Protecting Virtual Programmable Switches from Cross-App Poisoning (CAP) Attacks

NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium (2022)

Abstract
Cross-App Poisoning (CAP) is an emerging class of network integrity attacks against Software Defined Networking (SDN). In a CAP attack, a malicious app poisons shared data objects maintained by the controller, thus co-opting legitimate apps into carrying out bogus actions that the malicious app itself cannot perform due to insufficient privileges. Existing solutions, such as ProvSDN, demonstrated that Information Flow Control (IFC) can track and thus prevent such attacks. However, these solutions cannot prevent CAP attacks in networks where malicious apps can take advantage of programmable virtual switches to bypass IFC. In this paper, we propose Virtual Information Flow Control (vIFC), a solution for defending against CAP attacks that exploit virtual switches to obfuscate malicious information flow. vIFC has shown high effectiveness while imposing low performance overhead. We also propose a policy model that offers flexibility to the network manager to determine IFC between apps running on multiple controllers.
Keywords
Software Defined Networking, Virtualization, Information Flow Control, Data Provenance