Protecting OpenFlow using Intel SGX

Jorge Medina; Nicolae Paladi; Patrik Arlos

doi:10.1109/NFV-SDN47374.2019.9039980

Protecting OpenFlow using Intel SGX

Jorge Medina, Nicolae Paladi, Patrik Arlos

Nätverk och säkerhet

Forskningsoutput: Kapitel i bok/rapport/Conference proceeding › Konferenspaper i proceeding › Peer review

158 Nedladdningar (Pure)

Sammanfattning

OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

Originalspråk	engelska
Titel på värdpublikation	IEEE Conference on Network Function Virtualization and Software Defined Networks
Undertitel på värdpublikation	(NFV-SDN)
Förlag	IEEE - Institute of Electrical and Electronics Engineers Inc.
ISBN (elektroniskt)	978-1-7281-4545-7
ISBN (tryckt)	978-1-7281-4546-4
DOI	https://doi.org/10.1109/NFV-SDN47374.2019.9039980
Status	Published - 2020 mars 19
Evenemang	IEEE Conference on Network Function Virtualization and Software Defined Networks - Dallas, USA Varaktighet: 2019 nov. 12 → 2019 nov. 14

Konferens

Konferens	IEEE Conference on Network Function Virtualization and Software Defined Networks
Land/Territorium	USA
Ort	Dallas
Period	2019/11/12 → 2019/11/14

Ämnesklassifikation (UKÄ)

Datorsystem

Tillgång till dokument

10.1109/NFV-SDN47374.2019.9039980

Medina-nfvsdn19Accepterat manuskript från författare, 627 KB

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden
Hell, M., Magnusson, B., Gehrmann, C., Paladi, N., Karlsson, L., Sönnerup, J., Johnsson, B. A., Hedin, G., Nordahl, M., Pagnin, E., Kundu, R. & Åkesson, A.
Stiftelsen för Strategisk Forskning, SSF
2018/03/01 → 2023/02/28
Projekt: Forskning

Citera det här

@inproceedings{dafe54d325a1426dbef9eba697544c6b,

title = "Protecting OpenFlow using Intel SGX",

abstract = "OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.",

keywords = "Software Defined Networks, confidentiality, Software Guard Extentions, Integrity",

author = "Jorge Medina and Nicolae Paladi and Patrik Arlos",

year = "2020",

month = mar,

day = "19",

doi = "10.1109/NFV-SDN47374.2019.9039980",

language = "English",

isbn = "978-1-7281-4546-4",

booktitle = "IEEE Conference on Network Function Virtualization and Software Defined Networks",

publisher = "IEEE - Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "IEEE Conference on Network Function Virtualization and Software Defined Networks ; Conference date: 12-11-2019 Through 14-11-2019",

}

Medina, J, Paladi, N & Arlos, P 2020, Protecting OpenFlow using Intel SGX. i IEEE Conference on Network Function Virtualization and Software Defined Networks: (NFV-SDN)., 9039980, IEEE - Institute of Electrical and Electronics Engineers Inc., IEEE Conference on Network Function Virtualization and Software Defined Networks, Dallas, USA, 2019/11/12. https://doi.org/10.1109/NFV-SDN47374.2019.9039980

TY - GEN

T1 - Protecting OpenFlow using Intel SGX

AU - Medina, Jorge

AU - Paladi, Nicolae

AU - Arlos, Patrik

PY - 2020/3/19

Y1 - 2020/3/19

N2 - OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

AB - OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.

KW - Software Defined Networks

KW - confidentiality

KW - Software Guard Extentions

KW - Integrity

U2 - 10.1109/NFV-SDN47374.2019.9039980

DO - 10.1109/NFV-SDN47374.2019.9039980

M3 - Paper in conference proceeding

SN - 978-1-7281-4546-4

BT - IEEE Conference on Network Function Virtualization and Software Defined Networks

PB - IEEE - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE Conference on Network Function Virtualization and Software Defined Networks

Y2 - 12 November 2019 through 14 November 2019

ER -

Protecting OpenFlow using Intel SGX

Sammanfattning

Konferens

Ämnesklassifikation (UKÄ)

Tillgång till dokument

Fingeravtryck

Projekt

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden

Citera det här