achieving keyless cdns with conclaves
play

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina - PowerPoint PPT Presentation

Oct 08, 2022 •232 likes •1.21k views

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin User Bank Content Delivery Networks host their customers websites customers origin server Content Delivery Networks host their customers websites

  1. Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin

  2. User Bank

  3. Content Delivery Networks host their customers’ websites customer’s origin server

  4. Content Delivery Networks host their customers’ websites CDN’s CDNs edge server customer’s origin server

  5. CDNs CDNs reduce page load times CDN’s edge server customer’s origin server

  6. CDNs CDNs reduce page load times CDN’s edge server customer’s origin server

  7. CDNs CDNs mitigate and block attacks CDN’s edge server customer’s origin server

  8. CDNs CDNs mitigate and block attacks CDN’s edge server customer’s origin server

  9. Customers share their keys with CDNs CDN’s edge server

  10. Customers share their keys with CDNs CDN’s edge server bank’s private key

  11. Key sharing is widespread Cangialosi et al., CCS 2016

  12. Key sharing is widespread 43% of the top 10k 
 most popular websites Fraction of Domains Hosted 1 on Third-party Providers At least one key shared All keys shared 0.8 0.6 0.4 0.2 0 0 200k 400k 600k 800k 1M Alexa Site Rank (bins of 10,000) Cangialosi et al., CCS 2016

  13. Key sharing is widespread 43% of the top 10k 
 most popular websites Fraction of Domains Hosted 1 on Third-party Providers At least one key shared All keys shared 0.8 0.6 0.4 0.2 0 0 200k 400k 600k 800k 1M Alexa Site Rank (bins of 10,000) Cangialosi et al., CCS 2016 The web has consolidated keys in the hands of a few CDNs

  14. Keyless SSL Introduced by Cloudflare to mitigate key sharing

  15. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin)

  16. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  17. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  18. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  19. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  20. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  21. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  22. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key The CDN learns all session keys

  23. Keyless SSL Introduced by Cloudflare to mitigate key sharing In practice: 
 CDN Private keys stay at the key server (origin) Key server performs actions requiring private key The CDN learns all session keys

  24. Can we Maintain privacy using Legacy applications on Third-party resources ?

  25. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications Third-party resources

  26. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources

  27. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  28. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  29. Phoenix Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  30. Trusted execution environments By default, assume all system components are untrusted Application Code Operating 
 Service System Hardware

  31. Trusted execution environments By default, assume all system components are untrusted Application Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks

  32. Trusted execution environments By default, assume all system components are untrusted Enclave: Isolated 
 application memory Application Enclave Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks

  33. Trusted execution environments By default, assume all system components are untrusted Enclave: Isolated 
 application memory Application Enclave Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks Model: Code and data can safely reside inside an enclave

  34. Practical limitations of TEEs Applications inside enclaves cannot make syscalls Application Enclave Code Syscalls Operating 
 Service System Untrusted Hardware

  35. libOSes Idea: Implement a small “OS” inside the enclave Enclave Operating 
 Service System Hardware

  36. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code libOS Service Operating 
 Service System Hardware

  37. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" libOS Service Operating 
 Service System Hardware

  38. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" Service locally 
 libOS Service when possible Operating 
 Service System Hardware

  39. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" Service locally 
 libOS Service when possible Syscalls Operating 
 Service System Hardware

  40. Graphene-SGX A libOS for Intel SGX that supports some services Tsai et al., ATC 2017

  41. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: fork exec pipes, signals, semaphores Tsai et al., ATC 2017

  42. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Web Application 
 Needs 
 plaintext Firewall Needs 
 Key Server safe 
 storage

  43. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Also critical to a CDN: Web Application 
 Reading & writing files Needs 
 plaintext Firewall Shared memory Access to private keys Needs 
 Key Server safe 
 storage

  44. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Web Application 
 Needs 
 plaintext Firewall Needs 
 Key Server safe 
 storage

  45. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Also critical to a CDN: Web Application 
 Reading & writing files Needs 
 plaintext Firewall Shared memory Access to private keys Needs 
 Key Server safe 
 storage

  46. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Web server Enclave Cache Cache Key Server Cache Web Application 
 Firewall Web Application 
 Firewall Web Application 
 Firewall Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

  47. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Web server Enclave Cache TLS Cache Key Server Cache Web Application 
 Firewall Web Application 
 Enclaves mutually 
 Firewall Web Application 
 authenticate via Firewall attested TLS Knauth et al., 2018 Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

  48. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Private key operation Web server Enclave Cache TLS Cache Key Server Cache Web Application 
 Firewall Web Application 
 Enclaves mutually 
 Firewall Web Application 
 authenticate via Firewall attested TLS Knauth et al., 2018 Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set

1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set

1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set up Only cost effective at massive scale Purchase from provider Expensive Requires prior knowledge of demand Existing Free CDNs 4

557 views • 21 slides
bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form

bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form

bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form Convenience bolt Degrees of Freedom bolt Degrees of Freedom bolt Keyless Unlocking > 5 ft < 5 ft bolt Keyless Unlocking > 5 ft

693 views • 30 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

627 views • 34 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

487 views • 37 slides
Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs

Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs

Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs About this talk 1. The problem with CDNs 2. How does a CDN work? About this talk 1. The problem with CDNs 2. How does a CDN work? 3. Static

1.32k views • 95 slides
Use Cases for ALTO within CDNs

Use Cases for ALTO within CDNs

Use Cases for ALTO within CDNs dra6-jenkins-alto-cdn-use-cases-01 Ben Niven-Jenkins Grant Watson, Nabil Bitar, Jan Medved, Stevano Previdi,

419 views • 5 slides
Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of Technology / Guardtime AS May 17, 2014 Estonian CS Theory days at Narva-J oesuu TL; DR Built a practical signature scheme without modular

585 views • 25 slides
Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Introduction Theory Results Conclusion Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009 Dick Visser and Jarno van de Moosdijk Car security: remote keyless entry and go Introduction

388 views • 24 slides
ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO KASPER, PIERRE PAVLIDES PRESENTED BY JACOB BEDNARD, WAYNE STATE UNIVERSITY CSC5991 MAJOR CONTRIBUTIONS VW Group

668 views • 40 slides
The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving

The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving

The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving More Together Operations Achieving More Together / Cyflawni Mwy Gydan Gilydd Y Dirprwy Weinidog dros y Gwasanaethau Cymdeithasol, Rhagfyr 2012

538 views • 14 slides
achieving better outcomes achieving better outcomes and some thoughts on wellbeing and

achieving better outcomes achieving better outcomes and some thoughts on wellbeing and

The role of science and modelling in achieving better outcomes achieving better outcomes and some thoughts on wellbeing and sustainability Professor Steve Hatfield-Dodds Presentation to ESCAP Study Tour, Canberra, 11 September 2013 CSIRO

224 views • 21 slides
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon, Boris Danev, Srdjan apkun Monday February 7, 2011 System Security Group 1 Modern Cars Evolution Increasing amount of electronics in cars

552 views • 24 slides
New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017

New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017

New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017 Falk von Bornstaedt, DTAG ICSS 1 LACK OF TRANSPARENCY IMPAIRS internet performance Clouds & Content Traffic Generators Operators Users

485 views • 11 slides
Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens,

Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens,

Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens, Tim Wauters, Filip De Turck, Bart Dhoedt and Piet Demeester IFIP/IEEE International Workshop onSelf-Managed Systems & Services (SELFMAN)

772 views • 18 slides
DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer

DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer

DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer Networking: A Top Down Approach, 6 th edition. J.F. Kurose and K.W. Ross Administrivia HW #1 is posted Mission: Learn to use network tools to gather

1.23k views • 59 slides
scrypt: A new key derivation function Doing our best to thwart TLAs armed with ASICs Colin

scrypt: A new key derivation function Doing our best to thwart TLAs armed with ASICs Colin

scrypt: A new key derivation function Doing our best to thwart TLAs armed with ASICs Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Colin Percival Tarsnap cperciva@tarsnap.com scrypt: A new key derivation function scrypt: A new key

507 views • 21 slides
Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its origins can be traced back to the 90s. But what is IKE and why should it run on NetBSD? BSDCan 2020 Andrew Cagney freenode.net #swan cagney

681 views • 40 slides
Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma

540 views • 17 slides
Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1

Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1

Faster WAN Volume Operations with DPF Andrew Deason June 2019 OpenAFS Workshop 2019 1 Background High latency slow Rx slow AFS 32 window 1389 packetsize / 10 msRTT = 4 . 24 MiB / s 255 window 1389 packetsize / 10

295 views • 11 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . . . . C x C x C x C C c obfuscation [ BGIRSVY01, H00, GR07, GGHRSW13 ] . . . . . . . . C x C x C x C C c obfuscation [

1.03k views • 92 slides
How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email:

How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email: sebastian.porst@zynamics.com Twitter: @LambdaCube 1 Targeted Attacks 2008 Adobe Acrobat Reader; 28.61% Microsoft Word; 34.55% Microsoft PowerPoint; 16.87%

944 views • 52 slides
Lecture 2 : Interactive Proofs in EasyCrypt July 16th, 2013 The Ambient Logic EasyCrypt ambient

Lecture 2 : Interactive Proofs in EasyCrypt July 16th, 2013 The Ambient Logic EasyCrypt ambient

Lecture 2 : Interactive Proofs in EasyCrypt July 16th, 2013 The Ambient Logic EasyCrypt ambient logic is a general higher-order logic. In this talk How define facts about user defined operators How to prove them when automatic techniques

1.08k views • 71 slides

More recommend