SafeBricks: Shielding Network Functions in the Cloud
|
|
- Ellen Lucas
- 5 years ago
- Views:
Transcription
1 SafeBricks: Shielding Network Functions in the Cloud Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley
2 Network Functions (NFs) in the cloud Clients 2 Enterprise Destination
3 Network Functions (NFs) in the cloud Clients 3 Enterprise Destination
4 Network Functions (NFs) in the cloud NF NF providers providers Clients 4 Enterprise Destination
5 Problem: Security NF NF providers providers Clients 5 Enterprise Destination
6 Problem: Security 1 Need to protect traffic from the cloud provider NF NF providers providers Hackers / curious employees Clients 6 Enterprise Destination
7 Problem: Security 2 Need to protect traffic from the Exfiltration NF NF providers providers Clients 7 Enterprise Destination
8 Problem: Security 3 Need to protect NF code and rulesets from client enterprise and cloud NF NF providers providers Clients 8 Enterprise Destination
9 Cryptographic solutions do not suffice NF NF providers providers Clients 9 Enterprise Destination
10 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS NF NF providers providers Clients 10 Enterprise Destination
11 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload NF NF providers providers? Clients 11 Enterprise Destination
12 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload Security: Unencrypted fields (e.g. IP headers) still leak information NF NF providers providers? Clients 12 Enterprise Destination
13 Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark [Sherry et al. (SIGCOMM 15)] [Lan et al. (NSDI 16)] 13
14 Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark Too limited in functionality! Header-based comparisons Regular expressions Keyword matching Cross-flow analysis Statistical computations 14
15 How to achieve full functionality and our security goals simultaneously? 15
16 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 16
17 SafeBricks Hardware enclaves + language-based isolation 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 17
18 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Enclave (trusted) Operating System (untrusted) 18
19 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Enclave (trusted) Operating System (untrusted) 19
20 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Operating System (untrusted) 20
21 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) 21
22 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) Establish a secure channel with enclave 22
23 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs Programming abstractions NetBricks Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 23
24 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing Programming abstractions State abstractions NetBricks Scheduler I/O interface DPDK Poll for I/O NICs 24
25 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing NFs represented as a directed graph with operators as nodes Programming abstractions State abstractions NetBricks I/O interface DPDK Scheduler Poll for I/O NICs 25
26 Background: NetBricks Written in Rust Fast, safe, zero-copy semantics NetBricks NF 1 NF 1 Isolates NFs deployed in a chain while running them in the same address space NICs 26
27 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 27
28 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 28
29 Outsourcing NFs using hardware enclaves Cloud (untrusted) Enclave OS (untrusted) Clients Gateway Destination 29 Enterprise
30 Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 30 Enterprise
31 Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 31 Enterprise
32 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec OS (untrusted) Clients Gateway Destination 32 Enterprise
33 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients Interception proxy Gateway Destination 33 Enterprise
34 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS Gateway Destination 34 Enterprise
35 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Destination 35 Enterprise
36 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Packet headers also encrypted Destination 36 Enterprise
37 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 37 Enterprise
38 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS 38 Enterprise Gateway SafeBricks also supports direct delivery of traffic Destination
39 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave Can use general purpose frameworks, e.g. Haven, Scone IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 39 Enterprise
40 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 40
41 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 41
42 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that may lead to a VMEXIT 42
43 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 43
44 1 NetBricks Programming abstractions Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 44
45 1 Enclave Programming abstractions Scheduler Maximal TCB: NetBricks State abstractions stack entirely within enclave I/O interface DPDK Poll for I/O NICs 45
46 1 Enclave Programming abstractions Scheduler State abstractions Minimal TCB: Only securitycritical components within enclave I/O interface One enclave transition per node per packet batch DPDK Poll for I/O NICs 46
47 1 Enclave Programming abstractions Scheduler Intermediate TCB State abstractions One enclave transition per packet batch I/O interface DPDK Poll for I/O NICs 47
48 1 Programming abstractions Scheduler SafeBricks enclave (trusted) State abstractions Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 48 NICs
49 1 SafeBricks enclave (trusted) Programming abstractions State abstractions Scheduler Two new operators for packet transfer to/from enclave: toenclave and tohost Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 49 NICs
50 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 50
51 2 SafeBricks enclave NF toenclave tohost One enclave transition per packet batch SafeBricks host NICs 51
52 2 SafeBricks enclave NF toenclave tohost Shared queues in non-enclave Enclave I/O heap recv send Separate enclave and host threads Access queues without exiting Host I/O SafeBricks host enclave zero enclave transitions 52 NICs
53 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 53
54 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs 54
55 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) 55
56 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) SafeBricks designs custom solutions for these operations without enclave transitions 56
57 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 57
58 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! 58
59 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload 59
60 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but IP not addresses; to packet payload TCP ports; HTTP payload 60
61 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload SafeBricks enforces least privilege across NFs within the enclave 61
62 Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 62
63 Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 63
64 Least privilege enforcement Run NFs within the same enclave Firewall NAT Stitch NFs together interspersed with an operator ( wlist ) that embeds a vector of permissions in packets two bits per packet field wlist wlist toenclave tohost Host 64
65 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model SafeBricks Controller 65
66 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller 66
67 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT 67
68 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT Returns an immutable reference for readonly access, and a mutable reference for write access 68
69 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! 69
70 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! E.g. Check array bounds, no pointer arithmetic, no unsafe type casts 70
71 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Client Enterprise 71
72 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Problem: This violates the confidentiality of NF source code! Enterprise 72
73 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 73
74 Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler 74
75 Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler Both client and can verify the agreed upon compiler using remote attestation 75
76 Assembling NFs Assembly enclave Loader Compiler 76 Enterprise
77 Assembling NFs Assembly enclave Loader Compiler Remote attestation 77 Enterprise
78 Assembling NFs Assembly enclave Loader Compiler Remote attestation 78 Enterprise
79 Assembling NFs Assembly enclave Loader Compiler Remote attestation 79 Enterprise
80 Assembling NFs Assembly enclave NF code + rulesets Loader Compiler 80 Enterprise
81 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 81 Enterprise
82 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 82 Enterprise Placement of NFs, least privilege policies per NF
83 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 83 Enterprise
84 Assembling NFs Assembly enclave Loader Compiler Deployment enclave 84 Enterprise
85 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 85
86 86 Performance
87 Throughput decline across NFs 40% Firewall NAT Throughput decline 30% 20% 10% Load Balancer DPI 0% Packet size (bytes) ~0 15% overhead across applications for different packet sizes 87
88 DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% 0% Number of rules 88 Overhead spikes when NF working set exceeds enclave memory
89 DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% Not a fundamental limitation 0% Number of rules 89 Overhead spikes when NF working set exceeds enclave memory
90 Summary SafeBricks uses a combination of hardware enclaves and language-based isolation to: Protect client traffic from the cloud provider Enforce least privilege across NFs Protect the confidentiality of NF code and rulesets Modest overhead across a range of applications 90
Embark: Securely Outsourcing Middleboxes to the Cloud
Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic
More informationNetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI
NetBricks: Taking the V out of NFV Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI What the heck is NFV? A Short Introduction to NFV A Short
More informationEndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution
: Scalable Functions Using -Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rüsch, 1 Manuel Nieke, 1 Sébastien Vaucher, 2 Nico Weichbrodt, 1 Valerio Schiavoni, 2 Pierre-Louis
More informationGraphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij
Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)
More informationSCONE: Secure Linux Container Environments with Intel SGX
SCONE: Secure Linux Container Environments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe,
More informationAnd Then There Were More:
David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research
More informationIntroduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017
Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationIPSec. Slides by Vitaly Shmatikov UT Austin. slide 1
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationApplication Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )
Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide
More informationG-NET: Effective GPU Sharing In NFV Systems
G-NET: Effective Sharing In NFV Systems Kai Zhang*, Bingsheng He^, Jiayu Hu #, Zeke Wang^, Bei Hua #, Jiayi Meng #, Lishan Yang # *Fudan University ^National University of Singapore #University of Science
More informationResQ: Enabling SLOs in Network Function Virtualization
ResQ: Enabling SLOs in Network Function Virtualization Amin Tootoonchian* Aurojit Panda Chang Lan Melvin Walls Katerina Argyraki Sylvia Ratnasamy Scott Shenker *Intel Labs UC Berkeley ICSI NYU Nefeli EPFL
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationRule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs
Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs Motivation Improve network s flexibility Middlebox support,
More informationRule-Based Forwarding
Building Extensible Networks with Rule-Based Forwarding Lucian Popa Norbert Egi Sylvia Ratnasamy Ion Stoica UC Berkeley/ICSI Lancaster Univ. Intel Labs Berkeley UC Berkeley Making Internet forwarding flexible
More informationFirewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng
Firewalls IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response: Recovery, Forensics
More informationSlicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)
Slicing a Network Advanced! Computer Networks Sherwood, R., et al., Can the Production Network Be the Testbed? Proc. of the 9 th USENIX Symposium on OSDI, 2010 Reference: [C+07] Cascado et al., Ethane:
More informationIntel Software Guard Extensions
Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July 12 th 2017 cryptovision Mindshare, Gelsenkirchen Intel SGX Making Headlines Premium Content requiring Intel SGX on PC Intel
More informationCSC Network Security
CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet
More informationRyoan: A Distributed Sandbox for Untrusted Computation on Secret Data
Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel University of Texas at Austin OSDI 2016 Presented by John Alsop
More informationIX: A Protected Dataplane Operating System for High Throughput and Low Latency
IX: A Protected Dataplane Operating System for High Throughput and Low Latency Adam Belay et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Presented by Han Zhang & Zaina Hamid Challenges
More informationIPSec. Overview. Overview. Levente Buttyán
IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet
More informationCPS 510 final exam, 4/27/2015
CPS 510 final exam, 4/27/2015 Your name please: This exam has 25 questions worth 12 points each. For each question, please give the best answer you can in a few sentences or bullets using the lingo of
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationDistributed Systems. Lecture 14: Security. Distributed Systems 1
06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationDistributed Systems. Lecture 14: Security. 5 March,
06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationBUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX
BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE
More informationVirtual Private Networks (VPN)
CYBR 230 Jeff Shafer University of the Pacific Virtual Private Networks (VPN) 2 Schedule This Week Mon September 4 Labor Day No class! Wed September 6 VPN Project 1 Work Fri September 8 IPv6? Project 1
More informationChapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,
Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls 32.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 32.2 Figure 32.1 Common structure
More informationOpenADN: A Case for Open Application Delivery Networking
OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer
More informationStateless Network Functions:
Stateless Network Functions: Breaking the Tight Coupling of State and Processing Murad Kablan, Azzam Alsudais, Eric Keller, Franck Le University of Colorado IBM Networks Need Network Functions Firewall
More informationProxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking
NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other
More informationTown Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016
Town Crier Authenticated Data Feeds For Smart Contracts CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016 Smart Contract Decentralized App: Programs are executed by all miners who reach consensus
More informationFirewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003
Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationDesign and Performance of the OpenBSD Stateful Packet Filter (pf)
Usenix 2002 p.1/22 Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.2/22 Introduction part of a firewall, working on IP packet
More informationMessaging Overview. Introduction. Gen-Z Messaging
Page 1 of 6 Messaging Overview Introduction Gen-Z is a new data access technology that not only enhances memory and data storage solutions, but also provides a framework for both optimized and traditional
More informationNetwork Control, Con t
Network Control, Con t CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationSYN Flood Attack Protection Technology White Paper
Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More informationMulti-Layered Security Framework for Metro-Scale Wi-Fi Networks
Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks A Security Whitepaper January, 2004 Photo courtesy of NASA Image exchange. Image use in no way implies endorsement by NASA of any of the
More informationPROTECTING INFORMATION ASSETS NETWORK SECURITY
PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,
More informationVerifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)
1 Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vnfo joint with Seyed Fayazbakhsh, Mike Reiter VRA joint with Chen Chen, Petros Mania9s,
More informationCIS 4360 Secure Computer Systems SGX
CIS 4360 Secure Computer Systems SGX Professor Qiang Zeng Spring 2017 Some slides are stolen from Intel docs Previous Class UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure
More informationControlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado
: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado 2 Goal Protect the data of applications running on remote hardware 3 New tech Trusted Platform Modules
More informationFirewalls for Secure Unified Communications
Firewalls for Secure Unified Communications Positioning Guide 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 12 Firewall protection for call control
More informationCreating VPN s with IPsec
2014 Creating VPN s with IPsec SPRING ENTERPRISE INFO SECURITY 4040/601 WILSON CHANCE HINCHMAN This paper will define the term VPN, explain for what and why VPNs are used. IPsec, which is vital to the
More informationModel Checking Dynamic Datapaths
Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley, ICSI, EPFL Networks: Not Just for Delivery Enforce a variety of invariants: Packet Isolation: Packets from
More informationA Comparison Study of Intel SGX and AMD Memory Encryption Technology
A Comparison Study of Intel SGX and AMD Memory Encryption Technology Saeid Mofrad, Fengwei Zhang Shiyong Lu Wayne State University {saeid.mofrad, Fengwei, Shiyong}@wayne.edu Weidong Shi (Larry) University
More informationComputer Security and Privacy
CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationSlalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramèr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating
More informationTechnology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF
Technology Brief Page 1 This document discusses the key functionalities and benefits of (DMPO) that assures enterprise and cloud application performance over Internet and hybrid WAN. Contents Page 2 Introduction
More informationIntroduction to Computer Networks. CS 166: Introduction to Computer Systems Security
Introduction to Computer Networks CS 166: Introduction to Computer Systems Security Network Communication Communication in modern networks is characterized by the following fundamental principles Packet
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationIdentity-Based Cyber Defense. March 2017
Identity-Based Cyber Defense March 2017 Attackers Continue to Have Success Current security products are necessary but not sufficient Assumption is you are or will be breached Focus on monitoring, detecting
More informationLeverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users
Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users Daniel Künzli System Engineer ANG Switzerland Citrix Systems International GmbH Specifications and Architecture
More informationHUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date
HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or
More informationSGXBounds Memory Safety for Shielded Execution
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,
More informationA Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley
A Ten Minute Introduction to Middleboxes Justine Sherry, UC Berkeley This Talk: Three Questions! What is a middlebox? What are some recent trends in middlebox engineering? What research challenges do middleboxes
More informationIX: A Protected Dataplane Operating System for High Throughput and Low Latency
IX: A Protected Dataplane Operating System for High Throughput and Low Latency Belay, A. et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Reviewed by Chun-Yu and Xinghao Li Summary In this
More informationAnnouncements. Reading. Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) CMSC 412 S14 (lect 5)
Announcements Reading Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) 1 Relationship between Kernel mod and User Mode User Process Kernel System Calls User Process
More informationCyber Moving Targets. Yashar Dehkan Asl
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system
More informationMicrosoft Architecting Microsoft Azure Solutions.
Microsoft 70-535 Architecting Microsoft Azure Solutions https://killexams.com/pass4sure/exam-detail/70-535 QUESTION: 106 Your organization has developed and deployed several Azure App Service Web and API
More informationControlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems
Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May
More informationUsing a Certified Hypervisor to Secure V2X communication
SYSGO AG PUBLIC 1 Using a Certified Hypervisor to Secure V2X communication Author(s): Date: Version Chris Berg 08/05/2017 v1.1 SYSGO AG PUBLIC 2 Protecting Assets People started protecting their assets
More informationPDP : A Flexible and Programmable Data Plane. Massimo Gallo et al.
PDP : A Flexible and Programmable Data Plane Massimo Gallo et al. Introduction Network Function evolution L7 Load Balancer TLS/SSL Server Proxy Server Firewall Introduction Network Function evolution Can
More informationSECURITY ARCHITECTURES CARSTEN WEINHOLD
Department of Computer Science Institute of System Architecture, Operating Systems Group SECURITY ARCHITECTURES CARSTEN WEINHOLD MOTIVATION Common observations: Complex software has security bugs Users
More informationNFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains
NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains Sameer G Kulkarni 1, Wei Zhang 2, Jinho Hwang 3, Shriram Rajagopalan 3, K.K. Ramakrishnan 4, Timothy Wood 2, Mayutan Arumaithurai 1 &
More informationLotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4
Lotus Protector Mail Security and Mail Encryption Interop Guide Lotus Protector Interop Guide Mail Encryption 2.1.0.1 Mail Security 2.5.1 Version 1.4 Lotus Protector Mail Security and Mail Encryption Configuration
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationA Comparison of Performance and Accuracy of Measurement Algorithms in Software
A Comparison of Performance and Accuracy of Measurement Algorithms in Software Omid Alipourfard, Masoud Moshref 1, Yang Zhou 2, Tong Yang 2, Minlan Yu 3 Yale University, Barefoot Networks 1, Peking University
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationIntegrating WX WAN Optimization with Netscreen Firewall/VPN
Application Note Integrating WX WAN Optimization with Netscreen Firewall/VPN Joint Solution for Firewall/VPN and WX Platforms Alan Sardella Portfolio Marketing Choh Mun Kok and Jaymin Patel Lab Configuration
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationVirtual Private Cloud. User Guide. Issue 03 Date
Issue 03 Date 2016-10-19 Change History Change History Release Date What's New 2016-10-19 This issue is the third official release. Modified the following content: Help Center URL 2016-07-15 This issue
More informationISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More informationThe IPsec protocols. Overview
The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationConfiguring SSL CHAPTER
7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section
More informationXen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016
Xen and the Art of Virtualization CSE-291 (Cloud Computing) Fall 2016 Why Virtualization? Share resources among many uses Allow heterogeneity in environments Allow differences in host and guest Provide
More informationSpring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention
Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion Detection and Prevention Firewalls and IPSes effective means of protecting LANs internet connectivity essential
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationfirewalls perimeter firewall systems firewalls security gateways secure Internet gateways
Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public
More informationChapter 26: Network Security
Chapter 26: Network Security Introduction to the Drib Policy Development Network Organization Availability Anticipating Attacks Slide #26-1 Introduction Goal: apply concepts, principles, mechanisms discussed
More informationOn Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964
The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format
More informationPrecisionAccess Trusted Access Control
Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised
More informationA HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM
A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM BASED ON PHANTOM: PRACTICAL OBLIVIOUS COMPUTATION IN A SECURE PROCESSOR FROM CCS-2013! Martin Maas, Eric
More informationSteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)
Internet Communications Made Safe SteelGate Overview SteelGate Overview SteelGate is a high-performance VPN firewall appliance that Prevent Eliminate threats & attacks at the perimeter Stop unauthorized
More informationDYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc.
DYNAMIC SERVICE CHAINING WITH DYSCO forcing packets through es for security, optimizing performance, enhancing reachability, etc. Pamela Zave AT&T Labs Research Ronaldo A. Ferreira UFMS, Brazil Xuan Kelvin
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter
More information