SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets
Top 10% of 2016 papers
Abstract
The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators express and enforce only the minimum required privileges for individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of an app's behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through a prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.