Towards Practical Encrypted Network Traffic Pattern Matching for Secure Middleboxes

Network Function Virtualisation (NFV) has made it practical to compose middleboxes from software, and cloud data centres are becoming major NFV providers for enterprise traffic processing. Because redirecting enterprise traffic to the cloud raises privacy concerns, secure middlebox systems (e.g., BlindBox) have drawn much attention: they process encrypted packets directly against encrypted rules. However, most existing systems that support pattern-matching network functions require the enterprise gateway to tokenise packet payloads with sliding windows. This tokenisation introduces considerable communication overhead, which can exceed 100$\times$ the packet size. To overcome this bottleneck, we propose the first bandwidth-efficient encrypted pattern matching protocols for secure middleboxes. We start from a primitive called symmetric hidden vector encryption (SHVE) and propose a variant, SHVE+, that enables encrypted pattern matching with constant, moderate communication overhead. To speed up matching, we devise encrypted filters that reduce the number of SHVE+ accesses per packet. We formalise the security of the proposed protocols, implement a prototype, and evaluate it over real-world rulesets and traffic dumps. The results show that our design can inspect a packet against over 20k rules within 100 $\mu$s, and that it saves 94% of the bandwidth consumed by prior work.
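The bandwidth bottleneck the abstract describes comes from emitting one keyed token per window position and per window length, so that the middlebox can compare packet tokens against encrypted rule tokens without seeing the payload. The following Python block is an added illustration, not code from the paper or from BlindBox: it models that gateway-side tokenisation with HMAC-SHA256 tokens truncated to 16 bytes over window lengths 4 to 12 (both assumptions chosen for the example), computes the resulting bytes-on-the-wire ratio, and runs the simple equality-based match a token-based middlebox performs. The key, window lengths and the sample payload are all constructed for this example.

```python
"""Added example (not the paper's construction): sliding-window tokenisation
of a packet payload, as used by BlindBox-style secure DPI, and the resulting
communication overhead relative to the raw packet size.

Assumptions for this example: tokens are HMAC-SHA256 outputs truncated to
TOKEN_LEN bytes, one token per window position for every window length in
WINDOW_LENS, and the gateway and rule issuer share KEY.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

TOKEN_LEN = 16                      # bytes kept per token (assumption)
KEY = b"example-shared-key"         # assumption: key shared by gateway and rule issuer
WINDOW_LENS = tuple(range(4, 13))   # window lengths 4..12 bytes (assumption)


def token(data: bytes, key: bytes = KEY) -> bytes:
    """Keyed token for one window or one rule pattern."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TOKEN_LEN]


def tokenise(payload: bytes, window_lens: Iterable[int] = WINDOW_LENS) -> List[bytes]:
    """Gateway side: one token for every (offset, window length) pair."""
    toks: List[bytes] = []
    for w in window_lens:
        for i in range(len(payload) - w + 1):
            toks.append(token(payload[i:i + w]))
    return toks


def overhead_ratio(payload_len: int,
                   window_lens: Iterable[int] = WINDOW_LENS,
                   token_len: int = TOKEN_LEN) -> float:
    """Bytes of tokens sent per byte of payload (the '100x' in the abstract)."""
    n_tokens = sum(max(payload_len - w + 1, 0) for w in window_lens)
    return n_tokens * token_len / payload_len


def encrypt_rules(patterns: Iterable[bytes]) -> Dict[bytes, bytes]:
    """Rule issuer side: token per pattern. A pattern must have a length the
    gateway tokenises, otherwise it can never be matched by equality."""
    rules: Dict[bytes, bytes] = {}
    for p in patterns:
        if len(p) not in WINDOW_LENS:
            raise ValueError(f"pattern length {len(p)} not in WINDOW_LENS")
        rules[token(p)] = p
    return rules


def match(packet_tokens: Iterable[bytes], rule_tokens: Dict[bytes, bytes]) -> Set[bytes]:
    """Middlebox side: equality test between packet tokens and rule tokens."""
    return {rule_tokens[t] for t in packet_tokens if t in rule_tokens}


if __name__ == "__main__":
    # Constructed sample payload and rules for the demonstration.
    payload = b"GET /admin/config.php HTTP/1.1"
    rules = encrypt_rules([b"/admin/", b"config.php", b"evil"])
    hits = match(tokenise(payload), rules)
    print("matched:", sorted(hits))
    print(f"tokens for {len(payload)}-byte payload: {len(tokenise(payload))}")
    print(f"overhead for a 1500-byte packet: {overhead_ratio(1500):.1f}x")
```

For a full-size 1500-byte packet the ratio comes out above 140$\times$ under these assumptions, which is the cost the abstract attributes to sliding-window tokenisation; a constant-overhead scheme such as the SHVE+ protocol the paper proposes avoids sending one token per offset at all.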

[1] Vyas Sekar et al. Making middleboxes someone else's problem: network processing as a cloud service. SIGCOMM '12, 2012.

[2] Cong Wang et al. Privacy-preserving deep packet inspection in outsourced middleboxes. IEEE INFOCOM 2016, 2016.

[3] Emiliano De Cristofaro et al. SplitBox: Toward Efficient Private Network Function Virtualization. HotMiddlebox@SIGCOMM, 2016.

[4] Herbert Bos et al. RIDL: Rogue In-Flight Data Load. 2019 IEEE Symposium on Security and Privacy (SP), 2019.

[5] Cong Wang et al. Toward Secure Outsourced Middlebox Services: Practices, Challenges, and Beyond. IEEE Network, 2018.

[6] Zhenyu Zhou et al. Towards a Safe Playground for HTTPS and Middle Boxes with QoS2. HotMiddlebox '15, 2015.

[7] Cong Wang et al. Bringing execution assurances of pattern matching in outsourced middleboxes. 2016 IEEE 24th International Conference on Network Protocols (ICNP), 2016.

[8] Sylvia Ratnasamy et al. SafeBricks: Shielding Network Functions in the Cloud. NSDI, 2018.

[9] Dongsu Han et al. SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module. APNet, 2017.

[10] Rafail Ostrovsky et al. Searchable symmetric encryption: improved definitions and efficient constructions. CCS '06, 2006.

[11] Michael Hamburg et al. Spectre Attacks: Exploiting Speculative Execution. 2019 IEEE Symposium on Security and Privacy (SP), 2018.

[12] Yu Guo et al. Enabling Privacy-Preserving Header Matching for Outsourced Middleboxes. 2018 IEEE/ACM 26th International Symposium on Quality of Service (IWQoS), 2018.

[13] Melissa Chase et al. Substring-Searchable Symmetric Encryption. Proceedings on Privacy Enhancing Technologies, 2015.

[14] Vincenzo Iovino et al. Hidden-Vector Encryption with Groups of Prime Order. Pairing, 2008.

[15] Dongsu Han et al. DFC: Accelerating String Pattern Matching for Network Applications. NSDI, 2016.

[16] Florian Kerschbaum et al. Practical and Secure Substring Search. SIGMOD Conference, 2018.

[17] Thomas F. Wenisch et al. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. USENIX Security Symposium, 2018.

[18] Dongxi Liu et al. Result Pattern Hiding Searchable Encryption for Conjunctive Queries. CCS, 2018.

[19] Zhi Liu et al. Embark: Securely Outsourcing Middleboxes to the Cloud. NSDI, 2016.

[20] Christof Fetzer et al. ShieldBox: Secure Middleboxes using Shielded Execution. SOSR, 2018.

[21] Sylvia Ratnasamy et al. BlindBox: Deep Packet Inspection over Encrypted Traffic. SIGCOMM, 2015.

[22] Nicolas Desmoulins et al. Pattern Matching on Encrypted Streams. ASIACRYPT, 2018.

[23] Magnus Almgren et al. Multiple Pattern Matching for Network Security Applications: Acceleration through Vectorization. 2017 46th International Conference on Parallel Processing (ICPP), 2017.

[24] Chunming Qiao et al. SPABox: Safeguarding Privacy During Deep Packet Inspection at a MiddleBox. IEEE/ACM Transactions on Networking, 2017.

[25] Yajin Zhou et al. LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed. CCS, 2017.

[26] Markulf Kohlweiss et al. Light at the middle of the tunnel: middleboxes for selective disclosure of network monitoring to distrusted parties. HotMiddlebox@SIGCOMM, 2016.