Taking Control of SDN-based Cloud Systems via the Data Plane

Feldmann, Anja (author); Fiebig, T. (author); Hetzelt, Felicitas (author); Schmid, Stefan (author); Seifert, Jean-Pierre (author); Shastry, Bhargava (author); Thimmaraju, Kashyap (author)

Taking Control of SDN-based Cloud Systems via the Data Plane

Authors: Anja (author) Feldmann
T. (author) Fiebig
Felicitas (author) Hetzelt
Stefan (author) Schmid
Jean-Pierre (author) Seifert
Bhargava (author) Shastry
Kashyap (author) Thimmaraju
Publication date: 1 January 2018
Publisher: 'Association for Computing Machinery (ACM)'
Doi

Abstract

Virtual switches are a crucial component of SDN-based cloud systems, enabling the interconnection of virtual machines in a flexible and “software-defined” manner. This paper raises the alarm on the security implications of virtual switches. In particular, we show that virtual switches not only increase the attack surface of the cloud, but virtual switch vulnerabilities can also lead to attacks of much higher impact compared to traditional switches. We present a systematic security analysis and identify four design decisions which introduce vulnerabilities. Our findings motivate us to revisit existing threat models for SDN-based cloud setups, and introduce a new attacker model for SDN-based cloud systems using virtual switches.Information and Communication Technolog