[SDN Security vulnerability genome project]
The goal of this project is to establish and maintain a centralized database of the security vulnerabilities that exist in various SDN components, including SDN controllers, switches and protocols. Our research group has not only been collecting the known vulnerabilities from various sources, but has also been running DELTA (introduced below) to reveal and disclose new vulnerabilities.
[SDN Security Evaluation]
Project Leader : Seungsoo Lee
In short, this research is motivated by security penetration testing (or pen-testing) tools in the traditional network security domain; DELTA represents the first pen-testing tool for SDN environments. It is envisaged that this tool will be used for security conformance benchmarking of SDN devices.
Developing a systematic understanding of the attack surface of emergent networks, such as software-defined networks (SDNs), is necessary and arguably the starting point toward making them more secure. Prior work has largely relied on ad-hoc empirical methods to evaluate the security of various SDN elements from different perspectives. However, it has stopped short of converging on a systematic methodology or developing automated systems to rigorously test for security flaws in SDNs. Thus, conducting a security assessment of new SDN software remains a non-replicable and unregimented process. This work makes the case for automating and standardizing the vulnerability identification process in SDNs. As a first step, we develop a penetration testing tool, DELTA, that reinstantiates published SDN attacks in diverse test environments. Furthermore, we enhance our tool with a fuzzing module to potentially detect other, unknown vulnerabilities.
[Designing and implementing new and innovative security services with SDN]
Our research group has already designed and implemented existing security services, such as firewalls, IDS, IPS and network anomaly detectors, as SDN applications, and verified the feasibility, effectiveness and capability of each security-service SDN application. Beyond these existing services, SDN makes it possible to provide new and innovative security services that were difficult to realize in traditional networks. We have been designing and implementing different types of security services as SDN applications for different SDN controller platforms. The figure below illustrates the design of an SDN-based NIPS application for the Floodlight controller.
[Profiling SDN Application]
Project Leader : Heedo Kang
In short, this research introduces a new automatic profiling framework that analyses the critical paths and hotspots of SDN applications automatically. We believe that the methods and findings presented in this paper can encourage SDN researchers and developers to devise more and better SDN applications.
Software-Defined Networking (SDN), which separates the control plane and data plane of a network, is widely considered a promising future networking architecture. Compared with legacy networking architectures, it enables a variety of innovative network functions at much less cost and effort. Accordingly, each component of SDN is being rapidly realized, and one of the most noticeable SDN component implementations is the SDN controller, such as ONOS or Floodlight. One advantage of these SDN controllers is the capability of hosting various network applications to enable innovative network functions; however, it is crucial to analyze these applications before actual deployment, as they may directly affect the performance of the managed network. To be more specific, SDN applications may contain performance bugs that unnecessarily consume significant system resources or produce critical bottlenecks in the controller. In this paper, we introduce an automatic SDN application profiling framework, SPIRIT, which reduces the human effort in revealing any performance bugs that might exist in SDN applications. To show the effectiveness of our framework, we reveal new performance bugs that exist in ONOS and Floodlight applications.
[Static Analysis of SDN Application]
Project Leader : Chanhee Lee
In this research, we tackle threats from malicious SDN applications directly. SHIELD discovers the security-critical activities of SDN applications.
Software-Defined Networks (SDNs) have achieved sustained growth in both academic and industrial circles. As SDN is getting popular, its security issues are being magnified into a critical concern. In this context, some pioneering researchers have investigated the security issues of SDN to comprehend what kinds of vulnerabilities exist in SDN. In particular, a malicious network application running on an SDN controller can take down the SDN control plane, since it has unlimited power to access the resources of the SDN controller. To tackle these issues, we propose a method of analyzing SDN applications statically, before they run. If we understand the activities of an SDN application and verify what the application does, we can prevent the installation of malicious SDN applications. So, we present SHIELD, a new automated framework for static analysis of SDN applications. SHIELD represents the critical activities of SDN applications as Security-Sensitive Behavior Graphs (SSBGs). By using our framework, a network administrator can make a clear decision on whether an application should be installed or denied. We are now working on a powerful malware detection system for SDN environments.
[Enrich security functions/features in SDN]
Project Leader : Taejune Park
In short, this research considers how we can enrich security functions/features in software-defined environments. In this context, we propose a new software switch architecture, named UNISAFE (a union of security actions for software switches), that can enable diverse security actions.
As software-defined architectures, such as Software-Defined Networking (SDN) and Network Function Virtualization (NFV), are getting popular, the need for software-based switches (a.k.a. software switches) is also increasing, because they can adopt new functions/features without much difficulty compared with hardware-based switches. Nowadays we can easily observe that researchers devise new network functions and embed them into a software switch. However, most of those proposals are strongly biased toward the networking community, and thus it is hard to find attempts to leverage the abilities of a software switch for security. In this paper, we consider how we can enrich security functions/features in software-defined environments, and in this context we propose a new software switch architecture, named Unisafe, that can enable diverse security actions. Furthermore, Unisafe provides action clustering, which joins the Unisafe actions of multiple flows together. This allows Unisafe to check flows collectively, so a user can establish effective security policies and save system resources. In addition, we describe the design and implementation of Unisafe and suggest some use cases showing how Unisafe works.