middlebox technologies with intel sgx
play

Middlebox Technologies with Intel SGX A Literature Survey Shiv - PowerPoint PPT Presentation

Aug 24, 2022 •283 likes •668 views

Middlebox Technologies with Intel SGX A Literature Survey Shiv Kushwah & Sumukh Shivakumar 1 Whats all the fuss with middleboxes? 2 Background 3 What are middleboxes? 4 Middleboxes in the Cloud Cloud APLOMB gateway Enterprise

  1. Middlebox Technologies with Intel SGX A Literature Survey Shiv Kushwah & Sumukh Shivakumar 1

  2. What’s all the fuss with middleboxes? 2

  3. Background 3

  4. What are middleboxes? 4

  5. Middleboxes in the Cloud Cloud APLOMB gateway Enterprise APLOMB: Making Middleboxes Someone Else’s Problem - Network Processing as a Cloud 5 Service

  6. Problems with current Middlebox approaches 6

  7. Alternatives “Break and Inspect” 7

  8. Alternatives Homomorphic-Based 8

  9. What are Enclaves? Issues Untrusted App Code ● Memory Constrained Intel SGX Enclave No Network Calls ● Trusted App Code OCALL Syscalls, ● No Trusted Clock Network Calls ECALL Untrusted OS

  10. What are Enclaves? Host Expected Enclave Int x = 7; … Quoting Enclave Remote Attestation

  11. What are Enclaves? Host Expected Enclave Int x = 8; … Quoting Enclave Remote Attestation

  12. How can SGX help Middleboxes? ● SGX provides confidentiality and integrity ● Remotely attest SGX-enabled middleboxes ○ Enforce correct and secure program behavior ○ Bootstrap secure channel of communication 12

  13. SGX Solutions for Middleboxes Decrypting and Inspecting packets safely ● Processing and Saving information safely ● Resource efficiency ● 13

  14. Evaluation Metrics 14

  15. Metrics/Comparison Points Security Features Usability ● Network data protection ● Read encrypted packets? ● Implementation? ● Performance ● Processing inside ● Network function enclave? chaining ? ● Expressivity? ● Programmability? ● Network metadata ● Stateful processing? protection? ● Protects NF Vendor code? 15

  16. Metrics/Comparison Points Security Features Usability ● Network data protection ● Read encrypted packets? ● Implementation? ● Performance ● Processing inside ● Network function enclave? chaining ? ● Expressivity? ● Programmability? ● Network metadata ● Stateful processing? protection? ● Protects NF Vendor code? 16

  17. Metrics/Comparison Points Security Features Usability ● Network data protection ● Read encrypted packets? ● Implementation? ● Performance ● Processing inside ● Network function enclave? chaining ? ● Expressivity? ● Programmability? ● Network metadata ● Stateful processing? protection? ● Protects NF Vendor code? 17

  18. Metrics/Comparison Points Security Features Usability ● Network data protection ● Read encrypted packets? ● Implementation? ● Performance ● Processing inside ● Network function enclave? chaining ? ● Expressivity? ● Programmability? ● Network metadata ● Stateful processing? protection? ● Protects NF Vendor code? 18

  19. Overview of Space Resource Decrypt and Inspect Secure Processing in Third Parties Efficiencies PRI Snort w/ SGX S-NFV SGX-Box Safebricks LightBox EndBox mbTLS ShieldBox Trusted Click 19

  20. Lineage Diagram 2016 PRI [May 2016] S-NFV [Nov 2016] 2017 Attestation for Snort key sharing based Trusted Click [March 2017] SGX-Box [Aug 2017] Attestation for Packet Click key sharing decryption Based ShieldBox [Sept 2017] mbTLS Click 2018 [Dec 2017] Based Snort w/ SGX EndBox [Feb 2018] [June 2018] Stateful Framework Safebricks [April 2018] 2019 LightBox [Nov 2019] 20

  21. Category 1: Decrypt and Inspect 21

  22. Decrypt and Inspect 2016 PRI [May 2016] S-NFV [Nov 2016] 2017 Attestation for Snort key sharing based Trusted Click [March 2017] SGX-Box [Aug 2017] Attestation for Packet Click key sharing decryption Based ShieldBox [Sept 2017] mbTLS Click 2018 [Dec 2017] Based Snort w/ SGX EndBox [Feb 2018] [June 2018] Stateful Framework Safebricks [April 2018] 2019 LightBox [Nov 2019] 22

  23. Decrypt and Inspect Remote Attestation Middlebox Enclave Network I/O Untrusted App SGX-BOX: Enabling PRI: Privacy Preserving Visibility on Encrypted Inspection Inspection of Traffic using a Secure Encrypted Network Middlebox Module Traffic 23

  24. Multiple Middleboxes mbTLS : And Then There Were More - Secure Communication for More Than Two Parties 24

  25. Category 2: Secure Processing in the Cloud 25

  26. Lineage Diagram 2016 PRI [May 2016] S-NFV [Nov 2016] 2017 Attestation for Snort key sharing based Trusted Click [March 2017] SGX-Box [Aug 2017] Attestation for Packet Click key sharing decryption Based ShieldBox [Sept 2017] mbTLS Click 2018 [Dec 2017] Based Snort w/ SGX EndBox [Feb 2018] [June 2018] Stateful Framework Safebricks [April 2018] 2019 LightBox [Nov 2019] 26

  27. Main Ideas ● Approaches are concerned with problems of running NFs on cloud Need to protect confidentiality of traffic ○ ○ Securely and efficiently read packets ○ Securely enable NF chaining ○ Protect NF vendor code ● Build on existing NF technologies ○ Click ○ Snort NF-enclave specific approaches ○ 27

  28. Middleboxes in the Cloud Cloud APLOMB Enterprise 28

  29. What is Click? ● Software framework for packet processing ● Elements implement router functions ● Click configurations are modular and easy to extend 29

  30. Click Based Approaches Middlebox Enclave Network I/O Enclave Untrusted Enclave 30 Trusted Click: Overcoming Security issues of NFV in the Cloud

  31. What is Snort? ● Signature-based Intrusion Detection/Prevention system ● Real time traffic analysis and packet logging ● Stateful (based on flows) 31

  32. Snort Based Approaches Middlebox Enclave NIC Untrusted Snort Graphene-SGX Snort IDS with Intel Software Guard Extensions 32

  33. Recent Approaches Middlebox Enclave etap Network etap client I/O Stateful Processing Gateway State management 33 LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

  34. Category 3: Resource Efficiency 34

  35. Resource Efficiency Run SGX middleboxes on client machines ● ○ Connections go through client SGX middleboxes because of VPN keys Connections sent directly are refused ■ ○ After, necessary processing, SGX middlebox forwards traffic accordingly https://www.ibr.cs.tu-bs.de/users/goltz sch/slides/endbox-dsn18.pdf EndBox : Scalable Middlebox Functions Using Client-Side Trusted Execution 35

  36. Future Work 36

  37. Future Directions ● Decentralized Approach ○ Stateful processing ○ Least Privilege to keep NFs “honest” ● Side Channels ○ Existing work focuses on metadata protection, not on timing related or other side channels 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox Discovery ID Summary and Status Discussion of Middlebox Needs Other Common Middlebox Issues of Potential Interest to IETF References ID

474 views • 12 slides
A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert

A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert

A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert Beverly (NPS) Mark Allman (ICSI) Support from: ACM SIGCOMM 19 Aug 2014 1 TCPs knowledge of end -to-end path conditions a priori ??? ???

557 views • 38 slides
On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

581 views • 46 slides
Niko Neufeld, CERN/PH-Department niko.neufeld@cern.ch Apply upcoming Intel technologies in an

Niko Neufeld, CERN/PH-Department niko.neufeld@cern.ch Apply upcoming Intel technologies in an

Niko Neufeld, CERN/PH-Department niko.neufeld@cern.ch Apply upcoming Intel technologies in an Online / Trigger & DAQ context Application domains: L1-trigger, data acquisition and event-building, accelerator-assisted processing for

576 views • 18 slides
Optimizing i965 for the Future Kenneth Graunke Intel Visual Technologies Team & The Mesa

Optimizing i965 for the Future Kenneth Graunke Intel Visual Technologies Team & The Mesa

Optimizing i965 for the Future Kenneth Graunke Intel Visual Technologies Team & The Mesa Community Driver CPU Overhead Graphics is always trying to push the limits Time spent by the driver is time wasted for the app In the

687 views • 37 slides
Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel Intel had a 99.2 percent market share in server chips (IDC, 2015 Quoted on InfoWorld) We started experimenting with SoCs two

838 views • 47 slides
fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel

fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel

fundamental technologies to work on for cloud-native networking Magnus Karlsson, Intel Cloud-Native Network Functions My View Many small network functions App App App App Runs in containers / processes Routing / Switching

207 views • 16 slides
Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science

Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science

Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science Department California State University Dominguez Hills Some slides are from www.cs.berkeley.edu/~randy/Courses/CS268.F08/lectures/22-

867 views • 30 slides
Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang Chen en, Jie Wu, and Bo Ji Center for Networked Computing Temple University, USA VNF: Evolution of Network Service l Network Function Virtualization

315 views • 19 slides
LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI

LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI

LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI DEPARTMENT OF COMPUTER SCIENCE CALIFORNIA STATE UNIVERSITY DOMINGUEZ HILLS 1 INTRODUCTION - Middleboxes network appliances or network functions

489 views • 25 slides
Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network functionality can be really helpful Security (IPS) Performance (proxies) Fairness (traffic management) 2 Middleboxes are pervasive

617 views • 37 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
fling: A Flexible Ping for Middlebox Measurements Ahmed Elmokashfi, Runa Barik, Michael Welzel,

fling: A Flexible Ping for Middlebox Measurements Ahmed Elmokashfi, Runa Barik, Michael Welzel,

fling: A Flexible Ping for Middlebox Measurements Ahmed Elmokashfi, Runa Barik, Michael Welzel, Thomas Dreibholz, Stein Gjessing AIMs 2018 March 14 th 2018 Metropolitan Center for Digital Engineering Motivation Lack of a generic tool that

538 views • 19 slides
BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are today Technology World leaders in Advance Processing Technologies for small fruits and vegetables. R&D Strong focus on research

383 views • 17 slides
Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @

Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @

Intel IT OpenStack Practice Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @ Intel Information Technology Intel Confidential Do Not Forward Agenda About Me Intel IT with OpenStack

405 views • 39 slides
Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda

Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda

Causes of Performance Swings Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda The purpose of this presentation Intel Architecture FE 101 Lets look at some example So can we do

289 views • 24 slides
Parametric completeness for separation theories (via hybrid logic) James Brotherston University

Parametric completeness for separation theories (via hybrid logic) James Brotherston University

Parametric completeness for separation theories (via hybrid logic) James Brotherston University College London New York University, 11 December 2014 Joint work with Jules Villard 1/ 26 Part I Introduction, motivation and background 2/ 26

1.39k views • 118 slides
(LMCS, p. 317) V.1 FirstOrder Logic This is the most powerful, most expressive logic that we

(LMCS, p. 317) V.1 FirstOrder Logic This is the most powerful, most expressive logic that we

(LMCS, p. 317) V.1 FirstOrder Logic This is the most powerful, most expressive logic that we will examine. Our version of first-order logic will use the following symbols: variables connectives ( , , , , )

1.09k views • 97 slides
On the Number of Linear Regions of Convolutional Neural Networks (joint with L. Huang, M. Yu, L.

On the Number of Linear Regions of Convolutional Neural Networks (joint with L. Huang, M. Yu, L.

On the Number of Linear Regions of Convolutional Neural Networks (joint with L. Huang, M. Yu, L. Liu, F . Zhu and L. Shao) Huan Xiong Mohamed bin Zayed University of Artificial Intelligence (MBZUAI) ICML 2020 Huan Xiong Number of Linear

662 views • 10 slides
Statistical mechanics of deep learning Surya Ganguli Dept. of Applied Physics, Neurobiology,

Statistical mechanics of deep learning Surya Ganguli Dept. of Applied Physics, Neurobiology,

Statistical mechanics of deep learning Surya Ganguli Dept. of Applied Physics, Neurobiology, and Electrical Engineering Stanford University NIH NIH Funding: Bio-X Neuroventures Bio-X Neuroventures Burroughs Burroughs Wellcome

3.2k views • 35 slides
A Type-coherent, Expressive Representation as an Initial Step to Language Understanding Gene

A Type-coherent, Expressive Representation as an Initial Step to Language Understanding Gene

A Type-coherent, Expressive Representation as an Initial Step to Language Understanding Gene Louis Kim and Lenhart Schubert Presented by: Gene Louis Kim May 2019 Introduction Unscoped {Episodic} Logical Form (ULF) An underspecified

1.31k views • 55 slides
Linear Classifiers: Expressiveness Machine Learning 1 Lecture outline Linear models:

Linear Classifiers: Expressiveness Machine Learning 1 Lecture outline Linear models:

Linear Classifiers: Expressiveness Machine Learning 1 Lecture outline Linear models: Introduction What functions do linear classifiers express? 2 Where are we? Linear models: Introduction What functions do linear classifiers

459 views • 27 slides
Gaussian Process Behaviour in Wide Deep Neural Networks Alexander G. de G. Matthews DeepMind

Gaussian Process Behaviour in Wide Deep Neural Networks Alexander G. de G. Matthews DeepMind

Gaussian Process Behaviour in Wide Deep Neural Networks Alexander G. de G. Matthews DeepMind Alexander G. de G. Matthews, Jiri Hron, Mark Rowland, Richard E. Turner, and Zoubin Ghahramani. Gaussian Process Behaviour in Wide Deep Neural Networks

274 views • 25 slides
Symmetric categorial grammar Michael Moortgat British Logic Colloquium, Nottingham, Sept 2008

Symmetric categorial grammar Michael Moortgat British Logic Colloquium, Nottingham, Sept 2008

Symmetric categorial grammar Michael Moortgat British Logic Colloquium, Nottingham, Sept 2008 Abstract Fifty years ago, Jim Lambek published the seminal Mathematics of sentence structure. In that paper, the familiar parts of speech

747 views • 47 slides

More recommend