DACAS: integration of attribute-based access control for northbound interface security in SDN

Since Software-Defined Networking (SDN) allows apps to interact with network-critical resources at the control plane through northbound interface, people hope that these apps have the same level of trust as the controller. Most researchers use static access control policies to solve this problem. In this paper, we achieve a dynamic access control model called DACAS, which is an implementation of attribute-based access control (ABAC) model in the context of the SDN control plane. We analyze how applications can influence SDN through northbound interface and the security requirements of the permission on mainstream controllers. In addition to the security issues caused by the misuse of sensitive APIs, it is found that the northbound and southbound interfaces share the same bandwidth in the network. Once the bandwidth is saturated with requests from the northbound interface, the southbound interface may lose packets. In addition, the storage space of switches is limited. Malicious applications can occupy the living space of normal flow tables by inserting a large number of redundant flow rules. In order to solve these problems, we use the linear quadratic exponential smoothing method to calculate the threshold of inserting flow entries and the upper limit of access time, which can help us implement dynamic access control scheme. In addition, the existing static access control scheme do not take the dynamic or random behavior of the apps into account, which means they cannot adapt to the changing situation in reality. DACAS achieves fine-grained permission management by designing single-case filters and multi-case filters. The prototype system of DACAS is implemented on Ryu controller. Through feasibility analysis, functional evaluation, performance evaluation and security analysis, we demonstrate the robustness and extensibility of DACAS.The run-time overhead introduced by DACAS is on the order of microseconds, which is about 2 ms, but the flexibility of the system is greatly increased by increasing the context attribute in DACAS.