DOI: 10.1145/2834050.2834100
research-article

A First Step Towards Leveraging Commodity Trusted Execution Environments for Network Applications

Published: 16 November 2015 Publication History

Abstract

Network applications and protocols are increasingly adopting security and privacy features, as they are becoming one of the primary requirements. The wide-spread use of transport layer security (TLS) and the growing popularity of anonymity networks, such as Tor, exemplify this trend. Motivated by the recent movement towards commoditization of trusted execution environments (TEEs), this paper explores alternative design choices that application and protocol designers should consider. In particular, we explore the possibility of using Intel SGX to provide security and privacy in a wide range of network applications. We show that leveraging hardware protection of TEEs opens up new possibilities, often at the benefit of a much simplified application/protocol design. We demonstrate its practical implications by exploring the design space for SGX-enabled software-defined inter-domain routing, peer-to-peer anonymity networks (Tor), and middleboxes. Finally, we quantify the potential overheads of the SGX-enabled design by implementing it on top of OpenSGX, an open source SGX emulator.

Supplementary Material

MP4 File (a7.mp4)



      Published In

      HotNets-XIV: Proceedings of the 14th ACM Workshop on Hot Topics in Networks
      November 2015
      189 pages
      ISBN:9781450340472
      DOI:10.1145/2834050
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      HotNets-XIV
      Sponsor:
      HotNets-XIV: The 14th ACM Workshop on Hot Topics in Networks
      November 16 - 17, 2015
      PA, Philadelphia, USA

      Acceptance Rates

      Overall Acceptance Rate 110 of 460 submissions, 24%

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months): 25
      • Downloads (Last 6 weeks): 0
      Reflects downloads up to 03 Feb 2025

      Cited By

      • (2024) Lightweight Flow‐Based Policy Enforcement for SDN‐Based Multi‐Domain Communication. International Journal of Network Management. DOI: 10.1002/nem.2312. Online publication date: 23-Oct-2024
      • (2022) An Identity-Based Encryption Method for SDN-Enabled Source Routing Systems. Security and Communication Networks, 2022. DOI: 10.1155/2022/1942097. Online publication date: 1-Jan-2022
      • (2022) A Geography-Based P2P Overlay Network for Fast and Robust Blockchain Systems. IEEE Transactions on Services Computing, pages 1-14. DOI: 10.1109/TSC.2022.3189667. Online publication date: 2022
      • (2022) RATLS: Integrating Transport Layer Security with Remote Attestation. Applied Cryptography and Network Security Workshops, pages 361-379. DOI: 10.1007/978-3-031-16815-4_20. Online publication date: 24-Sep-2022
      • (2021) Faster enclave transitions for IO-intensive network applications. Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable network INfrastructure, pages 1-8. DOI: 10.1145/3472873.3472879. Online publication date: 27-Aug-2021
      • (2021) S2Dedup. Proceedings of the 14th ACM International Conference on Systems and Storage, pages 1-12. DOI: 10.1145/3456727.3463773. Online publication date: 14-Jun-2021
      • (2021) Remotely controlling TrustZone applications? A study on securely and resiliently receiving remote commands. Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pages 204-215. DOI: 10.1145/3448300.3468501. Online publication date: 28-Jun-2021
      • (2021) SGXoMeter. Proceedings of the 14th European Workshop on Systems Security, pages 55-61. DOI: 10.1145/3447852.3458722. Online publication date: 26-Apr-2021
      • (2021) STYX: A Hierarchical Key Management System for Elastic Content Delivery Networks on Public Clouds. IEEE Transactions on Dependable and Secure Computing, 18:2, pages 843-857. DOI: 10.1109/TDSC.2019.2918278. Online publication date: 1-Mar-2021
      • (2021) Building In-the-Cloud Network Functions: Security and Privacy Challenges. Proceedings of the IEEE, 109:12, pages 1888-1919. DOI: 10.1109/JPROC.2021.3127277. Online publication date: Dec-2021
