Protecting OpenFlow using Intel SGX

Jorge Medina, Nicolae Paladi, Patrik Arlos

    Research output: Chapter in Book/Report/Conference proceedingPaper in conference proceedingpeer-review

    217 Downloads (Pure)

    Abstract

    OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.
    Original languageEnglish
    Title of host publicationIEEE Conference on Network Function Virtualization and Software Defined Networks
    Subtitle of host publication(NFV-SDN)
    PublisherIEEE - Institute of Electrical and Electronics Engineers Inc.
    ISBN (Electronic)978-1-7281-4545-7
    ISBN (Print)978-1-7281-4546-4
    DOIs
    Publication statusPublished - 2020 Mar 19
    EventIEEE Conference on Network Function Virtualization and Software Defined Networks - Dallas, United States
    Duration: 2019 Nov 122019 Nov 14

    Conference

    ConferenceIEEE Conference on Network Function Virtualization and Software Defined Networks
    Country/TerritoryUnited States
    CityDallas
    Period2019/11/122019/11/14

    Subject classification (UKÄ)

    • Computer Systems

    Free keywords

    • Software Defined Networks
    • confidentiality
    • Software Guard Extentions
    • Integrity

    Fingerprint

    Dive into the research topics of 'Protecting OpenFlow using Intel SGX'. Together they form a unique fingerprint.

    Cite this