TruSDN: Bootstrapping Trust in Cloud Network Infrastructure

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2016)

Abstract

Software-Defined Networking (SDN) is a novel architectural model for cloud network infrastructure that improves resource utilization, scalability and administration. SDN deployments increasingly rely on virtual switches executing on commodity operating systems with large code bases, which are prime targets for adversaries attacking the network infrastructure. We describe and implement TruSDN, a framework for bootstrapping trust in SDN infrastructure using Intel Software Guard Extensions (SGX), which allows SDN components to be deployed securely and protects communication between network endpoints. We introduce ephemeral flow-specific pre-shared keys and propose a novel defense against cuckoo attacks on SGX enclaves. TruSDN is secure under a powerful adversary model, with a minor performance overhead.

Acknowledgements

This research has been performed within 5G-ENSURE project (www.5GEnsure.eu) and received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 671562 and No. 644814.

Author information

Correspondence to Nicolae Paladi.

Copyright information

© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Paladi, N., Gehrmann, C. (2017). TruSDN: Bootstrapping Trust in Cloud Network Infrastructure. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_6

  • DOI: https://doi.org/10.1007/978-3-319-59608-2_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-59607-5
  • Online ISBN: 978-3-319-59608-2