A Secure Middlebox Framework for Enabling Visibility Over Multiple Encryption Protocols

Published: 15 December 2020

Abstract

Network middleboxes provide the first line of defense for enterprise networks. Many of them inspect packet payloads to filter malicious attack patterns. However, the widespread use of end-to-end cryptographic protocols, designed to promote security and privacy, either inhibits deep packet inspection in the network or forces enterprises to use solutions that are not secure. This article introduces EVE, a complete framework for building secure and practical network middleboxes that enables visibility over encrypted traffic. EVE securely processes encrypted traffic using a combination of hardware-based trusted execution and software security technology. For enhanced programmability and security, EVE provides a high-level programming interface based on the Rust language. EVE's high-level APIs provide security and significantly ease the development effort by hiding the details of cryptographic operations, enclave processing, TCP reassembly, and out-of-band key sharing. Our evaluation shows that EVE supports diverse use cases with multiple encryption protocols in a secure fashion while delivering high performance.


Cited By

  • (2023) Intel Software Guard Extensions Applications: A Survey. ACM Computing Surveys, 55(14s), pp. 1–38. https://doi.org/10.1145/3593021
  • (2023) GuardBox: A High-Performance Middlebox Providing Confidentiality and Integrity for Packets. IEEE Transactions on Information Forensics and Security, 18, pp. 2413–2426. https://doi.org/10.1109/TIFS.2023.3266629
  • (2022) Fairness Audit of Machine Learning Models with Confidential Computing. Proceedings of the ACM Web Conference 2022, pp. 3488–3499. https://doi.org/10.1145/3485447.3512244

Published In

IEEE/ACM Transactions on Networking, Volume 28, Issue 6, Dec. 2020. Publisher: IEEE Press.