endbox scalable m iddlebox functions using client side
play

EndBox: Scalable M iddlebox Functions Using Client-Side Trusted - PowerPoint PPT Presentation

May 20, 2023 •164 likes •630 views

Institute of Operating Systems and Computer Networks EndBox: Scalable M iddlebox Functions Using Client-Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rsch, 1 Manuel Nieke, 1 Sbastien Vaucher, 2 Nico Weichbrodt, 1

  1. Institute of Operating Systems and Computer Networks EndBox: Scalable M iddlebox Functions Using Client-Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rüsch, 1 Manuel Nieke, 1 Sébastien Vaucher, 2 Nico Weichbrodt, 1 Valerio Schiavoni, 2 Pierre-Louis Aublin, 3 Paolo Costa, 4 Christof Fetzer, 5 Pascal Felber, 2 Peter Pietzuch 3 and Rüdiger Kapitza 1 1 TU Braunschweig goltzsche@ibr.cs.tu-bs.de @d_goltzsche 2 University of Neuchâtel 3 Imperial College London 4 Microsoft Research 5 TU Dresden

  2. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion What Are M iddleboxes? Middleboxes are essential parts of large networks Example: enterprise networks Server Server Server Functions related to security or performance Middlebox Enterprise Current best practice: Network Gateway central deployment as physical boxes Client Client Client High infrastructure and management costs (Sherry et al. SIGCOMM’12) Scalability issues with growing client numbers 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 2 Institute of Operating Systems and Computer Networks

  3. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion What Are M iddleboxes? Middleboxes are essential parts of large networks Example: enterprise networks Server Server Server Functions related to security or performance Middlebox Enterprise Current best practice: Network Gateway central deployment as physical boxes Client Client Client High infrastructure and management costs (Sherry et al. SIGCOMM’12) Scalability issues with growing client numbers Problem: Middleboxes are necessary for large networks, but come at high costs and do not scale well with number of clients. 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 2 Institute of Operating Systems and Computer Networks

  4. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost Network Gateway Client Cloud Middle Low latency Client box Good scalability Client Client Client Client Trusted infrastructure (a) Centralised (b) Cloud-based Easy administration Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway Client Client Client Middle Middle Middle Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  5. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost ✗ Network Gateway Client Cloud Middle Low latency ✔ Client box Good scalability Client Client Client ✗ Client Trusted infrastructure ✔ (a) Centralised (b) Cloud-based Easy administration ✔ Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway Client Client Client Middle Middle Middle Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  6. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost ✗ ✔ Network Gateway Client Cloud Middle Low latency ✔ ✗ Client box Good scalability Client Client Client ✗ ✔ Client Trusted infrastructure ✔ ✗ (a) Centralised (b) Cloud-based Easy administration ✔ ✔ Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway Client Client Client Middle Middle Middle Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  7. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost ✗ ✔ ✔ Network Gateway Client Cloud Middle Low latency ✔ ✗ ✔ Client box Good scalability ✗ ✔ ✗ Client Client Client Client Trusted infrastructure ✔ ✗ ✔ (a) Centralised (b) Cloud-based Easy administration ✔ ✔ ✗ Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway Client Client Client Middle Middle Middle Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  8. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost ✗ ✔ ✔ ✔ Network Gateway Client Cloud Middle Low latency ✔ ✗ ✔ ✔ Client box Good scalability ✗ ✔ ✗ ✔ Client Client Client Client Trusted infrastructure ✔ ✗ ✔ ✗ (a) Centralised (b) Cloud-based Easy administration ✔ ✔ ✗ ✗ Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway Client Client Client Middle Middle Middle Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  9. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion P lacement of Middleboxes Server Server Server Server Server Server (a) (b) (c) (d) Middlebox Enterprise Network Gateway Enterprise Low infra. cost ✗ ✔ ✔ ✔ Network Gateway Client Cloud Middle Low latency ✔ ✗ ✔ ✔ Client box Good scalability Client Client Client ✗ ✔ ✗ ✔ Client Trusted infrastructure ✔ ✗ ✔ ✔ (a) Centralised (b) Cloud-based Easy administration ✔ ✔ ✗ ✔ ✔ with EndBox Server Server Server Server Server Server Middle Middle Middle box box box Enterprise Network Gateway Enterprise Network Gateway EndBox targets enterprise networks and Client Client Client Middle Middle Middle places middleboxes on untrusted clients . Client Client Client box box box (c) Server-side (d) Client-side 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 3 Institute of Operating Systems and Computer Networks

  10. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion Outline Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 4 Institute of Operating Systems and Computer Networks

  11. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion Approach of EndBox Enterprise Client machine Network Applications configures Admin FW/GW EndBox Client EndBox Server TEE Untrusted clients can manipulate or circumvent traffic analysis Client traffic routed through trusted execution environments (TEEs) Inside TEE, packets are processed, signed and encrypted Unsigned outgoing traffic dropped by firewall/gateway (FW/GW) Encrypted incoming traffic cannot be encrypted outside of TEE 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 5 Institute of Operating Systems and Computer Networks

  12. Introduction to Middleboxes Design of EndBox Evaluation of EndBox Related Work Conclusion Approach of EndBox Enterprise Client machine Apps Network EndBox Applications configures Client Admin FW/GW TEE EndBox Client EndBox Server TEE Untrusted clients can manipulate or circumvent traffic analysis Client traffic routed through trusted execution environments (TEEs) Inside TEE, packets are processed, signed and encrypted Unsigned outgoing traffic dropped by firewall/gateway (FW/GW) Encrypted incoming traffic cannot be encrypted outside of TEE 2018-06-27 D. Goltzsche, TU Braunschweig, Germany DSN’18: EndBox Page 5 Institute of Operating Systems and Computer Networks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Right hemisphere Motor functions on left side of body Perceives left side of space Left

Right hemisphere Motor functions on left side of body Perceives left side of space Left

Week 6 Lab: Hemispheric Functions - Contralateral processing Back to Index Right hemisphere Motor functions on left side of body Perceives left side of space Left hemisphere Motor functions on right side of body Perceives right side of space

276 views • 13 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Content Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt 3. Server Side Programming Universitt Karlsruhe Fakultt fr Informatik Institut fr Telematik Wintersemester

395 views • 17 slides
Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Content Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt 3. Server Side Programming Universitt Karlsruhe Fakultt fr Informatik Institut fr Telematik Wintersemester

532 views • 14 slides
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko , Sergei Arnautov , Bohdan Trach , Pramod Bhatotia * , Pascal Felber , Christof Fetzer TU Dresden, * The University of Edinburgh,

1.51k views • 87 slides
SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor,

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor,

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth , and A. Martin, Technische Universitt Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College

820 views • 52 slides
Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor, Pramod Bhatotia, Christof Fetzer ACM SYSTOR 2019 FaaS Paradigm of Cloud Computing Function Runtime Guest OS Function Hypervisor Host OS FaaS

1.34k views • 98 slides
Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel

Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel

Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel Brendel Kevin Londeen, CPA CONTACT INFORMATION Myers and Stauffer 700 W. 47 th Street, Suite 1100 Kansas City, MO 64112 PH: (800) 374-6858 Email:

1.17k views • 91 slides
E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20

E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20

E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20 Imperial College London Plan Why do we need another framework? The framework Fundamentals Messaging System Components Benchmark Examples

527 views • 38 slides
Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING

Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING

Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING (MAID) Dr. Kim Wiebe WRHA & CAMAP CSIM Annual Meeting 2018 The following presentation represents the views of the speaker at the time of the

397 views • 28 slides
Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1

Position Paper: Challenges Towards Securing Hardware-assisted Execution Environments Zhenyu Ning 1 Fengwei Zhang 1 Weisong Shi 1 Larry Shi 2 1 Wayne State University 2 University of Houston November 21, 2019 1 Overview of The Talk Motivation

575 views • 24 slides
Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation data security:

423 views • 31 slides

More recommend