Vulnerabilities of network OS and mitigation with state‐based permission system

The advancement of software defined networking (SDN) is redefining traditional computer networking architecture. The role of the control plane of SDN is of such importance that SDNs are referred to as network operating systems (OSs). However, the robustness and security of the network OS has been overlooked. In this paper, we report three main issues pertaining to network OSs. First, we identified vulnerabilities that could be exploited by malicious or buggy applications running on network OSs. We also identified four major attack vectors that could undermine network OS operations: denial of service, global data manipulation, control plane poisoning, and system shell execution. Further, it was demonstrated that real-world attacks can be launched on commonly used network OSs without significant effort. Second, we present a method to address the attacks by analyzing network applications running on network OSs to identify their behavioral features, which enabled the extraction of a permission set for each network application. Based on this work, a permission-based malicious network application detector was introduced, which examines the permission set of each application and prevents it from executing without permission. Our system shows almost no performance overhead. Copyright (c) 2015 John Wiley & Sons, Ltd.