SafeBricks: Shielding Network Functions in the Cloud
Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy
UC Berkeley
Network Functions (NFs) in the cloud
[Diagram: Clients, Enterprise, NF providers, Destination]
Problem: Security
[Diagram: Clients, Enterprise, NF providers, Destination]
1. Need to protect traffic from the cloud provider (hackers / curious employees)
2. Need to protect traffic from the NF providers (exfiltration)
3. Need to protect NF code and rulesets from client enterprise and cloud
Cryptographic solutions do not suffice
[Diagram: Clients, Enterprise, NF providers, Destination]
1. Standard encryption, e.g. end-to-end TLS
   • Functionality: doesn’t allow any computation on the encrypted payload
   • Security: unencrypted fields (e.g. IP headers) still leak information
2. Specialized encryption, e.g. BlindBox [Sherry et al. (SIGCOMM’15)], Embark [Lan et al. (NSDI’16)]
   • Too limited in functionality!
     • Header-based comparisons
     • Keyword matching
     • Regular expressions
     • Cross-flow analysis
     • Statistical computations
How to achieve full functionality and our security goals simultaneously?
SafeBricks
1. Protects traffic from the cloud provider
2. Protects traffic from the NF providers
3. Protects NF source code and rulesets from client enterprise and cloud
Approach: hardware enclaves + language-based isolation
Background: Hardware enclaves (e.g. Intel SGX)
[Diagram: Operating System (untrusted), Application (untrusted), Enclave (trusted) holding secret data and trusted code; a remote Client interacting with the enclave]
• Secure region of memory (enclaves) protected by hardware
• Remote attestation by clients
  • Remotely verify enclave contents
  • Establish a secure channel with enclave
Background: NetBricks [Panda et al. (OSDI’16)]
[Diagram: the NetBricks stack above the NICs: I/O interface, Poll for I/O, Programming abstractions, State abstractions, Scheduler, DPDK; a second view shows several NFs side by side on top of NetBricks]
• Framework for developing arbitrary NFs
• MapReduce-like programming abstractions (operators) for packet processing
• NFs represented as a directed graph with operators as nodes
• Written in Rust
• Fast, safe, zero-copy semantics
• Isolates NFs deployed in a chain while running them in the same address space
Outsourcing NFs using hardware enclaves
[Diagram, built up over several slides: Clients and a Gateway in the Enterprise, the Cloud (untrusted) running an OS (untrusted) and an Enclave that hosts the NF, and the Destination. Labels on the traffic: IPSec, TLS, Interception proxy]
• Packet headers are also encrypted (the traffic to and from the enclave is carried inside IPSec tunnels)
• SafeBricks also supports “direct” delivery of traffic
• Can use general purpose frameworks, e.g. Haven, Scone
Challenges
1. Small trusted computing base (TCB) — enclave should contain a minimal amount of code
2. High performance — transitioning into / out of enclaves is expensive!
3. Illegal enclave instructions — SGX does not support system calls or instructions that lead to a VMEXIT
Challenge 1: Small TCB
[Diagram: the NetBricks stack (I/O interface, Poll for I/O, Programming abstractions, State abstractions, Scheduler, DPDK, NICs) with the enclave boundary drawn at different levels]
• Maximal TCB: NetBricks stack entirely within the enclave
• Minimal TCB: only security-critical components within the enclave; one enclave transition per node per packet batch
• Intermediate TCB: one enclave transition per packet batch
• SafeBricks: partitioned NetBricks framework; glue code (trusted and untrusted) connects the SafeBricks enclave (trusted) and the SafeBricks host (untrusted)
• Two new operators for packet transfer to/from the enclave: toEnclave and toHost
Challenge 2: High performance
[Diagram: SafeBricks host (NICs, Host I/O) and SafeBricks enclave (Enclave I/O, NF) linked by the toEnclave / toHost operators and send / recv queues]
• Starting point: one enclave transition per packet batch
• SafeBricks: shared queues in the non-enclave heap; separate enclave and host threads; the queues are accessed without exiting the enclave — zero enclave transitions
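The shared-queue design above, as an added example written for this page (it is not SafeBricks’ or NetBricks’ code): a bounded single-producer / single-consumer ring of packet descriptors that lives in ordinary memory, polled by a host thread and an “enclave” thread that exchange packets without either side ever calling into the other. Everything here is constructed for illustration: the 64-bit descriptor layout, the source-NAT toy NF, the EXTERNAL_IP constant and the ring capacity are assumptions, no SGX SDK is involved, and the enclave is simulated by a second thread.

```rust
use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// Bounded single-producer / single-consumer ring of 64-bit packet descriptors.
/// SafeBricks places such queues in the non-enclave heap so the host thread and
/// the enclave thread can both reach them without an enclave transition; here the
/// ring is ordinary process memory and the enclave is simulated by a second thread.
pub struct SpscRing {
    slots: Vec<AtomicU64>, // capacity + 1 slots: one spare slot tells full from empty
    head: AtomicUsize,     // next slot the consumer reads
    tail: AtomicUsize,     // next slot the producer writes
}

impl SpscRing {
    pub fn new(capacity: usize) -> Self {
        SpscRing {
            slots: (0..=capacity).map(|_| AtomicU64::new(0)).collect(),
            head: AtomicUsize::new(0),
            tail: AtomicUsize::new(0),
        }
    }

    /// Producer side: never blocks, returns false when the ring is full.
    pub fn push(&self, desc: u64) -> bool {
        let t = self.tail.load(Ordering::Relaxed);
        let next = (t + 1) % self.slots.len();
        if next == self.head.load(Ordering::Acquire) {
            return false;
        }
        self.slots[t].store(desc, Ordering::Relaxed);
        self.tail.store(next, Ordering::Release); // publishes the slot to the consumer
        true
    }

    /// Consumer side: never blocks, returns None when the ring is empty.
    pub fn pop(&self) -> Option<u64> {
        let h = self.head.load(Ordering::Relaxed);
        if h == self.tail.load(Ordering::Acquire) {
            return None;
        }
        let desc = self.slots[h].load(Ordering::Relaxed);
        self.head.store((h + 1) % self.slots.len(), Ordering::Release); // hands the slot back
        Some(desc)
    }
}

/// Constructed descriptor layout: src_ip (32 bits) | src_port (16) | dst_port (16).
/// Toy NF run on the enclave thread: a source NAT that rewrites src_ip.
pub const EXTERNAL_IP: u32 = 0xC000_0201; // 192.0.2.1, documentation range (assumed)
pub fn source_nat(desc: u64) -> u64 {
    ((EXTERNAL_IP as u64) << 32) | (desc & 0xFFFF_FFFF)
}

/// Push every descriptor from the host thread to the enclave thread and collect
/// the rewritten descriptors coming back. Each ring has exactly one producer and
/// one consumer, and neither thread ever calls into the other.
pub fn run_pipeline(packets: &[u64]) -> Vec<u64> {
    let to_enclave = Arc::new(SpscRing::new(4)); // small on purpose: exercises the full path
    let to_host = Arc::new(SpscRing::new(4));
    let n = packets.len();

    let (rx, tx) = (Arc::clone(&to_enclave), Arc::clone(&to_host));
    let enclave = thread::spawn(move || {
        let mut handled = 0;
        while handled < n {
            match rx.pop() {
                Some(desc) => {
                    let out = source_nat(desc);
                    while !tx.push(out) { thread::yield_now(); }
                    handled += 1;
                }
                None => thread::yield_now(),
            }
        }
    });

    let (mut sent, mut received) = (0, Vec::with_capacity(n));
    while received.len() < n {
        let mut progressed = false;
        if sent < n && to_enclave.push(packets[sent]) { sent += 1; progressed = true; }
        if let Some(desc) = to_host.pop() { received.push(desc); progressed = true; }
        if !progressed { thread::yield_now(); }
    }
    enclave.join().expect("enclave thread panicked");
    received
}

fn main() {
    let pkts = [(0x0A00_0007u64 << 32) | (40000 << 16) | 443];
    println!("{:x?}", run_pipeline(&pkts));
}
```

The memory orderings are the whole point of the ring: the producer publishes a slot with a Release store of `tail` and the consumer observes it with an Acquire load, and vice versa for `head`, so no lock and no transition is needed. A real deployment must additionally treat everything read from the non-enclave heap as attacker-controlled (the host owns that memory), which is why SafeBricks copies packets into the enclave through toEnclave rather than processing them in place.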
Challenge 3: Illegal enclave instructions
Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except:
• Logging
• Timestamps (using rdtsc)
SafeBricks designs custom solutions for these operations without enclave transitions
Problem: Malicious NFs within enclaves
Malicious NFs inside the enclave can exfiltrate or tamper with packets!!
Observation: NFs typically need access only to specific packet fields
• E.g. a firewall needs read-only access to the TCP/IP headers (IP addresses, TCP ports)
• E.g. a NAT needs read-write access to the headers but no access to the packet payload (e.g. HTTP payload)
SafeBricks enforces least privilege across NFs within the enclave
![Page 62: SafeBricks: Shielding Network Functions in the Cloud · NF TLS IPSec TLS SafeBricks also supports “direct” delivery of traffic IPSec. Outsourcing NFs using hardware enclaves 39](https://reader034.vdocuments.us/reader034/viewer/2022051809/6013529930c1f3413f11cba2/html5/thumbnails/62.jpg)
toEnclave toHost
Host
�62
Run NFs within the same enclave
Least privilege enforcement
Firewall NAT
![Page 63: SafeBricks: Shielding Network Functions in the Cloud · NF TLS IPSec TLS SafeBricks also supports “direct” delivery of traffic IPSec. Outsourcing NFs using hardware enclaves 39](https://reader034.vdocuments.us/reader034/viewer/2022051809/6013529930c1f3413f11cba2/html5/thumbnails/63.jpg)
�63
Run NFs within the same enclaveFirewall
toEnclave
NAT
toHost
Host
Least privilege enforcement
![Page 64: SafeBricks: Shielding Network Functions in the Cloud · NF TLS IPSec TLS SafeBricks also supports “direct” delivery of traffic IPSec. Outsourcing NFs using hardware enclaves 39](https://reader034.vdocuments.us/reader034/viewer/2022051809/6013529930c1f3413f11cba2/html5/thumbnails/64.jpg)
�64
Run NFs within the same enclave
• Stitch NFs together interspersed with an operator ( wList ) that embeds a vector of permissions in packets — two bits per packet field
Firewall
toEnclave
NAT
toHost
Host
wList wList
wList
Least privilege enforcement
Least privilege enforcement (slides 65–68)
Enforce permissions by mediating access to packets using Rust’s ownership model
• Controller module holds ownership of packet buffers
• NFs borrow references to packet fields from the Controller, which checks the permissions vector in the packet
Returns an immutable reference for read-only access, and a mutable reference for write access
[Diagram: SafeBricks Controller holding the packet buffer, with the NAT and Firewall NFs borrowing field references from it]
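The Controller mechanism described on these slides, as an added example that is not SafeBricks' own code: a small Rust model in which the Controller owns the packet buffer and hands out an immutable or mutable borrow of one field only if the permission vector stamped on the packet by the wList step allows it. The IPv4/TCP field offsets, the four tracked fields, the packing of two bits per field into a `u32`, and every name (`Controller`, `Perms`, `stamp`, `run_chain`, and so on) are assumptions of this example, not the project's API.

```rust
// Added example, not SafeBricks' own code: a toy model of the Controller
// mediating NF access to packet fields through Rust's ownership rules.
// Assumed layout: IPv4 header without options followed by a TCP header;
// four tracked fields; two permission bits (read, write) per field.

/// A tracked packet field: its slot in the permission vector and its byte range.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Field { pub slot: u8, pub off: usize, pub len: usize }

pub const SRC_IP: Field = Field { slot: 0, off: 12, len: 4 };
pub const DST_IP: Field = Field { slot: 1, off: 16, len: 4 };
pub const SRC_PORT: Field = Field { slot: 2, off: 20, len: 2 };
pub const DST_PORT: Field = Field { slot: 3, off: 22, len: 2 };

pub const READ: u8 = 0b01;
pub const WRITE: u8 = 0b10;

/// Permission vector stamped on the packet by wList: two bits per field.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
pub struct Perms(u32);

impl Perms {
    pub fn allow(self, f: Field, bits: u8) -> Self {
        Perms(self.0 | (((bits & 0b11) as u32) << (2 * f.slot as u32)))
    }
    fn bits(self, f: Field) -> u8 { ((self.0 >> (2 * f.slot as u32)) & 0b11) as u8 }
    pub fn can_read(self, f: Field) -> bool { self.bits(f) & READ != 0 }
    pub fn can_write(self, f: Field) -> bool { self.bits(f) & WRITE != 0 }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied { Read(Field), Write(Field) }

/// The Controller owns the packet buffer; NFs only ever receive borrows of fields.
pub struct Controller { buf: Vec<u8>, perms: Perms }

impl Controller {
    pub fn new(buf: Vec<u8>) -> Self { Controller { buf, perms: Perms::default() } }
    /// wList step: stamp the permissions of the NF that runs next.
    pub fn stamp(&mut self, perms: Perms) { self.perms = perms; }
    /// Read-only access: an immutable borrow, granted only if the read bit is set.
    pub fn read(&self, f: Field) -> Result<&[u8], Denied> {
        if !self.perms.can_read(f) { return Err(Denied::Read(f)); }
        Ok(&self.buf[f.off..f.off + f.len])
    }
    /// Write access: a mutable borrow, granted only if the write bit is set. The
    /// borrow checker ensures no other reference into the buffer is live meanwhile.
    pub fn write(&mut self, f: Field) -> Result<&mut [u8], Denied> {
        if !self.perms.can_write(f) { return Err(Denied::Write(f)); }
        Ok(&mut self.buf[f.off..f.off + f.len])
    }
    pub fn into_bytes(self) -> Vec<u8> { self.buf }
}

/// Firewall NF: only needs to read the destination port.
pub fn firewall(c: &Controller, blocked_port: u16) -> Result<bool, Denied> {
    let p = c.read(DST_PORT)?;
    Ok(u16::from_be_bytes([p[0], p[1]]) != blocked_port)
}

/// NAT NF: rewrites the source address and port, so it needs write access there.
pub fn nat(c: &mut Controller, ip: [u8; 4], port: u16) -> Result<(), Denied> {
    c.write(SRC_IP)?.copy_from_slice(&ip);
    c.write(SRC_PORT)?.copy_from_slice(&port.to_be_bytes());
    Ok(())
}

pub fn firewall_perms() -> Perms {
    Perms::default().allow(SRC_IP, READ).allow(DST_IP, READ)
        .allow(SRC_PORT, READ).allow(DST_PORT, READ)
}

pub fn nat_perms() -> Perms {
    Perms::default().allow(SRC_IP, READ | WRITE).allow(SRC_PORT, READ | WRITE)
        .allow(DST_IP, READ).allow(DST_PORT, READ)
}

/// Constructed sample packet: 10.0.0.2:40000 -> 192.0.2.1:80, IPv4 + TCP, 40 bytes.
pub fn sample_packet() -> Vec<u8> {
    let mut b = vec![0u8; 40];
    b[0] = 0x45; // IPv4, IHL = 5
    b[9] = 6;    // protocol = TCP
    b[12..16].copy_from_slice(&[10, 0, 0, 2]);
    b[16..20].copy_from_slice(&[192, 0, 2, 1]);
    b[20..22].copy_from_slice(&40000u16.to_be_bytes());
    b[22..24].copy_from_slice(&80u16.to_be_bytes());
    b
}

/// The chain on the slide: wList -> Firewall -> wList -> NAT. Ok(None) = dropped.
pub fn run_chain(pkt: Vec<u8>) -> Result<Option<Vec<u8>>, Denied> {
    let mut c = Controller::new(pkt);
    c.stamp(firewall_perms());
    if !firewall(&c, 23)? { return Ok(None); }
    c.stamp(nat_perms());
    nat(&mut c, [203, 0, 113, 7], 50000)?;
    Ok(Some(c.into_bytes()))
}

/// Misconfigured chain: NAT runs under the firewall's read-only permissions,
/// so the Controller refuses its first write instead of letting it through.
pub fn nat_under_firewall_perms(pkt: Vec<u8>) -> Result<(), Denied> {
    let mut c = Controller::new(pkt);
    c.stamp(firewall_perms());
    nat(&mut c, [203, 0, 113, 7], 50000)
}

fn main() {
    println!("{:?}", run_chain(sample_packet()).map(|o| o.map(|b| b[12..24].to_vec())));
    println!("{:?}", nat_under_firewall_perms(sample_packet()));
}
```

The point the model makes is that an NF cannot reach the buffer except through `read` and `write`, and those return `&[u8]` or `&mut [u8]` only after the permission check; the one way around this in Rust is `unsafe` code, which is exactly why the following slides insist on a compiler that prohibits unsafe operations (in practice, building NF crates with `#![forbid(unsafe_code)]`).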
Assumption: Trusted compilation of NFs (slides 69–72)
Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations!
E.g. check array bounds, no pointer arithmetic, no unsafe type casts
• Possible solution: Client obtains NF source code from providers and assembles it locally
• Problem: This violates the confidentiality of NF source code!
[Diagram: NF providers handing NF code + rulesets to the client enterprise]
SafeBricks (slide 73)
1. Protects traffic from the cloud provider
2. Protects traffic from the NF providers
3. Protects NF source code and rulesets from client enterprise and cloud
Assembling NFs (slides 74–84)
• Key idea: Build NFs within a special “meta”-enclave in the cloud using an agreed-upon compiler
• Both client and NF providers can verify the agreed-upon compiler using remote attestation
[Diagram: the Enterprise and the NF providers each perform remote attestation of the Assembly enclave (Loader + Compiler); the NF providers then send NF code + rulesets and the Enterprise sends a Config (placement of NFs, least privilege policies per NF); the Assembly enclave outputs the Deployment enclave]
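The assembly flow on these slides, together with the trusted-compilation assumption from the slides before them, as an added example that is not SafeBricks' own code: a toy Rust model in which the enterprise and every NF provider independently compare the assembly enclave's reported measurement against the measurement of the agreed-upon toolchain, and only then release their inputs (code + rulesets from the providers, placement and per-NF permission policies from the enterprise) for the enclave to compile into a deployment image. The measurement is stood in for by the standard library's non-cryptographic hasher, "compiling" is reduced to a source check that rejects `unsafe` Rust, and all names (`Quote`, `AssemblyEnclave`, `run_protocol`, the toolchain strings, the permission encodings) are assumptions of this example.

```rust
// Added example, not SafeBricks' own code: a toy model of the assembly protocol.
// The hardware measurement is stood in for by std's non-cryptographic hasher and
// "compiling" an NF is reduced to a source check for unsafe Rust. Names assumed.

use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Stand-in for an enclave measurement: a hash over the code it was loaded with.
pub fn measure(code: &[&str]) -> u64 {
    let mut h = DefaultHasher::new();
    for c in code { c.hash(&mut h); }
    h.finish()
}

/// The toolchain all parties agreed on: a loader plus a compiler that forbids
/// unsafe operations. Remote attestation must report exactly its measurement.
pub const AGREED_TOOLCHAIN: [&str; 2] = ["loader-v1", "safe-rustc-v1"];

/// What the assembly enclave reports to a remote verifier.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Quote { pub measurement: u64 }

#[derive(Debug, PartialEq, Eq)]
pub enum ProtoError { AttestationMismatch, UnsafeCode(String), UnknownNf(String) }

/// An NF provider's secret: released only after attestation succeeds.
pub struct NfSource { pub name: String, pub code: String, pub ruleset: Vec<String> }

/// The enterprise's secret: placement and a permission vector per NF
/// (two bits per packet field, constructed values).
pub struct Config { pub placement: Vec<String>, pub perms: Vec<(String, u32)> }

/// Run independently by the enterprise and by every NF provider.
pub fn verify(q: Quote) -> Result<(), ProtoError> {
    if q.measurement == measure(&AGREED_TOOLCHAIN) { Ok(()) } else { Err(ProtoError::AttestationMismatch) }
}

pub struct AssemblyEnclave { pub toolchain: Vec<&'static str> }

/// One compiled NF in the deployment image: name, code measurement, and the
/// least-privilege permission vector attached from the enterprise config.
#[derive(Debug, PartialEq, Eq)]
pub struct PlacedNf { pub name: String, pub code_hash: u64, pub perms: u32 }

impl AssemblyEnclave {
    pub fn quote(&self) -> Quote { Quote { measurement: measure(&self.toolchain) } }

    /// Toy "safe compiler": refuses any NF source that uses unsafe Rust.
    fn compile(src: &NfSource) -> Result<u64, ProtoError> {
        if src.code.contains("unsafe") { return Err(ProtoError::UnsafeCode(src.name.clone())); }
        Ok(measure(&[src.code.as_str()]))
    }

    /// Build the deployment image from the providers' sources and the
    /// enterprise's config; neither party ever sees the other's input.
    pub fn assemble(&self, nfs: &[NfSource], cfg: &Config) -> Result<Vec<PlacedNf>, ProtoError> {
        let mut image = Vec::new();
        for name in &cfg.placement {
            let src = nfs.iter().find(|s| &s.name == name)
                .ok_or_else(|| ProtoError::UnknownNf(name.clone()))?;
            let perms = cfg.perms.iter().find(|(n, _)| n == name).map(|(_, p)| *p).unwrap_or(0);
            image.push(PlacedNf { name: name.clone(), code_hash: Self::compile(src)?, perms });
        }
        Ok(image)
    }
}

/// The whole exchange: every party attests, then inputs are released and assembled.
pub fn run_protocol(enclave: &AssemblyEnclave, nfs: Vec<NfSource>, cfg: Config) -> Result<Vec<PlacedNf>, ProtoError> {
    let q = enclave.quote();
    for _ in 0..nfs.len() { verify(q)?; } // each NF provider checks the quote
    verify(q)?;                            // the enterprise checks it too
    enclave.assemble(&nfs, &cfg)
}

/// Constructed inputs: two providers (firewall, NAT) and one enterprise config.
pub fn sample_nfs(nat_code: &str) -> Vec<NfSource> {
    vec![
        NfSource { name: "firewall".into(), code: "fn run(p: &Packet) -> bool { p.dst_port != 23 }".into(),
                   ruleset: vec!["deny tcp/23".into()] },
        NfSource { name: "nat".into(), code: nat_code.into(), ruleset: vec![] },
    ]
}

pub fn sample_config() -> Config {
    // 0b01010101: read-only on four fields; 0b01110111: read+write on two of them.
    Config { placement: vec!["firewall".into(), "nat".into()],
             perms: vec![("firewall".into(), 0b01010101), ("nat".into(), 0b01110111)] }
}

fn main() {
    let enclave = AssemblyEnclave { toolchain: AGREED_TOOLCHAIN.to_vec() };
    let nat = "fn run(p: &mut Packet) { p.src_ip = [203, 0, 113, 7]; }";
    println!("{:?}", run_protocol(&enclave, sample_nfs(nat), sample_config()));
}
```

Two failure modes are worth checking in such a flow: an enclave loaded with any other toolchain produces a different measurement, so no party releases anything to it; and a provider's NF that relies on `unsafe` is rejected by the compiler inside the enclave, so the least-privilege guarantee of the deployment enclave is never silently weakened by one NF.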
SafeBricks (slide 85)
1. Protects traffic from the cloud provider
2. Protects traffic from the NF providers
3. Protects NF source code and rulesets from client enterprise and cloud
Performance (slides 86–87)
Throughput decline across NFs: ~0–15% overhead across applications for different packet sizes
[Plot: throughput decline (0–40%) vs. packet size (64, 256, 512, 1024 bytes) for Firewall, NAT, Load Balancer and DPI]
DPI performance with increasing no. of rules (slides 88–89)
Overhead spikes when the NF working set exceeds enclave memory
Not a fundamental limitation
[Plot: throughput decline (0–100%) vs. number of rules (0 to 25000), annotated with working-set sizes of 8MB, 64MB and 94MB]
Summary (slide 90)
SafeBricks uses a combination of hardware enclaves and language-based isolation to:
• Protect client traffic from the cloud provider
• Enforce least privilege across NFs
• Protect the confidentiality of NF code and rulesets
Modest overhead across a range of applications