Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks

Publication Type: Conference Paper
Year of Publication: 2016
Authors: Padekar, Hitesh; Park, Younghee; Hu, Hongxin; Chang, Sang-Yoon
Conference Name: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-3802-8
Keywords: Access Control, API misuse, network attacks, pubcrawl, Resiliency, Scalability, SDN security, Software-Defined Networks

Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) can be caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and alter its internal data structures, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS to prevent controller APIs from being misused by malicious network applications. Through run-time verification of API calls, AEGIS enforces fine-grained access control over the important controller APIs that malicious applications could misuse. Each API call is verified in real time against security access rules defined by the relationships between applications and the data in the SDN controller. We also present a prototype implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks, including new attacks we have recently discovered.
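The abstract describes the mechanism only at a high level: intercept each controller API call, identify the calling application, and decide from rules keyed on the application, the operation and the affected controller data whether the call proceeds. The following Python sketch is an added example of that idea and is not AEGIS code (the page reproduces none). The application names, API names, the ownership relationship used by the rules and the policy itself are assumptions for illustration; what it shows is the deny-by-default interception point and the way a rule can depend on the relationship between an application and the data it touches (here, whether the application installed the flow entry it is trying to remove).

```python
"""Illustrative run-time access control for SDN controller APIs.

Added example, not code from the AEGIS paper. Every controller API
call made by a network application passes through a guard that checks
the call against (application, operation, resource) rules; rules may
additionally require that the application owns the object it modifies.
Unknown applications and unlisted operations are denied by default.
All names and the policy below are assumed for illustration.
"""
from dataclasses import dataclass
from functools import wraps


class AccessDenied(Exception):
    """Raised when a controller API call violates the policy."""


@dataclass(frozen=True)
class Rule:
    app: str            # calling network application
    operation: str      # "read", "add" or "remove"
    resource: str       # controller data structure: "flow_table", "switches"
    owner_only: bool = False  # only objects this app created itself


class Guard:
    """Checks API calls against the rules and records an audit trail."""

    def __init__(self, rules):
        self.rules = set(rules)
        self.audit = []  # list of (decision, app, operation, resource)

    def check(self, app, operation, resource, owner=None):
        for r in self.rules:
            if (r.app, r.operation, r.resource) != (app, operation, resource):
                continue
            if r.owner_only and owner != app:   # relationship check
                continue
            self.audit.append(("allow", app, operation, resource))
            return
        self.audit.append(("deny", app, operation, resource))
        raise AccessDenied(f"{app}: {operation} on {resource} denied")


def guarded(operation, resource, owner_of=None):
    """Decorator that verifies a controller API call before running it.

    owner_of(controller, *args) optionally returns the owner of the
    object being modified, so owner_only rules can be evaluated.
    """
    def deco(fn):
        @wraps(fn)
        def wrapper(self, app, *args, **kwargs):
            owner = owner_of(self, *args) if owner_of else None
            self.guard.check(app, operation, resource, owner)
            return fn(self, app, *args, **kwargs)
        return wrapper
    return deco


class Controller:
    """Toy controller exposing guarded APIs over its internal state."""

    def __init__(self, guard):
        self.guard = guard
        self.flows = {}                 # flow_id -> {match, action, owner}
        self.switches = {"s1", "s2"}    # constructed sample topology

    @guarded("read", "switches")
    def list_switches(self, app):
        return sorted(self.switches)

    @guarded("add", "flow_table")
    def add_flow(self, app, flow_id, match, action):
        self.flows[flow_id] = {"match": match, "action": action, "owner": app}
        return flow_id

    @guarded("read", "flow_table")
    def get_flows(self, app):
        return {fid: f["match"] for fid, f in self.flows.items()}

    @guarded("remove", "flow_table",
             owner_of=lambda ctrl, fid: ctrl.flows.get(fid, {}).get("owner"))
    def remove_flow(self, app, flow_id):
        return self.flows.pop(flow_id)


# Assumed policy: firewall and loadbalancer may add flows and remove only
# their own; monitor is read-only; anything else is denied by default.
POLICY = [
    Rule("firewall", "read", "switches"),
    Rule("firewall", "add", "flow_table"),
    Rule("firewall", "read", "flow_table"),
    Rule("firewall", "remove", "flow_table", owner_only=True),
    Rule("monitor", "read", "switches"),
    Rule("monitor", "read", "flow_table"),
    Rule("loadbalancer", "add", "flow_table"),
    Rule("loadbalancer", "remove", "flow_table", owner_only=True),
]


def attempt(call, *args):
    """Run a guarded API call and report the policy decision."""
    try:
        call(*args)
        return "allowed"
    except AccessDenied:
        return "denied"


def demo():
    """Exercise the guard with constructed calls; returns decisions and audit."""
    ctrl = Controller(Guard(POLICY))
    results = {
        "fw_add": attempt(ctrl.add_flow, "firewall", "f1", "tcp dst 23", "drop"),
        "lb_add": attempt(ctrl.add_flow, "loadbalancer", "f2", "tcp dst 80", "output:2"),
        "monitor_add": attempt(ctrl.add_flow, "monitor", "f3", "any", "drop"),
        "lb_remove_fw_flow": attempt(ctrl.remove_flow, "loadbalancer", "f1"),
        "lb_remove_own_flow": attempt(ctrl.remove_flow, "loadbalancer", "f2"),
        "rogue_read": attempt(ctrl.list_switches, "rogue"),
    }
    results["flows_left"] = sorted(ctrl.flows)
    return results, ctrl.guard.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for k, v in decisions.items():
        print(f"{k}: {v}")
    for entry in trail:
        print(entry)
```

The decorator is the single interception point a real controller would need on every exported API; the `owner_of` hook is where the "relationship between application and data" enters the decision, so a load balancer cannot delete the firewall's flow entries even though both applications are permitted to call the same removal API.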

