1. S-Blocks: Lightweight and Trusted Virtual Security Function With SGX
- Authors
Jun Xu, Peng Liu, Juan Wang, Wenhui Zhang, Bo Zhao, Hongxin Hu, Hongda Li, Shirong Hao, and Ma Jing
- Subjects
Flexibility (engineering), Computer Networks and Communications, Computer science, Distributed computing, Networking and telecommunications, Cloud computing, Engineering and technology, Virtualization, Computer Science Applications, Hardware and Architecture, Synchronization (computer science), Scalability, Electrical, electronic and information engineering, Key (cryptography), Overhead (computing), Artificial intelligence and image processing, Latency (engineering), Software, Information Systems
- Abstract
Despite the advantages of scalability and flexibility, Security Function Virtualization (SFV) raises concerns about its own security. To enhance the security of SFV, a promising approach is to run critical components of off-the-shelf security software inside SGX enclaves. This idea, however, is hardly practical due to the difficulty of detaching components from a monolithic security function and the unacceptable cost of running them in enclaves. In this work, we propose S-Blocks, an architecture that modularizes a virtual security function (VSF) and protects its key modules with SGX in an efficient manner. By systematically decomposing the modules of a VSF into related elements, the key modules and elements of the VSF can easily be placed into an enclave. Furthermore, to address the state-consistency and secure-migration issues that arise when security functions scale, we design a fine-grained state synchronization and migration mechanism that ensures loss-free, order-preserving, and secure state handling for VSFs. To demonstrate the effectiveness of our approach, we prototype S-Blocks using FastClick on a real Skylake platform and implement three main types of virtual security functions based on the S-Blocks architecture. Our evaluation results show that S-Blocks imposes only a manageable performance overhead, with low latency and resource consumption, when protecting VSFs.
- Published
- 2022