DOI: 10.1145/3180465.3180476

Challenges Towards Protecting VNF With SGX

Published: 14 March 2018

Abstract

Network Function Virtualization (NFV) is an emerging technology that implements network functions in software, reducing equipment cost (CAPEX) and operational cost (OPEX) by decoupling network functions from dedicated network devices and deploying them as virtual instances on high-volume standard servers. However, because they run in a shared, open environment without the protection of proprietary hardware, virtual network functions (VNFs) face more security threats than traditional network functions. It is therefore crucial to build a trusted execution environment to protect VNFs. In this paper, we first analyze the challenges of VNF security protection. We then propose a lightweight trusted execution environment for securing VNFs based on SGX and Click. To demonstrate the feasibility of our approach, we implement a DDoS defense function on top of our environment and conduct preliminary evaluations. Our results show that the system introduces only manageable performance overhead for protecting VNFs.
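As an added illustration (not the paper's code, whose design the abstract only sketches), the C program below shows the partition the abstract describes: a DDoS defense network function whose per-source counters and rate threshold live on a trusted side, while the untrusted host does the packet I/O and receives only a pass/drop verdict. The SGX boundary is simulated in plain C so the program runs anywhere: the ecall_* names, the table layout, the window and threshold values and the sample traffic are all assumptions made for this example; in a real build the ecall_* functions would be declared in an EDL file and the trusted half compiled into an enclave.

```c
/* Added illustration, not the paper's code: a per-source packet-rate DDoS
 * filter split the way an SGX-protected VNF would be, into an untrusted
 * packet-I/O half and a trusted half that owns the policy and counters.
 * The enclave boundary is simulated. In a real SGX build the ecall_*
 * functions would be the enclave entry points declared in an EDL file, and
 * g_table / g_threshold would be enclave memory the host OS cannot read or
 * modify. Everything here compiles and runs as ordinary C. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_SECONDS 1u
#define MAX_TRACKED    1024u   /* assumed table size for the example */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* ---------------- trusted side (would be enclave code) ---------------- */

struct src_counter {
    uint8_t  in_use;
    uint32_t src_ip;        /* host byte order */
    uint32_t window_start;  /* seconds */
    uint32_t count;         /* packets seen in the current window */
};

/* Fixed-size open-addressing table: keeps the enclave TCB free of a heap
 * allocator and bounds the memory an attacker can make the function consume. */
static struct src_counter g_table[MAX_TRACKED];
static uint32_t g_threshold = 100;  /* max packets per source per window */

static struct src_counter *lookup(uint32_t src_ip)
{
    uint32_t h = (src_ip * 2654435761u) % MAX_TRACKED;  /* Fibonacci hashing */
    for (uint32_t i = 0; i < MAX_TRACKED; i++) {
        struct src_counter *e = &g_table[(h + i) % MAX_TRACKED];
        if (!e->in_use) {               /* first free slot: claim it */
            e->in_use = 1;
            e->src_ip = src_ip;
            e->window_start = 0;
            e->count = 0;
            return e;
        }
        if (e->src_ip == src_ip)
            return e;
    }
    return NULL;  /* table full */
}

/* ECALL: the host hands in only the fields the policy needs and gets back a
 * one-bit verdict. now_sec is host-supplied and therefore attacker-influenced;
 * a real enclave would take time from a trusted source or a monotonic counter
 * rather than trust the host clock. */
int ecall_inspect(uint32_t src_ip, uint32_t now_sec)
{
    struct src_counter *e = lookup(src_ip);
    if (e == NULL)
        return VERDICT_DROP;  /* fail closed when per-source state is exhausted */
    if (now_sec - e->window_start >= WINDOW_SECONDS) {
        e->window_start = now_sec;
        e->count = 0;
    }
    e->count++;
    return e->count > g_threshold ? VERDICT_DROP : VERDICT_PASS;
}

/* ECALL: policy update. In a deployed enclave this would be reachable only
 * over a channel set up after remote attestation, so a compromised host
 * cannot simply raise the threshold. */
void ecall_set_threshold(uint32_t packets_per_window) { g_threshold = packets_per_window; }
void ecall_reset(void) { memset(g_table, 0, sizeof g_table); }

/* ---------------- untrusted side (host application) ---------------- */

/* Replays n packets from one source at one timestamp through the trusted
 * side and returns how many were dropped. Traffic is constructed, not captured. */
uint32_t simulate_flood(uint32_t src_ip, uint32_t n, uint32_t now_sec)
{
    uint32_t dropped = 0;
    for (uint32_t i = 0; i < n; i++)
        if (ecall_inspect(src_ip, now_sec) == VERDICT_DROP)
            dropped++;
    return dropped;
}

int main(void)
{
    ecall_reset();
    ecall_set_threshold(100);
    uint32_t attacker = 0x0A000001u;  /* 10.0.0.1, constructed */
    uint32_t client   = 0x0A000002u;  /* 10.0.0.2, constructed */
    printf("attacker: %u of 150 dropped\n", (unsigned)simulate_flood(attacker, 150, 0));
    printf("client:   %u of 5 dropped\n",   (unsigned)simulate_flood(client, 5, 0));
    printf("attacker next window: %s\n",
           ecall_inspect(attacker, 1) == VERDICT_PASS ? "pass" : "drop");
    return 0;
}
```

The split makes visible what an enclave does and does not buy for a VNF. The host cannot read the counters or change g_threshold, so the integrity and confidentiality of the policy state are protected. The host still decides what reaches ecall_inspect, though: it can starve the function, replay packets, or pass a false now_sec to roll the window forward, so availability and the clock are not protected by the enclave boundary itself and need a trusted time source and an attested policy channel on top.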


Cited By

  • (2024) Model for Jointly Determining Service Function Chain Routes and Update Scheduling with State Consistency. IEICE Transactions on Communications, E107-B(12): 965-980. DOI: 10.23919/transcom.2023EBP3203. Online publication date: Dec 2024.
  • (2024) Correctness of Flow Migration for Service Function Chains. NOMS 2024 - 2024 IEEE Network Operations and Management Symposium, pp. 1-9. DOI: 10.1109/NOMS59830.2024.10575826. Online publication date: 6 May 2024.
  • (2024) Flow Migration for Service Function Chains: Preserving External-Ordering. 2024 IEEE 49th Conference on Local Computer Networks (LCN), pp. 1-9. DOI: 10.1109/LCN60385.2024.10639762. Online publication date: 8 Oct 2024.
  • (2024) Towards Shielding 5G Control Plane Functions. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 302-315. DOI: 10.1109/DSN58291.2024.00039. Online publication date: 24 Jun 2024.
  • (2023) Intel Software Guard Extensions Applications: A Survey. ACM Computing Surveys, 55(14s): 1-38. DOI: 10.1145/3593021. Online publication date: 17 Jul 2023.
  • (2022) SGXAP: SGX-Based Authentication Protocol in IoV-Enabled Fog Computing. Symmetry, 14(7): 1393. DOI: 10.3390/sym14071393. Online publication date: 6 Jul 2022.
  • (2022) SAKAP: SGX-Based Authentication Key Agreement Protocol in IoT-Enabled Cloud Computing. Sustainability, 14(17): 11054. DOI: 10.3390/su141711054. Online publication date: 5 Sep 2022.
  • (2021) Design and Implementation of Virtual Security Function Based on Multiple Enclaves. Future Internet, 13(1): 12. DOI: 10.3390/fi13010012. Online publication date: 6 Jan 2021.
  • (2021) Loss-freedom, Order-preservation and No-buffering: Pick Any Two During Flow Migration in Network Functions. 2021 IEEE 29th International Conference on Network Protocols (ICNP), pp. 1-11. DOI: 10.1109/ICNP52444.2021.9651954. Online publication date: 1 Nov 2021.

Published In

SDN-NFV Sec'18: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
March 2018
64 pages
ISBN: 9781450356350
DOI: 10.1145/3180465

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. click
  2. intel sgx
  3. nfv
  4. trust
  5. vnf

Qualifiers

  • Short-paper

Conference

CODASPY '18

Acceptance Rates

Overall Acceptance Rate 11 of 30 submissions, 37%

Article Metrics

  • Downloads (last 12 months): 6
  • Downloads (last 6 weeks): 1
Reflects downloads up to 01 Mar 2025.

