Cross-App Poisoning in Software-Defined Networking

Benjamin E. Ujcich, Samuel Jero, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, William H. Sanders, Cristina Nita-Rotaru, and Hamed Okhravi.
25th ACM Conference on Computer and Communications Security (CCS'18).
Toronto, Ontario, Canada. October 15, 2018.
(acceptance rate: 16.6%)

Abstract

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations since they must generally access or modify data in a shared control plane state. Without an adequate understanding of how such data propagates within the control plane, apps can co-opt other apps into taking actions on their behalf, poisoning the control plane’s integrity.

We present a new class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app tricks a privileged app into taking actions on its behalf by manipulating the shared control plane state. We demonstrate how existing role-based access control (RBAC) schemes proposed in prior work are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor for IFC policies that prevent CAP attacks. We implement ProvSDN on top of the Security-Mode ONOS SDN controller and demonstrate that information flow can be tracked with low latency overheads.
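To make the abstract's argument concrete, the following is an added toy model (not ProvSDN or ONOS code) of a shared control-plane state in which every write carries provenance and a reference monitor applies an integrity-style IFC policy. The app names (topology, forwarding, stats), the state keys, the action table and the policy are all constructed for illustration. It shows why a per-app RBAC check is not enough: in the third step a privileged app rewrites data that originated with an unprivileged app, so the writer of the final entry is privileged, yet the provenance still records the low-integrity source and the monitor denies the privileged action.

```python
"""Toy provenance-tracked control-plane state with an IFC reference monitor.
Added example; app names, keys, actions and policy are constructed."""
from dataclasses import dataclass

PRIVILEGED, UNPRIVILEGED = 1, 0

# Minimum integrity level of the data each action may be driven by (constructed).
ACTION_LEVEL = {"install_flow_rule": PRIVILEGED, "read_stats": UNPRIVILEGED}


@dataclass(frozen=True)
class Record:
    value: object
    prov: frozenset  # every app that transitively influenced this value


class ProvenanceStore:
    """Shared control-plane state where each entry remembers who influenced it."""

    def __init__(self, app_levels):
        self.levels = dict(app_levels)                 # app -> integrity level
        self.state = {}                                # key -> Record
        self.taint = {a: set() for a in app_levels}    # apps whose data each app read
        self.audit = []                                # monitor decisions

    def read(self, app, key):
        rec = self.state[key]
        self.taint[app] |= rec.prov   # the reader now depends on rec's writers
        return rec.value

    def write(self, app, key, value):
        # A write is influenced by the writer and by everything it read so far.
        prov = frozenset({app} | self.taint[app])
        self.state[key] = Record(value, prov)
        return prov

    def end_transaction(self, app):
        self.taint[app].clear()

    def authorize(self, app, action, key):
        """IFC policy (Biba-style): an action may not be driven by state that
        any app below the action's required integrity level helped produce."""
        rec = self.state[key]
        required = ACTION_LEVEL[action]
        low_sources = sorted(a for a in rec.prov if self.levels[a] < required)
        decision = "deny" if low_sources else "allow"
        self.audit.append((app, action, key, decision, tuple(low_sources)))
        return decision, low_sources


def run_cap_scenario():
    """Legitimate update, direct poisoning, and poisoning laundered via a privileged app."""
    store = ProvenanceStore({"topology": PRIVILEGED,
                             "forwarding": PRIVILEGED,
                             "stats": UNPRIVILEGED})
    results = {}

    # 1. Legitimate: the privileged topology app records where host h1 is attached.
    store.write("topology", "host:h1", "switch1/port1")
    store.end_transaction("topology")
    store.read("forwarding", "host:h1")
    results["legit"] = store.authorize("forwarding", "install_flow_rule", "host:h1")[0]
    store.end_transaction("forwarding")

    # 2. Direct poisoning: an unprivileged app overwrites the same shared entry.
    store.write("stats", "host:h1", "switch2/port3")
    store.end_transaction("stats")
    store.read("forwarding", "host:h1")
    results["direct"] = store.authorize("forwarding", "install_flow_rule", "host:h1")[0]
    store.end_transaction("forwarding")

    # 3. Laundered: topology derives a path from the poisoned entry. RBAC sees
    #    only a privileged writer; provenance still carries the low-integrity source.
    loc = store.read("topology", "host:h1")
    prov = store.write("topology", "path:h1", ["switch1", loc.split("/")[0]])
    store.end_transaction("topology")
    results["laundered_prov"] = sorted(prov)
    store.read("forwarding", "path:h1")
    results["laundered"] = store.authorize("forwarding", "install_flow_rule", "path:h1")[0]
    store.end_transaction("forwarding")

    # 4. Low-integrity data is acceptable input to a low-integrity action.
    results["stats_read"] = store.authorize("stats", "read_stats", "host:h1")[0]
    return results, store.audit


if __name__ == "__main__":
    res, audit = run_cap_scenario()
    for entry in audit:
        print(entry)
    print(res)
```

The monitor decides per action rather than per write, so unprivileged apps are still free to write into shared state; what the policy prevents is a privileged action being driven by that data, which is the CAP pattern the abstract describes. The audit list is what an operator would export to see which low-integrity app contributed to a denied decision.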