DOI: 10.1145/3627703.3650071
Research article

SmartNIC Security Isolation in the Cloud with S-NIC

Published: 22 April 2024

Abstract

Modern smart NICs provide little isolation between the network functions belonging to different tenants. These NICs also do not protect network functions from the datacenter-provided management OS which runs on the smart NIC. We describe concrete attacks which allow a network function's state to leak to (or be modified by) another network function or the management OS. We then introduce S-NIC, a new hardware design for smart NICs that provides strong isolation guarantees. S-NIC pervasively virtualizes hardware accelerators, enforces single-owner semantics for each line in on-NIC cache and RAM, and provides dedicated bus bandwidth for each network function. Using this design, we eliminate side channels involving shared hardware state, and give each network function the illusion of having a private smart NIC. We show how these virtual NICs can be integrated with preexisting datacenter technologies for virtual LANs and trusted host-level computations like SGX enclaves. The overall result is that S-NIC enables strongly-isolated, NIC-accelerated datacenter applications; in these applications, network functions and host-level code receive hardware-guaranteed isolation from other applications and the datacenter provider.


Cited By

  • Rethinking the Networking Stack for Serverless Environments: A Sidecar Approach. Proceedings of the 2024 ACM Symposium on Cloud Computing, pages 213-222, published 20 November 2024. DOI: 10.1145/3698038.3698561
  • Byways: High-Performance, Isolated Network Functions for Multi-Tenant Cloud Servers. Proceedings of the 2024 ACM Symposium on Cloud Computing, pages 811-829, published 20 November 2024. DOI: 10.1145/3698038.3698547
  • A Comprehensive Survey on SmartNICs: Architectures, Development Models, Applications, and Research Directions. IEEE Access, volume 12, pages 107297-107336, 2024. DOI: 10.1109/ACCESS.2024.3437203

Published In

EuroSys '24: Proceedings of the Nineteenth European Conference on Computer Systems
April 2024, 1245 pages
ISBN: 9798400704376
DOI: 10.1145/3627703

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Network functions
  2. Smart NICs
  3. Trusted execution environment


Conference

EuroSys '24

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%
