Protecting OpenFlow using Intel SGX

Medina, Jorge; Paladi, Nicolae; Arlos, Patrik

Protecting OpenFlow using Intel SGX

Mark

Medina, Jorge ; Paladi, Nicolae ^LU

and Arlos, Patrik (2020) IEEE Conference on Network Function Virtualization and Software Defined Networks

Abstract: OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow... (More); OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/dafe54d3-25a1-426d-bef9-eba697544c6b

author

Medina, Jorge ; Paladi, Nicolae ^LU

and Arlos, Patrik

organization

Networks and Security (research group)

publishing date

2020-03-19

type

Chapter in Book/Report/Conference proceeding

publication status

published

subject

Computer Systems

keywords

Software Defined Networks, confidentiality, Software Guard Extentions, Integrity

host publication

IEEE Conference on Network Function Virtualization and Software Defined Networks : (NFV-SDN) - (NFV-SDN)

article number

9039980

publisher

IEEE - Institute of Electrical and Electronics Engineers Inc.

conference name

IEEE Conference on Network Function Virtualization and Software Defined Networks

conference location

Dallas, United States

conference dates

2019-11-12 - 2019-11-14

external identifiers

scopus:85082985337

ISBN

978-1-7281-4546-4

978-1-7281-4545-7

DOI

10.1109/NFV-SDN47374.2019.9039980

project

Säkra mjukvaruuppdateringar för den smarta staden

language

English

LU publication?

yes

id

dafe54d3-25a1-426d-bef9-eba697544c6b

date added to LUP

2020-01-17 09:05:30

date last changed

2023-04-10 06:53:32

@inproceedings{dafe54d3-25a1-426d-bef9-eba697544c6b,
  abstract     = {{OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasised when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable to prevent attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.}},
  author       = {{Medina, Jorge and Paladi, Nicolae and Arlos, Patrik}},
  booktitle    = {{IEEE Conference on Network Function Virtualization and Software Defined Networks : (NFV-SDN)}},
  isbn         = {{978-1-7281-4546-4}},
  keywords     = {{Software Defined Networks; confidentiality; Software Guard Extentions; Integrity}},
  language     = {{eng}},
  month        = {{03}},
  publisher    = {{IEEE - Institute of Electrical and Electronics Engineers Inc.}},
  title        = {{Protecting OpenFlow using Intel SGX}},
  url          = {{https://lup.lub.lu.se/search/files/75133945/nfvsdn19.pdf}},
  doi          = {{10.1109/NFV-SDN47374.2019.9039980}},
  year         = {{2020}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Protecting OpenFlow using Intel SGX