Snort Intrusion Detection System with Intel Software Guard Extension (Intel SGX).

Authors: Dmitrii Kuvaiskii, Mona Vij, Somnath Chakrabarti

DOI:

Keywords:

Abstract: Network Function Virtualization (NFV) promises the benefits of reduced infrastructure, personnel, and management costs by outsourcing network middleboxes to the public or private cloud. Unfortunately, running network functions in the cloud entails security challenges, especially for complex stateful services. In this paper, we describe our experiences with hardening the king of middleboxes - Intrusion Detection Systems (IDS) - using Intel Software Guard Extensions (Intel SGX) technology. Our IDS secured with SGX, called SEC-IDS, is an unmodified Snort 3 with a DPDK network layer that achieves 10Gbps line rate. SEC-IDS guarantees computational integrity by running all Snort code inside an SGX enclave. At the same time, it achieves near-native performance, with throughput close to 100 percent of vanilla Snort 3, by retaining network I/O outside the enclave. Our experiments indicate that performance is only constrained by the modest Enclave Page Cache size available on current Skylake based E3 Xeon platforms. Finally, we kept the porting effort minimal by using the Graphene-SGX library OS. Only 27 Lines of Code (LoC) were modified in Snort and 178 LoC in DPDK itself.
