Protecting OpenFlow using Intel SGX

Jorge Medina; Nicolae Paladi; Patrik Arlos

doi:10.1109/NFV-SDN47374.2019.9039980

Protecting OpenFlow using Intel SGX

Jorge Medina, Nicolae Paladi, Patrik Arlos

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

217 Downloads (Pure)

Abstract

OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

Original language	English
Title of host publication	IEEE Conference on Network Function Virtualization and Software Defined Networks
Subtitle of host publication	(NFV-SDN)
Publisher	IEEE - Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	978-1-7281-4545-7
ISBN (Print)	978-1-7281-4546-4
DOIs	https://doi.org/10.1109/NFV-SDN47374.2019.9039980
Publication status	Published - 2020 Mar 19
Event	IEEE Conference on Network Function Virtualization and Software Defined Networks - Dallas, United States Duration: 2019 Nov 12 → 2019 Nov 14

Conference

Conference	IEEE Conference on Network Function Virtualization and Software Defined Networks
Country/Territory	United States
City	Dallas
Period	2019/11/12 → 2019/11/14

Subject classification (UKÄ)

Computer Systems

Free keywords

Software Defined Networks
confidentiality
Software Guard Extentions
Integrity

Access to Document

10.1109/NFV-SDN47374.2019.9039980

Medina-nfvsdn19Accepted author manuscript, 627 KB

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden
Hell, M. (PI), Magnusson, B. (PI), Gehrmann, C. (CoI), Paladi, N. (Researcher), Karlsson, L. (Researcher), Sönnerup, J. (Researcher), Johnsson, B. A. (Researcher), Hedin, G. (Researcher), Nordahl, M. (Researcher), Pagnin, E. (Researcher), Kundu, R. (Researcher), Åkesson, A. (Researcher), Stankovski Wagner, P. (Researcher) & Ramezanian, S. (Researcher)
Swedish Foundation for Strategic Research, SSF
2018/03/01 → 2024/12/31
Project: Research

Cite this

@inproceedings{dafe54d325a1426dbef9eba697544c6b,

title = "Protecting OpenFlow using Intel SGX",

abstract = "OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.",

keywords = "Software Defined Networks, confidentiality, Software Guard Extentions, Integrity",

author = "Jorge Medina and Nicolae Paladi and Patrik Arlos",

year = "2020",

month = mar,

day = "19",

doi = "10.1109/NFV-SDN47374.2019.9039980",

language = "English",

isbn = "978-1-7281-4546-4",

booktitle = "IEEE Conference on Network Function Virtualization and Software Defined Networks",

publisher = "IEEE - Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "IEEE Conference on Network Function Virtualization and Software Defined Networks ; Conference date: 12-11-2019 Through 14-11-2019",

}

Medina, J, Paladi, N & Arlos, P 2020, Protecting OpenFlow using Intel SGX. in IEEE Conference on Network Function Virtualization and Software Defined Networks: (NFV-SDN)., 9039980, IEEE - Institute of Electrical and Electronics Engineers Inc., IEEE Conference on Network Function Virtualization and Software Defined Networks, Dallas, United States, 2019/11/12. https://doi.org/10.1109/NFV-SDN47374.2019.9039980

TY - GEN

T1 - Protecting OpenFlow using Intel SGX

AU - Medina, Jorge

AU - Paladi, Nicolae

AU - Arlos, Patrik

PY - 2020/3/19

Y1 - 2020/3/19

N2 - OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

AB - OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

KW - Software Defined Networks

KW - confidentiality

KW - Software Guard Extentions

KW - Integrity

U2 - 10.1109/NFV-SDN47374.2019.9039980

DO - 10.1109/NFV-SDN47374.2019.9039980

M3 - Paper in conference proceeding

SN - 978-1-7281-4546-4

BT - IEEE Conference on Network Function Virtualization and Software Defined Networks

PB - IEEE - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE Conference on Network Function Virtualization and Software Defined Networks

Y2 - 12 November 2019 through 14 November 2019

ER -

Protecting OpenFlow using Intel SGX

Abstract

Conference

Subject classification (UKÄ)

Free keywords

Access to Document

Fingerprint

Projects

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden

Cite this