aegis an automated permission generation and verification
play

AEGIS : An Automated Permission Generation and Verification System - PowerPoint PPT Presentation

Nov 16, 2022 •293 likes •585 views

AEGIS : An Automated Permission Generation and Verification System for SDNs ACM SIGCOMM 2018 Workshop on SecSoN Heedo Kang, Seungwon Shin, Vinod Yegneswaran*, Shalini Ghosh*, Phillip Porras* KAIST, SRI International* Contents 1. B Background

  1. AEGIS : An Automated Permission Generation and Verification System for SDNs ACM SIGCOMM 2018 Workshop on SecSoN Heedo Kang, Seungwon Shin, Vinod Yegneswaran*, Shalini Ghosh*, Phillip Porras* KAIST, SRI International*

  2. Contents 1. B Background und 2. M Motivation & n & Challeng enge 3. 3. AE AEGIS D Desi esign St Static ic E Engin ine • Dyna namic E Engine ne • 4. E Eva valu luatio ion 5. 5. C Conc nclusi sion 2

  3. Backg kgrou ound Software Defined Networking(SDN)? Control Plane (Network Control) ……… App 1 App 2 App 3 App N • Network decoupling North-bound Interface • Network control and forwarding functions Core Services Storage South-bound Interface • Programmable network • Flexible and dynamic network control SDN Controller • Innovative network service • Potential abuse • SDN controller API can be abused by SDN app • Entire resources can be manipulated Data Plane (Forwarding Function) 3

  4. Backg kgrou ound Abusing SDN controller API • Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, “DELTA: A Security Assessment Framework for Software-Defined Networks”, NDSS 2017. • Changhoon Yoon, Seungsoo Lee, “Attacking SDN Infrastructure: Are We Ready for the Next-Gen Networking?”, Blackhat 2016. • Seungsoo Lee, Changhoon Yoon and Seungwon Shin. “The smaller, the shrewder: a simple malicious application can kill an entire SDN environment”, SDN-NFV Security 2016. • Shin, Seungwon, et al. "Rosemary: A robust, secure, and high-performance network operating system." CCS 2014. 4

  5. Backg kgrou ound Existing SDN permission systems • SE-Floodlight • Porras, Phillip A., et al. "Securing the Software Defined Network Control Layer." NDSS 2015. • Role based access control (for only Data-Plane related resources) • SDNShield • Wen, Xitao, et al. "SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets." DSN 2016. • Permission & policy based access control (for only Data-Plane related resources) • Security-Mode ONOS • Changhoon Yoon, et al. "A Security-Mode for Carrier-Grade SDN Controllers", ACSAC 2017. • Permission based access control (for all resources) 5

  6. Contents 1. B Background und 2. M Motivation & n & Challeng enge 3. 3. AE AEGIS D Desi esign St Static ic E Engin ine • Dyna namic E Engine ne • 4. E Eva valu luatio ion 5. 5. C Conc nclusi sion 6

  7. Motivation 1. Automation deficiency (i) analysis  To build SDN permission system.. List of SDN Resources(assets) (i) Analyze what resources(assets) should be protected (ii) Inpsect (ii) Inspect what resources are accessed by each APIs SDN Controller (iii) Design permission model SDN Security source code expert API Map (iv) Implement permission system (API - Assets & action) (iv) Implement (iii) Design APP_WRITE should be checked! This is WRITE action! Example of human error existed in Security-Mode ONOS Permission Permission system model

  8. Motivation 2. Portability deficiency • Procedure for building SDN permission system • Too complicated task • Error prone • Existing SDN permission systems • Tightly coupled with SDN controller implementation • e.g ) SE-Floodlight (Floodlight), Security-Mode ONOS (ONOS) • Cannot be ported to any other controller 8

  9. Motivation 3. Flexbility deficiency • Different security requirements Our network needs fine- Our network needs fine- grained access control over grained access control only topology resource . over all resources Bob Alice (Network operator) (Network operator) • Existing SDN permission systems • Permission model is fixed 9

  10. Challenges es ● Ultimate goal • Suggest new automated permission generation and verification system for SDN ● Summary of challenges • Automation ⁃ Automatically generate permission model for SDN controller • Portability ⁃ Independently designed and implemented from specific SDN controller implementation • Flexibility ⁃ Provide way to flexibly generate permission model 10

  11. Contents 1. B Background und 2. M Motivation & n & Challeng enge 3. 3. AE AEGIS D Desi esign St Static ic E Engin ine • Dyna namic E Engine ne • 4. E Eva valu luatio ion 5. 5. C Conc nclusi sion 11

  12. AEGIS Des Design gn ● Overview Invoked API • Static Engine (execute before run-time) APP 1 APP 2 APP 3 APP N information  Automatically generates permission Northbound APIs model SDN controller  Various NLP techniques Controller Static Dynamic • Dynamic Engine (execute on run-time) API Document Engine Engine Decision  Verifies if application has right permissions to execute API Permission Permission model model policy Network (API-Permission mappings) AEGIS  Hooking & Code injection technique Operator Input Output 12

  13. AEGIS Des Design gn ● Static Engine Controller API Document Controller API Document, Network Permission model policy, Operator • Consists of seven modules Static Controller Input ⁃ API Document Parser API Document Intermediate Engine ⁃ Preprocessor processor Output ⁃ Semantic Role Labeler API Document Dependency ⁃ Intermediate processor Parser Analyzer ⁃ Dependency Analyzer SDN Asset Map Preprocessor ⁃ SDN Asset Map Generator Generator ⁃ API-Permission Mapping Constructor Semantic Role API-Permission Labeler Mapping Constructor • Takes controller API document & SDN Asset Map Permission model policy permission model policy as inputs • Generates permission model as output Permission model (API-Permission mappings) 13

  14. AEGIS Des Design gn ● API document Parser  Extract following features from API document ONOS controller API document ⁃ Package path ⁃ Class name ⁃ API name ⁃ API description SDN controller API document API document Parser API = org.onosproject.net.flow.FlowRuleService.getFlowRuleCount Description = Returns the number of flow rules in the system. 14

  15. AEGIS Des Design gn ● Preprocessor • Replace all uppercase letters with lowercase letters • Remove special characters Returns the number of flow rules in the system. • Inject fake subject Preprocessor • Converge entity n-grams into one word It read the number of flow_rule in the system • Change verb into three types of action word ⁃ e.g) ・ obtain, fetch, get, find, check …… -> read ・ Send, create, remove, add, unregister ……-> write ・ Invoke, activate, stop, perform……-> execute 15

  16. AEGIS Des Design gn ● Semantic Role Labeler • Classifies description into semantic constituents ⁃ Object contains resources that API access It read the number of flow_rule in the system • Investigates classified object Semantic Role Labeler  Starts with to-infinitive or gerund?  Re-classifies object sentence (S It) (V read) (O the number of flow_rule in the system) eg.) It attempts to assign leadership for a topic to a specified node (S It) (V attempts) (O to assign leadership for a topic to a specified node) (S It) (V assign) (O leadership for a topic to a specified node) Re-classify 16

  17. AEGIS Des Design gn ● Intermediate processor • Tags Part of speeches(POS) the number of flow_rule in the system ⁃ e.g. ) ~ flow_rule) (NN/ in) ~ (IN/ Intermediate processor • Removes determiner words ⁃ e.g. ) the number of ~ (NN/ number) (IN/ of) (NN/ flow_rule) (IN/ in) (NN/ system) • Converts word to stem of the word ⁃ e.g. ) ~ devices 17

  18. AEGIS Des Design gn ● Dependency Analyzer • Analyzes relationships between each word ⁃ Dependency parsing (NN/ number) (IN/ of) (NN/ flow_rule) (IN/ in) (NN/ system) root (Root-0, number-1) Dependency case(flow_rule-3, of-2) Example: Analyzer nmod:of(number-1, flow_rule-3) case(system-5, in-4) system nmod:in(number-1, system-5) READ , org.onosproject.net.flow.FlowRuleService. flow_rule getFlowRuleCount ⁃ Extract set of nominal modifier(nmod) relation number Asset linked-list ⁃ Generates asset-linked list  Based on predefined rules  Tag API path & action 18

  19. AEGIS Des Design gn ● SDN Asset Map Generator Integrates all asset-linked list • • Flexible permission model generation ⁃ Pruning map based on permission model policy ・ e.g ) Remove STATSTIC node and move tags to PORT node ● API-permission Mapping Constructor Creates permission type • • By concatenating node name from each starting node to root node and action word Maps each generated permission type to API path • ONOS Asset map 19

  20. AEGIS Des Design gn ● Permission model Example of ONOS API – permission mappings 20

  21. AEGIS Des Design gn ● Dynamic Engine Manifest.xml Network (Declared permissions) • Consists of four modules Operator Dynamic ⁃ API Hooker Engine Input Application granted ⁃ Permission Enforcer permissions Permission SDN App Output ⁃ Permission Checker Permission Checker Enforcer ……. Permission model ⁃ Injector Decision (API-Permission mappings) …... Injector API Hooker • Takes permission model and SDN App invoked API information as inputs Invoked API Security information Exception Access SDN Northbound APIs • Generates and injects SDN Resources (Assets) security exception code as output SDN Controller 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

ASYNC08 Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT asynchronous CIRCUITS USING CIRCUIT Petri nets Petri nets Iva n Polia kov, Andre y Mokhov, Da nil Sokolov, Ashur Ra fie v, Ale x Ya kovle v

474 views • 25 slides
Week 3 Video 4 Automated Feature Generation Automated Feature Selection Automated Feature

Week 3 Video 4 Automated Feature Generation Automated Feature Selection Automated Feature

Week 3 Video 4 Automated Feature Generation Automated Feature Selection Automated Feature Generation The creation of new data features in an automated fashion from existing data features Multiplicative Interactions You have variables A

513 views • 33 slides
Viper A Verification Infrastructure for Permission based Reasoning Peter Mller, ETH Zurich

Viper A Verification Infrastructure for Permission based Reasoning Peter Mller, ETH Zurich

Viper A Verification Infrastructure for Permission based Reasoning Peter Mller, ETH Zurich Joint work with Pietro Ferrara, Uri Juhasz, Ioannis Kassios, Milos Novacek, Malte Schwerhoff, and Alex Summers 2 Automatic Program Verification

134 views • 10 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2 Different Design

524 views • 18 slides
Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS

Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS

Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS Teams Supported by CARA, UCO/Lick Observatory, the National Science Foundation, and NASA DEEP2 basics Officially finished: 53,000 spectra

505 views • 31 slides
COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme: Ontology Engineering and Automated Reasoning K. Korovin & R. Schmidt Automated Reasoning and Verification 1 / 10 Outline 1 Why Automated

371 views • 22 slides
Viper A Verification Infrastructure for Permission-Based Reasoning Alex Summers, ETH Zurich

Viper A Verification Infrastructure for Permission-Based Reasoning Alex Summers, ETH Zurich

Viper A Verification Infrastructure for Permission-Based Reasoning Alex Summers, ETH Zurich Joint work with Uri Juhasz, Ioannis Kassios, Peter Mller, Milos Novacek, Malte Schwerhoff (and many students) 16 th July 2015, Imperial Concurrency

842 views • 14 slides
Automated Item Generation Andr F. De Champlain, PhD Director, Psychometrics and Assessment

Automated Item Generation Andr F. De Champlain, PhD Director, Psychometrics and Assessment

Automated Item Generation Andr F. De Champlain, PhD Director, Psychometrics and Assessment Services Medical Council of Canada What is Automated Item Generation (AIG)? Aut utomat ated ed it item em gener generat atio ion (A n (AIG

264 views • 10 slides
An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing Marcelo dAmorim (UIUC) Carlos Pacheco (MIT) Tao Xie (NCSU) Darko Marinov (UIUC) Michael D. Ernst (MIT) Automated Software

513 views • 33 slides
Formal Technical Process Specification and Verification for Automated Production Systems Georg

Formal Technical Process Specification and Verification for Automated Production Systems Georg

Formal Technical Process Specification and Verification for Automated Production Systems Georg Hackenberg, Alarico Campetelli, Christoph Legat, Jakob Mund, Sabine Teufl and Birgit Vogel-Heuser Motivation Automated Production Systems (Google)

301 views • 26 slides
AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz

AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz

AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz (NGI_AEGIS Technical Manager) Dusan Vudragovic (NGI_AEGIS Deputy Manager) SCL, Institute of Physics Belgrade EGI-InSPIRE SA1 Kickoff Meeting 1

506 views • 15 slides
AUTOMATED STORY GENERATION WITH DEEP NEURAL NETS LARA J. MARTIN , PRITHVIRAJ AMMANABROLU, WILLIAM

AUTOMATED STORY GENERATION WITH DEEP NEURAL NETS LARA J. MARTIN , PRITHVIRAJ AMMANABROLU, WILLIAM

EVENT REPRESENTATIONS FOR AUTOMATED STORY GENERATION WITH DEEP NEURAL NETS LARA J. MARTIN , PRITHVIRAJ AMMANABROLU, WILLIAM HANCOCK, SHRUTI SINGH, BRENT HARRISON, AND MARK O. RIEDL GEORGIA INSTITUTE OF TECHNOLOGY AUTOMATED STORY GENERATION

486 views • 15 slides
Automated Reasoning in Complex Theories and Applications to Verification Viorica

Automated Reasoning in Complex Theories and Applications to Verification Viorica

Automated Reasoning in Complex Theories and Applications to Verification Viorica Sofronie-Stokkermans University Koblenz-Landau (This presentation is based on joint work with W. Damm, J. Faber, M. Horbach, C. Ihlemann, S. Jacobs and D. Peuter)

932 views • 66 slides
Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1 Outline of Verification Process Objective: form one big automata, which Spin can use for verification.

1.01k views • 25 slides
A Case Study in Automated A Case Study in Automated Verification Verification Jason

A Case Study in Automated A Case Study in Automated Verification Verification Jason

A Case Study in Automated A Case Study in Automated Verification Verification Jason Kirschenbaum Kirschenbaum, , Jason Heather Harton Harton and and Murali Murali Heather Sitaraman Sitaraman Introduction Introduction Goal is to

369 views • 16 slides
Automated Test Case Generation or: How to not write test cases Stefan Klikovits EN-ICE-SCD

Automated Test Case Generation or: How to not write test cases Stefan Klikovits EN-ICE-SCD

Automated Test Case Generation Stefan Klikovits Automated Test Case Generation or: How to not write test cases Stefan Klikovits EN-ICE-SCD Universit e de Gen` eve 28 th September, 2015 Automated Test Reminder: Testing is not easy Case

609 views • 33 slides
F INANCIALLY D ISTRESSED : W HAT Y OU N EED TO K NOW A BOUT P ROTECTING Y OUR C LIENTS A SSETS

F INANCIALLY D ISTRESSED : W HAT Y OU N EED TO K NOW A BOUT P ROTECTING Y OUR C LIENTS A SSETS

E ASING THE S TRESS OF THE E ASING THE S TRESS OF THE F INANCIALLY D ISTRESSED : W HAT Y OU N EED TO K NOW A BOUT P ROTECTING Y OUR C LIENTS A SSETS B RENT W H ERRIN B RENT W. H ERRIN C OHEN P OLLOCK M ERLIN & S MALL , P.C. 3350 R IVERWOOD

181 views • 16 slides
How is Going Green Going? 1 Session Objective To discuss GAOs revision to the Standards

How is Going Green Going? 1 Session Objective To discuss GAOs revision to the Standards

Whats New in Government Internal Control Standards? How is Going Green Going? 1 Session Objective To discuss GAOs revision to the Standards for Internal Control in the Federal Government (Green Book) 2 Whats in Green Book for

454 views • 28 slides
Financial Results Q3 2020 NYSE: RDN www.radian.com Safe Harbor Statements All statements in

Financial Results Q3 2020 NYSE: RDN www.radian.com Safe Harbor Statements All statements in

Financial Results Q3 2020 NYSE: RDN www.radian.com Safe Harbor Statements All statements in this presentation that address events, developments or results that we Radian Guaranty Inc.s (Radian Guaranty) ability to remain

599 views • 27 slides
Users and Coverage Initial Consultation Meeting with the State of Nevada Users and Coverage Goals

Users and Coverage Initial Consultation Meeting with the State of Nevada Users and Coverage Goals

Users and Coverage Initial Consultation Meeting with the State of Nevada Users and Coverage Goals Users and Coverage Goals 1. First Responder Users / Operations Identify potential user base and their operational areas Estimate current usage

471 views • 29 slides
Market Cycle Analysis UW Results and Trends Casualty Market: Workers Compensation General

Market Cycle Analysis UW Results and Trends Casualty Market: Workers Compensation General

Market Cycle Analysis UW Results and Trends Casualty Market: Workers Compensation General Liability (Occurrence) 2012 Year-end Data CARe Reinsurance Seminar 2013 Is This Really a Hard Market Raju Bohra EVP, Willis Re

202 views • 19 slides
Fixed Asset Financing Differences with working capital o Implications or firms o Implications

Fixed Asset Financing Differences with working capital o Implications or firms o Implications

Fixed Asset Financing Differences with working capital o Implications or firms o Implications for lenders Financial instruments used Fixed asset debt sources Fixed asset financing gaps Cambridge Biotech case 1 Fixed Asset vs.

836 views • 8 slides
Market Design for the Clean Energy Transition: The Role of New Generator Finance Resources for

Market Design for the Clean Energy Transition: The Role of New Generator Finance Resources for

Market Design for the Clean Energy Transition: The Role of New Generator Finance Resources for the Future and World Resources Institute November 28, 2018 Washington, D.C. Dan Reicher Steyer-Taylor Center for Energy Policy & Finance

490 views • 23 slides
THE COURSE CORPORATE FINANCE AND MANAGEMENT OVERVIEW University Gavar State Univercity Teacher

THE COURSE CORPORATE FINANCE AND MANAGEMENT OVERVIEW University Gavar State Univercity Teacher

Reforming Master Programmes in Finance in Armenia and Moldova / REFINE An Erasmus+ Capacity Building Project (2017-2020) THE COURSE CORPORATE FINANCE AND MANAGEMENT OVERVIEW University Gavar State Univercity Teacher Hakob Ghuloyan BASIC

503 views • 26 slides

More recommend