Richard Skowyra scite author profile

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane's integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads. CCS CONCEPTS • Security and privacy → Access control; Information flow control; Information accountability and usage control; • Networks → Programmable networks; KEYWORDS software-defined networking; data provenance; information flow control; network operating system * DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.

show abstract

Software-Defined IDS for securing embedded mobile devices

Skowyra

Bahargam

Bestavros

2013

View full text Add to dashboard Cite

Abstract-The increasing deployment of networked mobile embedded devices leads to unique challenges communications security. This is especially true for embedded biomedical devices and robotic materials handling, in which subversion or denial of service could result in loss of human life and other catastrophic outcomes.In this paper we present the Learning Intrusion Detection System (L-IDS), a network security service for protecting embedded mobile devices within institutional boundaries, which can be deployed alongside existing security systems with no modifications to the embedded devices. L-IDS utilizes the OpenFlow SoftwareDefined Networking architecture, which allows it to both detect and respond to attacks as they happen.

show abstract

Address Oblivious Code Reuse: On the Effectiveness of Leakage-Resilient Diversity

Rudd

Skowyra

Bigelow

et al. 2017

View full text Add to dashboard Cite

BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

Jero

Nita-Rotaru

et al. 2017

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Richard Skowyra

Effective Topology Tampering Attacks and Defenses in Software-Defined Networks

Cross-App Poisoning in Software-Defined Networking

Software-Defined IDS for securing embedded mobile devices

Address Oblivious Code Reuse: On the Effectiveness of Leakage-Resilient Diversity

BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

Contact Info

Product

Resources

About