Proceedings of the 2018 Workshop on Security in Softwarized Networks: Prospects and Challenges: latest publications
Offloading Security Services to the Cloud Infrastructure
P. Chaignon, Diane Adjavon, Kahina Lazri, J. François, O. Festor
Cloud applications rely on a diverse set of security services, from application-layer rate-limiting to TCP SYN cookies and application firewalls. Some of these services are implemented at the infrastructure layer, on the host or in the NIC, to filter attacks closer to their source and free CPU cycles for the tenants' applications. Most security services, however, remain difficult to implement at the infrastructure layer because they are closely tied to the applications they protect. In this paper, we propose to allow tenants to offload small filtering programs to the infrastructure. We design a mechanism to ensure fairness in resource consumption among tenants and show that, by carefully probing specific points of the infrastructure, all resource consumption can be accounted for. We prototype our solution over the new high-performance datapath of Linux. Our preliminary experiments show that an offload to the host's CPU can bring a 4-6x performance improvement. In addition, fairness among tenants introduces an overhead of only 14% in the worst case and approximately 3% for realistic applications.
DOI: https://doi.org/10.1145/3229616.3229624 (published 2018-08-07)
Citations: 5
Virtual Network Isolation: Are We There Yet?
K. Thimmaraju, G. Rétvári, S. Schmid
While multi-tenant cloud computing provides great benefits in terms of resource sharing, it introduces a new security landscape and requires strong network isolation guarantees between the tenants. Such network isolation is typically implemented using network virtualization: Virtual switches residing in the virtualization layer enforce isolation, e.g., via tunnel protocols and per-tenant flow rules. The design of such switches is a very active topic: Since 2009 alone, at least 22 different designs have been introduced. Our systematic analysis of 22 virtual switches uncovers 4 security weaknesses: Co-location, single point of failure, privileged packet processing and manual packet parsing. An attacker can easily undermine network isolation by exploiting those weaknesses. Hence, we introduce 3 secure design principles to build a resilient virtual switch, thereby offering strong virtual network isolation.
DOI: https://doi.org/10.1145/3229616.3229618 (published 2018-08-07)
Citations: 4
Trust Modelling in 5G mobile networks
M. Surridge, Gianluca Correndo, K. Meacham, J. Papay, S. Phillips, Stefanie Wiegand, T. Wilkinson
5G technologies will change the business landscape for mobile network operation. The use of virtualization through SDN, NFV and Cloud computing offers significant savings in CAPEX and OPEX, but it also allows new stakeholders to rent infrastructure capacity and operate mobile networks, including specialized networks supporting so-called vertical applications that serve specific business sectors. In the resulting diverse stakeholder communities, the old trust assumptions between network operators will no longer apply. There is a pressing need for a far broader understanding of trust in such networks if they are to operate safely and securely for the engaged stakeholder communities. This paper describes the work carried out in the 5G-ENSURE project to address this need.
DOI: https://doi.org/10.1145/3229616.3229621 (published 2018-08-07)
Citations: 11
High-coverage testing of softwarized networks
S. Prabhu, G. Chaudhry, Brighten Godfrey, M. Caesar
Network operators face a challenge of ensuring correctness as networks grow more complex, in terms of scale and increasingly in terms of diversity of software components. Network-wide verification approaches can spot errors, but assume a simplified abstraction of the functionality of individual network devices, which may deviate from the real implementation. In this paper, we propose a technique for high-coverage testing of end-to-end network correctness using the real software that is deployed in these networks. Our design is effectively a hybrid, using an explicit-state model checker to explore all network-wide execution paths and event orderings, but executing real software as subroutines for each device. We show that this approach can detect correctness issues that would be missed both by existing verification and testing approaches, and a prototype implementation suggests the technique can scale to larger networks with reasonable performance.
DOI: https://doi.org/10.1145/3229616.3229617 (published 2018-08-07)
Citations: 2
Practical Authentication and Access Control for Software-Defined Networking over Optical Networks
J. Cho, T. Szyrkowiec
The Software-Defined Networking (SDN) framework provides a centralized and integrated method to manage and control modern optical networks. Unfortunately, the centralized and programmable structure of SDN introduces several new security threats, which may allow an adversary to take over the entire operation of the network. In this paper, we investigate the potential security threats of SDN over optical networks and propose a mutual authentication and a fine-grained access control mechanism, which are essential to prevent unauthorized access to the network. The proposed schemes are based only on cryptographic hash functions and do not require installation of a complex cryptographic library such as SSL. Unlike conventional authentication and access control schemes, the proposed schemes are flexible and compact and, in addition, are resistant to quantum computer attacks, which may become critical in the near future.
DOI: https://doi.org/10.1145/3229616.3229619 (published 2018-08-07)
Citations: 3
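The abstract above only states that the scheme uses cryptographic hash functions and no SSL stack. The following is an added illustration, not the authors' protocol, of how mutual authentication and fine-grained access control can be built from HMAC-SHA256 and pre-shared keys alone: a three-message nonce exchange in which each side proves knowledge of the shared key, and a per-application permission table whose requests carry an HMAC and a strictly increasing counter. The message layout, the role labels (`device`, `controller`, `request`), the counter, the permission table and the keys are all assumptions constructed for this example.

```python
"""Hash-only mutual authentication and per-application access control between an
SDN controller and its network elements. Added illustration, not the scheme of
Cho and Szyrkowiec: only HMAC-SHA256 with pre-shared 256-bit keys is used. Message
layout, role labels, the request counter and the permission table are assumptions;
the keys below are constructed for the demo."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so a||b cannot be re-split as a'||b'."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


class Device:
    """Network element (e.g. an optical node) holding a key shared with the controller."""

    def __init__(self, dev_id: bytes, key: bytes) -> None:
        self.dev_id, self.key = dev_id, key
        self.nonce: Optional[bytes] = None

    def respond(self, ctl_nonce: bytes) -> Tuple[bytes, bytes]:
        # Answer the controller's nonce with a fresh nonce and a proof of the key.
        self.nonce = os.urandom(32)
        return self.nonce, tag(self.key, b"device", self.dev_id, ctl_nonce, self.nonce)

    def verify_controller(self, ctl_nonce: bytes, ctl_tag: bytes) -> bool:
        if self.nonce is None:
            return False
        return hmac.compare_digest(
            ctl_tag, tag(self.key, b"controller", self.dev_id, self.nonce, ctl_nonce))


class Controller:
    def __init__(self, device_keys: Dict[bytes, bytes]) -> None:
        self.device_keys = device_keys
        self.pending: Dict[bytes, bytes] = {}  # dev_id -> nonce awaiting a reply

    def challenge(self, dev_id: bytes) -> bytes:
        self.pending[dev_id] = os.urandom(32)
        return self.pending[dev_id]

    def verify_device(self, dev_id: bytes, dev_nonce: bytes, dev_tag: bytes) -> Optional[bytes]:
        """Check the device's proof; on success return the controller's own proof."""
        key = self.device_keys.get(dev_id)
        ctl_nonce = self.pending.pop(dev_id, None)  # a challenge is answered once
        if key is None or ctl_nonce is None:
            return None
        if not hmac.compare_digest(dev_tag, tag(key, b"device", dev_id, ctl_nonce, dev_nonce)):
            return None
        return tag(key, b"controller", dev_id, dev_nonce, ctl_nonce)


def mutual_auth(ctl: Controller, dev: Device) -> bool:
    """Three-message exchange; True only if both sides accept the other's proof."""
    ctl_nonce = ctl.challenge(dev.dev_id)
    dev_nonce, dev_tag = dev.respond(ctl_nonce)
    ctl_tag = ctl.verify_device(dev.dev_id, dev_nonce, dev_tag)
    return ctl_tag is not None and dev.verify_controller(ctl_nonce, ctl_tag)


class AccessControl:
    """Per-app (operation, resource) permissions; every request carries an HMAC under
    the app's key and a strictly increasing counter, which rejects replays."""

    def __init__(self, app_keys: Dict[bytes, bytes],
                 permissions: Dict[bytes, Set[Tuple[bytes, bytes]]]) -> None:
        self.app_keys, self.permissions = app_keys, permissions
        self.last_counter: Dict[bytes, int] = {}

    @staticmethod
    def sign_request(key: bytes, app_id: bytes, op: bytes, res: bytes, ctr: int) -> bytes:
        return tag(key, b"request", app_id, op, res, ctr.to_bytes(8, "big"))

    def authorize(self, app_id: bytes, op: bytes, res: bytes, ctr: int, req_tag: bytes) -> bool:
        key = self.app_keys.get(app_id)
        if key is None or ctr <= self.last_counter.get(app_id, -1):
            return False  # unknown app, or replayed/reordered request
        if not hmac.compare_digest(req_tag, self.sign_request(key, app_id, op, res, ctr)):
            return False
        self.last_counter[app_id] = ctr  # authenticated: consume the counter even if denied
        return (op, res) in self.permissions.get(app_id, set())


# Constructed keys for the demo; a deployment provisions them out of band.
DEV_KEY = hashlib.sha256(b"constructed demo: device key").digest()
APP_KEY = hashlib.sha256(b"constructed demo: app key").digest()
PORT = b"roadm-1/port/3"


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    ctl = Controller({b"roadm-1": DEV_KEY})
    genuine = mutual_auth(ctl, Device(b"roadm-1", DEV_KEY))
    impostor = mutual_auth(ctl, Device(b"roadm-1", b"\x00" * 32))  # wrong key
    ac = AccessControl({b"monitor": APP_KEY}, {b"monitor": {(b"read_stats", PORT)}})
    t1 = AccessControl.sign_request(APP_KEY, b"monitor", b"read_stats", PORT, 1)
    t2 = AccessControl.sign_request(APP_KEY, b"monitor", b"set_wavelength", PORT, 2)
    allowed = ac.authorize(b"monitor", b"read_stats", PORT, 1, t1)
    replayed = ac.authorize(b"monitor", b"read_stats", PORT, 1, t1)
    overreach = ac.authorize(b"monitor", b"set_wavelength", PORT, 2, t2)  # valid tag, no permission
    return genuine, impostor, allowed, replayed, overreach
```

`demo()` returns `(True, False, True, False, False)`: the genuine device authenticates, the impostor with the wrong key does not, the monitoring app may read port statistics once, the replay of the same signed request is rejected by the counter, and a correctly signed request for an operation outside the app's permission set is denied. The reason a symmetric-only construction like this is cited as quantum-resistant is that Grover's algorithm only halves the effective key length, so 256-bit keys retain roughly 128-bit security; the trade-off a practitioner should note is that static pre-shared keys give no forward secrecy and require a secure out-of-band provisioning path for every device and application.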
Proceedings of the 2018 Workshop on Security in Softwarized Networks: Prospects and Challenges
DOI: https://doi.org/10.1145/3229616 (published 2018-08-07)
Citations: 1
Preventing Malicious SDN Applications From Hiding Adverse Network Manipulations
Christian Röpke, Thorsten Holz
In Software-Defined Networks (SDN), so-called SDN controllers are responsible for managing the network devices building such a network. Once such a core component of the network has been infected with malicious software (e.g., by a malicious SDN application), an attacker typically has a strong interest in remaining undetected while compromising other devices in the network. Thus, hiding a malicious network state and corresponding network manipulations are important objectives for an adversary. To achieve this, rootkit techniques can be applied in order to manipulate the SDN controller's view of a network. As a consequence, monitoring capabilities of SDN controllers as well as SDN applications with a security focus can be fooled by hiding adverse network manipulations. To tackle this problem, we propose a novel approach capable of detecting and preventing hidden network manipulations before they can attack a network. In particular, our method is able to drop adverse network manipulations before they are applied to a network. We achieve this by comparing the actual network state, which includes both malicious and benign configurations, with the network state which is provided by a potentially compromised SDN controller. In case of an attack, the result of this comparison reveals network manipulations which have been removed from the SDN controller's view of the network. To demonstrate the capabilities of this approach, we implement a prototype and evaluate effectiveness as well as efficiency. The evaluation results indicate scalability and high performance of our system, while being able to protect major SDN controller platforms.
DOI: https://doi.org/10.1145/3229616.3229620 (published 2018-08-07)
Citations: 7
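The comparison the abstract describes, as an added example that is not the authors' prototype: a monitor on the southbound channel records every flow-mod the controller actually sends to the switches, rebuilds the real flow tables from them, and diffs that against the tables the controller reports when asked. Rules that are installed but absent from the controller's view are the hidden manipulations; the example drops them and reports them highest-priority first. The rule representation, the `("ADD"|"DELETE", rule)` flow-mod tuple and the sample rules are constructed for this illustration.

```python
"""Detect flow rules hidden from an SDN controller's view.

Added example, not the authors' system: the actual switch state is rebuilt from
observed flow-mod messages and compared with the state a possibly compromised
controller reports. Rule fields, the flow-mod tuple format and the sample rules
are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FlowRule:
    switch: str
    priority: int
    match: Tuple[Tuple[str, str], ...]  # sorted (field, value) pairs
    actions: Tuple[str, ...]


def make_rule(switch: str, priority: int, match: Dict[str, str],
              actions: Iterable[str]) -> FlowRule:
    """Normalise match fields so semantically equal rules compare equal."""
    return FlowRule(switch, priority, tuple(sorted(match.items())), tuple(actions))


def apply_flow_mods(flow_mods: Iterable[Tuple[str, FlowRule]]) -> Set[FlowRule]:
    """Rebuild the actual switch state from flow-mods seen on the southbound channel.

    Hypothetical message format: ("ADD" | "DELETE", rule). A monitor placed between
    controller and switches sees every message, whether or not the controller later
    admits to it.
    """
    state: Set[FlowRule] = set()
    for command, rule in flow_mods:
        if command == "ADD":
            state.add(rule)
        elif command == "DELETE":
            state.discard(rule)
        else:
            raise ValueError(f"unknown flow-mod command {command!r}")
    return state


def hidden_manipulations(actual: Set[FlowRule],
                         controller_view: Set[FlowRule]) -> Tuple[Set[FlowRule], Set[FlowRule]]:
    """Return (hidden, phantom): rules installed but missing from the controller's
    view, and rules the controller claims exist but were never installed."""
    return actual - controller_view, controller_view - actual


def reconcile(actual: Set[FlowRule],
              controller_view: Set[FlowRule]) -> Tuple[Set[FlowRule], List[FlowRule]]:
    """Keep only rules the controller can see; list the dropped (hidden) ones,
    highest priority first, since those are the ones overriding benign rules."""
    hidden, _ = hidden_manipulations(actual, controller_view)
    return actual - hidden, sorted(hidden, key=lambda r: (r.switch, -r.priority))


# Constructed scenario: a benign forwarding rule, a table-miss rule, and a
# higher-priority rule that mirrors one host's traffic to port 3 (the attacker).
BENIGN = make_rule("s1", 100, {"ipv4_dst": "10.0.1.0/24"}, ["output:1"])
TABLE_MISS = make_rule("s2", 0, {}, ["output:CONTROLLER"])
MIRROR = make_rule("s1", 200, {"ipv4_src": "10.0.1.5"}, ["output:1", "output:3"])

OBSERVED_FLOW_MODS = [("ADD", BENIGN), ("ADD", TABLE_MISS), ("ADD", MIRROR)]
# What the compromised controller reports when its flow tables are queried.
CONTROLLER_VIEW = {BENIGN, TABLE_MISS}


def demo() -> Tuple[Set[FlowRule], Set[FlowRule], Set[FlowRule], List[FlowRule]]:
    actual = apply_flow_mods(OBSERVED_FLOW_MODS)
    hidden, phantom = hidden_manipulations(actual, CONTROLLER_VIEW)
    safe, dropped = reconcile(actual, CONTROLLER_VIEW)
    return hidden, phantom, safe, dropped


if __name__ == "__main__":
    for r in demo()[3]:
        print(f"hidden rule on {r.switch}: prio={r.priority} "
              f"match={dict(r.match)} actions={r.actions}")
```

In the constructed scenario the diff flags only the mirroring rule as hidden and reports no phantom rules, and `reconcile` returns the two visible rules as the safe state. The check works only if the monitor's record of flow-mods is independent of the controller: a monitor that obtains the "actual" state by asking the same compromised controller would see the same doctored view, which is why the comparison has to be anchored at the switches or on the channel to them.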
AEGIS
Heedo Kang, Seungwon Shin, V. Yegneswaran, Shalini Ghosh, Phillip A. Porras
An important consideration in Software-defined Networks (SDNs) is that one SDN application, through a bug or API misuse, can break an entire SDN. While previous works have tried to mitigate such concerns by implementing access control mechanisms (permission models) for an SDN controller, they commonly require considerable manual effort in creating a permission model. Moreover, they do not support flexible permission models, and they are often tightly coupled with a specific SDN controller. To address such limitations, we introduce an automated permission generation and verification system called AEGIS. A distinguishing aspect of AEGIS is that it automatically generates flexible permission models and yet is completely separated from an SDN controller implementation. To demonstrate the feasibility of our approach, we implement a prototype, evaluate its completeness and soundness, and examine its usability in the context of popular SDN controllers.
DOI: https://doi.org/10.1145/3229616.3229623 (published 2018-08-07)
Citations: 8
HEX Switch: Hardware-assisted security extensions of OpenFlow
Taejune Park, Zhaoyan Xu, Seungwon Shin
Software-defined networking (SDN) and Network Function Virtualization (NFV) have inspired security researchers to devise new security applications for these new network technologies. However, since SDN and NFV are fundamentally designed for operating a network, they focus only on providing features related to network control. Therefore, it is challenging to implement complex security functions such as packet payload inspection. Several studies have addressed this challenge through an SDN data plane extension, but there were problems with performance and control interfaces. In this paper, we introduce a new data plane architecture, HEX, which leverages existing data plane architectures for SDN to enable network security applications in an SDN environment efficiently and effectively. HEX provides security services as a set of OpenFlow actions, ensuring high performance and the ability to handle multiple SDN actions with a simple control command. We implemented a DoS detector and Deep Packet Inspection (DPI) as the prototype features of HEX using the NetFPGA-1G-CML, and our evaluation results demonstrate that HEX can provide security services at line rate.
DOI: https://doi.org/10.1145/3229616.3229622 (published 2018-08-07)
Citations: 5