Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks
Title | Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Padekar, Hitesh; Park, Younghee; Hu, Hongxin; Chang, Sang-Yoon |
Conference Name | Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-3802-8 |
Keywords | Access Control, API misuse, network attacks, pubcrawl, Resiliency, Scalability, SDN security, Software-Defined Networks |
Abstract | Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and change the internal data structure in the controller, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS to prevent controller APIs from being misused by malicious network applications. Through the run-time verification of API calls, AEGIS performs a fine-grained access control for important controller APIs that can be misused by malicious applications. The usage of API calls is verified in real time by sophisticated security access rules that are defined based on the relationships between applications and data in the SDN controller. We also present a prototypical implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks including new attacks we have recently discovered. |
URL | http://doi.acm.org/10.1145/2914642.2914647 |
DOI | 10.1145/2914642.2914647 |
Citation Key | padekar_enabling_2016 |