TruSDN: Bootstrapping Trust in Cloud Network Infrastructure
Software-Defined Networking (SDN) is a novel architectural model for cloud network infrastructure, improving resource utilization, scalability and administration. SDN deployments increasingly rely on virtual switches executing on commodity operating systems with large code bases, which are prime targets for adversaries attacking the network infrastructure. We describe and implement , a framework for bootstrapping trust in SDN infrastructure using Intel Software Guard Extensions (SGX), allowing to securely deploy SDN components and protect communication between network endpoints. We introduce ephemeral flow-specific pre-shared keys and propose a novel defense against cuckoo attacks on SGX enclaves. is secure under a powerful adversary model, with a minor performance overhead.
Keywords:Software Defined Networking, trust, integrity, virtual switches
Renewed and widespread interest in virtualization – along with proliferation of cloud computing – has spurred a series of innovations, allowing cloud service providers to deliver on-demand compute, storage and network resources for highly dynamic workloads. Consequently, more hardware and virtual components are added to already large networks, complicating network management. To help address this, SDN emerged as a novel network architecture model. Separation of the data and control planes is its core principle, allowing network operators to implement high-level configuration goals by interacting with a single network controller, rather than configuring discrete network components. The controller applies the configuration to the network edge, i.e. to its global view of the data plane gude:2008 (). Data and control plane separation in SDN challenges network infrastructure security best practices evolved in the decades since packet-switched digital network communication gained popularity kreutz:2013 (), paladi:2015 ().
In the cloud infrastructure model, SDN allows tenants to configure complex topologies with rich network functionality, managed by a network controller. The availability of a global view of the data plane enables advanced controller capabilities – from pre-calculating optimized traffic routing to managing applications that replace hardware middleboxes. However, these capabilities also make the controller a valuable attack target: once compromised, it yields the adversary complete control over the network porras:2015 (). The global view itself is security sensitive: an adversary capable of impersonating network components may distort a controller’s global view and influence network-wide routing policies hong:2015 ().
Virtual switches are another category of security sensitive components in SDN deployments. They execute on commodity operating systems (OS) and are often assigned the same trust level and privileges as hardware switches – specialized network components with compact embedded software qazi:2013 () or application-specific integrated circuits. Commodity OS are likely to contain security flaws which can be exploited to compromise virtual switches. For example, their configuration can be modified to disobey the protocol, breach network isolation and reroute traffic to a malicious destination or compromise other network edge elements through lateral attacks. Such risks are accentuated by the extensive control a cloud provider has over the infrastructure of its tenants.
Security and isolation of tenant infrastructure can be strengthened by confining select SDN components to trusted execution environments (TEE) and attesting their integrity before provisioning security-sensitive data. TEEs with strong security guarantees can be built using SGX, a set of recently introduced extensions to the x86 instruction set architecture and related hardware anati:2013 (); mckeen:2013 (). Earlier work used SGX to protect computation in cloud environments, by executing modified OS instances in SGX enclaves baumann:2014 () or a data processing framework in a set of SGX enclaves schuster:2015 (). However, while both of the above efforts highlighted the need to secure network communication, they did not address it.
This paper makes the following contributions:
We present , a framework to bootstrap trust in SDN infrastructure.
We introduce flow-specific pre-shared keys for communication protection.
We describe the implementation and a performance evaluation of .
We introduce the system model in Section 0.2, describe the adversary model in Section 0.3 and the design of in Section 0.4. In Section 0.5 we provide a security analysis, describe the prototype implementation and performance evaluation in Section 0.6 and review the related work in Section 0.7. We discuss future work in Section 0.8 and conclude in Section 0.9.
0.2 System Model
In this section we describe the SDN architectural model and the SDN deployment layers. Furthermore, we describe the use of TEEs based on Intel SGX.
0.2.1 Software Defined Networking
The data plane includes hardware and software switch implementations. Software switching is used in cloud deployments due to its scalability and configuration flexibility. Figure 2 illustrates the software switching approaches for communication between two collocated endpoints. In a typical switch implementation, its kernel-space component is optimized for forwarding performance, lacks decision logic and only forwards packets matching rules in its forwarding information base (FIB) nadeau:2013 (). The FIB comprises packet forwarding rules deployed to satisfy network administrator goals. Mismatching packets are discarded or redirected to the control plane through the southbound API. While the data plane uses complementary functionality of both virtual and physical switches, the role of the latter is often reduced to routing IP-tunneled traffic between hypervisors pfaff:2015 (). In this paper we do not address control of hardware switches and traffic routing between hosts; we assume that the physical network provides uniform capacity across hosts, based on e.g. equal-cost multi-path routing hopps:2000 (), such that if multiple equal-cost routes to the same destination exist, they can be discovered and used to provide load balancing among redundant paths. Overlay networks – e.g. VLANs or GRE farinacci:1994 () – are used for communication between endpoints. In this work, we focus exclusively on software switching and use the term “switch” to denote a virtual, software implementation. We refer to hardware switch implementations as “hardware switches”.
In the control plane, high-level network operator goals are translated into discrete routing policies based on the global network view, i.e. a graph representation of the virtual network topology. The main component of a control plane is the network controller, which we define as follows:
Network Controller (NC) is a logically centralized component that manages network communication in a given deployment by updating the FIB with specific forwarding rules. The NC compiles forwarding rules based on three inputs: the dynamic global network view, the high-level configuration goals of the network operator, and the output of the network management applications.
The NC is typically implemented as part of a logically centralized network OS, which builds and maintains the global network view and may include a network hypervisor, to multiplex network resources among distinct virtual network deployments.
Southbound API is a set of vendor-agnostic instructions for communication between data and control planes. It is often limited to flow-based traffic control of the data plane, with management done through a configuration database pfaff:2015 ().
Network operators use network management applications (NMAs), e.g. firewalls, traffic shapers, etc., to configure the network using high-level commands.
0.2.2 Deployment layers
We next describe the deployment layers of SDN infrastructure (Figure 4).
The hardware layer includes infrastructure for data transfer, processing and storage and is comprised of network hardware (including hardware switches and communication channels), hardware server platforms and data storage.
The infrastructure layer includes software components for virtualization and resource provisioning to infrastructure users, referred to as tenants. For network resources, this layer includes the network hypervisor, which creates network slices by multiplexing physical network infrastructure between tenants. Infrastructure providers expose a slice (i.e. a quota) of network resources to the tenants.
The service layer includes components controlled by tenants. Network components operated by tenants are grouped into network domains, comprising the virtual network resources and topologies that logically belong to the same organizational unit and network slice, and perform related tasks or provide a common service. The network hypervisor ensures that a tenant’s control plane can only control switches in its own slice. Within their slice, tenants have exhaustive creation, destruction and configuration privileges over components, such as instances of switches, the NC, NMAs and network domains. We define three logical communication segments (Figure 4): between the network controller and switches ( segments); among the switches on each host ( segments); between host-local switches and network endpoints ( segments).
The user layer includes endpoint consumers of network services, e.g. virtualization guests, containers and applications in a network domain.
0.2.3 Trusted Execution Environments
The proposed solution relies on TEEs that both provide strong isolation and allow remote code and data integrity attestation. Such a TEE can be created using Intel SGX enclaves (introduced in anati:2013 (); mckeen:2013 ()) during OS runtime and relies for its security on a trusted computing base (TCB) of code and data loaded at build time, processor firmware and processor hardware. At build time, the CPU measures the loaded code, data and memory page layout. At initialization time, the CPU produces a final measurement, after which the enclave becomes immutable and cannot be externally modified. The CPU maintains the measurement throughout the enclave’s lifetime to later assert the integrity of the enclave contents. Processor firmware is the root of trust (ROT) of an enclave. It prevents access to the enclave’s memory segment by either the platform OS, other enclaves, or other external agents. Enclaves operate in a separate memory region inaccessible to non-enclave processes, called the enclave page cache (EPC). Multiple mutually distrusting enclaves can operate on the platform. The processor enforces separation of memory access among enclaves based on the layout in the EPC map. Program execution within an enclave is transparent to both the underlying OS and other enclaves.
Remote attestation allows an enclave to provide integrity guarantees of its contents anati:2013 (). For this, the platform produces an attestation assertion with information about the identity of the enclave and details of its state (e.g. the mode of the software environment, associated data, and a cryptographic binding to the platform TCB making the assertion). For intra-platform attestation (i.e. between enclaves on the same platform), the reporting enclave (reporter) invokes the EREPORT instruction to create a REPORT structure with the assertion and calculate a message authentication code (MAC), using a report key, known only to the target enclave (target) and the CPU. The structure contains a user data field, where the reporter can store a hash of the auxiliary data provided. The target recomputes the MAC with its report key to verify the authenticity of the structure, and compares the hash in the user data with the hash of the auxiliary data, to verify its integrity. Enclaves then use the auxiliary data to establish a secure communication channel. For inter-platform attestation the remote verifier first sends a challenge to the enclave platform, where the challenge is complemented with the indentity of a quoting enclave (QE) and forwarded to the reporter, which appends the challenge response to the REPORT and attests itself to the QE. The QE verifies the structure, signs it with a platform-specific key using the enhanced privacy ID group signature scheme (EPID) brickell:2012 () and returns it to the verifier, to check the authenticity of the signature and the report itself anati:2013 (). The use of the EPID scheme is part of the SGX implementation and allows to maintain the privacy of the platform which hosts the enclave.
0.3 Adversary Model
We now describe the adopted adversary model, as well as the core security assumptions on which we base our design. The adversary model we adopt can be described by the capabilities of the adversary at the network and platform levels respectively (overview in Table 1).
0.3.1 Network infrastructure
For SDN infrastructure, we adopt the adversary model introduced in dolev:1983 () and extended with SDN-specific attack vectors in paladi:2015 (). We assume a powerful adversary (), which controls the cloud deployment network infrastructure; it can intercept, record, forge, drop and replay any message on the network, and is only limited by the constraints of the employed cryptographic methods. Particularly, the may forge messages that do not match any of the rules installed in the FIB. Furthermore the may create own instances of switches and launch Sybil attacks douceur:2002 () and launch other types of topology poisoning attacks hong:2015 () to distort the global network view. Finally, can store arbitrary quantities of intercepted communication and attempt its decryption with encryption keys intercepted or leaked at a later point. It can analyze the traffic patterns in the network through passive probing and may disrupt or degrade network connectivity to achieve its goals. We explicitly exclude Denial-of-Service attacks on the SDN infrastructure.
Intercept, record, forge, drop,
Analyze the traffic patterns;
Disrupt or degrade network connectivity;
Launch topology poisoning attacks
Control non-processor hardware;
Control software stack OS, hypervisor;
Deploy arbitrary software components;
“Cuckoo attack”: Forward function calls
to compromised SGX enclaves;
Return arbitrary values to system calls
Attacks on shielded execution;
|Excplicitly excluded||Denial-of-Service (DoS) attacks||Side-channels: power analysis; DoS attacks|
On the hardware level, we assume the processor is correctly implemented and remains uncompromised; furthermore, we assume a reliable and secure source of random numbers (which can be provided by the CPU). has full control over the remaining hardware, including memory, I/O devices, periferials, etc. Similarly, fully controls the software stack, including the platform OS and the hypervisor. This implies that may pause indefinitely the execution of the code in the TEE and return arbitrary values in response to OS system calls. However, a deployment orchestrator and NC execute under tenant control, on a fully trusted platform and software stack. We exclude side-channel attacks. While some side-channel attacks – e.g. timing, cache-collision, controlled channel attacks – can be mitigated through software modification xu:2015 (), preventing other side-channel attacks – such as power analysis – requires hardware modifications. An with advanced capabilities may leverage its full control over the OS to utilize the class of known attacks on shielded execution; while we do not address such attacks, they have known countermeasures checkoway:2013 (); baumann:2014 ().
SGX, similar to other trusted computing solutions, is vulnerable to cuckoo attacks parno:2008 (). In one attack scenario, malware on the target platform forwards the messages intended for the local SGX enclave () to a remote enclave under ’s physical control (malicious enclave, ). Having physical access to , can apply hardware attacks to violate its security guarantees. As a result, controls all communication between the verifier and , with access to an oracle that provides all of the answers a benign would, but without its expected security properties.
Briefly, the adversary model for platform security largely matches the remote administrator capabilities of an infrastructure cloud provider.
0.4 Solution Description
In this section we present , a framework for bootstrapping trust in SDN deployments. Its goal is to allow tenants to securely deploy computing tasks and create virtualized network infrastructure deployments, given the adversary model defined in Section 0.3. To satisfy this goal, the framework must satisfy the following set of requirements:
Authentication: communication in the domain must the authenticated, and a secure enrollment mechanism for data plane components must be in place.
Topology integrity: the NC must be protected from network components that attempt to distort the global network view.
Component integrity: integrity of switches must be attested prior to enrollment and the cryptographic material required for their network access must be protected with a hardware ROT.
Confidentiality protection of domain secrets: network domain secrets – such as VPN session keys – should not be revealed to the .
Protected network communication: network communication in the tenant domain must be confidentiality and integrity protected.
0.4.1 TruSDN overview
We begin by introducing the building blocks of (Figure 5).
Trusted Execution Environments:
uses TEEs that guarantee secure execution in the given adversary model, assuming the CPU and executed code are correctly implemented.
Protected Compute Tasks:
Security sensitive compute tasks (CT) are deployed in TEEs. Such tasks include all operations that tenants aim to protect from the . However, CTs rely on the untrusted OS for I/O and support functionality.
Protected Data Plane:
Switches are deployed in TEEs – they route traffic between CTs according to forwarding rules communicated through secure channels and maintained in the FIB. The FIB of the switches, and the key material necessary to establish the secure channels are stored in TEEs.
Attested code in TEEs:
An orchestrator under tenant control attests the TEEs during network infrastructure deployment, to ensure integrity of the deployed code and data before keys or key material are provisioned to the respective TEE.
In a typical deployment scenario, the tenant invokes an orchestrator to deploy a switch bootstrap application on the hosts in the tenant’s domain. The bootstrap application invokes a host-local SGX driver to build an SGX enclave containing a switch. Next, the orchestrator attests the created enclave (as described in Section 0.2.3) prior to enrolling the switch with the NC. The orchestrator uses the enclave’s public key from the attestation quote to securely transfer the enclave-specific integrity and confidentiality protection session keys used to establish a protected communication channel between the NC and the TEE. Finally, the NC communicates any remaining security-sensitive payload to the created TEE, e.g. the initial FIB. Next, CTs are deployed in TEEs on the host and the switch forwards packets between the CTs, matching them against the rules in the FIB. Mismatching packets are forwarded to the NC, which may update the FIB with new rules. For clarity, we assume the orchestrator and NC are collocated on a platform under tenant control and view both as a single component, further referred to as “NC”.
protects the communication between CTs, between switches and the NC, as well as among the switches, in the above adversary model. Communication security is ensured using confidentiality and integrity protection keys provisioned to authenticated network components and endpoints executing in TEEs. Furthermore, leverages SDN principles to introduce a novel mechanism – per-flow communication protection using ephemeral flow-specific pre-shared keys (PSKs).
0.4.2 Cryptographic Primitives
We now define the cryptographic primitives and notations used in the remainder of this paper. We denote by the set of all binary strings of length , and by the set of all finite binary strings. In a set , we refer to the element as , and use the following notation for cryptographic operations:
Given an arbitrary message , we denote by a symmetric encryption of using the secret key . The corresponding symmetric decryption operation is .
We denote by a public/private key pair for a public key encryption scheme. We denote by the encryption of message with the public key , and the decryption by .
We denote a digital signature over a message by and the corresponding verification of a digital signature by , where if the signature is valid and otherwise.
We denote a Message Authentication Code () using a secret key over a message by .
We next describe key sharing and communication protection mechanisms on the identified logical segments. Table 2 summarizes the keys used by .
|NC||NC, switch||Enclave-specific session, segment|
|NC||NC , switch||Domain-specific session, segment|
|NC||NC, switch||Ephemeral session key|
|NC||NC, switch||Ephemeral MAC key|
|switch||public||Public key of the switch enclave|
|switch||switch||Private key of the switch enclave|
|CT||public||Public key of the compute task|
|CT||CT||Private key of the compute task|
|vendor||public||Public key of the quoting enclave|
|vendor||vendor, QE||Private key of the quoting enclave|
|NC||NC, CT, CT||Ephemeral flow-specific pre-shared key|
0.4.3 SDN Trust Bootstrapping and Secure Communication
The first step in deploying a infrastructure is to launch a set of trusted switches for connectivity and topology building. The NC requests the creation of switch enclaves to deploy switches in TEEs on hosts in its domain. Switches are deployed based on parameters provided by the NC in plaintext (application code and configuration). Next, the NC attests the integrity of switch enclaves and only enrolls the successfully attested ones (Figure 6). A TEE is attested following the protocol introduced in anati:2013 (). With however, the reporter generates an enclave-specific public-private keypair and submits its public key along with the attestation data; a hash of the public key is stored in the user data field. The switch enclave is only enrolled to the global network view if its reported state matches the one expected by NC.
Having attested enclave , NC communicates an (Table 3) with the enclave-specific pre-shared key and domain-specific pre-shared key , encrypted with an ephemeral key . Switches within a domain use to protect communication on segments. The appends a MAC of the message calculated with and encrypts the keys with .
Once switches are deployed and enrolled, tenants may configure the network topology using the NC to update the switch FIBs. Communication on segments – e.g. FIB updates or unmatched packets forwarded to the NC – is protected using the session key (e.g. using TLS eronen:2005 ()), which never leaves the TEE.
Similarly, a secure channel is established among the switches within the same domain, using the pre-shared key , to protect communication between switches on different hosts (e.g. TEEs 1.2 and 2.3 in Figure 5). never leaves the TEEs, has a limited validity time and is periodically redeployed by the NC. On segments, traffic may traverse multiple hardware switches, forwarded to the host over tunnels deployed on top of a standard routing protocol (e.g. hopps:2000 ()).
Next, the tenant may deploy CTs in TEEs and attest their integrity using the very same scheme and principles as for the switch deployment described above. The CTs and the network controller use the to establish a secure communication channel (e.g. TLS).
Once the NC has deployed and attested the TEEs with switches and CTs, intra-host communication (i.e. between two CT enclaves on the same host) is straightforward (Figure 7): when a packet sent from C1 (e.g. a TLS ClientHello message) reaches the local host switch A, it attempts to match m against a FIB entry; if no suitable flow rule is present, the switch forwards to NC, which processes the packet, generates and deploys on the CTs C1, C2 a flow-specific pre-shared key and finally updates the switch FIB with , after which steps 2 and 3 are ignored; once the FIB is updated, the switch forwards to C2, which continues the message exchange and uses to protect the communication with C1, using e.g. TLS with a PSK ciphersuiteeronen:2005 ().
Communication between CTs C1 and C3 deployed on distinct hosts is similar, with the only notable difference that the NC updates the FIB of the local switches on both hosts where C1, C3 are deployed.
In the above scenarios leverages two aspects of the SDN model – (1) the deployment has a central authority (the NC) and (2) the first packet of a flow is forwarded to the central authority – to deliver on demand ephemeral PSKs to communication endpoints. This allows to relax the need for high-quality entropy being available to CTs (a known issue in virtualized environments ristenpart:2010 ()). Furthermore, this approach ensures communication security without compromising packet visibility – having control over the keys used to protect communication between the CTs allows the NC to maintain fine-grained insight into the traffic.
0.4.4 Preventing Cuckoo Attacks
To prevent cuckoo attacks parno:2008 (), we propose a solution that leverages cryptographic properties of the EPID scheme used by the QE brickell:2012 () and the SIGn and Message Authentication (SIGMA) protocol walker:2011 (), which are both part of the Intel SGX implementation. The EPID scheme supports two signature modes: fully anonymous mode – the verifier cannot associate a given signature with a particular member of the group; pseudo-anonymous mode – the verifier can determine whether it has verified the platform previously. The unlinkability property distinguished in the two modes depends on the chosen base. A signature includes a pseudonym , where is the base chosen for a signature and revealed during the signature; is unique per member and private. For a random base , the pseudonym is – in this case the signatures are unlinkable. For a name base, the pseudonym is , where is the name of the verifier – in this case the signatures remain unlinkable for different verifiers, while signatures with a common can be linked. For privacy reasons, the EPID scheme currently implemented in Intel SGX accepts name base pseudonyms only from verifiers authorized by the EPID authority ruan:2014 (), which is done by provisioning qualified verifiers with an X.509 certificate – e.g. an intermediate certification authority (CA) certificate – signed by the EPID authority acting as root CA.
We propose the following algorithm to prevent cuckoo attacks. At deployment time, the EPID authority issues, to an authorized verifier , an intermediate CA verifier certificate for the platforms in the cloud provider’s data center. Next, attests its platforms following the SIGMA protocol and publishes a list of resulting platform EPID signatures and the signature name base, . To guard against cuckoo attacks, tenants first request to issue an X.509 certificate and enable them to become authorized verifiers. Next, tenants choose the same pseudonym base (and a private ), follow the SIGMA protocol, and verify that the resulting signature is linkable to a signature in the published list. The cloud provider has multiple tools to protect platform privacy and prevent untrusted tenants from fingerprinting the platform infrastructure, e.g. limiting the validity of issued certificates, changing the name base, etc. Considering that the EPID scheme is currently not implemented in the SGX emulation software we used for prototyping, we intend to describe the implementation of the above algorithm in a follow-up report.
0.5 Security Analysis
In this section we analyze the security properties of the proposed framework in the adversary model described in Section 0.3. On the network level, many of the capabilities are thwarted by first authenticating the switches deployed on the data plane, as well as the network edge (i.e. the compute tasks that generate or receive the network traffic), in combination with confidentiality and integrity protection of the traffic on the three identified segments. Authenticating the network components prevents topology poisoning attacks (a countermeasure mentioned in hong:2015 ()), while confidentiality and integrity protection of all of the network traffic in the deployment prevents the from either learning the contents of the exchanged packets or successfully forging packets. The may in this case still intercept and record messages. However, collecting encrypted traffic does not yield the any more information about the contents of the exchanged packets. Similarly, the does not gain an advantage by simply dropping or replaying messages, since these actions would at most simply reduce the channel capacity (as would the ability of the to disrupt network connectivity). Finally, the proposed framework does not prevent the analyzing the traffic patterns and does not prevent it from fingerprinting the components of the deployment, making it vulnerable to rule scanning and denial of service attacks. While the goals of did not include this, such traffic analysis could be prevented using anti-fingerprinting techniques, as proposed in bifulko:2015 ().
On the platform level, the security of the proposed framework relies to a large extent on the security properties of Intel SGX enclaves. This allows to protect the execution of switches and network edge components deployed in TEEs from the capabilities of an controlling non-processor hardware, the software stack of the OS and the hypervisor. Similarly, pausing execution of switches executing in TEEs, while possible, would have no further effect than degrading network connectivity, already discussed above. While the may attempt to deploy own arbitrary components on the data plane or the network edge in order to launch Sybill attacks, the integrity of such components would not be successfully attested, unless they are identical to legitimate components, which are assumed to be executing correctly – rendering Sybill behavior impossible. The is prevented from launching cuckoo attacks by enabling tenants to verify the platforms, as described in Section 0.4.4. As presented in Table 1, several relevant classes of attacks are not addressed by , but have known mitigations, namely cache-collision, controlled channel and attacks on shielded execution (addressed in xu:2015 (); schuster:2015 ()). The capability of the to return arbitrary values to system calls, while not addressed in this work, can be mitigated by a validation component as described in baumann:2014 ().
0.6 Implementation and Evaluation
We now describe the implementation and evaluation of .
The prototype deployment follows the design presented in Section 0.4 and is illustrated in Figure 8. Host 1 and Host 2 are instances of Ubuntu OS 15.04. In each instance, we deployed Linux Containers111Linux Containers Project Website: https://linuxcontainers.org/, similarly based on Ubuntu OS 15.04. Containers create an environment with own process and network space, implemented using namespaces, with a distinct user ID, network stack, mount points, file systems, processes, inter-process communication, and hostname. We chose containers to facilitate prototype implementation, using their lightweight process isolation. Containers are part of the untrusted OS and this implementation choice is orthogonal to the security of . Compute tasks are deployed in TEEs created using SGX enclaves (Figure 8): enclaves E1, E2, E4, E5 are placed respectively within containers C1, C2, C3, C4. The switches are deployed in TEEs created using SGX enclaves (enclaves E3, E6 in Figure 8).
Considering that platforms with hardware and software support for SGX were not publicly available at the time of writing, we used OpenSGX prerit:2016 () to emulate the TEEs. It is a software SGX emulator and a platform for SGX development, implemented using binary translation of QEMU and emulating Intel SGX hardware components at instruction level. It includes emulated hardware and OS components, enclave program loader, the OpenSGX user libraries, debugging and performance monitoring support. The emulator allows to implement, debug, and evaluate SGX applications, but does not support binary compatibility with Intel SGX. Furthermore, OpenSGX does not implement all instructions, e.g. debugging instructions. While OpenSGX does not provide security gurantees, it allows us to obtain performance estimates for the proposed approach. We used mbedTLS222mbed TLS project website https://tls.mbed.org/ v1.3.11 (distributed with the emulator) for attestation of the SGX enclaves. We used OpenSSL v1.0.2d (distributed with the emulator) to set up protected communication channels between the CT enclaves and the local switches, and among switches within the same domain.
An SDN network controller is deployed in a third instance (Host 3). We used the Ryu333Ryu SDN framework: https://osrg.github.io/ryu/ SDN framework, due to its flexibility and versatile APIs.
We now analyze the performance impact, present evaluation results and discuss aspects that cannot be measured with the current prototype.
Sources of Performance Impact
introduces several potential sources of performance impact (Table 4). We distinguish between transient performance overhead, which occurs occasionally (e.g. TLS key negotiation) and continuous performance overhead, present throughout the infrastructure operation. We do not consider the one-time cost of infrastructure deployment, e.g. provisioning the software, attesting TEEs and enrolling the components.
|TLS negotiation all segments||transient||Negotiate session keys for TLS|
|PSK distribution||transient||Distribute PSK for segments|
|TLS protection all segments||continuous||Overhead induced by TLS|
|Compute task execution in TEEs||continuous||Overhead induced by TEE|
|Switch execution in TEEs||continuous||Overhead induced by TEE|
Measured Performance Impact
To evaluate the performance impact, we measured the footprint of establishing TLS sessions on and segments. We used iperf, openssl s_time and an own Ryu application (Table 5).
TLS overhead on the segment:
We measured the round-trip latency of packets sent in plaintext and with TLS, over 1000 tests, each request sending messages of 100 bytes with the 80 bit OpenFlow header. Furthermore, we measured the data transfer rates for plaintext and TLS communication. Use of TLS increased total transfer time by 14.2% and reduced the transfer rate by 15.98%.
|Total transfer time, ms||0.4||1.1||0.66||0.7||0.07|
|Total transfer time w. , ms||0.5||7.1||0.8||0.8||0.22|
|overhead, total transfer time||21.2%||14.2%|
|Transfer rate, bytes per second||1225||2095||1595||1583||98.07|
|Transfer rate w. , bytes per second||919||1589||1338||1330||64.86|
|overhead, transfer rate||16.11%||15.98%|
|First packet latency||1.53||6.50||3.48||3.38||0.42|
|First packet latency w.||3.35||10.7||5.37||5.14||0.93|
|overhead, first packet latency||54.31%||52.07%|
|TLS handshake, ms||36.53||77.72||67.97||67.48||7.42|
|TLS handshake w. , ms||52.35||76.44||67.15||66.53||3.93|
|overhead, TLS handshake||-2.21%||-2.41%|
|Key generation NC, ms||0.11||0.51||0.178||0.16||0.04|
|Key distribution , ms||0.37||1.06||0.54||0.53||0.08|
|Key total , ms||0.50||1.30||0.71||0.7||0.11|
Delay on segment
As mentioned above, the first packet of the flow is intercepted by the switch and forwarded to the NC in a packet_in message pfaff:2012 (). At this point the NC processes the flow and installs a flow rule on the switch. extends this procedure by generating and distributing to the communicating CTs a pre-shared key, to be used for communication protection. Since this must be done prior to both forwarding the message to the destination CT and installing the flow rule, generating and distributing the PSK would normally delay the installation of the flow rule and increase the latency of the first packet (all subsequent packets are forwarded according to the flow rule). To measure the introduced delay, we have sequentially established 1000 TLS sessions between compute tasks C1 and C2 (according to Figure 8). After each TLS session, we flushed the installed flow rules (with ovs-ofctl del-flows br0), which resulted in a packet_in message upon each new session. The latency of the first packet is shown in Figure 10, and compared against the latency of a first packet without the extension.
The induced delay is primarily caused by two operations performed by the NC: generating a 256-bit PSK and distributing it to the CTs. Figure 10 displays a fine-grained picture of the induced delay. Key generation lasted on average 0.178 ms, while key distribution on average 0.54 ms (Table 5). We remind that the test environment is fully virtualized and posit that overhead of key generation can be reduced in a production environment, either by using pre-generated keys or with specialized hardware (e.g. crypto processors). In our tests, the duration of establishing a TLS session with ephemeral flow-specific pre-shared keys using the PSK-AES256-CBC-SHA cipher suite was 2.41% less compared to the use of e.g. ECDH-RSA-AES128-SHA256. Thus, enables flexible use of pre-shared keys, which in turn reduces the duration of the TLS handshake, by avoiding expensive public key cryptographic operations kuo:2006 (). Moreover, it reduces the CPU utilization for key derivation in CTs, at the cost of a minimal flow rule installation delay. The above approach may be applicable to other protocols. For example, none of the differences between the datagram TLS (DTLS) and TLS protocols specified in rfcdtls:2012 () indicate that the above approach is incompatible with DTLS. We leave further investigation for future work.
Unmeasured Performance Overhead
Implementing TEEs with OpenSGX limits the level of detail when it comes to performance evaluation, since: (a) the OpenSGX emulator is not binary compatible with Intel SGX prerit:2016 (); (b) in its current version444Commit e0713c7 on https://github.com/sslab-gatech/opensgx and unlike Intel’s description of SGX anati:2013 (), OpenSGX has yet to implement support multithreaded applications555Issue #34 on https://github.com/sslab-gatech/opensgx/issues/34. Thus, a fully accurate measurement on TruSDN performance cannot be done until Intel SGX hardware and software is made available. However, we believe our experiments yield a fair picture of the expected performance impact.
0.7 Related work
Kreutz et al. presented a list of attack vectors in SDN kreutz:2013 () (forged traffic flows, vulnerabilities in switches and NCs, lack of trust establishment mechanisms, etc.). However, only part of the described attack vectors are exclusively relevant to SDN networks and no specific solutions are proposed. Work in paladi:2015 () introduced an adversary model, attack vectors, and security requirements towards multi-tenant SDN infrastructure, highlighting the need to limit the effect of NC vulnerabilities, protect internal SDN communication, verify integrity of SDN components prior to enrollment, and enforce policy and quota isolation. addresses several of the attack vectors described in kreutz:2013 (); paladi:2015 ().
Secure SDN controllers:
The “NOX” network OS gude:2008 () presents NMAs with a centralized programming model, allowing to operate with higher-level abstractions and apply graph processing algorithms to compute paths. It consists of several controller processes which use the global view for network management decisions and update switch FIBs over the OpenFlow API mckeown:2008 (). FortNOX porras:2012 () extends NOX with role-based authorization (RBA) and enforcement of security constraints. It translates high-level threats into flow rules to handle suspicious traffic as well as detects rule conflicts, resolves them depending on the authorization of the rule requestor and enforces least privilege authorization. Neither NOX nor FortNOX address malicious network components and Sybill attacks, addressed by . “Rosemary” NOS shin:2014 () uses NMA sandboxing to improve network resilience, by launching each NMA in a separate process context with access to the required libraries, along with a resource monitor to supervise NMA compliance. It does not address data plane security; complements it and creates a foundation for trusted deployment of a secure NOS. TopoGuard hong:2015 () detects network topology poisoning and mitigates this through port property management, network edge probing and verification of topology updates. complements this by verifying the integrity of switches prior to enrollment into the topology.
Software Guard Extensions:
SGX was introduced in mckeen:2013 () with a description of the software model, extensions to the x86 ISA and hardware modifications for isolated execution; work in anati:2013 () described CPU based attestation. SGX-based solutions in a cloud setting are first described in baumann:2014 (); schuster:2015 (). “Haven”baumann:2014 () is a modified version of Windows 8 OS ported to an SGX enclave, evaluated with Apache Web Server and SQL Server using synthetic data sets. It includes a mechanism to protect the enclave from a malicious kernel and a semantically secure data store protecting data and file metadata confidentiality against malicious hosts. protects network communication for a similar adversary model. While we deploy compute tasks in SGX enclave-based TEEs, the work in baumann:2014 () is largely complementary, and similar “Haven”-like OSs could be used.
“VC3” schuster:2015 () is a Map-Reduce deployment using SGX enclaves. Map and reduce functions are compiled into private (encrypted) code and public code implementing key exchange and job execution protocols. Code is initialized in enclaves and attested by the users. Public code performs the key exchange, decrypts the private code and runs the job execution protocol. To defend against cuckoo attacks, cloud quoting enclaves are created on each platform in the cloud provider data centers, to “countersign” quotes produced by the QE. The approach is largely complementary to protecting communication between CTs with . However, the proposed defense against cuckoo attacks increases the complexity of the attestation protocol and does not prevent from exploiting a compromised cloud QE outside of the physically secure datacenter perimeter. Instead, the approach described in Section 0.4.4 leverages the cryptographic properties of EPID scheme, without modifying the attestation protocol.
0.8 Future Work
Along with security guarantees, the use of Intel SGX imposes limitations on . Further performance evaluation may be done once software and hardware support for Intel SGX becomes available; moreover, we note several security limitations. Controlled-channel attacks xu:2015 () are a novel type of side-channel attacks allowing the OS to extract data from protected applications. They were successfully applied to “Haven” baumann:2014 () and could also be vulnerable; however, we explicitly excluded such attacks from the adversary model. Known mitigations are: rewriting applications to decouple memory access patterns from sensitive data, prohibiting paging by the OS, or obfuscating memory access patterns xu:2015 (). Another limitation stems from the reliance on the platform vendor, which could leak , to create a “deniable back-door” and allow person-in-the-middle attacks on attestation rutkowska:2013.b (). This challenge remains unaddressed.
In future work we aim to integrate TruSDN with other approaches to cloud infrastructure security, such as in paladi:2016 (), to provide a complete framework for secure cloud infrastructure deployments in the given adversarial model.
We described, implemented and evaluated – a framework for bootstrapping trust in SDN infrastructure. It isolates network endpoints and switches in SGX enclaves, remotely attests their integrity, and establishes secure communication channels. We leveraged the principles of SDN to introduce ephemeral flow-specific PSK distributed at flow creation, which reduce the overhead of key derivation and reduce the total time to establish protected channels, at the cost of a minor delay in the flow rule installation. Finally, we leveraged the properties of the EPID scheme to propose an improved approach to prevent cuckoo attacks.
This research has been performed within 5G-ENSURE project (www.5GEnsure.eu) and received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreements No 671562 and No 644814.
- (1) Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. p. 10. ACM (2013)
- (2) Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with Haven. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2014)
- (3) Bifulco, R., Cui, H., Karame, G.O., Klaedtke, F.: Fingerprinting software-defined networks. In: 2015 IEEE 23rd International Conference on Network Protocols (ICNP). pp. 453–459 (Nov 2015)
- (4) Brickell, E., Li, J.: Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities. Dependable and Secure Computing, IEEE Transactions on 9(3), 345–360 (May 2012)
- (5) Casado, M., Foster, N., Guha, A.: Abstractions for software-defined networks. Communications of the ACM 57(10), 86–95 (2014)
- (6) Checkoway, S., Shacham, H.: Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface. SIGARCH Comput. Archit. News 41(1), 253–264 (Mar 2013), http://doi.acm.org/10.1145/2490301.2451145
- (7) Dolev, D., Yao, A.C.: On the security of public key protocols. Information Theory, IEEE Transactions on 29(2), 198–208 (1983)
- (8) Douceur, J.: The Sybil Attack. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) Peer-to-Peer Systems, Lecture Notes in Computer Science, vol. 2429, pp. 251–260. Springer Berlin Heidelberg (2002)
- (9) Eronen, P., Tschofenig, H.: Pre-shared key ciphersuites for transport layer security (TLS). Tech. rep., RFC 4279, December (2005)
- (10) Farinacci, D., Traina, P., Hanks, S., Li, T.: Generic routing encapsulation (GRE). IETF, tools.ietf.org/html/rfc2784 (2000)
- (11) Gude, N., Koponen, T., Pettit, J., Pfaff, B., Casado, M., McKeown, N., Shenker, S.: NOX: towards an operating system for networks. ACM SIGCOMM Computer Communication Review 38(3), 105–110 (2008)
- (12) Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2015)
- (13) Hopps, C.: Analysis of an Equal-Cost Multi-Path Algorithm. IETF, tools.ietf.org/html/rfc2992 (2000)
- (14) Jain, P., Desai, S., Kim, S., Shih, M.W., Lee, J., Choi, C., Shin, Y., Kim, T., Kang, B.B., Han, D.: OpenSGX: An Open Platform for SGX Research. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2016)
- (15) Kreutz, D., Ramos, F., Verissimo, P.: Towards secure and dependable software-defined networks. In: Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. pp. 55–60. ACM (2013)
- (16) Kuo, F.C., Tschofenig, H., Meyer, F., Fu, X.: Comparison studies between pre-shared and public key exchange mechanisms for transport layer security. In: INFOCOM 2006. 25th IEEE International Conference on Computer Communications. Proceedings. pp. 1–6. IEEE (2006)
- (17) McKeen, F., Alexandrovich, I., Berenzon, A., Rozas, C.V., Shafi, H., Shanbhogue, V., Savagaonkar, U.R.: Innovative Instructions and Software Model for Isolated Execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. pp. 1–1. ACM (2013)
- (18) McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review 38(2), 69–74 (2008)
- (19) Nadeau, T.D., Gray, K.: SDN: Software Defined Networks. O’Reilly Media, Inc. (2013)
- (20) Paladi, N., Gehrmann, C., Michalas, A.: Providing User Security Guarantees in Public Infrastructure Clouds. IEEE Transactions on Cloud Computing PP(99), 1–1 (2016)
- (21) Paladi, N., Gehrmann, C.: Towards Secure Multi-tenant Virtualized Networks. In: Trustcom/BigDataSE/ISPA, 2015 IEEE. vol. 1, pp. 1180–1185. IEEE (2015)
- (22) Parno, B.: Bootstrapping trust in a “trusted” platform. In: HotSec (2008)
- (23) Pfaff, B., Lantz, B., Heller, B., et al.: OpenFlow switch specification, version 1.3.0. Open Networking Foundation (2012)
- (24) Pfaff, B., Pettit, J., Koponen, T., Jackson, E.J., Zhou, A., Rajahalme, J., Gross, J., Wang, A., Stringer, J., Shelar, P., et al.: The design and implementation of Open vSwitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation (2015)
- (25) Porras, P., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., Gu, G.: A security enforcement kernel for OpenFlow networks. In: Proceedings of the first workshop on Hot topics in software defined networks. pp. 121–126. ACM (2012)
- (26) Porras, P., Cheung, S., Fong, M., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2015)
- (27) Qazi, Z.A., Tu, C.C., Chiang, L., Miao, R., Sekar, V., Yu, M.: SIMPLE-fying middlebox policy enforcement using SDN. In: ACM SIGCOMM Computer Communication Review. vol. 43, pp. 27–38. ACM (2013)
- (28) Rescorla, E., Modadugu, N.: RFC6347–Datagram Transport Layer Security Version 1.2. IETF, tools.ietf.org/html/rfc6347 (2012)
- (29) Ristenpart, T., Yilek, S.: When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography. In: NDSS (2010)
- (30) Ruan, X.: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine. Apress, Berkely, CA, USA, 1st edn. (2014)
- (31) Rutkowska, J.: Thoughts on Intel’s upcoming Software Guard Extensions (Part 2) (2013), http://theinvisiblethings.blogspot.de/2013/09/thoughts-on-intels-upcoming-software.html, [Online; March 2016]
- (32) Schuster, F., Costa, M., Fournet, C., Gkantsidis, C., Peinado, M., Mainar-Ruiz, G., Russinovich, M.: VC3: Trustworthy Data Analytics in the Cloud Using SGX. In: Security and Privacy (SP), 2015 IEEE Symposium on. pp. 38–54 (May 2015)
- (33) Shin, S., Song, Y., Lee, T., Lee, S., Chung, J., Porras, P., Yegneswaran, V., Noh, J., Kang, B.B.: Rosemary: A Robust, Secure, and High-Performance Network Operating System. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. pp. 78–89. ACM (2014)
- (34) Walker, J., Li, J.: Key exchange with anonymous authentication using DAA-SIGMA protocol. In: Trusted Systems, pp. 108–127. Springer (2011)
- (35) Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In: Security and Privacy (SP), 2015 IEEE Symposium on. pp. 640–656. IEEE (2015)