Protecting OpenFlow using Intel SGX
Document Type
Conference Proceeding
Publication Date
11-1-2019
Abstract
OpenFlow flow tables in Open vSwitch contain valuable information about installed flows, priorities, packet actions and routing policies. Their importance is emphasized when collocated tenants compete for the limited entries available to install flow rules. OpenFlow flow tables are a security asset that requires confidentiality and integrity guarantees. However, commodity software switch implementations - such as Open vSwitch - do not implement protection mechanisms capable of preventing attackers from obtaining information about the installed flows or modifying flow tables. We adopt a novel approach to enabling OpenFlow flow table protection through decomposition. We identify core assets requiring security guarantees, isolate OpenFlow flow tables through decomposition and implement a prototype using Open vSwitch and Software Guard Extensions enclaves. An evaluation of the prototype on a distributed testbed both demonstrates that the approach is practical and indicates directions for further improvements.
Identifier
85082985337 (Scopus)
ISBN
[9781728145457]
Publication Title
IEEE Conference on Network Function Virtualization and Software Defined Networks Nfv Sdn 2019 Proceedings
External Full Text Location
https://doi.org/10.1109/NFV-SDN47374.2019.9039980
Grant
826093
Fund Ref
Horizon 2020 Framework Programme
Recommended Citation
    Medina, Jorge; Paladiy, Nicolae; and Arlosz, Patrik, "Protecting OpenFlow using Intel SGX" (2019). Faculty Publications. 7248.
    https://digitalcommons.njit.edu/fac_pubs/7248