Protecting OpenFlow using Intel SGX
Jorge Medina, Nicolae Paladi, P. Arlos
2019 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), November 2019
DOI: 10.1109/NFV-SDN47374.2019.9039980 (https://doi.org/10.1109/NFV-SDN47374.2019.9039980)
Citations: 7

Abstract
OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasized when co-located tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations, such as Open vSwitch, do not implement protection mechanisms capable of preventing attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.
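As an added illustration of the decomposition the abstract describes (this is not code from the paper's prototype or from Open vSwitch): the flow table and its priority-based match logic sit behind a two-call interface modelled on SGX ECALLs, compiled here as ordinary C so it runs without the SGX SDK. The rest of the program can ask which action applies to a packet and, if it holds the controller's token, install a rule; it has no symbol through which to read or enumerate the table. The `ecall_*` names, the token scheme, the reduced match-field set and the table-miss behaviour (punt to the controller) are all this example's own assumptions.

```c
/* Added example: OpenFlow-style flow table behind a narrow trusted interface.
 * The ecall_* names, the controller token and the table-miss policy are
 * assumptions made for this sketch, not the paper's or Open vSwitch's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64
enum { ACTION_DROP = 0, ACTION_OUTPUT = 1, ACTION_CONTROLLER = 2 };

/* Match fields with per-field wildcards (mask 0 / match_* 0 = wildcard). */
typedef struct {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;
    uint8_t  proto;    int match_proto;
    uint16_t dst_port; int match_port;
} match_t;

typedef struct { uint16_t priority; match_t match; uint8_t action; uint16_t out_port; } flow_t;
typedef struct { uint32_t src_ip, dst_ip; uint8_t proto; uint16_t dst_port; } pkt_t;

/* "Enclave" state: file-static, so no other translation unit can name it.
 * In an SGX build this would be enclave memory, unreadable from the host. */
static flow_t table[MAX_FLOWS];
static int    n_flows;
/* Assumption: a secret provisioned to the controller channel at enclave start. */
static const uint64_t controller_token = 0x6f70656e666c6f77ULL;

/* ECALL 1: only a caller holding the controller token may install rules. */
int ecall_flow_insert(uint64_t token, const flow_t *f)
{
    if (token != controller_token) return -1;   /* unauthenticated caller */
    if (n_flows >= MAX_FLOWS)      return -2;   /* table full */
    table[n_flows++] = *f;
    return 0;
}

static int flow_matches(const match_t *m, const pkt_t *p)
{
    if ((p->src_ip & m->src_mask) != (m->src_ip & m->src_mask)) return 0;
    if ((p->dst_ip & m->dst_mask) != (m->dst_ip & m->dst_mask)) return 0;
    if (m->match_proto && p->proto != m->proto)                 return 0;
    if (m->match_port  && p->dst_port != m->dst_port)           return 0;
    return 1;
}

/* ECALL 2: highest-priority matching entry wins (OpenFlow semantics). The
 * caller learns only the action and output port, never the rule itself. */
int ecall_flow_lookup(const pkt_t *p, uint16_t *out_port)
{
    int best = -1;
    for (int i = 0; i < n_flows; i++)
        if (flow_matches(&table[i].match, p) &&
            (best < 0 || table[i].priority > table[best].priority))
            best = i;
    if (best < 0) { *out_port = 0; return ACTION_CONTROLLER; }  /* table miss */
    *out_port = table[best].out_port;
    return table[best].action;
}

/* ---- untrusted side: controller stand-in and datapath demo ---- */
#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static flow_t mk_flow(uint16_t prio, uint32_t dst, uint32_t dmask,
                      int proto, int port, uint8_t action, uint16_t out)
{
    flow_t f; memset(&f, 0, sizeof f);
    f.priority = prio; f.match.dst_ip = dst; f.match.dst_mask = dmask;
    if (proto >= 0) { f.match.match_proto = 1; f.match.proto = (uint8_t)proto; }
    if (port  >= 0) { f.match.match_port  = 1; f.match.dst_port = (uint16_t)port; }
    f.action = action; f.out_port = out;
    return f;
}

static uint16_t last_out_port;
uint16_t demo_last_port(void) { return last_out_port; }

/* Installs a forward-all rule (prio 100) and a higher-priority deny for
 * TCP/22 (prio 200) into 10.0.0.0/8, then looks up one constructed packet. */
int demo_lookup(uint32_t dst_ip, uint8_t proto, uint16_t dst_port)
{
    n_flows = 0;                                   /* repeatable runs */
    flow_t fwd  = mk_flow(100, IP(10,0,0,0), 0xFF000000u, -1, -1, ACTION_OUTPUT, 2);
    flow_t deny = mk_flow(200, IP(10,0,0,0), 0xFF000000u,  6, 22, ACTION_DROP,   0);
    ecall_flow_insert(controller_token, &fwd);
    ecall_flow_insert(controller_token, &deny);
    pkt_t p = { IP(192,168,1,5), dst_ip, proto, dst_port };
    return ecall_flow_lookup(&p, &last_out_port);
}

/* A tenant process guessing a token gets -1 and changes nothing. */
int demo_insert_rejected(void)
{
    flow_t f = mk_flow(1, 0, 0, -1, -1, ACTION_DROP, 0);
    return ecall_flow_insert(0xdeadbeefULL, &f);
}

int main(void)
{
    printf("ssh to 10.1.2.3  -> action %d\n", demo_lookup(IP(10,1,2,3), 6, 22));
    printf("https to 10.1.2.3-> action %d port %u\n", demo_lookup(IP(10,1,2,3), 6, 443), demo_last_port());
    printf("dns to 172.16.0.1-> action %d\n", demo_lookup(IP(172,16,0,1), 17, 53));
    printf("bad token insert -> %d\n", demo_insert_rejected());
    return 0;
}
```

Two caveats carry over to a real enclave build. File-static storage only keeps out well-behaved C, whereas SGX is meant to keep out a privileged host; and the caller still observes the action returned for every packet it submits, so what the boundary protects is the table as a whole (rule set, priorities, masks) rather than each individual forwarding decision.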