Middlebox Technologies with Intel SGX A Literature Survey Shiv - - PowerPoint PPT Presentation



SLIDE 1

Middlebox Technologies with Intel SGX

A Literature Survey

Shiv Kushwah & Sumukh Shivakumar

SLIDE 2

What’s all the fuss with middleboxes?

SLIDE 3

Background

SLIDE 4

What are middleboxes?

SLIDE 5

Middleboxes in the Cloud

Diagram: enterprise traffic passes through an APLOMB gateway to middleboxes hosted in the cloud.

APLOMB: Making Middleboxes Someone Else’s Problem - Network Processing as a Cloud Service

SLIDE 6

Problems with current Middlebox approaches

SLIDE 7

Alternatives

“Break and Inspect”

SLIDE 8

Alternatives

Homomorphic-Based

SLIDE 9

What are Enclaves?

Diagram: the Intel SGX enclave holds the trusted app code; the untrusted app code and the untrusted OS (syscalls, network calls) stay outside it. An ECALL enters the enclave, an OCALL calls out of it.

Issues
  • Memory Constrained
  • No Network Calls
  • No Trusted Clock

SLIDE 10

What are Enclaves?

Diagram: an enclave on a host runs “Int x = 7; …”; for remote attestation, the Quoting Enclave produces a quote that the remote party compares against the expected measurement.

SLIDE 11

What are Enclaves?

Diagram: the same flow, now with the enclave running “Int x = 8; …”; the quote is again compared against the expected measurement.

SLIDE 12

How can SGX help Middleboxes?

  • SGX provides confidentiality and integrity
  • Remotely attest SGX-enabled middleboxes
    ○ Enforce correct and secure program behavior
    ○ Bootstrap secure channel of communication
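The attestation flow on slides 10 to 12 (a quote over the enclave measurement, compared against an expected value, then used to bootstrap a secure channel) as a runnable model. This is an added example written for this survey page, not code from Intel or from any of the surveyed systems: the Quoting Enclave's signing key is replaced by a constructed HMAC key, MRENCLAVE by a SHA-256 over the enclave "binary", and the channel by a toy Diffie-Hellman group; the builds `HONEST_BUILD` and `ALTERED_BUILD` stand in for the slides' x = 7 and x = 8 cases. All names and values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the Quoting Enclave's attestation key. Real SGX uses
# an Intel-provisioned EPID/ECDSA key that only the Quoting Enclave can use;
# a shared HMAC key keeps this model offline and dependency-free.
QE_KEY = b"constructed-quoting-enclave-key"

# Toy Diffie-Hellman group (2^127 - 1 is prime), chosen so the example runs
# instantly; a real channel would use a standard group or ECDH.
P = 2**127 - 1
G = 3


def measure(enclave_code: bytes) -> bytes:
    """Stand-in for MRENCLAVE: a hash over the enclave's initial code and data.
    Any change to the build (the slides' x = 7 vs x = 8) changes this value."""
    return hashlib.sha256(enclave_code).digest()


def quote(enclave_code: bytes, report_data: bytes) -> dict:
    """Quoting Enclave: bind (measurement || 64 bytes of report data) under the
    platform key. report_data is what lets an enclave attest a key of its own."""
    mr = measure(enclave_code)
    rd = report_data.ljust(64, b"\0")[:64]
    sig = hmac.new(QE_KEY, mr + rd, hashlib.sha256).digest()
    return {"mrenclave": mr, "report_data": rd, "sig": sig}


def verify_quote(q: dict, expected_mrenclave: bytes) -> bool:
    """Remote verifier: the quote must be genuine AND the measurement must equal
    the one expected for the audited middlebox build."""
    want = hmac.new(QE_KEY, q["mrenclave"] + q["report_data"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, q["sig"]):
        return False
    return hmac.compare_digest(q["mrenclave"], expected_mrenclave)


def derive_key(shared: int) -> bytes:
    """Channel key from the DH shared secret (the label separates it from other uses)."""
    return hashlib.sha256(b"mb-channel|" + shared.to_bytes(16, "big")).digest()


def enclave_bootstrap(enclave_code: bytes):
    """Inside the enclave: pick an ephemeral DH secret and attest hash(pub) as
    report_data, so the key exchange is bound to this specific attested code."""
    secret = secrets.randbelow(P - 2) + 2
    pub = pow(G, secret, P)
    q = quote(enclave_code, hashlib.sha256(pub.to_bytes(16, "big")).digest())
    return secret, pub, q


def client_bootstrap(enclave_pub: int, q: dict, expected_mrenclave: bytes):
    """Client/verifier side: attest first, then exchange keys. Returns
    (client_pub, key), or None if attestation fails or the DH value offered
    is not the one the enclave attested (e.g. the untrusted host replaced it)."""
    if not verify_quote(q, expected_mrenclave):
        return None
    bound = hashlib.sha256(enclave_pub.to_bytes(16, "big")).digest()
    if not hmac.compare_digest(q["report_data"][:32], bound):
        return None
    secret = secrets.randbelow(P - 2) + 2
    return pow(G, secret, P), derive_key(pow(enclave_pub, secret, P))


def enclave_finish(enclave_secret: int, client_pub: int) -> bytes:
    """Inside the enclave: derive the same channel key from the client's value."""
    return derive_key(pow(client_pub, enclave_secret, P))


def run_handshake(deployed_code: bytes, expected_code: bytes):
    """End to end. Returns (client_key, enclave_key), or None when the client
    refuses because the deployed middlebox does not match the expected build."""
    e_secret, e_pub, q = enclave_bootstrap(deployed_code)
    result = client_bootstrap(e_pub, q, measure(expected_code))
    if result is None:
        return None
    client_pub, client_key = result
    return client_key, enclave_finish(e_secret, client_pub)


# Constructed "enclave binaries": the slides' expected build (x = 7) and an
# altered one (x = 8).
HONEST_BUILD = b"middlebox-enclave: int x = 7;"
ALTERED_BUILD = b"middlebox-enclave: int x = 8;"

if __name__ == "__main__":
    keys = run_handshake(HONEST_BUILD, HONEST_BUILD)
    print("expected build: channel keys agree ->", keys[0] == keys[1])
    print("altered build:  handshake result   ->", run_handshake(ALTERED_BUILD, HONEST_BUILD))
```

The order matters: the client checks the quote before it derives any key, and the DH value is carried inside the attested report data, so an untrusted host relaying the messages cannot substitute its own value without failing the check. Both the "enforce correct program behavior" and "bootstrap secure channel" bullets fall out of that one binding.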

SLIDE 13

SGX Solutions for Middleboxes

  • Decrypting and Inspecting packets safely
  • Processing and Saving information safely
  • Resource efficiency

SLIDE 14

Evaluation Metrics

SLIDE 15

Metrics/Comparison Points

Security
  • Network data protection
  • Processing inside enclave?
  • Network metadata protection?
  • Protects NF Vendor code?

Features
  • Read encrypted packets?
  • Network function chaining?
  • Stateful processing?

Usability
  • Implementation?
  • Performance
  • Expressivity?
  • Programmability?

SLIDE 19

Overview of Space

Categories: Decrypt and Inspect; Secure Processing in Third Parties; Resource Efficiencies

Systems surveyed: PRI, SGX-Box, mbTLS, S-NFV, Safebricks, ShieldBox, Snort w/ SGX, LightBox, Trusted Click, EndBox

SLIDE 20

Lineage Diagram

Timeline (2016 to 2019):
  • PRI [May 2016]
  • S-NFV [Nov 2016]
  • Trusted Click [March 2017]
  • SGX-Box [Aug 2017]
  • ShieldBox [Sept 2017]
  • mbTLS [Dec 2017]
  • Snort w/ SGX [Feb 2018]
  • Safebricks [April 2018]
  • EndBox [June 2018]
  • LightBox [Nov 2019]

Edge labels in the diagram: attestation for key sharing; Snort based; Click based; framework; stateful; attestation for key sharing; Click based; packet decryption

SLIDE 21

Category 1: Decrypt and Inspect

SLIDE 22

Decrypt and Inspect

SLIDE 23

Decrypt and Inspect

Diagram: an untrusted app on the middlebox handles network I/O; inspection runs inside the enclave middlebox, which is remotely attested.

SGX-BOX: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module
PRI: Privacy Preserving Inspection of Encrypted Network Traffic
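The trust split on this slide (untrusted app doing network I/O, decryption and inspection inside the enclave) as an added example; it is not code from SGX-Box or PRI. The cipher is a constructed HMAC keystream standing in for the TLS record layer, the session key is assumed to have been provisioned to the enclave after attestation, and `InspectionEnclave`, `UntrustedHost`, the rule names and the sample records are all hypothetical. It goes one step beyond the slide by keeping a per-flow match counter inside the enclave, the "stateful processing" comparison point from slide 15.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the record cipher: an HMAC-derived keystream
    XORed over the data (symmetric, so it both encrypts and decrypts). A real
    deployment uses the TLS record AEAD; what matters here is only *where*
    decryption happens, not the cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class InspectionEnclave:
    """Trusted side (hypothetical). The session key, the rules and per-flow state
    live here; the host reaches it only through the ECALL-style methods and
    never receives plaintext, only a verdict."""

    def __init__(self, session_key: bytes, rules: dict):
        self._key = session_key
        self._rules = rules          # rule name -> byte pattern to match
        self._flow_hits = {}         # flow id -> number of matches (stateful)

    def ecall_inspect(self, flow_id: str, nonce: bytes, ciphertext: bytes) -> str:
        plaintext = keystream_xor(self._key, nonce, ciphertext)
        for name, pattern in self._rules.items():
            if pattern in plaintext:
                self._flow_hits[flow_id] = self._flow_hits.get(flow_id, 0) + 1
                return "drop:" + name
        return "forward"

    def ecall_flow_hits(self, flow_id: str) -> int:
        return self._flow_hits.get(flow_id, 0)


class UntrustedHost:
    """Untrusted side (hypothetical): owns network I/O and the forwarding path,
    but only ever handles ciphertext and the enclave's verdict."""

    def __init__(self, enclave: InspectionEnclave):
        self.enclave = enclave
        self.forwarded = []
        self.dropped = []

    def on_packet(self, flow_id: str, nonce: bytes, ciphertext: bytes) -> str:
        verdict = self.enclave.ecall_inspect(flow_id, nonce, ciphertext)
        (self.forwarded if verdict == "forward" else self.dropped).append((flow_id, verdict))
        return verdict


# Constructed inputs: a session key (in a real system provisioned to the enclave
# after attestation) and two harmless signature rules.
SESSION_KEY = b"constructed-session-key-shared-with-attested-enclave"
RULES = {
    "blocked-host": b"Host: blocked.example",
    "test-marker": b"X-Test-Signature: constructed",
}


def demo():
    """Run three constructed records through the host/enclave split and return
    (verdicts, hits on flow A, hits on flow B)."""
    enclave = InspectionEnclave(SESSION_KEY, RULES)
    host = UntrustedHost(enclave)
    records = [
        ("flowA", b"nonce-1", b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"),
        ("flowA", b"nonce-2", b"GET /login HTTP/1.1\r\nHost: blocked.example\r\n"),
        ("flowB", b"nonce-3", b"GET / HTTP/1.1\r\nX-Test-Signature: constructed\r\n"),
    ]
    # The host sees only ciphertext; encrypting here stands in for the client's TLS stack.
    verdicts = [host.on_packet(f, n, keystream_xor(SESSION_KEY, n, p)) for f, n, p in records]
    return verdicts, enclave.ecall_flow_hits("flowA"), enclave.ecall_flow_hits("flowB")


if __name__ == "__main__":
    print(demo())
```

The point to check against the slide 15 metrics is what crosses the ECALL boundary: ciphertext goes in, a short verdict comes out, and the plaintext, key and flow state never reach `UntrustedHost`. Metadata (flow ids, packet sizes, timing) still does, which is exactly the gap the "network metadata protection?" criterion asks about.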

SLIDE 24

Multiple Middleboxes

mbTLS: And Then There Were More - Secure Communication for More Than Two Parties

SLIDE 25

Category 2: Secure Processing in the Cloud

SLIDE 26

Lineage Diagram

SLIDE 27

Main Ideas

  • Approaches are concerned with problems of running NFs on cloud
    ○ Need to protect confidentiality of traffic
    ○ Securely and efficiently read packets
    ○ Securely enable NF chaining
    ○ Protect NF vendor code
  • Build on existing NF technologies
    ○ Click
    ○ Snort
    ○ NF-enclave specific approaches

SLIDE 28

Middleboxes in the Cloud

Diagram: APLOMB between the enterprise and the cloud.

SLIDE 29

What is Click?

  • Software framework for packet processing
  • Elements implement router functions
  • Click configurations are modular and easy to extend

SLIDE 30

Click Based Approaches

Diagram: the middlebox host and its network I/O stay untrusted; the processing is split across multiple enclaves.

Trusted Click: Overcoming Security issues of NFV in the Cloud

SLIDE 31

What is Snort?

  • Signature-based Intrusion Detection/Prevention system
  • Real time traffic analysis and packet logging
  • Stateful (based on flows)

SLIDE 32

Snort Based Approaches

Diagram: the middlebox host and the NIC are untrusted; Snort runs inside the enclave on top of Graphene-SGX.

Snort IDS with Intel Software Guard Extensions

SLIDE 33

Recent Approaches

Diagram: a gateway with an etap client sends traffic to the enclave middlebox; inside the enclave, etap handles network I/O, and stateful processing and state management run alongside it.

LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

SLIDE 34

Category 3: Resource Efficiency

SLIDE 35

Resource Efficiency

  • Run SGX middleboxes on client machines
    ○ Connections go through client SGX middleboxes because of VPN keys
      ■ Connections sent directly are refused
    ○ After necessary processing, the SGX middlebox forwards traffic accordingly

https://www.ibr.cs.tu-bs.de/users/goltzsch/slides/endbox-dsn18.pdf

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

SLIDE 36

Future Work

SLIDE 37

Future Directions

  • Decentralized Approach
    ○ Stateful processing
    ○ Least Privilege to keep NFs “honest”
  • Side Channels
    ○ Existing work focuses on metadata protection, not on timing related or other side channels