High-Performance Secure Network Appliances: A Hardware-Assisted Approach

High-Performance Secure Network Systems Based on Trusted Hardware

Student thesis: Doctoral Thesis

Award date: 8 Sept 2020

Abstract

Modern networks are not dull collections of dumb switches and routers that merely pass packets around the internet; they are intelligent and vibrant, permeated with a wide variety of network appliances. Often known as middleboxes, these appliances perform indispensable network functions for security, performance, and connectivity: firewalls, intrusion detection/prevention, bandwidth optimization, load balancing and proxying, to name a few. Operating such systems, however, becomes increasingly challenging because of growing security concerns and radical architecture shifts in the internet today. In particular, the protection of network appliances and the data they operate on, both to defeat cyberattacks and to ensure compliance with privacy regulations like GDPR, is more urgently needed than ever.

The dissertation presents a systematic investigation into building high-performance secure network appliances with trusted hardware (e.g., Intel SGX). This hardware-assisted approach allows for solutions that are more versatile and performant than those built from cryptography alone. Specifically, we detail the rationale, design, implementation and evaluation of three systems: 1) the first-ever secure middlebox system that can run advanced stateful network functions in secure enclaves at near-native speed, while providing comprehensive protection in off-premise deployment of middleboxes; 2) a secure traffic archival system that empowers privacy-assured network forensics and diagnostics with high-fidelity traffic traces; 3) a generic optimisation framework that speeds up enclave applications by eliminating redundant computation. The first two systems complement each other in that the former features real-time traffic processing yet the latter enables retrospective analysis; they can be augmented by the third system with a further performance boost.

Our research establishes that securing network appliances is not at odds with their complex functionality and stringent performance requirements. We are able to bring our secure-by-design systems into the practical realm by synergizing a set of novel and customised techniques. Our encouraging results would provide valuable insights into and good practices for the development of hardware-assisted secure systems in general.