AEGIS: Validating Execution Behavior of Controller Applications in Software-Defined Networks

The software-defined network (SDN) controller provides an application programming interface (API) for network applications and controller modules. Malicious applications and network attackers can misuse these APIs to cause outbreaks on the controller. The controller is the heart of the SDN and should be secured from such API misuse scenarios and network attacks. Most of the prior research in security for SDN controllers focuses on a defense mechanism for a particular attack scenario that requires changes in the controller code. This research proposes dynamic access control and a policy engine-based approach for protecting the SDN controller from network attacks and application bugs, thus defending against the misuse of the controller APIs. The proposed AEGIS protects controller APIs and defines a set of access, semantic, syntactic and communication policy rules and a permission set for accessing controller APIs. It utilizes the traditional API hooking technique to control API usage. We generated various attack scenarios that included application bugs and network attacks on the Floodlight SDN controller and showed that applying AEGIS secured the Floodlight controller APIs and hence protected them from network attacks and application bugs. Finally, we discuss performance comparison tests of the new AEGIS controller implementation for memory usage, API execution time and boot-up time and conclude that AEGIS effectively protects the SDN controller for trustworthy operations

Outsmarting Network Security with SDN Teleportation

Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call \emph{teleportation}. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.Comment: Accepted in EuroSP'1