AbdelRahman Abdou scite author profile

Software defined networking implements the network control plane in an external entity, rather than in each individual device as in conventional networks. This architectural difference implies a different design for control functions necessary for essential network properties, e.g., loop prevention and link redundancy. We explore how such differences redefine the security weaknesses in the SDN control plane and provide a framework for comparative analysis which focuses on essential network properties required by typical production networks. This enables analysis of how these properties are delivered by the control planes of SDN and conventional networks, and to compare security risks and mitigations. Despite the architectural difference, we find similar, but not identical, exposures in control plane security if both network paradigms provide the same network properties and are analyzed under the same threat model. However, defenses vary; SDN cannot depend on edge based filtering to protect its control plane, while this is arguably the primary defense in conventional networks. Our concrete security analysis suggests that a distributed SDN architecture that supports fault tolerance and consistency checks is important for SDN control plane security. Our analysis methodology may be of independent interest for future security analysis of SDN and conventional networks.

show abstract

SoK: Delegation and Revocation, the Missing Links in the Web's Chain of Trust

Chuat

Abdou

Sasse

et al. 2020

View full text Add to dashboard Cite

CPV: Delay-Based Location Verification for the Internet

Abdou

Matrawy

Oorschot

2017

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract-The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates or employing a non-local IP address through proxy and virtual private networks. We devise Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device's presence inside a prescribed geographic region. CPV does not identify devices by their IP addresses. Rather, the device's location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating measured delays. To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client's participating device, and mines these delays for evidence supporting/refuting the asserted location. We evaluate CPV through detailed experiments on PlanetLab, exploring various factors that affect its efficacy, including the granularity of the verified location, and the verification time. Results highlight the potential of CPV for practical adoption.

show abstract

Server Location Verification (SLV) and Server Location Pinning

Abdou

Oorschot

2017

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication (e.g., augmenting TLS) by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any new interoperability conflicts. Additionally, we introduce the notion of (verifiable) server location pinning within TLS (conceptually similar to certificate pinning) to support SLV, and evaluate their combined impact using a server-authentication evaluation framework. The results affirm the addition of new security benefits to the existing SSL/TLS-based authentication mechanisms. We implement SLV through a location verification service, the simplest version of which requires no serverside changes. We also implement a simple browser extension that interacts seamlessly with the verification infrastructure to obtain realtime server location-verification results.

show abstract

Accurate One-Way Delay Estimation With Reduced Client Trustworthiness

2015

View full text Add to dashboard Cite

Abstract-The requirement for accurate one-way delay (OWD) estimation lead to the recent introduction of an algorithm enabling a server to estimate OWDs between itself and a client by cooperating with two other servers, requiring neither clientclock synchronization nor client trustworthiness in reporting one-way delays. We evaluate the algorithm by deriving the probability distribution of its absolute error, and compare its accuracy with the well-known round-trip halving algorithm. While neither algorithm requires client-trustworthiness nor client clock synchronization, the analysis shows that the new algorithm is more accurate in many situations.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.