EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems, because a client that controls the middlebox could simply bypass it. We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel's Software Guard Extensions (SGX). By maintaining the VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox before it enters the tunnel. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox in two scenarios, (i) a large company and (ii) an Internet service provider, both of which need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.
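The security argument in the abstract rests on one structural property: the VPN gateway releases the tunnel key only to an attested enclave, and that enclave runs the firewall and IDS on plaintext before anything is encrypted, so traffic cannot reach the network without passing the middlebox. The following toy model, written for this page and not taken from EndBox, simulates that property. SGX attestation is stood in for by comparing a measurement hash, the VPN cipher is a SHA-256 counter-mode keystream with an HMAC tag, and the rule set and signatures are constructed sample data; none of these reflect EndBox's real formats or protocols.

```python
"""Toy model of a client-side enclave that is both VPN endpoint and middlebox.

Illustration only: attestation is a measurement comparison, the tunnel cipher
is a SHA-256 keystream plus HMAC, and all policy data is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample policy (assumption: a minimal deny-list and IDS signatures).
FIREWALL_RULES = [(22, "deny"), (445, "deny")]       # (dst_port, action)
IDS_SIGNATURES = [b"/etc/passwd", b"UNION SELECT"]   # payload substrings


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, standing in for the VPN cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


class Gateway:
    """Central VPN gateway: hands the tunnel key only to the expected enclave
    measurement and accepts only frames with a valid MAC under that key."""

    def __init__(self, expected_measurement: bytes):
        self.expected = expected_measurement
        self.tunnel_key = os.urandom(32)

    def attest(self, reported_measurement: bytes):
        # Stand-in for SGX remote attestation: the quote is reduced to MRENCLAVE.
        if hmac.compare_digest(reported_measurement, self.expected):
            return self.tunnel_key
        return None

    def receive(self, frame: bytes):
        """Decrypt a frame, or return None if it was not produced by an attested enclave."""
        if len(frame) < 12 + 32:
            return None
        nonce, body, tag = frame[:12], frame[12:-32], frame[-32:]
        expected = hmac.new(self.tunnel_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(body, _keystream(self.tunnel_key, nonce, len(body))))


class EnclaveVpnEndpoint:
    """Client-side enclave: packets see the tunnel key only after inspection."""

    def __init__(self, measurement: bytes, rules, signatures):
        self.measurement = measurement
        self.rules = list(rules)
        self.signatures = list(signatures)
        self._key = None

    def connect(self, gateway: Gateway) -> bool:
        self._key = gateway.attest(self.measurement)
        return self._key is not None

    def inspect(self, pkt: Packet):
        """Firewall then IDS on plaintext; returns a deny reason or None."""
        for port, action in self.rules:
            if action == "deny" and pkt.dst_port == port:
                return f"firewall: port {port} denied"
        for sig in self.signatures:
            if sig in pkt.payload:
                return f"ids: matched {sig!r}"
        return None

    def send(self, pkt: Packet):
        """Return (frame, None) for allowed traffic, (None, reason) otherwise."""
        if self._key is None:
            return None, "not attested: no tunnel key"
        reason = self.inspect(pkt)
        if reason:
            return None, reason
        nonce = os.urandom(12)
        body = bytes(a ^ b for a, b in zip(pkt.payload, _keystream(self._key, nonce, len(pkt.payload))))
        tag = hmac.new(self._key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag, None


def demo():
    """Exercise the cases the design argument depends on; returns a dict of outcomes."""
    good = hashlib.sha256(b"endbox-enclave-v1").digest()      # constructed measurement
    gw = Gateway(expected_measurement=good)
    enclave = EnclaveVpnEndpoint(good, FIREWALL_RULES, IDS_SIGNATURES)
    enclave.connect(gw)
    results = {}
    frame, _ = enclave.send(Packet(443, b"GET / HTTP/1.1"))     # allowed, decrypts at gateway
    results["allowed"] = gw.receive(frame)
    results["fw"] = enclave.send(Packet(22, b"SSH-2.0-client"))[1]          # dropped by firewall
    results["ids"] = enclave.send(Packet(80, b"GET /../../etc/passwd"))[1]  # dropped by IDS
    rogue = EnclaveVpnEndpoint(b"\x00" * 32, [], [])            # unattested code: no key, no bypass
    rogue.connect(gw)
    results["rogue"] = rogue.send(Packet(22, b"SSH-2.0-client"))
    results["tampered"] = gw.receive(frame[:12] + bytes([frame[12] ^ 1]) + frame[13:])  # MAC fails
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes is that removing or modifying the middlebox code changes the enclave measurement, so the gateway never provisions the tunnel key and the client loses connectivity rather than gaining an unfiltered path; the real system additionally relies on SGX memory encryption to keep the key out of reach of a root-level attacker on the client.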
