SafeBricks: Shielding Network Functions in the Cloud

Similar documents
Embark: Securely Outsourcing Middleboxes to the Cloud

NetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

SCONE: Secure Linux Container Environments with Intel SGX

And Then There Were More:

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Firewalls, Tunnels, and Network Intrusion Detection

Influential OS Research Security. Michael Raitza

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

G-NET: Effective GPU Sharing In NFV Systems

ResQ: Enabling SLOs in Network Function Virtualization

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Rule-Based Forwarding

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)

Intel Software Guard Extensions

CSC Network Security

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

IPSec. Overview. Overview. Levente Buttyán

CPS 510 final exam, 4/27/2015

Buffer overflow background

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. 5 March,

Operating System Security

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Virtual Private Networks (VPN)

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

OpenADN: A Case for Open Application Delivery Networking

Stateless Network Functions:

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

Messaging Overview. Introduction. Gen-Z Messaging

Network Control, Con t

SYN Flood Attack Protection Technology White Paper

Networking interview questions

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

PROTECTING INFORMATION ASSETS NETWORK SECURITY

0x1A Great Papers in Computer Security

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)

CIS 4360 Secure Computer Systems SGX

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Firewalls for Secure Unified Communications

Creating VPN s with IPsec

Model Checking Dynamic Datapaths

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

Computer Security and Privacy

Network Security Fundamentals

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

Network Security. Thierry Sans

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

COMPUTER NETWORK SECURITY

Identity-Based Cyber Defense. March 2017

Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

SGXBounds Memory Safety for Shielded Execution

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

Announcements. Reading. Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) CMSC 412 S14 (lect 5)

Cyber Moving Targets. Yashar Dehkan Asl

Microsoft Architecting Microsoft Azure Solutions.

Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Using a Certified Hypervisor to Secure V2X communication

PDP : A Flexible and Programmable Data Plane. Massimo Gallo et al.

SECURITY ARCHITECTURES CARSTEN WEINHOLD

NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains

Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Software Security: Buffer Overflow Defenses

A Comparison of Performance and Accuracy of Measurement Algorithms in Software

Chapter 9. Firewalls

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Virtual Private Cloud. User Guide. Issue 03 Date

ISOLATION DEFENSES GRAD SEC OCT

The IPsec protocols. Overview

0x1A Great Papers in Computer Security

Configuring SSL CHAPTER

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Transport Level Security

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Chapter 26: Network Security

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

PrecisionAccess Trusted Access Control

A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc.

CSE 565 Computer Security Fall 2018

Transcription:

SafeBricks: Shielding Network Functions in the Cloud Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley

Network Functions (NFs) in the cloud Clients 2 Enterprise Destination

Network Functions (NFs) in the cloud Clients 3 Enterprise Destination

Network Functions (NFs) in the cloud NF NF providers providers Clients 4 Enterprise Destination

Problem: Security NF NF providers providers Email Clients 5 Enterprise Destination

Problem: Security 1 Need to protect traffic from the cloud provider NF NF providers providers Hackers / curious employees Email Clients 6 Enterprise Destination

Problem: Security 2 Need to protect traffic from the Exfiltration NF NF providers providers Email Clients 7 Enterprise Destination

Problem: Security 3 Need to protect NF code and rulesets from client enterprise and cloud NF NF providers providers Email Clients 8 Enterprise Destination

Cryptographic solutions do not suffice NF NF providers providers Email Clients 9 Enterprise Destination

Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS NF NF providers providers Email Clients 10 Enterprise Destination

Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload NF NF providers providers? Email Clients 11 Enterprise Destination

Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload Security: Unencrypted fields (e.g. IP headers) still leak information NF NF providers providers? Email Clients 12 Enterprise Destination

Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark [Sherry et al. (SIGCOMM 15)] [Lan et al. (NSDI 16)] 13

Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark Too limited in functionality! Header-based comparisons Regular expressions Keyword matching Cross-flow analysis Statistical computations 14

How to achieve full functionality and our security goals simultaneously? 15

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 16

SafeBricks Hardware enclaves + language-based isolation 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 17

Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Enclave (trusted) Operating System (untrusted) 18

Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Enclave (trusted) Operating System (untrusted) 19

Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Operating System (untrusted) 20

Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) 21

Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) Establish a secure channel with enclave 22

Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs Programming abstractions NetBricks Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 23

Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing Programming abstractions State abstractions NetBricks Scheduler I/O interface DPDK Poll for I/O NICs 24

Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing NFs represented as a directed graph with operators as nodes Programming abstractions State abstractions NetBricks I/O interface DPDK Scheduler Poll for I/O NICs 25

Background: NetBricks Written in Rust Fast, safe, zero-copy semantics NetBricks NF 1 NF 1 Isolates NFs deployed in a chain while running them in the same address space NICs 26

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 27

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 28

Outsourcing NFs using hardware enclaves Cloud (untrusted) Enclave OS (untrusted) Clients Gateway Destination 29 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 30 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 31 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec OS (untrusted) Clients Gateway Destination 32 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients Interception proxy Gateway Destination 33 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS Gateway Destination 34 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Destination 35 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Packet headers also encrypted Destination 36 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 37 Enterprise

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS 38 Enterprise Gateway SafeBricks also supports direct delivery of traffic Destination

Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave Can use general purpose frameworks, e.g. Haven, Scone IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 39 Enterprise

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 40

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 41

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that may lead to a VMEXIT 42

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 43

1 NetBricks Programming abstractions Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 44

1 Enclave Programming abstractions Scheduler Maximal TCB: NetBricks State abstractions stack entirely within enclave I/O interface DPDK Poll for I/O NICs 45

1 Enclave Programming abstractions Scheduler State abstractions Minimal TCB: Only securitycritical components within enclave I/O interface One enclave transition per node per packet batch DPDK Poll for I/O NICs 46

1 Enclave Programming abstractions Scheduler Intermediate TCB State abstractions One enclave transition per packet batch I/O interface DPDK Poll for I/O NICs 47

1 Programming abstractions Scheduler SafeBricks enclave (trusted) State abstractions Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 48 NICs

1 SafeBricks enclave (trusted) Programming abstractions State abstractions Scheduler Two new operators for packet transfer to/from enclave: toenclave and tohost Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 49 NICs

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 50

2 SafeBricks enclave NF toenclave tohost One enclave transition per packet batch SafeBricks host NICs 51

2 SafeBricks enclave NF toenclave tohost Shared queues in non-enclave Enclave I/O heap recv send Separate enclave and host threads Access queues without exiting Host I/O SafeBricks host enclave zero enclave transitions 52 NICs

Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 53

3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs 54

3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) 55

3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) SafeBricks designs custom solutions for these operations without enclave transitions 56

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 57

Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! 58

Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload 59

Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but IP not addresses; to packet payload TCP ports; HTTP payload 60

Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload SafeBricks enforces least privilege across NFs within the enclave 61

Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 62

Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 63

Least privilege enforcement Run NFs within the same enclave Firewall NAT Stitch NFs together interspersed with an operator ( wlist ) that embeds a vector of permissions in packets two bits per packet field wlist wlist toenclave tohost Host 64

Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model SafeBricks Controller 65

Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller 66

Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT 67

Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT Returns an immutable reference for readonly access, and a mutable reference for write access 68

Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! 69

Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! E.g. Check array bounds, no pointer arithmetic, no unsafe type casts 70

Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Client Enterprise 71

Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Problem: This violates the confidentiality of NF source code! Enterprise 72

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 73

Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler 74

Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler Both client and can verify the agreed upon compiler using remote attestation 75

Assembling NFs Assembly enclave Loader Compiler 76 Enterprise

Assembling NFs Assembly enclave Loader Compiler Remote attestation 77 Enterprise

Assembling NFs Assembly enclave Loader Compiler Remote attestation 78 Enterprise

Assembling NFs Assembly enclave Loader Compiler Remote attestation 79 Enterprise

Assembling NFs Assembly enclave NF code + rulesets Loader Compiler 80 Enterprise

Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 81 Enterprise

Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 82 Enterprise Placement of NFs, least privilege policies per NF

Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 83 Enterprise

Assembling NFs Assembly enclave Loader Compiler Deployment enclave 84 Enterprise

SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 85

86 Performance

Throughput decline across NFs 40% Firewall NAT Throughput decline 30% 20% 10% Load Balancer DPI 0% 64 256 512 1024 Packet size (bytes) ~0 15% overhead across applications for different packet sizes 87

DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% 0% 0 5000 10000 15000 20000 25000 Number of rules 88 Overhead spikes when NF working set exceeds enclave memory

DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% Not a fundamental limitation 0% 0 5000 10000 15000 20000 25000 Number of rules 89 Overhead spikes when NF working set exceeds enclave memory

Summary rishabhp@eecs.berkeley.edu SafeBricks uses a combination of hardware enclaves and language-based isolation to: Protect client traffic from the cloud provider Enforce least privilege across NFs Protect the confidentiality of NF code and rulesets Modest overhead across a range of applications 90

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback