TY - GEN
T1 - ShieldBox
T2 - 2018 Symposium on SDN Research, SOSR 2018
AU - Trach, Bohdan
AU - Krohmer, Alfred
AU - Gregor, Franz
AU - Arnautov, Sergei
AU - Bhatotia, Pramod
AU - Fetzer, Christof
N1 - Publisher Copyright:
© 2018 held by the owner/author(s).
PY - 2018/3/28
Y1 - 2018/3/28
N2 - Middleboxes that process confidential data cannot be securely deployed in untrusted cloud environments. To securely outsource middleboxes to the cloud, state-of-the-art systems advocate network processing over encrypted traffic. Unfortunately, these systems support only restrictive functionalities and incur prohibitively high overheads. This motivated the design of ShieldBox, a secure middlebox framework for deploying high-performance network functions (NFs) over untrusted commodity servers. ShieldBox securely processes encrypted traffic inside a secure container by leveraging shielded execution. More specifically, ShieldBox builds on hardware-assisted memory protection based on Intel SGX to provide strong confidentiality and integrity guarantees. For middlebox developers, ShieldBox exposes a generic interface based on Click to design and implement a wide range of NFs using its out-of-the-box elements and C++ extensions. For network operators, ShieldBox provides a configuration and attestation service for seamless and verifiable deployment of middleboxes. We have implemented ShieldBox with the important end-to-end features required for secure network processing, together with performance optimizations. Our extensive evaluation shows that ShieldBox achieves near-native throughput and latency while securely processing confidential data at line rate.
AB - Middleboxes that process confidential data cannot be securely deployed in untrusted cloud environments. To securely outsource middleboxes to the cloud, state-of-the-art systems advocate network processing over encrypted traffic. Unfortunately, these systems support only restrictive functionalities and incur prohibitively high overheads. This motivated the design of ShieldBox, a secure middlebox framework for deploying high-performance network functions (NFs) over untrusted commodity servers. ShieldBox securely processes encrypted traffic inside a secure container by leveraging shielded execution. More specifically, ShieldBox builds on hardware-assisted memory protection based on Intel SGX to provide strong confidentiality and integrity guarantees. For middlebox developers, ShieldBox exposes a generic interface based on Click to design and implement a wide range of NFs using its out-of-the-box elements and C++ extensions. For network operators, ShieldBox provides a configuration and attestation service for seamless and verifiable deployment of middleboxes. We have implemented ShieldBox with the important end-to-end features required for secure network processing, together with performance optimizations. Our extensive evaluation shows that ShieldBox achieves near-native throughput and latency while securely processing confidential data at line rate.
UR - http://www.scopus.com/inward/record.url?scp=85049390132&partnerID=8YFLogxK
U2 - 10.1145/3185467.3185469
DO - 10.1145/3185467.3185469
M3 - Conference contribution
AN - SCOPUS:85049390132
T3 - Proceedings of the Symposium on SDN Research, SOSR 2018
BT - Proceedings of the Symposium on SDN Research, SOSR 2018
PB - Association for Computing Machinery, Inc
Y2 - 28 March 2018 through 29 March 2018
ER -