LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

Authors: Huayi Duan, Cong Wang, Xingliang Yuan, Yajin Zhou, Qian Wang

DOI: 10.1145/3319535.3339814

Keywords:

Abstract: Running off-site software middleboxes at third-party service providers has been a popular practice. However, routing large volumes of raw traffic, which may carry sensitive information, to a remote site for processing raises severe security concerns. Prior solutions often abstract away important factors pertinent to real-world deployment. In particular, they overlook the significance of metadata protection and stateful processing. Unprotected traffic metadata, such as low-level headers, packet sizes and packet counts, can be exploited to learn supposedly encrypted application contents. Meanwhile, tracking the states of 100,000s of flows concurrently is indispensable in production-level middleboxes deployed in real networks. We present LightBox, the first system that can drive off-site middleboxes at near-native speed with stateful processing and the most comprehensive protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox is the product of our systematic investigation of how to overcome the inherent limitations of secure enclaves using domain knowledge and customization. First, we introduce an elegant virtual network interface that allows convenient access to fully protected packets at line rate without leaving the enclave, as if from the trusted source network. Second, we provide complete flow state management for efficient stateful processing, by tailoring a set of data structures and algorithms optimized for the highly constrained enclave space. Extensive evaluations demonstrate that LightBox, with all security benefits enabled, can achieve 10Gbps packet I/O, and that with case studies on three stateful middleboxes, it can operate at near-native speed.
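The abstract's second contribution, flow state management inside a memory-constrained enclave, is easiest to understand from a small model. The following is an added example written for this page, not LightBox's own code or data structures: a bounded in-enclave flow table with LRU eviction, where evicted flow states are sealed (encrypted and authenticated) and parked in untrusted memory, then verified when swapped back in. A per-eviction version counter kept inside the enclave is bound into the seal so that a stale blob replayed by the untrusted host is rejected, which is the caveat a practitioner should check in any such design. The sealing primitive here is a stdlib stand-in (SHA-256 keystream plus HMAC-SHA256); a real enclave would use AES-GCM or SGX sealing. The flow keys, state layout and packet trace are constructed for the example.

```python
"""Bounded in-enclave flow table with sealed swap-out (illustrative, not LightBox's code)."""
import hashlib
import hmac
import json
import os
from collections import OrderedDict


class IntegrityError(Exception):
    """Sealed flow state failed authentication: tampered, replayed, or missing."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher built from SHA-256 in counter mode (example only).
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes, ad: bytes) -> bytes:
    """Encrypt-then-MAC. `ad` (flow key + version) is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, ad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, ad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise IntegrityError("sealed flow state missing or truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, ad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise IntegrityError("sealed flow state rejected")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EnclaveFlowTable:
    """Hot states live in `hot` (bounded, LRU); cold states are sealed into `untrusted`."""

    def __init__(self, capacity: int, seal_key: bytes):
        self.capacity, self.seal_key = capacity, seal_key
        self.hot = OrderedDict()   # in-enclave: flow -> state, oldest first
        self.swapped = {}          # in-enclave index: flow -> version expected on swap-in
        self.untrusted = {}        # outside the enclave: flow -> sealed blob (host-controlled)
        self.next_version = 0

    @staticmethod
    def _ad(flow, version: int) -> bytes:
        return json.dumps([list(flow), version]).encode()

    def _swap_out(self):
        flow, state = self.hot.popitem(last=False)          # least recently used
        self.next_version += 1
        self.swapped[flow] = self.next_version
        self.untrusted[flow] = seal(self.seal_key, json.dumps(state).encode(),
                                    self._ad(flow, self.next_version))

    def _swap_in(self, flow):
        version = self.swapped.pop(flow)                    # enclave-held truth, not host's
        blob = self.untrusted.pop(flow, b"")
        return json.loads(unseal(self.seal_key, blob, self._ad(flow, version)))

    def lookup(self, flow):
        if flow in self.hot:
            self.hot.move_to_end(flow)
            return self.hot[flow]
        state = self._swap_in(flow) if flow in self.swapped else {"packets": 0, "bytes": 0}
        if len(self.hot) >= self.capacity:
            self._swap_out()
        self.hot[flow] = state
        return state

    def process(self, flow, length: int) -> dict:
        state = self.lookup(flow)
        state["packets"] += 1
        state["bytes"] += length
        return dict(state)


# Constructed 5-tuples and packet trace for the example.
A = ("10.0.0.1", "10.0.0.2", 40000, 443, 6)
B = ("10.0.0.3", "10.0.0.2", 40001, 443, 6)
C = ("10.0.0.4", "10.0.0.2", 40002, 443, 6)
TRACE = [(A, 100), (B, 200), (C, 300), (A, 50), (B, 10)]


def run_trace(capacity: int = 2):
    """Three flows through a two-slot table: C evicts A, A's return evicts B, B's return evicts C."""
    table, last = EnclaveFlowTable(capacity, os.urandom(32)), {}
    for flow, length in TRACE:
        last[flow] = table.process(flow, length)
    return table, last


def replay_is_detected() -> bool:
    """Host replays A's first sealed blob after A has been sealed again under a newer version."""
    table = EnclaveFlowTable(2, os.urandom(32))
    for flow, length in TRACE[:3]:                # A, B, then C evicts A (version 1)
        table.process(flow, length)
    stale = table.untrusted[A]                    # host keeps a copy of A's sealed state
    for flow, length in TRACE[3:] + [(C, 5)]:     # ... C's return evicts A again (version 4)
        table.process(flow, length)
    table.untrusted[A] = stale                    # host substitutes the stale blob
    try:
        table.process(A, 1)
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    table, last = run_trace()
    print(last, "hot:", list(table.hot), "swapped:", table.swapped)
    print("replay detected:", replay_is_detected())
```

The in-enclave `swapped` index is the piece that matters for security: the host can swap, corrupt or replay blobs, but it cannot forge a tag bound to a version the enclave never issued, so every such manipulation surfaces as `IntegrityError` rather than as silently stale state. Sizing that index and the hot table to fit the enclave's protected memory is exactly the engineering trade-off the abstract refers to.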
