheung, Martin Fong, Keith Skinner, and Vinod Yegneswaran. Securing the software-defined network control layer. In Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, California, 2015.Google ScholarCross Ref
Sandra Scott-Hayward, Christopher Kane, and Sakir Sezer. Operationcheckpoint: Sdn application control. In Network Protocols (ICNP), 2014 IEEE 22nd International Conference on, pages 618--623. IEEE, 2014. Google ScholarDigital Library
Seungwon Shin, Yongjoo Song, Taekyung Lee, Sangho Lee, Jaewoong Chung, Phillip Porras, Vinod Yegneswaran, Jiseong Noh, and Brent Byunghoon Kang. Rosemary: A robust, secure, and high-performance network operating system. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 78--89. ACM, 2014. Google ScholarDigital Library
Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pages 413--424. ACM, 2013. Google ScholarDigital Library
S. Son, Seungwon Shin, V. Yegneswaran, P. Porras, and Guofei Gu. Model checking invariant security properties in OpenFlow. In Communications (ICC), 2013 IEEE International Conference on, pages 1974--1979, June 2013.Google ScholarCross Ref
Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, and Yi Wang. Towards a secure controller platform for openflow applications. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, pages 171--172. ACM, 2013. Google ScholarDigital Library

Index Terms

Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks
1. Security and privacy
  1. Security services
    1. Access control

Recommendations

A Defense Mechanism for Distributed Denial of Service Attack in Software-Defined Networks
FCST '15: Proceedings of the 2015 Ninth International Conference on Frontier of Computer Science and Technology

Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined ...
Read More
On the Security of Software-Defined Networks
EWSDN '15: Proceedings of the 2015 Fourth European Workshop on Software Defined Networks

To achieve a widespread deployment of Software-Defined Networks (SDNs) these networks need to be secure against internal and external misuse. Yet, currently, compromised end hosts, switches, and controllers can be easily exploited to launch a variety of ...
Read More
Enabling Software-Defined Network Security for Next-Generation Networks
CoNEXT '16: Proceedings of the 12th International on Conference on emerging Networking EXperiments and Technologies

The state of network security today is quite abysmal. Security breaches and downtime of critical infrastructures continue to be the norm rather than the exception, despite the dramatic rise in spending on network security.

Attackers today can easily ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
June 2016
248 pages
ISBN:9781450338028
DOI:10.1145/2914642
General Chair:
X. Sean Wang
Fudan University, China
,
Program Chairs:
Lujo Bauer
Carnegie Mellon University, USA
,
Florian Kerschbaum
SAP, Germany
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 June 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
access control
api misuse
network attacks
software-defined networks
Qualifiers
- research-article
Conference

Acceptance Rates
SACMAT '16 Paper Acceptance Rate18of55submissions,33%Overall Acceptance Rate177of597submissions,30%
More
Upcoming Conference
SACMAT 2024

Sponsor:

sigsac

The 29th ACM Symposium on Access Control Models and Technologies

May 15 - 17, 2024

San Antonio , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 20
  Total Citations
  View Citations
- 424
  Total Downloads
- Downloads (Last 12 months)15
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks

SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies

ABSTRACT

References

Cited By

Index Terms

Recommendations

A Defense Mechanism for Distributed Denial of Service Attack in Software-Defined Networks

On the Security of Software-Defined Networks

Enabling Software-Defined Network Security for Next-Generation Networks