Component integrity guarantees in software-defined networking infrastructure

Operating-system-level virtualization (containers) is commonly used to deploy virtual network functions (VNFs) that access the centralized network controller in software-defined networking (SDN) infrastructure. While this allows flexible network configuration, it also enlarges the attack surface, since sensitive information is exchanged between the controller and the VNFs. In this work we propose a mechanism for bootstrapping secure communication between the SDN controller and the deployed network applications. The mechanism relies on platform integrity evaluation and execution isolation, namely the Linux Integrity Measurement Architecture (IMA) and Intel Software Guard Extensions (SGX). To validate the feasibility of the approach, we implemented a proof of concept, which we then tested and evaluated to assess its performance. The prototype is a first step towards giving users security guarantees regarding the integrity of components in the SDN infrastructure.
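As an added illustration of the integrity-evaluation building block, not code from the paper or its prototype: the controller-side check below parses an IMA measurement list in the `ima-ng` line format of `/sys/kernel/security/ima/ascii_runtime_measurements`, compares it against a reference set, and only then derives an application-specific channel key bound to the measured state. The reference set, the `vnf-firewall` application, the controller secret and the sample log lines are all constructed for the example; the template-hash field is a simplified stand-in and is not verified here, since in a real deployment that is what the TPM quote over PCR 10 attests.

```python
"""Added illustration (not the paper's code): gate release of a controller-side
channel key on a Linux IMA measurement list. Reference set, application name,
controller secret and log lines are constructed for this example."""
import hashlib
import hmac

# Constructed reference measurements: what the controller expects to see for
# the container running the (hypothetical) vnf-firewall application.
_GOOD_BINARY = b"vnf-firewall build 1.0\n"
_GOOD_CONFIG = b"allow 10.0.0.0/8\n"
REFERENCE = {
    "/usr/bin/vnf-firewall": hashlib.sha256(_GOOD_BINARY).hexdigest(),
    "/etc/vnf/policy.conf": hashlib.sha256(_GOOD_CONFIG).hexdigest(),
}
CONTROLLER_SECRET = b"constructed-controller-master-secret"  # assumption


def ima_line(path, digest, pcr=10):
    """Render one ima-ng entry: <pcr> <template-hash> ima-ng sha256:<hash> <path>.
    The real template hash is SHA-1 over the length-prefixed template fields and
    is what IMA extends into PCR 10; here it is a simplified stand-in that this
    verifier does not check (that belongs to the TPM quote, out of scope)."""
    template_data = f"sha256:{digest} {path}".encode()
    return f"{pcr} {hashlib.sha1(template_data).hexdigest()} ima-ng sha256:{digest} {path}"


def parse_ima_log(text):
    """Parse ima-ng lines; maxsplit=4 keeps a pathname containing spaces intact."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[2] != "ima-ng":
            raise ValueError(f"line {lineno}: unsupported or malformed IMA entry")
        pcr, template_hash, _, algo_digest, path = parts
        algo, sep, digest = algo_digest.partition(":")
        if not sep or not digest:
            raise ValueError(f"line {lineno}: missing <algo>:<digest> field")
        entries.append({"pcr": int(pcr), "template_hash": template_hash,
                        "algo": algo, "digest": digest.lower(), "path": path})
    return entries


def evaluate_integrity(entries, reference):
    """Return (path, reason) violations; an empty list means the measured state
    matches the reference. A file absent from the log has simply not been loaded
    under the IMA policy yet and is not treated as a violation here."""
    violations = []
    for e in entries:
        expected = reference.get(e["path"])
        if expected is None:
            violations.append((e["path"], "not in reference set"))
        elif e["algo"] != "sha256":
            violations.append((e["path"], f"unexpected hash algorithm {e['algo']}"))
        elif not hmac.compare_digest(e["digest"], expected):
            violations.append((e["path"], "digest mismatch"))
    return violations


def bootstrap_app_key(ima_log_text, reference, controller_secret, app_id):
    """Controller side: derive an application-specific channel key only if the
    measurement list is clean. The key is bound to the measured state (in log
    order, mirroring PCR extension), so a key issued under one state is useless
    if the application is later redeployed with different components."""
    entries = parse_ima_log(ima_log_text)
    violations = evaluate_integrity(entries, reference)
    if violations:
        return None, violations
    state = hashlib.sha256()
    for e in entries:
        state.update(f"{e['algo']}:{e['digest']} {e['path']}\0".encode())
    key = hmac.new(controller_secret,
                   b"sdn-app-channel-key|" + app_id + b"|" + state.digest(),
                   hashlib.sha256).digest()
    return key, []


def good_log():
    """Constructed measurement list matching REFERENCE."""
    return "\n".join(ima_line(p, d) for p, d in REFERENCE.items()) + "\n"


def tampered_log():
    """Constructed list: same binary, but policy.conf was rewritten before load."""
    bad = hashlib.sha256(b"allow 0.0.0.0/0\n").hexdigest()
    return (ima_line("/usr/bin/vnf-firewall", REFERENCE["/usr/bin/vnf-firewall"]) + "\n"
            + ima_line("/etc/vnf/policy.conf", bad) + "\n")


if __name__ == "__main__":
    key, _ = bootstrap_app_key(good_log(), REFERENCE, CONTROLLER_SECRET, b"vnf-firewall-1")
    print("clean state ->", key.hex())
    key, why = bootstrap_app_key(tampered_log(), REFERENCE, CONTROLLER_SECRET, b"vnf-firewall-1")
    print("tampered state ->", key, why)
```

The check deliberately fails closed: any entry outside the reference set, any digest mismatch, or any non-SHA-256 algorithm withholds the key and reports why, so the controller never provisions a credential to a container whose measured state it cannot account for.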
