
Protecting OpenFlow using Intel SGX

Medina, Jorge; Paladi, Nicolae (LU) and Arlos, Patrik (2020) IEEE Conference on Network Function Virtualization and Software Defined Networks
Abstract
OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.
author
Medina, Jorge; Paladi, Nicolae; Arlos, Patrik
publishing date
2020
type
Chapter in Book/Report/Conference proceeding
publication status
published
keywords
Software Defined Networks, confidentiality, Software Guard Extensions, Integrity
host publication
IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
article number
9039980
publisher
IEEE - Institute of Electrical and Electronics Engineers Inc.
conference name
IEEE Conference on Network Function Virtualization and Software Defined Networks
conference location
Dallas, United States
conference dates
2019-11-12 - 2019-11-14
external identifiers
  • scopus:85082985337
ISBN
978-1-7281-4546-4
978-1-7281-4545-7
DOI
10.1109/NFV-SDN47374.2019.9039980
project
Säkra mjukvaruuppdateringar för den smarta staden (Secure software updates for the smart city)
language
English
LU publication?
yes
id
dafe54d3-25a1-426d-bef9-eba697544c6b
date added to LUP
2020-01-17 09:05:30
date last changed
2021-02-17 06:49:41
@inproceedings{dafe54d3-25a1-426d-bef9-eba697544c6b,
  abstract     = {OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.},
  author       = {Medina, Jorge and Paladi, Nicolae and Arlos, Patrik},
  booktitle    = {IEEE Conference on Network Function Virtualization and Software Defined Networks : (NFV-SDN)},
  isbn         = {978-1-7281-4546-4},
  language     = {eng},
  month        = {03},
  publisher    = {IEEE - Institute of Electrical and Electronics Engineers Inc.},
  title        = {Protecting OpenFlow using Intel SGX},
  url          = {https://lup.lub.lu.se/search/ws/files/75133945/nfvsdn19.pdf},
  doi          = {10.1109/NFV-SDN47374.2019.9039980},
  year         = {2020},
}