Middlebox Technologies with Intel SGX: A Literature Survey. Shiv Kushwah & Sumukh Shivakumar
What's all the fuss with middleboxes?
Background
What are middleboxes?
Middleboxes in the Cloud (diagram: Enterprise traffic is tunneled through an APLOMB gateway to middleboxes running in the Cloud). APLOMB: Making Middleboxes Someone Else's Problem - Network Processing as a Cloud Service
Problems with current Middlebox approaches
Alternatives: "Break and Inspect"
Alternatives: Homomorphic-Based
What are Enclaves? (diagram: the Intel SGX enclave holds the Trusted App Code; the Untrusted App Code and the Untrusted OS sit outside it; control enters the enclave through an ECALL and leaves it through an OCALL, which is how syscalls and network calls are served)
Issues ● Memory constrained ● No network calls (syscalls and network I/O go through OCALLs to untrusted code) ● No trusted clock
What are Enclaves? (diagram: the Host holds an expected enclave image, e.g. `int x = 7;`; the Quoting Enclave produces a Remote Attestation of the enclave that was actually loaded)
What are Enclaves? (same diagram, with the loaded enclave changed to `int x = 8;`: the attested measurement no longer matches the enclave the Host expected)
How can SGX help Middleboxes? ● SGX provides confidentiality and integrity ● Remotely attest SGX-enabled middleboxes ○ Enforce correct and secure program behavior ○ Bootstrap a secure channel of communication
SGX Solutions for Middleboxes ● Decrypting and inspecting packets safely ● Processing and saving information safely ● Resource efficiency
Evaluation Metrics
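The attestation flow on this slide, as an added example that is not part of the survey or of any of the surveyed systems: a Python model in which the enclave measurement (MRENCLAVE) is modelled as a SHA-256 of the enclave code, the Quoting Enclave's signature as an HMAC under a key that only the simulated Quoting Enclave and the verifier hold (real SGX uses EPID or ECDSA signatures checked against Intel's keys), and the secure channel as toy Diffie-Hellman over a constructed small group. The enclave code strings, the QE key and the DH parameters are all constructed for the example. What it shows is the point the two enclave diagrams make: a one-constant change to the enclave (`x = 7` vs `x = 8`) changes the measurement, the verifier refuses the quote, and the session key is only derived after the quote has bound the enclave's ephemeral public value through REPORT_DATA.

```python
"""Simplified model of SGX remote attestation bootstrapping a secure channel
to a middlebox enclave.  Illustrative only: MRENCLAVE is modelled as SHA-256
of the enclave code, the Quoting Enclave's EPID/ECDSA signature as an HMAC,
and the key exchange as toy Diffie-Hellman.  Not the real SGX protocol."""
import hashlib
import hmac
import secrets

# Constructed enclave "code": two versions differing in one constant,
# mirroring the slides' `int x = 7;` vs `int x = 8;`.
ENCLAVE_V7 = b"int x = 7; inspect_packet(); forward();"
ENCLAVE_V8 = b"int x = 8; inspect_packet(); forward();"

# Constructed stand-in for the attestation signing key.  In real SGX the
# verifier checks a signature against Intel-rooted keys and never holds this.
QE_SIGNING_KEY = b"quoting-enclave-key-for-demo-only"

# Toy DH group (Mersenne prime 2^127 - 1, generator 5).  Not for real use.
P = (1 << 127) - 1
G = 5


def measure(enclave_code: bytes) -> bytes:
    """Model of MRENCLAVE: a hash over the enclave's initial contents."""
    return hashlib.sha256(enclave_code).digest()


def quoting_enclave_sign(mrenclave: bytes, report_data: bytes) -> dict:
    """Model of the Quoting Enclave: signs (MRENCLAVE || REPORT_DATA)."""
    sig = hmac.new(QE_SIGNING_KEY, mrenclave + report_data, hashlib.sha256).digest()
    return {"mrenclave": mrenclave, "report_data": report_data, "sig": sig}


def enclave_start(enclave_code: bytes):
    """The loaded enclave picks an ephemeral DH secret and requests a quote
    whose REPORT_DATA binds its public value, so the verifier knows the key it
    later talks to lives inside *this* measured enclave."""
    priv = secrets.randbelow(P - 2) + 1
    pub = pow(G, priv, P)
    report_data = hashlib.sha256(pub.to_bytes(16, "big")).digest()
    return priv, pub, quoting_enclave_sign(measure(enclave_code), report_data)


def verify_quote(quote: dict, expected_mrenclave: bytes, enclave_pub: int) -> bool:
    """Verifier: signature valid, measurement is the expected one, and the DH
    public value we were handed is the one the enclave put in REPORT_DATA."""
    msg = quote["mrenclave"] + quote["report_data"]
    good_sig = hmac.new(QE_SIGNING_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(good_sig, quote["sig"]):
        return False                      # forged or tampered quote
    if not hmac.compare_digest(quote["mrenclave"], expected_mrenclave):
        return False                      # wrong (e.g. modified) enclave code
    bound = hashlib.sha256(enclave_pub.to_bytes(16, "big")).digest()
    return hmac.compare_digest(bound, quote["report_data"])


def bootstrap_channel(enclave_code: bytes, expected_code: bytes):
    """Client (e.g. an enterprise gateway) attests the middlebox enclave and,
    only on success, completes DH to a session key under which traffic or
    TLS session keys can be handed to the enclave.  Returns None on refusal."""
    priv_e, pub_e, quote = enclave_start(enclave_code)
    if not verify_quote(quote, measure(expected_code), pub_e):
        return None
    priv_c = secrets.randbelow(P - 2) + 1
    pub_c = pow(G, priv_c, P)
    shared_c = pow(pub_e, priv_c, P)      # client's view of the shared secret
    shared_e = pow(pub_c, priv_e, P)      # enclave's view; must agree
    assert shared_c == shared_e
    return hashlib.sha256(shared_c.to_bytes(16, "big")).digest()


if __name__ == "__main__":
    print("matching enclave attested:", bootstrap_channel(ENCLAVE_V7, ENCLAVE_V7) is not None)
    print("modified enclave attested:", bootstrap_channel(ENCLAVE_V8, ENCLAVE_V7) is not None)
```

The host that loads the enclave never sees `priv_e`, and a host that rewrites the quote's measurement field to the expected value fails the signature check, which is why the verifier can release decryption keys to the enclave but not to the untrusted application around it.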
Metrics/Comparison Points
Security ● Network data protection ● Network metadata protection? ● Protects NF vendor code?
Features ● Read encrypted packets? ● Processing inside enclave? ● Network function chaining? ● Stateful processing?
Usability ● Implementation? ● Performance ● Expressivity? ● Programmability?
Overview of Space ● Decrypt and Inspect: PRI, SGX-Box, mbTLS ● Secure Processing in Third Parties: Snort w/ SGX, S-NFV, Safebricks, LightBox, ShieldBox, Trusted Click ● Resource Efficiencies: EndBox
Lineage Diagram ● 2016: PRI [May 2016], S-NFV [Nov 2016] ● 2017: Trusted Click [March 2017], SGX-Box [Aug 2017], ShieldBox [Sept 2017], mbTLS [Dec 2017] ● 2018: EndBox [Feb 2018], Safebricks [April 2018], Snort w/ SGX [June 2018] ● 2019: LightBox [Nov 2019] ● Lineage relationships marked on the diagram: attestation for key sharing, packet decryption, Snort based, Click based, stateful framework
Category 1: Decrypt and Inspect
Decrypt and Inspect (the lineage diagram above, with this category highlighted)
Decrypt and Inspect (diagram: the middlebox's Enclave is remotely attested; Network I/O is handled by the Untrusted App outside it). SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module. PRI: Privacy Preserving Inspection of Encrypted Network Traffic
Multiple Middleboxes. mbTLS: And Then There Were More - Secure Communication for More Than Two Parties
Category 2: Secure Processing in the Cloud
Main Ideas ● Approaches are concerned with the problems of running NFs in the cloud ○ Need to protect confidentiality of traffic ○ Securely and efficiently read packets ○ Securely enable NF chaining ○ Protect NF vendor code ● Build on existing NF technologies ○ Click ○ Snort ○ NF-enclave specific approaches
Middleboxes in the Cloud (diagram: Enterprise, APLOMB, Cloud)
What is Click? ● Software framework for packet processing ● Elements implement router functions ● Click configurations are modular and easy to extend
Click Based Approaches (diagram: the middlebox runs its packet-processing pipeline inside an Enclave, with Network I/O in the untrusted part). Trusted Click: Overcoming Security Issues of NFV in the Cloud
What is Snort? ● Signature-based Intrusion Detection/Prevention system ● Real-time traffic analysis and packet logging ● Stateful (based on flows)
Snort Based Approaches (diagram: packets arrive from the NIC through the untrusted host side; Snort itself runs inside the Enclave on Graphene-SGX). Snort IDS with Intel Software Guard Extensions
Recent Approaches (diagram: an etap client on the gateway feeds an etap device inside the Enclave, which does stateful processing with in-enclave state management; Network I/O stays outside). LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Category 3: Resource Efficiency
Resource Efficiency ● Run SGX middleboxes on client machines ○ Connections go through the client-side SGX middlebox because it holds the VPN keys ■ Connections sent directly are refused ○ After the necessary processing, the SGX middlebox forwards traffic accordingly. https://www.ibr.cs.tu-bs.de/users/goltzsch/slides/endbox-dsn18.pdf EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution
Future Work
Future Directions ● Decentralized approach ○ Stateful processing ○ Least privilege to keep NFs "honest" ● Side channels ○ Existing work focuses on metadata protection, not on timing-related or other side channels