Cross-app poisoning in software-defined networking

Benjamin E. Ujcich; Samuel Jero; Anne Edmundson; Qi Wang; Richard Skowyra; James Landry; Adam Bates; William H. Sanders; Cristina Nita-Rotaru; Hamed Okhravi

doi:10.1145/3243734.3243759

Cross-app poisoning in software-defined networking

Benjamin E. Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H. Sanders, Cristina Nita-Rotaru, Hamed Okhravi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane’s integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.

Original language	English (US)
Title of host publication	CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	648-663
Number of pages	16
ISBN (Electronic)	9781450356930
DOIs	https://doi.org/10.1145/3243734.3243759
State	Published - Oct 15 2018
Event	25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada Duration: Oct 15 2018 → …

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Other

Other	25th ACM Conference on Computer and Communications Security, CCS 2018
Country	Canada
City	Toronto
Period	10/15/18 → …

Keywords

Data provenance
Information flow control
Network operating system
Software-defined networking

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3243734.3243759

Fingerprint Dive into the research topics of 'Cross-app poisoning in software-defined networking'. Together they form a unique fingerprint.

Cite this

Ujcich, B. E., Jero, S., Edmundson, A., Wang, Q., Skowyra, R., Landry, J., Bates, A., Sanders, W. H., Nita-Rotaru, C., & Okhravi, H. (2018). Cross-app poisoning in software-defined networking. In CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (pp. 648-663). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3243734.3243759

Cross-app poisoning in software-defined networking. / Ujcich, Benjamin E.; Jero, Samuel; Edmundson, Anne; Wang, Qi; Skowyra, Richard; Landry, James; Bates, Adam ; Sanders, William H.; Nita-Rotaru, Cristina; Okhravi, Hamed.

CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2018. p. 648-663 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ujcich, BE, Jero, S, Edmundson, A, Wang, Q, Skowyra, R, Landry, J, Bates, A , Sanders, WH, Nita-Rotaru, C & Okhravi, H 2018, Cross-app poisoning in software-defined networking. in CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 648-663, 25th ACM Conference on Computer and Communications Security, CCS 2018, Toronto, Canada, 10/15/18. https://doi.org/10.1145/3243734.3243759

Ujcich BE, Jero S, Edmundson A, Wang Q, Skowyra R, Landry J et al. Cross-app poisoning in software-defined networking. In CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2018. p. 648-663. (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/3243734.3243759

Ujcich, Benjamin E. ; Jero, Samuel ; Edmundson, Anne ; Wang, Qi ; Skowyra, Richard ; Landry, James ; Bates, Adam ; Sanders, William H. ; Nita-Rotaru, Cristina ; Okhravi, Hamed. / Cross-app poisoning in software-defined networking. CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2018. pp. 648-663 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{78d0ddde4830491da7dddfb2a4fedf6a,

title = "Cross-app poisoning in software-defined networking",

abstract = "Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane{\textquoteright}s integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.",

keywords = "Data provenance, Information flow control, Network operating system, Software-defined networking",

author = "Ujcich, {Benjamin E.} and Samuel Jero and Anne Edmundson and Qi Wang and Richard Skowyra and James Landry and Adam Bates and Sanders, {William H.} and Cristina Nita-Rotaru and Hamed Okhravi",

note = "Funding Information: This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Defense. Funding Information: This material is based upon work supported by the Maryland Procurement Office under Contract No. H98230-18-D-0007 and by the National Science Foundation under Grant Nos. CNS-1657534 and CNS-1750024.; 25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018",

year = "2018",

month = oct,

day = "15",

doi = "10.1145/3243734.3243759",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "648--663",

booktitle = "CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Cross-app poisoning in software-defined networking

AU - Ujcich, Benjamin E.

AU - Jero, Samuel

AU - Edmundson, Anne

AU - Wang, Qi

AU - Skowyra, Richard

AU - Landry, James

AU - Bates, Adam

AU - Sanders, William H.

AU - Nita-Rotaru, Cristina

AU - Okhravi, Hamed

N1 - Funding Information: This material is based upon work supported by the Department of Defense under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Defense. Funding Information: This material is based upon work supported by the Maryland Procurement Office under Contract No. H98230-18-D-0007 and by the National Science Foundation under Grant Nos. CNS-1657534 and CNS-1750024.

PY - 2018/10/15

Y1 - 2018/10/15

N2 - Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane’s integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.

AB - Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane’s integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.

KW - Data provenance

KW - Information flow control

KW - Network operating system

KW - Software-defined networking

UR - http://www.scopus.com/inward/record.url?scp=85056857465&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056857465&partnerID=8YFLogxK

U2 - 10.1145/3243734.3243759

DO - 10.1145/3243734.3243759

M3 - Conference contribution

AN - SCOPUS:85056857465

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 648

EP - 663

BT - CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

T2 - 25th ACM Conference on Computer and Communications Security, CCS 2018

Y2 - 15 October 2018

ER -