GuardBox: A High-Performance Middlebox Providing Confidentiality and Integrity for Packets

Published: 01 January 2023

Abstract

The deepening of digital transformation has led to an increasing amount of industrial data being transmitted over the Internet. However, plaintext packets originally designed for transmission in private networks face significant security threats on the Internet. Unfortunately, existing encryption schemes, such as the representative TLS, are difficult to apply to these industrial protocols because of their specific requirements and conditions, such as low-latency requirements and restricted operating environments. In this paper, we present a high-performance encryption/decryption middlebox called GuardBox that provides confidentiality and integrity for packets. GuardBox transparently encrypts/decrypts packets sent/received by protected industrial equipment with low latency and supports almost any application-layer protocol. To achieve this, we design a high-performance packet I/O framework and an optimized encryption/decryption scheme for GuardBox. More importantly, we use commodity trusted hardware, Intel SGX, to protect the keys and the encryption/decryption process. Our extensive evaluation demonstrates that GuardBox provides confidentiality and integrity for packets transmitted over the Internet with low latency and near-native throughput.
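The abstract describes the per-packet job of such a middlebox but not its wire format or cipher. The following Go program is an added illustration, not GuardBox's code, of the minimum a transparent packet-protection middlebox must get right: authenticated encryption of the application-layer payload, binding of the unencrypted transport header to the ciphertext as associated data so address tampering is detected, per-direction nonces that never repeat, and a replay window that only advances after the tag verifies. The wire layout (seq || ciphertext || tag), the 32-byte pre-shared key, the direction salt, the 64-entry window and the sample UDP-like header are all assumptions of this example. In GuardBox this logic and the key would live inside an SGX enclave; here it runs in ordinary user space.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Protector adds confidentiality and integrity to one direction of a packet
// flow with AES-256-GCM. Wire layout (assumed for this example, not GuardBox's):
//
//	seq(8, big-endian) || ciphertext || GCM tag(16)
//
// The nonce is salt(4) || seq(8). When both directions share a key, each
// direction must use a different salt, otherwise nonces would repeat.
type Protector struct {
	aead    cipher.AEAD
	salt    [4]byte
	seq     uint64 // last sequence number sent
	highest uint64 // highest sequence number accepted so far
	window  uint64 // bit i set => seq (highest-i) already accepted
	started bool
}

func NewProtector(key []byte, salt uint32) (*Protector, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	p := &Protector{aead: aead}
	binary.BigEndian.PutUint32(p.salt[:], salt)
	return p, nil
}

func (p *Protector) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, p.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// aad binds the cleartext transport header and the sequence number to the
// ciphertext, so modifying either one fails authentication on Unprotect.
func aad(header, seqBytes []byte) []byte {
	return append(append([]byte{}, header...), seqBytes...)
}

// Protect encrypts payload and returns seq || ciphertext || tag.
func (p *Protector) Protect(header, payload []byte) ([]byte, error) {
	if p.seq == ^uint64(0) {
		return nil, errors.New("sequence space exhausted: rekey required")
	}
	p.seq++
	out := make([]byte, 8, 8+len(payload)+p.aead.Overhead())
	binary.BigEndian.PutUint64(out, p.seq)
	return p.aead.Seal(out, p.nonce(p.seq), payload, aad(header, out[:8])), nil
}

// Unprotect authenticates the packet, rejects replays with a 64-entry sliding
// window and returns the plaintext. Window state changes only after the tag
// verifies, so forged packets cannot move it.
func (p *Protector) Unprotect(header, protected []byte) ([]byte, error) {
	if len(protected) < 8+p.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	seq := binary.BigEndian.Uint64(protected[:8])
	if seq == 0 {
		return nil, errors.New("invalid sequence number 0")
	}
	if p.started && seq <= p.highest {
		diff := p.highest - seq
		if diff >= 64 {
			return nil, errors.New("replay: sequence number too old")
		}
		if p.window&(1<<diff) != 0 {
			return nil, errors.New("replay: duplicate sequence number")
		}
	}
	plain, err := p.aead.Open(nil, p.nonce(seq), protected[8:], aad(header, protected[:8]))
	if err != nil {
		return nil, errors.New("authentication failed: payload or header modified")
	}
	switch {
	case !p.started:
		p.started, p.highest, p.window = true, seq, 1
	case seq > p.highest:
		if shift := seq - p.highest; shift >= 64 {
			p.window = 1
		} else {
			p.window = p.window<<shift | 1
		}
		p.highest = seq
	default:
		p.window |= 1 << (p.highest - seq)
	}
	return plain, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a deployment would derive it inside the enclave
	for i := range key {
		key[i] = byte(i)
	}
	tx, _ := NewProtector(key, 1) // sending side of one direction (salt 1)
	rx, _ := NewProtector(key, 1) // receiving side of the same direction
	header := []byte{0x13, 0x88, 0x01, 0xf6} // constructed UDP ports 5000 -> 502
	payload := []byte("constructed application-layer payload")

	pkt, _ := tx.Protect(header, payload)
	got, err := rx.Unprotect(header, pkt)
	fmt.Printf("unprotect: %q err=%v\n", got, err)
	_, err = rx.Unprotect(header, pkt) // the same packet delivered twice
	fmt.Println("replay:", err)

	pkt2, _ := tx.Protect(header, payload)
	bad := append([]byte{}, header...)
	bad[3] ^= 1 // attacker rewrites the destination port in transit
	_, err = rx.Unprotect(bad, pkt2)
	fmt.Println("header tamper:", err)
}
```

Use one Protector per direction and per key; key establishment and the remote attestation that would let a peer trust an enclave-resident key are outside this example.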

Published In

IEEE Transactions on Information Forensics and Security, Volume 18, 2023

Publisher

IEEE Press

Qualifiers

  • Research-article