Transcript Towards A Secure Controller Platform for OpenFlow Applications Xitao Wen1, Yan Chen1, Chengchen Hu2, Chao Shi1, Yi Wang3 1 Northwestern University, 2 Xi’an.

Towards A Secure Controller Platform
for OpenFlow Applications
Xitao Wen1, Yan Chen1, Chengchen Hu2, Chao Shi1, Yi Wang3
1 Northwestern University, 2 Xi’an Jiaotong University, 3 Tsinghua University
Motivation
The OpenFlow (OF) architecture embraces third-party development efforts, and therefore suffers from
potential trust issues on OF applications (apps). In practice, apps possesses great flexibility to define
network behavior. The abuse of such trust could lead to various types of attacks impacting the entire
network.
Threat Model and Potential Attacks
 Two threat models
Class 4: Attack Between Apps
Class 2: Information Leakage
 Exploit of existing benign-but-buggy
Attacker App
User App
apps
on
i
s
u
r
Int
t
c
e
r
: Di
1
s
 Distribution of malicious apps by
s
Network OS
Attacker
Cla
attacker
 Example attack classes
Switch
1) Direct intrusion from control plane
Switch
into data plane
Internet
2) Leakage of sensitive configuration
from control plane
Switch
Alice
3) Manipulation of OpenFlow rules
4) Attacking and deactivating other apps
User App
Switch
Bob
Class 3: Manipulation of
OF Rules
Compromised
Host
Defense – A Fine-grained Permission System for OpenFlow Apps
Untrusted Code
Unprivileged
Threads
Controller Kernel
Kernel
Kernel
Kernel
Module
Module
Modules
API
User
APP
Event
Notifications
Library API
Controller Code
PermOF Library Code
Controller
Service Calls
API
API
Kernel
Service
Deputy
System Calls
Access Control
Shim Layer
Operating System
 Permission Set Design
1) Identify critical activities
2) Build basic permission set
3) Refine Permission set
4) Verify security goals and
determine limitations
 Isolation Goals
1) Controller maintains a
conceptually superior role to apps
2) Apps cannot access functions and
data of the controller as well as
other apps
3) Controller manages apps’ access
to OS resources, e.g. network and
storage
1
1
0.9
0.9
0.8
0.8
0.7
0.7
0.6
0.6
CDF
 We implement a preliminary prototype as
an extension to Floodlight OpenFlow
controller
 Java thread is taken as the isolation
container
 Latency overhead is around tens of
microseconds; while throughput is
comparable with original Floodlight
CDF
Implementation and Evaluation
0.5
0.4
0.5
0.4
0.3
Floodlight
PermOF
BusyWaiting
PermOF
Yielding
0.2
0.1
0
Floodlight
PermOF
BusyWaiting
PermOF
Yielding
0
50
100
Latency Overhead (s)
150
0.3
0.2
0.1
0
0
1000
2000
3000
Throughput (kilorequest/s)
4000
Related Work
 FlowVisor[1] deals with cross-slice attacks; while we mainly focus on inter-app attacks within a user slice
 FortNOX cares about the OF rule conflicts that violate the global security policies; while we expand the
focus to all behaviors of apps that violate the app-specific security policies
[1] Sherwood, R., etc., FlowVisor: A Network Virtualization Layer. OpenFlow Switch Consortium ’09
[2] Porras, P., etc., A Security Enforcement Kernel for OpenFlow Networks. In HotSDN ’12