SDNShield: Reconciliating configurable application permissions for SDN App markets

Xitao Wen, Bo Yang, Yan Chen, Chengchen Hu, Yi Wang, Bin Liu, Xiaolin Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

25 Scopus citations

Abstract

The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Original language: English (US)
Title of host publication: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 121-132
Number of pages: 12
ISBN (Electronic): 9781467388917
State: Published - Sep 29 2016
Event: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 - Toulouse, France
Duration: Jun 28 2016 to Jul 1 2016

Publication series

Name: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

Other

Other: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Country: France
City: Toulouse
Period: 6/28/16 to 7/1/16

Keywords

  • Access control
  • SDN Security
  • Software-defined networks

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

  • Cite this

    Wen, X., Yang, B., Chen, Y., Hu, C., Wang, Y., Liu, B., & Chen, X. (2016). SDNShield: Reconciliating configurable application permissions for SDN App markets. In Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 (pp. 121-132). [7579735] (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DSN.2016.20