LightBox: SGX-assisted Secure Network Functions at Near-native Speed

@article{Duan2017LightBoxSS,
  title={LightBox: SGX-assisted Secure Network Functions at Near-native Speed},
  author={Huayi Duan and Xingliang Yuan and Cong Wang},
  journal={ArXiv},
  year={2017},
  volume={abs/1706.06261}
}
The recent trend of outsourcing network functions, a.k.a. middleboxes, raises confidentiality and integrity concerns about redirected packets, runtime state, and processing results. The outsourced middleboxes must be protected against cyber attacks and malicious service providers. It is challenging to simultaneously achieve strong security, practical performance, complete functionality and compatibility. Prior software-centric approaches relying on customized cryptographic primitives fall short of…
Challenges Towards Protecting VNF With SGX
This paper proposes a lightweight and trusted execution environment for securing VNFs based on SGX and Click, implements a DDoS defense function on top of this environment, and conducts preliminary evaluations.
EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution
EndBox is described, a system that securely executes middlebox functions on client machines at the network edge; it is centrally controlled, can be updated efficiently, and is evaluated by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention.
vEPC-sec: Securing LTE Network Functions Virtualization on Public Cloud
Public cloud offers economy of scale to adapt to workload changes in an autonomic manner, maximizing the use of resources. Through network function virtualization (NFV), network operators can move LTE…
Fast privacy-preserving network function outsourcing
The design and implementation of SplitBox are presented, a system for privacy-preserving processing of network functions outsourced to cloud middleboxes, i.e., without revealing the policies governing these functions, while providing provably secure guarantees.
Aurora: Providing Trusted System Services for Enclaves On an Untrusted System
A novel architecture is presented that provides trusted system services (TSSs) via a secure channel between enclaves and devices on top of an untrusted system, and two types of TSSs, i.e. clock and end-to-end network, are implemented.
PrivDPI: Privacy-Preserving Encrypted Traffic Inspection with Reusable Obfuscated Rules
The performance gain is based on a new technique for generating encrypted rules as well as the idea of reusing intermediate results generated in previous sessions across subsequent sessions, which could further speed up token encryption.
A Survey of Privacy-Preserving Techniques for Encrypted Traffic Inspection over Network Middleboxes
Practical constraints, advantages and pitfalls towards adopting the MitM techniques are described, followed by insights on the gaps between research work and practical implementation in the industries, which leads to the discussion on the challenges and research directions.
Assuring String Pattern Matching in Outsourced Middleboxes
This paper proposes the first practical system that enables runtime execution assurances of outsourced middleboxes with high confidence, helping enterprises to extend their visibility into untrusted service providers and the dynamic network effect.
Zero-Knowledge Middleboxes
This paper initiates research on zero-knowledge middleboxes (ZKMBs). A ZKMB is a network middlebox that enforces network usage policies on encrypted traffic. Clients send the middlebox zero-knowledge…
Toward Scalable Fully Homomorphic Encryption Through Light Trusted Computing Assistance
A hybrid solution is proposed that uses the latest hardware Trusted Execution Environments to assist FHE by moving the bootstrapping step, which is one of the major obstacles in designing practical FHE schemes, to a secured SGX enclave.
