Publications (10 of 24)
Paladi, N. & Gehrmann, C. (2019). SDN Access Control for the Masses. Computers & security (Print), 80, 155-172
SDN Access Control for the Masses
2019 (English). In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 80, p. 155-172. Article in journal (Refereed), Published
Abstract [en]

The evolution of Software-Defined Networking (SDN) has so far been predominantly geared towards defining and refining the abstractions on the forwarding and control planes. However, despite a maturing south-bound interface and a range of proposed network operating systems, the network management application layer is yet to be specified and standardized. It has currently poorly defined access control mechanisms that could be exposed to network applications. Available mechanisms allow only rudimentary control and lack procedures to partition resource access across multiple dimensions. We address this by extending the SDN north-bound interface to provide control over shared resources to key stakeholders of network infrastructure: network providers, operators and application developers. We introduce a taxonomy of SDN access models, describe a comprehensive design for SDN access control and implement the proposed solution as an extension of the ONOS network controller intent framework.

Place, publisher, year, edition, pages
Elsevier Ltd, 2019
Keywords
Access control, Network abstractions, North-bound interface, Security, Software-defined networking, Abstracting, Flight control systems, Network layers, Software defined networking, Access control mechanism, Application developers, Management applications, Network infrastructure, Network operating system, Software defined networking (SDN)
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-35566 (URN); 10.1016/j.cose.2018.10.003 (DOI); 2-s2.0-85054899526 (Scopus ID)
Note

Funding details: 731574; Funding text: The research was conducted within the COLA project and received funding from the European Union’s Horizon 2020 research and innovation programme under grant No 731574.

Available from: 2018-11-06. Created: 2018-11-06. Last updated: 2018-11-06. Bibliographically approved
Paladi, N., Michalas, A. & Dang, H.-V. (2018). Towards secure cloud orchestration for multi-cloud deployments. In: CrossCloud 2018 - 5th Workshop on CrossCloud Infrastructures and Platforms, colocated with EuroSys 2018: . Paper presented at 5th Workshop on CrossCloud Infrastructures and Platforms, CrossCloud 2018, 23 April 2018 through 23 April 2018.
Towards secure cloud orchestration for multi-cloud deployments
2018 (English). In: CrossCloud 2018 - 5th Workshop on CrossCloud Infrastructures and Platforms, colocated with EuroSys 2018, 2018. Conference paper, Published paper (Refereed)
Abstract [en]

Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multi-cloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

Keywords
Cloud infrastructure, Microservices, Orchestration, Security, Virtualization, Attack scenarios, Cloud infrastructures, Multi-clouds, Resource providers, Security enforcement
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-35793 (URN); 10.1145/3195870.3195874 (DOI); 2-s2.0-85049685222 (Scopus ID); 9781450356534 (ISBN)
Conference
5th Workshop on CrossCloud Infrastructures and Platforms, CrossCloud 2018, 23 April 2018 through 23 April 2018
Available from: 2018-11-07. Created: 2018-11-07. Last updated: 2018-11-07. Bibliographically approved
Paladi, N., Michalas, A. & Hai-Van, D. (2018). Towards Secure Cloud Orchestration for Multi-Cloud Deployments. In: EuroSys'18 companion proceedings: . Paper presented at EuroSys - CrossCloud.
Towards Secure Cloud Orchestration for Multi-Cloud Deployments
2018 (English). In: EuroSys'18 companion proceedings, 2018. Conference paper, Published paper (Refereed)
Abstract [en]

Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multicloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

Keywords
cloud, security, orchestration
National Category
Computer Systems
Identifiers
urn:nbn:se:ri:diva-33491 (URN); 10.1145/3195870.3195874 (DOI); 2-s2.0-85049685222 (Scopus ID)
Conference
EuroSys - CrossCloud
Funder
EU, Horizon 2020, 731574
Available from: 2018-03-16. Created: 2018-03-16. Last updated: 2019-01-10. Bibliographically approved
Paladi, N., Michalas, A. & Dan, H.-V. (2018). Towards secure cloud orchestration for multi-cloud deployments. In: Proceedings of the 5th Workshop on CrossCloud Infrastructures & Platforms: . Paper presented at CrossCloud'18, 5th Workshop on CrossCloud Infrastructures & Platforms, Porto, Portugal, April 23 - 26, 2018. Porto, Article ID 4.
Towards secure cloud orchestration for multi-cloud deployments
2018 (English). In: Proceedings of the 5th Workshop on CrossCloud Infrastructures & Platforms, Porto, 2018, article id 4. Conference paper, Published paper (Refereed)
Abstract [en]

Cloud orchestration frameworks are commonly used to deploy and operate cloud infrastructure. Their role spans both vertically (deployment on infrastructure, platform, application and microservice levels) and horizontally (deployments from many distinct cloud resource providers). However, despite the central role of orchestration, the popular orchestration frameworks lack mechanisms to provide security guarantees for cloud operators. In this work, we analyze the security landscape of cloud orchestration frameworks for multi-cloud infrastructure. We identify a set of attack scenarios, define security enforcement enablers and propose an architecture for a security-enabled cloud orchestration framework for multi-cloud application deployments.

Place, publisher, year, edition, pages
Porto, 2018
Keywords
Orchestration, cloud infrastructure, microservices
National Category
Computer Systems
Identifiers
urn:nbn:se:ri:diva-39302 (URN); 10.1145/3195870.3195874 (DOI); 978-1-4503-5653-4 (ISBN)
Conference
CrossCloud'18, 5th Workshop on CrossCloud Infrastructures & Platforms, Porto, Portugal, April 23 - 26, 2018
Projects
COLA
Available from: 2019-07-01. Created: 2019-07-01. Last updated: 2019-07-02. Bibliographically approved
Paladi, N., Karlsson, L. & Elbashir, K. (2018). Trust Anchors in Software Defined Networks. In: Javier Lopez, Jianying Zhou, Miguel Soriano (Eds.), Computer Security: 23rd European Symposium on Research in Computer Security, ESORICS 2018, Barcelona, Spain, September 3–7, 2018, Proceedings, Part II. Paper presented at ESORICS (pp. 485-594). Springer, 11099
Trust Anchors in Software Defined Networks
2018 (English). In: Computer Security: 23rd European Symposium on Research in Computer Security, ESORICS 2018, Barcelona, Spain, September 3–7, 2018, Proceedings, Part II / [ed] Javier Lopez, Jianying Zhou, Miguel Soriano, Springer, 2018, Vol. 11099, p. 485-594. Conference paper, Published paper (Refereed)
Abstract [en]

Advances in software virtualization and network processing lead to increasing network softwarization. Software network elements running on commodity platforms replace or complement hardware components in cloud and mobile network infrastructure. However, such commodity platforms have a large attack surface and often lack granular control and tight integration of the underlying hardware and software stack. Often, software network elements are either themselves vulnerable to software attacks or can be compromised through the bloated trusted computing base. To address this, we protect the core security assets of network elements - authentication credentials and cryptographic context - by provisioning them to and maintaining them exclusively in isolated execution environments. We complement this with a secure and scalable mechanism to enroll network elements into software defined networks. Our evaluation results show a negligible impact on run-time performance and only a moderate performance impact at the deployment stage.

Place, publisher, year, edition, pages
Springer, 2018
Keywords
Software Defined Networking, Software Guard Extensions, Open vSwitch, Network Function Virtualization
National Category
Computer Systems
Identifiers
urn:nbn:se:ri:diva-35117 (URN); 10.1007/978-3-319-98989-1_24 (DOI); 2-s2.0-85051855924 (Scopus ID); 978-3-319-98988-4 (ISBN)
Conference
ESORICS
Funder
EU, European Research Council, 731574
Available from: 2018-09-05. Created: 2018-09-05. Last updated: 2019-01-10. Bibliographically approved
Dowsley, R., Michalas, A., Nagel, M. & Paladi, N. (2017). A survey on design and implementation of protected searchable data in the cloud. Computer Science Review, 26, 17-30
A survey on design and implementation of protected searchable data in the cloud
2017 (English). In: Computer Science Review, ISSN 1574-0137, E-ISSN 1876-7745, Vol. 26, p. 17-30. Article in journal (Refereed), Published
Abstract [en]

While cloud computing has exploded in popularity in recent years thanks to the potential efficiency and cost savings of outsourcing the storage and management of data and applications, a number of vulnerabilities that led to multiple attacks have deterred many potential users. As a result, experts in the field argued that new mechanisms are needed in order to create trusted and secure cloud services. Such mechanisms would eradicate the suspicion of users towards cloud computing by providing the necessary security guarantees. Searchable Encryption is among the most promising solutions—one that has the potential to help offer truly secure and privacy-preserving cloud services. We start this paper by surveying the most important searchable encryption schemes and their relevance to cloud computing. In light of this analysis we demonstrate the inefficiencies of the existing schemes and expand our analysis by discussing certain confidentiality and privacy issues. Further, we examine how to integrate such a scheme with a popular cloud platform. Finally, we have chosen – based on the findings of our analysis – an existing scheme and implemented it to review its practical maturity for deployment in real systems. The survey of the field, together with the analysis and with the extensive experimental results provides a comprehensive review of the theoretical and practical aspects of searchable encryption.

Keywords
Cloud computing, Cloud storage, Searchable encryption, Security, Data privacy, Digital storage, Distributed database systems, Information management, Network function virtualization, Outsourcing, Surveys, Web services, Cloud platforms, Cloud services, Cloud storages, Design and implementations, Potential efficiency, Privacy preserving, Searchable encryptions, Cryptography
National Category
Natural Sciences
Identifiers
urn:nbn:se:ri:diva-33201 (URN); 10.1016/j.cosrev.2017.08.001 (DOI); 2-s2.0-85028031885 (Scopus ID)
Available from: 2018-01-31. Created: 2018-01-31. Last updated: 2019-07-05. Bibliographically approved
Girtler, D. & Paladi, N. (2017). Component integrity guarantees in software-defined networking infrastructure. In: 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks, NFV-SDN 2017: . Paper presented at 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks, NFV-SDN 2017, 6 November 2017 through 8 November 2017 (pp. 292-296). Institute of Electrical and Electronics Engineers Inc.
Component integrity guarantees in software-defined networking infrastructure
2017 (English). In: 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks, NFV-SDN 2017, Institute of Electrical and Electronics Engineers Inc., 2017, p. 292-296. Conference paper, Published paper (Refereed)
Abstract [en]

Operating system level virtualization containers are commonly used to deploy virtual network functions (VNFs) which access the centralized network controller in software-defined networking (SDN) infrastructure. While this allows flexible network configuration, it also increases the attack surface, as sensitive information is transmitted between the controller and the virtual network functions. In this work we propose a mechanism for bootstrapping secure communication between the SDN controller and deployed network applications. The proposed mechanism relies on platform integrity evaluation and execution isolation mechanisms, such as Linux Integrity Measurement Architecture and Intel Software Guard Extensions. To validate the feasibility of the proposed approach, we have implemented a proof of concept which was further tested and evaluated to assess its performance. The prototype can be seen as the first step into providing users with security guarantees regarding the integrity of components in the SDN infrastructure.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers Inc., 2017
Keywords
Docker, IMA, NFV, SDN, Security, SGX, Computer operating systems, Controllers, Network security, Software defined networking, Transfer functions, Virtual reality, Virtualization, Centralized networks, Integrity measurement, Network applications, Platform integrity, Sensitive informations, Software defined networking (SDN), Network function virtualization
National Category
Engineering and Technology
Identifiers
urn:nbn:se:ri:diva-38634 (URN); 10.1109/NFV-SDN.2017.8169858 (DOI); 2-s2.0-85043275103 (Scopus ID); 9781538632857 (ISBN)
Conference
2017 IEEE Conference on Network Function Virtualization and Software Defined Networks, NFV-SDN 2017, 6 November 2017 through 8 November 2017
Available from: 2019-05-09. Created: 2019-05-09. Last updated: 2019-05-09. Bibliographically approved
Paladi, N., Gehrmann, C. & Michalas, A. (2017). Providing User Security Guarantees in Public Infrastructure Clouds (11ed.). IEEE Transactions on Cloud Computing, 5(3), 405-419, Article ID 7399365.
Providing User Security Guarantees in Public Infrastructure Clouds
2017 (English). In: IEEE Transactions on Cloud Computing, ISSN 2168-7161, Vol. 5, no 3, p. 405-419, article id 7399365. Article in journal (Refereed), Published
Abstract [en]

The infrastructure cloud (IaaS) service model offers improved resource flexibility and availability, where tenants – insulated from the minutiae of hardware maintenance – rent computing resources to deploy and operate complex systems. Large-scale services running on IaaS platforms demonstrate the viability of this model; nevertheless, many organisations operating on sensitive data avoid migrating operations to IaaS platforms due to security concerns. In this paper, we describe a framework for data and operation security in IaaS, consisting of protocols for a trusted launch of virtual machines and domain-based storage protection. We continue with an extensive theoretical analysis with proofs about protocol resistance against attacks in the defined threat model. The protocols allow trust to be established by remotely attesting host platform configuration prior to launching guest virtual machines and ensure confidentiality of data in remote storage, with encryption keys maintained outside of the IaaS domain. Presented experimental results demonstrate the validity and efficiency of the proposed protocols. The framework prototype was implemented on a test bed operating a public electronic health record system, showing that the proposed protocols can be integrated into existing cloud environments.

National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-24528 (URN); 10.1109/TCC.2016.2525991 (DOI); 2-s2.0-85029938241 (Scopus ID)
Projects
Infracloud
Available from: 2016-10-31. Created: 2016-10-31. Last updated: 2019-01-10. Bibliographically approved
Paladi, N. & Karlsson, L. (2017). Safeguarding VNF Credentials with Intel SGX. In: SIGCOMM Posters and Demos '17 Proceedings of the SIGCOMM Posters and Demos: . Paper presented at SIGCOMM 2017, August 22-24, 2017, Los Angeles, California, USA (pp. 144-146). Association for Computing Machinery (ACM)
Safeguarding VNF Credentials with Intel SGX
2017 (English). In: SIGCOMM Posters and Demos '17 Proceedings of the SIGCOMM Posters and Demos, Association for Computing Machinery (ACM), 2017, p. 144-146. Conference paper, Poster (with or without abstract) (Refereed)
Abstract [en]

Operators use containers – enabled by operating system (OS) level virtualization – to deploy virtual network functions (VNFs) that access the centralized network controller in software-defined networking (SDN) deployments. While SDN allows flexible network configuration, it also increases the attack surface on the network deployment [8]. For example, insecure communication channels may be tapped to extract or inject sensitive data transferred on the north-bound interface, between the network controller and VNFs; furthermore, to protect the network controller from malicious VNF instances, the integrity and authenticity of VNFs must be verified prior to deployment. To mitigate the risks described above, we implemented a prototype that leverages hardware-based mechanisms for isolated execution implemented by Intel SGX in combination with a run-time integrity measurement subsystem, namely Linux Integrity Measurement Architecture (IMA). This prototype is a first step towards providing to tenants and end-users integrity guarantees regarding the network components in SDN deployments.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2017
Keywords
SGX, security, VNF, NFV, SDN
National Category
Computer Sciences
Identifiers
urn:nbn:se:ri:diva-32952 (URN); 10.1145/3123878.3132016 (DOI); 2-s2.0-85029694166 (Scopus ID); 978-1-4503-5057-0 (ISBN)
Conference
SIGCOMM 2017, August 22-24, 2017, Los Angeles, California, USA
Available from: 2018-01-02. Created: 2018-01-02. Last updated: 2019-01-10. Bibliographically approved
Paladi, N. & Gehrmann, C. (2017). TruSDN: Bootstrapping trust in cloud network infrastructure. In: Security and Privacy in Communication Networks: . Paper presented at 12th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2016), October 10-12, 2016, Guangzhou, China (pp. 104-124).
TruSDN: Bootstrapping trust in cloud network infrastructure
2017 (English). In: Security and Privacy in Communication Networks, 2017, p. 104-124. Conference paper, Published paper (Refereed)
Abstract [en]

Software-Defined Networking (SDN) is a novel architectural model for cloud network infrastructure, improving resource utilization, scalability and administration. SDN deployments increasingly rely on virtual switches executing on commodity operating systems with large code bases, which are prime targets for adversaries attacking the network infrastructure. We describe and implement TruSDN, a framework for bootstrapping trust in SDN infrastructure using Intel Software Guard Extensions (SGX), allowing to securely deploy SDN components and protect communication between network endpoints. We introduce ephemeral flow-specific pre-shared keys and propose a novel defense against cuckoo attacks on SGX enclaves. TruSDN is secure under a powerful adversary model, with a minor performance overhead.

Series
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST), ISSN 1867-8211 ; 198
Keywords
Integrity, Software defined networking, Trust, Virtual switches, Trusted computing, Adversary modeling, Architectural modeling, Commodity operating systems, Network infrastructure, Resource utilizations, Software defined networking (SDN), Network security
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:ri:diva-31100 (URN); 10.1007/978-3-319-59608-2_6 (DOI); 2-s2.0-85021707665 (Scopus ID); 978-3-319-59607-5 (ISBN); 978-3-319-59608-2 (ISBN)
Conference
12th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2016), October 10-12, 2016, Guangzhou, China
Projects
5G-ENSURE
Available from: 2017-08-28. Created: 2017-08-28. Last updated: 2019-06-26. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0003-0132-857x