Vulnerabilities of network OS and mitigation with state-based permission system

The advancement of software-defined networking (SDN) is redefining traditional computer networking architecture. The control plane of SDN is of such importance that SDNs are referred to as network operating systems (OSs). However, the robustness and security of the network OS have been overlooked. In this paper, we report three main issues pertaining to network OSs. First, we identified vulnerabilities that could be exploited by malicious or buggy applications running on network OSs. We also identified four major attack vectors that could undermine network OS operations: denial of service, global data manipulation, control plane poisoning, and system shell execution. Further, we demonstrated that real-world attacks can be launched against commonly used network OSs without significant effort. Second, we present a method to address these attacks by analyzing the network applications running on a network OS to identify their behavioral features, from which a permission set is extracted for each network application. Based on this work, a permission-based malicious network application detector was introduced, which examines the permission set of each application and prevents it from executing without the required permission. Our system shows almost no performance overhead. Copyright © 2015 John Wiley & Sons, Ltd.
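As an added illustration, not code from the paper or any network OS, the following sketch models the permission-based detector the abstract describes: every network application carries a permission set, and each privileged network OS call is checked against it before the call body runs, with denials recorded for detection. The permission names, the two application names and the API stubs are assumptions chosen to mirror the four attack vectors listed above.

```python
from enum import Enum

class Perm(Enum):
    # One permission per privileged capability behind the abstract's attack vectors (assumed names).
    FLOW_MOD = "flow_mod"               # control plane poisoning via rogue flow rules
    GLOBAL_DATA_WRITE = "global_write"  # global data manipulation
    SHELL_EXEC = "shell_exec"           # system shell execution
    RESOURCE_ALLOC = "resource_alloc"   # denial of service by resource exhaustion

class PermissionDenied(Exception):
    pass

class PermissionMonitor:
    """Reference monitor between network applications and the network OS core.
    `grants` maps app name -> permission set extracted from the app's behaviour."""
    def __init__(self, grants):
        self._grants = {app: frozenset(perms) for app, perms in grants.items()}
        self.denials = []  # (app, permission) pairs kept for detection/alerting

    def check(self, app, perm):
        if perm in self._grants.get(app, frozenset()):  # unknown app: default deny
            return True
        self.denials.append((app, perm.value))
        return False

    def invoke(self, app, perm, api, *args):
        """Every privileged network OS API call goes through here."""
        if not self.check(app, perm):
            raise PermissionDenied(f"{app} lacks {perm.value}")
        return api(*args)

def run_simulation():
    """Constructed scenario: a firewall app granted FLOW_MOD only, a stats app granted nothing."""
    monitor = PermissionMonitor({"firewall": {Perm.FLOW_MOD}, "stats": set()})
    installed = []  # stand-in for the controller's flow table writes
    def install_flow(match, action):
        installed.append((match, action))
    def run_shell(cmd):
        raise AssertionError("unreachable: no app was granted SHELL_EXEC")

    monitor.invoke("firewall", Perm.FLOW_MOD, install_flow, "tcp dst 22", "drop")
    attempts = [("stats", Perm.FLOW_MOD, install_flow, "*", "drop"),  # poisoning attempt
                ("stats", Perm.SHELL_EXEC, run_shell, "id")]           # shell attempt
    for app, perm, api, *args in attempts:
        try:
            monitor.invoke(app, perm, api, *args)
        except PermissionDenied:
            pass  # blocked before the API body runs; recorded in monitor.denials
    return installed, monitor.denials
```

The denial log is what a detector would alert on: an application repeatedly requesting permissions outside its extracted set is the behavioural signal the abstract's system is built around.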
