Xitao Wen,Bo Yang,Yan Chen,Chengchen Hu,Yi Wang,Bin Liu,Xiaolin Chen

DOI: https://doi.org/10.1109/dsn.2016.20

2016-01-01

Abstract:The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Tao Hu,Zhen Zhang,Peng Yi,Dong Liang,Ziyong Li,Quan Ren,Yuxiang Hu,Julong Lan

DOI: https://doi.org/10.1016/j.jpdc.2020.09.006

IF: 4.542

2021-01-01

Journal of Parallel and Distributed Computing

Abstract:<p>Cloud computing provides scalable network services and makes network management more flexible by combining Software-Defined Networking (SDN). Through the northbound interface (e.g., REST API) offered by the SDN controller, users can easily deploy diversified applications to access the network resources. However, exploiting the openness of the northbound interface, malicious applications abuse APIs to launch hostile attacks, which poses serious threats to the network. In this paper, we propose SEAPP, a secure application management framework based on REST API access control. Our main idea is to granularly manage application permissions and encrypt REST API calls to defend against malicious attacks. SEAPP includes two components: 1) permissions detection engine identifies the facticity of application permissions by analyzing permission manifests and byte codes and further identifies the legality of permissions with constructed sensitive API list; 2) registration authorization engine executes encrypted registration between applications and controller by virtue of NTRU algorithm and authorizes applications to call the requested REST APIs based on their risk levels after securely authenticating them. Besides, SEAPP is a lightweight logic architecture between application plane and control plane and supports quick deployment and reconfiguration in runtime. Both theoretical analysis and evaluation results show the security and effectiveness of SEAPP. Besides, SEAPP introduces negligible CPU and memory overheads.</p>

computer science, theory & methods

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

Rui Chang,Liehui Jiang,Wenzhi Chen,Hongqi He,Shuiqiao Yang

DOI: https://doi.org/10.1109/cit.2016.14

2016-01-01

Abstract:As the number of smart devices continues to grow dramatically, programmes and data handled by such smart devices have become the primary targets of hackers and malwares. ARM-Android is the most widespread platform for smart devices. Access to privacy-and security-relevant parts of the API is controlled by the corresponding permission in a manifest. However, while requesting access to permissions, these applications may offer opportunities to malicious codes to gain access to other inaccessible resources which will cause a series of security issues. Recently, many researchers focus on the permission-based mechanism which restricts accesses of users and applications to critical resources on an ARM-Android device. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our permission-based security architecture on ARM-Android platform. We propose an usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension. In contrast to previous work, the proposed security architecture provides a flexible mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness in mitigating permission leakage vulnerabilities.

Yang Luo,Wu Luo,Tian Puyang,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/cloud.2016.0017

2016-01-01

Abstract:The access control mechanisms of existing cloud systems, mainly OpenStack, fail to provide two key factors: i) centralized access mediation and ii) flexible policy customization. This situation prevents cloud administrators and end customers from enhancing their security. Furthermore, a variety of clouds have implemented their access control systems and policies in separated ways. This might confuse the customers whose businesses are built on multiple clouds, as they have to take efforts to accommodate their policies for different platforms. The OpenStack Security Modules (OSM) project has developed a least-invasive access control framework for OpenStack to enable different access control models to be implemented as loadable modules. This framework can be a good replacement of the existing permission checks in OpenStack and other platforms. We also propose an integration mechanism for multiple policies to form a single decision. This paper presents the design and implementation of OSM, including a new service called patron and an attachment module called access endpoint middleware (AEM). Experiments on the tempest benchmark indicate that OSM has improved the flexibility and security of policy management without affecting other services. Meantime, the average performance overhead remains as low as 7.3%, which is acceptable for practical use.

Shengru Li,Daoyun Hu,Wenjian Fang,Shoujiang Ma,Cen Chen,Huibai Huang,Zuqing Zhu

DOI: https://doi.org/10.1109/mnet.2017.1600030nm

IF: 10.294

2017-01-01

IEEE Network

Abstract:Software-defined networking separates the control and forwarding planes of a network to make it more programmable and application- aware. As one of the initial implementations of SDN, OpenFlow abstracts a forwarding device as a flow table and realizes flow processing by applying the "match-and-act" principle. However, the protocol-dependent nature of OpenFlow still limits the programmability of the forwarding plane. Hence, in this article, we discuss how to leverage protocol-oblivious forwarding (POF) to further enhance the network programmability such that the forwarding plane becomes protocol-independent and can be dynamically reprogrammed to support new protocol stacks seamlessly. We first review the development of OpenFlow and explain the motivations for introducing POF. Then we explain the working principle of POF, discuss our efforts on realizing the POF development ecosystem, and show our implementation of POF-based source routing as a novel use case. Finally, we elaborate on the first WAN-based POF network testbed that includes POF switches located in two cities in China.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Chao Liu,Cankun Hou,Tianyu Jiang,Jianting Ning,Hui Qiao,Yusen Wu

2024-06-06

Abstract:Data-driven landscape across finance, government, and healthcare, the continuous generation of information demands robust solutions for secure storage, efficient dissemination, and fine-grained access control. Blockchain technology emerges as a significant tool, offering decentralized storage while upholding the tenets of data security and accessibility. However, on-chain and off-chain strategies are still confronted with issues such as untrusted off-chain data storage, absence of data ownership, limited access control policy for clients, and a deficiency in data privacy and auditability. To solve these challenges, we propose a permissioned blockchain-based privacy-preserving fine-grained access control on-chain and off-chain system, namely FACOS. We applied three fine-grained access control solutions and comprehensively analyzed them in different aspects, which provides an intuitive perspective for system designers and clients to choose the appropriate access control method for their systems. Compared to similar work that only stores encrypted data in centralized or non-fault-tolerant IPFS systems, we enhanced off-chain data storage security and robustness by utilizing a highly efficient and secure asynchronous Byzantine fault tolerance (BFT) protocol in the off-chain environment. As each of the clients needs to be verified and authorized before accessing the data, we involved the Trusted Execution Environment (TEE)-based solution to verify the credentials of clients. Additionally, our evaluation results demonstrated that our system offers better scalability and practicality than other state-of-the-art designs.

Cryptography and Security

Chen Tian,Alex X. Liu,Ali Munir,Jie Yang,Yangming Zhao

DOI: https://doi.org/10.48550/arxiv.1603.05353

2016-01-01

Abstract:The state-of-the-art OpenFlow technology only partially realized SDN vision of abstraction and centralization for packet forwarding in switches. OpenFlow/P4 falls short in implementing middlebox functionalities due to the fundamental limitation in its match-action abstraction. In this paper, we advocate the vision of Software-Defined Middleboxes (SDM) to realize abstraction and centralization for middleboxes. We further propose OpenFunction, an SDM reference architecture and a network function abstraction layer. Our SDM architecture and OpenFunction abstraction are complementary to existing SDN and Network Function Virtualization (NFV) technologies. SDM complements SDN as SDM realizes abstraction and centralization for middleboxes, whereas SDN realizes those for switches. OpenFunction complements OpenFlow as OpenFunction addresses network functions whereas OpenFlow addresses packet forwarding. SDM also complements NFV in that SDM gives NFV the ability to use heterogenous hardware platforms with various hardware acceleration technologies.

Nian Xue,Lulu Liang,Jie Zhang,Xin Huang

DOI: https://doi.org/10.1007/978-3-319-59608-2_43

2016-01-01

Abstract:The OpenFlow protocol, as a fundamental element for Software Defined Networking (SDN) architecture, only supports for packet forwarding across switches in general networks. In this paper, the authors propose Software-Defined Function (SDF) which entitles administrators to manage the Internet of Things (IoT) devices and services through abstraction of the underlying infrastructure. The authors further present OpenFunction, a secure communications protocol stemmed from OpenFlow, which enables the IoT devices to be upgraded or reprogrammed remotely and securely. Finally, the authors implement a preliminary SDF system and evaluate its performance. The experimental results demonstrate that the SDF and OpenFunction can grant programmability, flexibility, centralization and security to the IoT.

Guangwu Hu,Ke Xu,Jianping Wu

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.169

2013-01-01

Abstract:Enterprise networks have become increasingly important with the rising number of users accessing their services, which consequently brings challenges in various aspects. Though OpenFlow, the promising scheme for enterprise network control, can provide fine-grained and flow-level control in networks, yet it still has a few undesirable designs in security, scalability and performance. Inspired by many excellent OpenFlow-included studies, we in this paper, propose SuperFlow, a reliable, controlable and scalable architecture for large-scale enterprise networks. It not only inherits the merits of OpenFlow, but also overcomes OpenFlow's limitations by introducing many novel features, including the trustiness between hosts and users based on the compulsory authentication mechanisms, the flexible flow controling upon the well-organized control-rule designing, the scalable architecture considerations in both controller load-balancing and management scales. The prototype experiments also prove that SuperFlow possesses these features with desirable performance.

Chen Sun,Jun Bi,Zili Meng,Xiao Zhang,Hongxin Hu

DOI: https://doi.org/10.1109/iwqos.2018.8624151

2018-01-01

Abstract:Network Function Virtualization (NFV) together with Software Defined Networking (SDN) offers the potential for enhancing service delivery flexibility and reducing overall costs. Based on the capability of dynamic creation and destruction of network function (NF) instances, NFV provides great elasticity in NF control, such as NF scaling out, scaling in, load balancing, etc. To realize NFV elasticity control, network traffic flows need to be redistributed across NF instances. However, deciding which flows are suitable for migration is a critical problem for efficient NFV elasticity control. In this paper, we propose to build an innovative flow migration controller, OFM Controller, to achieve optimized flow migration for NFV elasticity control. We identify the trigger conditions and control goals for different situations, and carefully design models and algorithms to address three major challenges including buffer overflow avoidance, migration cost calculation, and effective flow selection for migration. We implement the OFM Controller on top of NFV and SDN environments. Our evaluation results show that OFM Controller is efficient to support optimized flow migration in NFV elasticity control.

Daniel Rosendo,Judith Kelner,Patrícia Endo

DOI: https://doi.org/10.5753/sbrc_estendido.2018.14177

2018-05-06

Abstract:Enterprise network managers need to control the access to their network resources and protect them from malicious users. Current Network Access Control (NAC) solutions rely on approaches, such as firewalls, VLAN, ACL, and LDAP that are inflexible and require per-device and vendor-specific configurations, being error-prone. Besides, misconfigurations may result in vulnerabilities that could compromise the overall network security. Managing security policies involve dealing with many access control rules, conflicting policies, rule priorities, right delegation, dynamics of the network, etc. This work presents HACFlow, a novel, autonomic, and policy-based framework for access control management in OpenFlow networks. HACFlow simplifies and automates the network management allowing network operators to govern rights of network entities by defining dynamic, fine-grained, and high-level access control policies. We analyzed the performance of HACFlow and compared it against related approaches.

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1049/el.2016.2670

2016-01-01

Electronics Letters

Abstract:Modifying flow rule attack posts a huge threat to controllers in network operating system (NOS) for software defined network (SDN) due to its concealment. Based on the previously proposed NOS architecture with multiple controllers which introduce heterogeneity and dynamic to defend above attack effectively, its dynamic segment about dynamically scheduling controllers is explicitly presented. A dynamic-scheduling method is put forward to maximise security gain of NOS during each switch. This algorithm is able to improve NOS security through altering its framework's diversity to maximum degree while considering switching cost and latency simultaneously. Theory analysis and simulation results prove validity and availability of the devised mechanism and its more effective security performance over traditional architectures.

Li Junfei,Hu Yuxiang,Wu Jiangxing

DOI: https://doi.org/10.7544/issn1000-1239.2017.20160055

2017-01-01

Journal of Computer Research and Development

Abstract:Software defined network (SDN) proposes the architecture of separating the control logic and forwarding devices in networks,which brings the open API for freely programing and makes the network management more fine.However,while the centralized control of SDN brings innovation and convenience for network applications,it also brings other problems,for example the reliability problem and the scalability problem simultaneously.For the problem of control plane's reliability in SDN,the method that voting deals with the same OpenFlow messages by combing multiple controllers to a quorum view is proposed to tolerate Byzantine faults,which is different from the current OpenFlow protocol.Firstly,we concretely explain the network structure,workflow and exception handling in the application of Byzantine fault-tolerance algorithm with the feature of SDN,and establish the analytical model of multi-controller's deployment.Secondly,we design a heuristic algorithm to solve the problem of multi-controller's deployment.Finally,to verify the fault tolerance method and deploy algorithms by simulation,experimental results show that this method can effectively deal with controllers' faults,improving the reliability of the control layer,but it will sacrifice the system's performance at some level.Meanwhile,the deployment algorithm can effectively reduce the transmission delay of processing OpenFlow request.

Tao Feng,Jun Bi,Peiyao Xiao,Xiuli Zheng

DOI: https://doi.org/10.1109/inm.2015.7140368

2015-01-01

Abstract:The application of SDN and OpenFlow in a production network will face the challenges of integration with legacy routers and legacy control and management protocols. Our contribution is to preserve distributed basic functions in legacy network devices and improve central control on complex functions with OpenFlow. This paper describes a refactoring process of an intra-AS source address validation from a traditional network application to an OpenFlow-based one. It shows practical solutions about introducing OpenFlow into a commercial router by fireware updating without device hardware modification, extending OpenFlow for routing notification and packets sampling to integrate with legacy control protocols, extending an OpenFlow controller to receive and forward routing status and packets sampling messages for external control.

Alam Masoom,Seifert Jean-Pierre,Li Qi,Zhang Xinwen

DOI: https://doi.org/10.1145/1368310.1368345

2008-01-01

Abstract:Continuous access control after an object is released into a distributed environment has been regarded as the usage control problem and has been investigated by different researchers in various papers. However, the enabling technology for usage control is a challenging problem and the space has not been fully explored yet. In this paper we identify the general requirements of a trusted usage control enforcement in heterogeneous computing environments, and also propose a general platform architecture to meet these requirements.

Arusa Kanwal,Mohammad Nizamuddin,Waseem Iqbal,Waqas Aman,Yawar Abbas,Shynar Mussiraliyeva

DOI: https://doi.org/10.1109/access.2024.3390968

IF: 3.9

2024-04-27

IEEE Access

Abstract:Software Defined Networking (SDN) has emerged as a new paradigm for managing heterogeneous networks ranging from enterprises to home network via decoupling the control plane from the data plane. In the traditional networking landscape, these two planes are tightly bound together inside a single appliance. The logically centralized and distributed control plane and programmability offer a great opportunity to improve network security, such as by implementing new mechanisms to detect and mitigate various threats, and also enable security as a service in an SDN paradigm. Due to the ever increasing and fast development of SDN, this paper provides an extensive survey of SDN controllers, SDN-related security threats, and solutions to mitigate the security threats. This study provides a comprehensive survey of 53 SDN controllers from different aspects, including language, architecture, organization, open source, scalability, consistency, reliability, API used, library, and their description. We have also provided a detailed security analysis of SDN architecture with an extensive classification of security threats endangering its different architectural components and the solutions to effectively mitigate them. This paper also identifies challenges and promising future directions on SDN deployment, standardization, implementation, and security issues that should be addressed in this field.

computer science, information systems,telecommunications,engineering, electrical & electronic

Montida Pattaranantakul,Ruan He,Zonghua Zhang,Ahmed Meddahi,Ping Wang

DOI: https://doi.org/10.1109/TDSC.2018.2889709

2021-01-01

Abstract:AbstractNetwork Functions Virtualization (NFV) has been widely recognized as an effective way to implement and consolidate hardware-based network functions by using software-based approaches, with a potential to significantly reducing CAPEX and OPEX. In particular, NFV orchestrators (e.g., Tacker, Cloudify, and ONAP) play a vital role in managing and orchestrating various virtualized network resources (e.g., VMs, Virtualized Network Functions), and TOSCA is one of the standard data models to fulfil such a role. However, it remains unclear how the security mechanisms can be seamlessly integrated into the entire lifecycle of those virtualized network assets. Starting with a comparative analysis on the available NFV orchestrators, we extend the TOSCA model to incorporate security attributes of interest, and leverage the extended model to create access control policies at cloud scale. Specifically, a security orchestrator is developed, which contains a TOSCA-parser and a novel tenant-specific access control paradigm. One of the salient features of our security orchestrator is that it allows to dynamically generate access control models and policies for different tenant domains, resulting in a flexible and scalable protection coverage that is across different NFV layers and multiple data centers. To validate its feasibility and effectiveness, we develop a security orchestrator prototype and test its performance with respect to throughput, scalability, and adaptability. The experimental results demonstrate that all the desirable properties can be achieved, and the throughput of our security orchestrator can be maintained at a satisfactory level regardless of the varying number of tenants, users, or objects that are deployed in the cloud.

Chen Tian,Ali Munir,Alex X. Liu,Jie Yang,Yangming Zhao

DOI: https://doi.org/10.1109/tnet.2018.2829882

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:We propose OpenFunction, an extensible data plane abstraction protocol for platform-independent software-defined middleboxes. The main challenge is how to abstract packet operations, flow states and event generations with elements. The key decision of OpenFunction is: actions/states/events operations should be defined in a uniform pattern and independent from each other. We implemented a working SDM system including one OpenFunction controller and OpenFunction boxes based on Netmap, DPDK and FPGA to verify OpenFunction abstraction.