Cross-layer access control in publish/subscribe middleware over software-defined networks

When technologies of software-defined networks (SDNs) provide a chance to improve the quality of service (QoS) of publish/subscribe middlewares, new chances are also arising for adversaries to attack the networks and the middlewares. We here propose a cross-layer access control solution to protect the publish/subscribe middleware over SDNs. Applications over a publish/subscribe middleware interact by an indirect, anonymous and multicast event communication paradigm, where we hope that the applications, the middleware, and the underlying network collaborate to realize the access control of reading/writing events. The key issue is how to use the flow matching capability of SDN switches to efficiently and securely enforce complex authorization policies that include multiple conjunction and disjunction structures. It is required to resist against the collusion attacks of SDN controllers and subscribers when the middleware/network is partially delegated to enforce the authorization policies of publishers. In our cross-layer solution, a policy representation method is presented to encode authorization policies into flow entries with high data compression and security, and a two-party computation method is presented to carry out secret sharing for defeating malicious SDN controllers and subscribers. Finally, our solution is evaluated to show its effectiveness.