SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets

Xitao Wen, Bo Yang, Yan Chen, Chengchen Hu, Yi Wang, B. Liu, Xiaolin Chen
Published in: 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2016-06-01
DOI: 10.1109/DSN.2016.20 (https://doi.org/10.1109/DSN.2016.20)
Citations: 38

Abstract

The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.