Protecting OpenFlow Flow Tables with Intel SGX

Research output: Paper in conference proceeding (Chapter in Book/Report/Conference proceeding)

Abstract

Flexible and powerful control over network flows is one of the core advantages of Software-Defined Networking (SDN). Flow rules stored in a switch's flow tables describe how packets are processed and routed. On a software switch the flow rules live in ordinary host memory, as entries in the flow-table data structures, and are consulted by a classifier that selects the matching rule for each packet. Network flows are a valuable asset: they reveal the traffic patterns between endpoints, and network tenants may compete for the (limited) entries in the flow tables.

Commodity software switches do not currently implement confidentiality or integrity protection for flow tables. An attacker who exploits a software vulnerability to gain access to the switch host's memory can observe or modify the installed flows. Observing installed flows lets the attacker learn security-sensitive information: the topology, the flow patterns between endpoints, and the flow priorities. Modifying installed flows lets the attacker exploit routing loopholes and skip packet-processing steps, e.g. route around a firewall or stop packets from being mirrored to an intrusion detection system.
In this demo we present OFTinSGX, an approach to protecting the confidentiality and integrity of network flows installed on software switches. Our approach decomposes the network switch to reduce its attack surface, isolating the OpenFlow flow tables and flow rules from the rest of the code base. OFTinSGX thereby prevents attacks on the confidentiality and integrity of flow rules in software switches.
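The following is an added illustration of the decomposition the abstract sketches, not code from OFTinSGX or from the authors. It models the two memory regions as plain dicts: in the monolithic design the flow table sits in host memory, so an attacker with a memory read/write primitive can enumerate the rules and rewrite a firewall rule; in the isolated design the table and classifier live in a separate region reached only through a narrow call interface (standing in for SGX ECALLs), the host holds no copy of the rules, and installs must carry an integrity tag under a key known only to the controller and the isolated component. The rule set, packet, key and the HMAC-based install authentication are assumptions made for this example.

```python
"""Model of isolating an OpenFlow flow table from the rest of a software switch.
Constructed illustration, not OFTinSGX code. Memory regions are dicts; in a real
deployment the isolated region would be an SGX enclave and ecall_* would be ECALLs.
Rules, packet, key and the HMAC install check are made up for this example."""
import copy
import hashlib
import hmac
import json

WILDCARD = None


def rule_matches(match, packet):
    """OpenFlow-style match: every non-wildcard field must equal the packet header."""
    return all(v is WILDCARD or packet.get(k) == v for k, v in match.items())


def classify(rules, packet):
    """Classifier: highest-priority matching rule wins; a table miss drops the packet."""
    for rule in sorted(rules, key=lambda r: -r["priority"]):
        if rule_matches(rule["match"], packet):
            return tuple(rule["actions"])
    return ("drop",)


def rule_tag(key, rule):
    """Controller-side integrity tag over a canonical encoding of the rule (assumed scheme)."""
    msg = json.dumps(rule, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MonolithicSwitch:
    """Today's software switch: the flow table lives in host memory with all other code."""
    def __init__(self, host_memory):
        self.mem = host_memory
        self.mem["flow_table"] = []

    def install(self, rule):
        self.mem["flow_table"].append(copy.deepcopy(rule))

    def process(self, packet):
        return classify(self.mem["flow_table"], packet)


class IsolatedFlowTable:
    """Flow table and classifier confined to a separate region. The host keeps no copy of
    the rules and only receives per-packet verdicts; installs must carry a tag under a key
    the host does not hold, so host-side code cannot forge or silently alter rules."""
    def __init__(self, enclave_memory, controller_key):
        self.mem = enclave_memory
        self.mem["flow_table"] = []
        self.mem["key"] = controller_key

    def ecall_install(self, rule, tag):
        if not hmac.compare_digest(tag, rule_tag(self.mem["key"], rule)):
            raise PermissionError("rule rejected: bad integrity tag")
        self.mem["flow_table"].append(copy.deepcopy(rule))

    def ecall_classify(self, packet):
        return classify(self.mem["flow_table"], packet)


# Constructed rule set: a 'firewall' rule that drops SSH and a default that also mirrors to an IDS.
BLOCK_SSH = {"priority": 100, "match": {"ip_proto": 6, "tcp_dst": 22}, "actions": ["drop"]}
DEFAULT = {"priority": 10, "match": {}, "actions": ["output:1", "output:ids_mirror"]}
SSH_PKT = {"ip_proto": 6, "tcp_dst": 22, "ip_dst": "10.0.0.5"}
CONTROLLER_KEY = b"controller-secret-for-this-example"  # assumed shared controller/enclave key


def attacker_reads_host_memory(host_memory):
    """What an attacker who can read the switch process memory learns about the flows."""
    return list(host_memory.get("flow_table", []))


def attack_monolithic():
    """Returns (verdict before attack, rules leaked to attacker, verdict after attack)."""
    host = {}
    sw = MonolithicSwitch(host)
    sw.install(BLOCK_SSH)
    sw.install(DEFAULT)
    before = sw.process(SSH_PKT)                  # firewall rule holds: ('drop',)
    leaked = attacker_reads_host_memory(host)     # attacker sees matches, priorities, actions
    # Memory-write primitive: route around the firewall and stop IDS mirroring.
    host["flow_table"][0]["actions"] = ["output:1"]
    host["flow_table"][1]["actions"] = ["output:1"]
    after = sw.process(SSH_PKT)
    return before, len(leaked), after


def attack_isolated():
    """Returns (verdict, rules leaked to attacker, whether a forged install succeeded)."""
    host, enclave = {}, {}
    table = IsolatedFlowTable(enclave, CONTROLLER_KEY)
    host["enclave_handle"] = id(table)            # host memory holds only a handle
    for r in (BLOCK_SSH, DEFAULT):
        table.ecall_install(r, rule_tag(CONTROLLER_KEY, r))
    leaked = attacker_reads_host_memory(host)     # nothing: rules are not in host memory
    forged = {"priority": 200, "match": {}, "actions": ["output:1"]}
    try:
        table.ecall_install(forged, "00" * 32)    # host cannot compute a valid tag
        forged_ok = True
    except PermissionError:
        forged_ok = False
    return table.ecall_classify(SSH_PKT), len(leaked), forged_ok
```

The model captures the two properties the abstract names: confidentiality (the host region contains no rule, so a memory-read attacker learns neither topology nor priorities) and integrity (only the controller can produce installs the isolated table accepts). What it does not capture is the real enclave boundary, side channels, or the residual leakage through verdicts the host does see, which a deployment still has to reason about.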

Details

Authors
Organisations
External organisations
  • RISE SICS AB
  • New Jersey Institute of Technology
  • Blekinge Institute of Technology
Research areas and keywords

Subject classification (UKÄ)

  • Communication Systems
Original language: English
Title of host publication: ACM SIGCOMM 2019 Conference on Posters and Demos
Publisher: ACM
Pages: 146-147
Publication status: Published - 2019 Aug 23
Publication category: Research
Peer-reviewed: Yes
Event: ACM SIGCOMM 2019 - Beijing, China
Duration: 2019 Aug 19 to 2019 Aug 24

Conference

Conference: ACM SIGCOMM 2019
Country: China
City: Beijing
Period: 2019/08/19 to 2019/08/24