SEAPP: A secure application management framework based on REST API access control in SDN-enabled cloud environment

Abstract

Cloud computing provides scalable network services, and combining it with Software-Defined Networking (SDN) makes network management more flexible. Through the northbound interface (e.g., the REST API) offered by the SDN controller, users can easily deploy diverse applications that access network resources. However, malicious applications exploit the openness of the northbound interface and abuse its APIs to launch hostile attacks, which poses serious threats to the network. In this paper, we propose SEAPP, a secure application management framework based on REST API access control. Our main idea is to manage application permissions at a fine granularity and to encrypt REST API calls in order to defend against malicious attacks. SEAPP consists of two components: 1) the permission detection engine verifies the authenticity of an application's permissions by analyzing its permission manifest and bytecode, and further checks the legality of those permissions against a constructed sensitive API list; 2) the registration authorization engine performs encrypted registration between applications and the controller using the NTRU algorithm and, after securely authenticating an application, authorizes it to call the requested REST APIs according to its risk level. In addition, SEAPP is a lightweight logical architecture placed between the application plane and the control plane, and it supports quick deployment and reconfiguration at runtime. Both theoretical analysis and evaluation results show the security and effectiveness of SEAPP, and SEAPP introduces negligible CPU and memory overhead.
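The following is an added example, not code from the SEAPP paper, that models the two engines the abstract describes in simplified form. The permission detection engine compares an application's declared permission manifest with the REST API calls found in its code against a sensitive API list and derives a risk level; the registration authorization engine issues a registration token carrying the granted permissions and the risk level, and authorizes each REST API call against it. The NTRU-based encrypted registration is out of scope here and is replaced by an HMAC-signed token (an assumption, not the paper's mechanism); the API paths, permission names, risk thresholds and the "extracted" call list are all constructed.

```python
"""Added example (not from the SEAPP paper): a minimal permission detection
engine and risk-level based REST API authorizer for SDN applications.
All API paths, permission names and thresholds are constructed assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed mapping from REST API path prefix to the permission it needs.
API_PERMISSIONS = {
    "/api/v1/topology": "topology_read",
    "/api/v1/flows": "flow_write",
    "/api/v1/devices": "device_admin",
    "/api/v1/config": "controller_config",
}

# Constructed sensitive API list: permissions that alter forwarding or
# controller state, so using them raises an application's risk level.
SENSITIVE_PERMISSIONS = {"flow_write", "device_admin", "controller_config"}

# Constructed policy: the highest risk level still allowed to use a permission.
RISK_ORDER = ["low", "medium", "high"]
MAX_RISK_FOR_PERMISSION = {
    "topology_read": "high",
    "flow_write": "medium",
    "device_admin": "low",
    "controller_config": "low",
}


@dataclass
class DetectionReport:
    undeclared: set   # permissions the code needs but the manifest omits
    unused: set       # declared permissions no call actually needs
    sensitive: set    # sensitive permissions the code really uses
    risk: str         # low / medium / high, from the sensitive count
    consistent: bool  # manifest truthfully covers the observed calls


def permission_for(path):
    """Map a REST path to the permission it requires ('unknown' if unmapped)."""
    for prefix, perm in API_PERMISSIONS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return perm
    return "unknown"


def detect(manifest, observed_paths):
    """Permission detection engine: check the manifest against the REST paths
    that bytecode analysis (assumed done elsewhere) found in the application."""
    used = {permission_for(p) for p in observed_paths}
    undeclared = used - manifest
    unused = manifest - used
    sensitive = used & SENSITIVE_PERMISSIONS
    risk = RISK_ORDER[min(len(sensitive), 2)]  # 0 -> low, 1 -> medium, 2+ -> high
    consistent = not undeclared and "unknown" not in used
    return DetectionReport(undeclared, unused, sensitive, risk, consistent)


def register(app_id, manifest, report, controller_key):
    """Registration authorization engine: register only applications whose
    manifest passed detection, granting just the permissions they really use
    (over-declared ones are dropped). The HMAC tag stands in for the
    NTRU-encrypted exchange of the paper (assumption)."""
    if not report.consistent:
        return None
    granted = sorted(manifest - report.unused)
    body = json.dumps({"app": app_id, "granted": granted, "risk": report.risk},
                      sort_keys=True)
    tag = hmac.new(controller_key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def authorize(token, path, controller_key):
    """Authenticate the token, then allow the call only if the needed permission
    was granted and the application's risk level is within that permission's limit."""
    try:
        body, tag = token.rsplit(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(controller_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(body)
    perm = permission_for(path)
    if perm == "unknown" or perm not in claims["granted"]:
        return False
    return RISK_ORDER.index(claims["risk"]) <= RISK_ORDER.index(MAX_RISK_FOR_PERMISSION[perm])


if __name__ == "__main__":
    key = b"constructed-controller-key"
    # Constructed case: a monitoring app that over-declares flow_write but only reads topology.
    report = detect({"topology_read", "flow_write"}, ["/api/v1/topology/links"])
    token = register("monitor", {"topology_read", "flow_write"}, report, key)
    print(report.risk, authorize(token, "/api/v1/topology/links", key),
          authorize(token, "/api/v1/flows/1", key))
```

Three outcomes are worth checking against sample inputs: an application whose code needs a permission its manifest hides is not registered at all; an application that declares more than it uses is registered with the unused permission pruned; and an application that legitimately uses several sensitive APIs is registered but, at the resulting "high" risk level, is refused the calls whose policy limit is lower.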
