LightBox: SGX-assisted Secure Network Functions at Near-native Speed

  title={LightBox: SGX-assisted Secure Network Functions at Near-native Speed},
  author={Huayi Duan and Xingliang Yuan and Cong Wang},
The recent trend of outsourcing network functions, aka. middleboxes, raises confidentiality and integrity concern on redirected packet, runtime state, and processing result. The outsourced middleboxes must be protected against cyber attacks and malicious service provider. It is challenging to simultaneously achieve strong security, practical performance, complete functionality and compatibility. Prior software-centric approaches relying on customized cryptographic primitives fall short of… 

Figures and Tables from this paper

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

EndBox is described, a system that securely executes middlebox functions on client machines at the network edge that is centrally controlled and can be updated efficiently and evaluated by comparing it to centralised deployments of common middle box functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention.

vEPC-sec: Securing LTE Network Functions Virtualization on Public Cloud

Public cloud offers economy of scale to adapt workload changes in an autonomic manner, maximizing the use of resources. Through network function virtualization (NFV), network operators can move LTE

Fast privacy-preserving network function outsourcing

S-Blocks: Lightweight and Trusted Virtual Security Function With SGX

This article proposes S-Blocks, an architecture to modularize virtual security functions (VSFs) and protect crucial modules with SGX in an efficient manner and designs a fine-grained state synchronization and migration mechanism to ensure loss-free, order-preserving, and state security for VSFs.

Aurora: Providing Trusted System Services for Enclaves On an Untrusted System

A novel architecture that provides TSSes via a secure channel between enclaves and devices on top of an untrusted system, and implement two types of TSSs, i.e. clock and end-to-end network is presented.

PrivDPI: Privacy-Preserving Encrypted Traffic Inspection with Reusable Obfuscated Rules

The performance gain is based on a new technique for generating encrypted rules as well as the idea of reusing intermediate results generated in previous sessions across subsequent sessions, which could further speedup token encryption.

A Survey of Privacy-Preserving Techniques for Encrypted Traffic Inspection over Network Middleboxes

Practical constraints, advantages and pitfalls towards adopting the MitM techniques are described, followed by insights on the gaps between research work and practical implementation in the industries, which leads to the discussion on the challenges and research directions.

Assuring String Pattern Matching in Outsourced Middleboxes

This paper proposes the first practical system that enables runtime execution assurances of outsourced middleboxes with high confidence, helping enterprises to extend their visibility into untrusted service providers and the dynamic network effect.

Toward Scalable Fully Homomorphic Encryption Through Light Trusted Computing Assistance

A hybrid solution that uses the latest hardware Trusted Execution Environments to assist FHE by moving the bootstrapping step, which is one of the major obstacles in designing practical FHE schemes, to a secured SGX enclave is proposed.

TVIDS: Trusted virtual IDS with SGX

For TVIDS, a trusted execution environment is built for security policy, packets processing, and internal state so that cloud service providers and other malicious tenants can't access the protected code, policy, processing states, and packets information of the intrusion detection system.



Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS

This paper introduces multi-context TLS (mcTLS), which extends TLS to support middleboxes and breaks the current "all-or-nothing" security model by allowing endpoints and content providers to explicitly introduce middleboxes in secure end-to-end sessions while controlling which parts of the data they can read or write.

Privacy-preserving deep packet inspection in outsourced middleboxes

An encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection, and elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets.

Private Processing of Outsourced Network Functions: Feasibility and Constructions

A cryptographic treatment of privacy-preserving outsourcing of network functions is presented, introducing security definitions as well as an abstract model of generic network functions, and a few instantiations using partial homomorphic encryption and public-key encryption with keyword search are proposed.

SplitBox: Toward Efficient Private Network Function Virtualization

This paper presents SplitBox, an efficient system for privacy-preserving processing of network functions that are outsourced as software processes to the cloud, and proposes an abstract model of a generic network function based on match-action pairs.

A First Step Towards Leveraging Commodity Trusted Execution Environments for Network Applications

This paper explores the possibility of using Intel SGX to provide security and privacy in a wide range of network applications and shows that leveraging hardware protection of TEEs opens up new possibilities, often at the benefit of a much simplified application/protocol design.

Embark: Securely Outsourcing Middleboxes to the Cloud

Embark is the first system that enables a cloud provider to support middlebox outsourcing while maintaining the client's confidentiality and encrypts the traffic that reaches the cloud and enables the cloud to process the encrypted traffic without decrypting it.

STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud

STEALTHMEM is presented, a system-level protection mechanism against cache-based side channel attacks in the cloud and a novel idea and prototype for isolating cache lines while fully utilizing memory by exploiting architectural properties of set-associative caches.

S-NFV: Securing NFV states by using SGX

This paper proposes a new protection scheme, S-NFV that incorporates Intel Software Guard Extensions (Intel SGX) to securely isolate the states of NFV applications.

Shielding Applications from an Untrusted Cloud with Haven

The notion of shielded execution is introduced, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator’s OS, VM, and firmware).

Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud

This paper presents a novel covert channel attack that is capable of high-bandwidth and reliable data transmission in the cloud, and designs and implements a robust communication protocol, and demonstrates realistic covert channel attacks on various virtualized ×86 systems.