DOI: 10.1145/3106989.3106994

SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module

Published: 03 August 2017

Abstract

A network middlebox benefits both users and network operators by offering a wide range of security-related in-network functions, such as web firewalls and intrusion detection systems (IDS). However, the widespread use of encryption protocols restricts what a middlebox can see and therefore what it can do, forcing network operators and users to choose between end-to-end privacy and in-network security. This paper presents SGX-Box, a secure middlebox system that enables visibility into encrypted traffic by leveraging Intel SGX. Throughout SGX-Box's processing, sensitive information such as decrypted payloads and session keys stays protected inside the SGX enclave. SGX-Box provides an easy-to-use abstraction and a high-level programming language, SB lang, for handling encrypted traffic in middleboxes; it greatly improves programmability by hiding the details of the cryptographic operations and of enclave processing. We implement a proof-of-concept IDS in SB lang. Our preliminary evaluation shows that SGX-Box incurs acceptable performance overhead while dramatically reducing the middlebox developer's effort.
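The trust boundary the abstract describes can be sketched in ordinary code. The following is an added example written for this page; it is not SGX-Box's code and does not use SGX. A plain Go type named `enclave` stands in for the enclave: it holds the session key, authenticates and decrypts one AEAD record, runs constructed IDS rules over the plaintext, and hands back only a verdict, so the untrusted host never touches keys or cleartext. The rule format, the `sealRecord` helper that plays the TLS endpoint, and the assumption that the endpoint simply hands the middlebox its AES-GCM session key are all constructed for illustration; how SGX-Box actually obtains session keys, and how a client would attest the enclave before trusting it with them, is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Rule is a constructed IDS signature: a byte pattern searched for in the
// decrypted payload. It is not SB lang or Snort syntax.
type Rule struct {
	ID      int
	Pattern []byte
}

// Verdict is all that crosses back to the untrusted host: matched rule IDs,
// never plaintext and never keys.
type Verdict struct {
	Matched []int
}

// enclave stands in for the SGX-protected part of the middlebox (a hypothetical
// type for this example). It owns the session key and sees plaintext only
// transiently inside Inspect; a real enclave would also need remote attestation.
type enclave struct {
	aead  cipher.AEAD
	rules []Rule
}

// newAEAD builds AES-GCM from a 16-, 24- or 32-byte session key.
func newAEAD(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func newEnclave(sessionKey []byte, rules []Rule) (*enclave, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	return &enclave{aead: aead, rules: rules}, nil
}

// Inspect authenticates and decrypts one AEAD record, runs the rules over the
// plaintext and returns only the verdict. A record that fails authentication is
// dropped before matching, so forged records cannot probe the rule set; the
// plaintext buffer is zeroed before the function returns.
func (e *enclave) Inspect(nonce, ciphertext, aad []byte) (Verdict, error) {
	plain, err := e.aead.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return Verdict{}, fmt.Errorf("record failed authentication, dropped: %w", err)
	}
	defer func() {
		for i := range plain {
			plain[i] = 0
		}
	}()
	var v Verdict
	for _, r := range e.rules {
		if bytes.Contains(plain, r.Pattern) {
			v.Matched = append(v.Matched, r.ID)
		}
	}
	return v, nil
}

// sealRecord plays the TLS endpoint: it encrypts a payload under the same
// session key so the demo has realistic ciphertext to inspect.
func sealRecord(sessionKey, nonce, aad, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

func main() {
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, GCM nonce
	for _, b := range [][]byte{key, nonce} {
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
	}
	rules := []Rule{{ID: 1, Pattern: []byte("/etc/passwd")}, {ID: 2, Pattern: []byte("cmd.exe")}}
	// Constructed sample: an HTTP request as the client would have encrypted it.
	ct, err := sealRecord(key, nonce, nil, []byte("GET /etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"))
	enc, err2 := newEnclave(key, rules)
	if err != nil || err2 != nil {
		panic("setup failed")
	}
	v, err := enc.Inspect(nonce, ct, nil) // the host sees only ct and v
	fmt.Printf("verdict: matched rules %v, err: %v\n", v.Matched, err)
}
```

The point of the shape is that `Inspect` is the only function that ever holds plaintext, and its return type cannot carry plaintext out. In a real deployment that function body is what would live inside the enclave, with the host side reduced to shuttling ciphertext in and verdicts out.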



Published In

APNet '17: Proceedings of the First Asia-Pacific Workshop on Networking
August 2017, 127 pages
ISBN: 9781450352444
DOI: 10.1145/3106989

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Deep Packet Inspection
  2. Intel SGX
  3. Middlebox Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

APNet'17
APNet'17: First Asia-Pacific Workshop on Networking
August 3 - 4, 2017
Hong Kong, China

Acceptance Rates

Overall Acceptance Rate 50 of 118 submissions, 42%


Cited By

  • (2025) ENDEMIC: End-to-End Network Disruptions – Examining Middleboxes, Issues, and Countermeasures – A Survey. ACM Computing Surveys 57(7), 1-42. DOI: 10.1145/3716372. Published 21 Feb 2025.
  • (2024) A Transferable Deep Learning Framework for Improving the Accuracy of Internet of Things Intrusion Detection. Future Internet 16(3), 80. DOI: 10.3390/fi16030080. Published 28 Feb 2024.
  • (2024) Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 962-976. DOI: 10.1145/3634737.3637640. Published 1 Jul 2024.
  • (2024) Programming Network Stack for Physical Middleboxes and Virtualized Network Functions. IEEE/ACM Transactions on Networking 32(2), 971-986. DOI: 10.1109/TNET.2023.3307641. Published Apr 2024.
  • (2024) Interface-Based Side Channel in TEE-Assisted Networked Services. IEEE/ACM Transactions on Networking 32(1), 613-626. DOI: 10.1109/TNET.2023.3294019. Published Feb 2024.
  • (2024) PrivRE: Regular Expression Matching for Encrypted Packet Inspection. 2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS), 1306-1317. DOI: 10.1109/ICDCS60910.2024.00123. Published 23 Jul 2024.
  • (2024) Towards Shielding 5G Control Plane Functions. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 302-315. DOI: 10.1109/DSN58291.2024.00039. Published 24 Jun 2024.
  • (2024) DE-GNN. Computer Networks: The International Journal of Computer and Telecommunications Networking 245(C). DOI: 10.1016/j.comnet.2024.110372. Published 1 May 2024.
  • (2024) mdTLS: How to Make Middlebox-Aware TLS More Efficient? Information Security and Cryptology – ICISC 2023, 39-59. DOI: 10.1007/978-981-97-1238-0_3. Published 8 Mar 2024.
  • (2024) ENS-RFMC: An Encrypted Network Traffic Sampling Method Based on Rule-Based Feature Extraction and Multi-hierarchical Clustering for Intrusion Detection. Pattern Recognition, 78-92. DOI: 10.1007/978-3-031-78383-8_6. Published 2 Dec 2024.
