EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

Goltzsche, David; Rüsch, Signe; Nieke, Manuel; Vaucher, Sébastien; Weichbrodt, Nico; Schiavoni, Valerio; Aublin, Pierre-Louis; Cosa, Paolo; Fetzer, Christof; Felber, Pascal; Pietzuch, Peter; Kapitza, Rüdiger

doi:10.1109/dsn.2018.00048

Cited by 33 publications

(31 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work is also related to secure networked systems based on Intel SGX [27], [31], [36], [58], [67]. With the help of trusted hardware, these systems can securely process network traffic for a variety of network functions, e.g., IDS [27], [31], [36], [67], firewall [27], [31], [58], load balancer [31], [58], NAT [58], etc. We note that the above systems do not consider mitigating side-channel attacks against Intel SGX.…”

Section: Related Workmentioning

confidence: 99%

“…A practical alternative for securing network measurement services is to resort to hardware-assisted security, i.e., Intel SGX, a trusted execution environment. Due to its advantages on functionality and performance, SGX has recently been applied to develop a wide spectrum of secure networked applications and systems, e.g., IDS [27], [58], load balancer [31], [58], and firewall [27], [58]. At first glance, migrating existing implementation of network measurements into the SGX enclave would solve the problem.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

OblivSketch: Oblivious Network Measurement as a Cloud Service

Lai

Yuan

Liu

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Network function virtualisation enables versatile network functions as cloud services with reduced cost. Specifically, network measurement tasks such as heavy-hitter detection and flow distribution estimation serve many core network functions for improved performance and security of enterprise networks. However, deploying network measurement services in third-party multi-tenant cloud service providers raises critical privacy and security concerns. Recent studies demonstrate that leaking and abusing flow statistics can lead to severe network attacks such as DDoS, network topology manipulation and poisoning, etc. In this paper, we propose OblivSketch, an oblivious network measurement service using Intel SGX. It employs hardware enclave for secure network statistics generation and queries. The statistics are maintained in newly designed oblivious data structures inside the SGX enclave and queried by data-oblivious algorithms to prevent data leakage caused by access patterns to the memory of SGX. To demonstrate the practicality, we implement OblivSketch as a full-fledge service integrated with the off-the-shelf SDN framework. The evaluations demonstrate that OblivSketch consumes a constant and small memory space (6MB) to track a massive amount of flows (from 30k to 1.45m), and it takes no more than 15ms to respond six widely adopted measurement queries for a 5s-trace with 70k flows.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

OblivSketch: Oblivious Network Measurement as a Cloud Service

Lai

Yuan

Liu

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Specifically, SGX has been used to protect network functions, especially middle-boxes. For example, Endbox [17] aims to distribute middle-boxes to client edges: clients connect through VPN to ensure confidentiality of their traffic while remaining maintainable. LightBox [14] is another middle-box that runs in an enclave; its goal is to protect the client's traffic from the third-party middle-box service provider while maintaining adequate performance.…”

Section: Related Workmentioning

confidence: 99%

PDoT

Nakatsuka

Paverd

Tsudik

2019

Proceedings of the 35th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT ) architecture.PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver. CCS CONCEPTS• Security and privacy → Web protocol security; Hardwarebased security protocols; Network security; Privacy protections.

show abstract

“…With the advent of Intel's Software Guard Extensions (SGX) [14,28], the situation is about to change as this novel trusted execution technology enables confidentiality and integrity protection of code and data -even from privileged software and physical attacks. Accordingly, researchers from academia and industry alike recently published research works in rapid succession to secure applications in clouds [2,5,33], enable secure networking [9,11,34,39] and fortify local applications [22,23,35].…”

mentioning

confidence: 99%

sgx-perf

Weichbrodt

Aublin

Kapitza

2018

Proceedings of the 19th International Middleware Conference

Self Cite

View full text Add to dashboard Cite

Novel trusted execution technologies such as Intel's Software Guard Extensions (SGX) are considered a cure to many security risks in clouds. This is achieved by offering trusted execution contexts, so called enclaves, that enable confidentiality and integrity protection of code and data even from privileged software and physical attacks. To utilise this new abstraction, Intel offers a dedicated Software Development Kit (SDK). While it is already used to build numerous applications, understanding the performance implications of SGX and the offered programming support is still in its infancy. This inevitably leads to time-consuming trial-and-error testing and poses the risk of poor performance. To enable the development of well-performing SGX-based applications, this paper makes the following three contributions: First, it summarises identified performance critical factors of SGX. Second, it presents sgx-perf , a collection of tools for high-level dynamic performance analysis of SGX-based applications. In particular, sgx-perf performs not only fined-grained profiling of performance critical events in enclaves but also offers recommendations on how to improve enclave performance. Third, it demonstrates how we used sgx-perf in four non-trivial SGX workloads to increase their performance by up to 2.16x. CCS CONCEPTS • Software and its engineering → Software maintenance tools; • Security and privacy → Software security engineering;

show abstract

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

Cited by 33 publications

References 33 publications

OblivSketch: Oblivious Network Measurement as a Cloud Service

OblivSketch: Oblivious Network Measurement as a Cloud Service

PDoT

sgx-perf

Contact Info

Product

Resources

About