SDNShield

The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications. Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this project, we design SDNShield, an access control system that helps network administrators to express and enforce only the minimum required privileges to individual controller applications. SDNShield achieves this goal through (i) fine-grained permission abstractions that allow accurate representation of application behavior boundary, and (ii) automatic security policy reconciliation that incorporate security policies specified by administrators into the requested permissions. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Publication

Xitao Wen, Bo Yang, Yan Chen, Chengchen Hu, Yi Wang, Bin Liu, Xiaolin Chen, SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets , in the Proc. of IEEE/IFIP DSN, 2016
Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, Yi Wang, "Towards A Secure Controller Platform for OpenFlow Application" , short paper in HotSDN 2013, Hong Kong, China, August 2013.
Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, Yi Wang, "Towards A Secure Controller Platform for OpenFlow Application" , poster paper in NSDI 2013, Lombard, IL, April 2013.

Patent

"The Method for Control-layer Application Access Control and Controller", Pending China Patent: CN 201510064799.5.

People

Xitao Wen (Google)
Bo Yang (Zhejiang University)
Chao Shi
Yan Chen (Northwestern University)

Collaborators

Chengchen Hu (Xi'an Jiaotong University)
Yi Wang (Tsinghua University)
Bin Liu (Tsinghua University)