TEE-based Privacy-Preserve in Collaborative Traffic Policy Compilation for Programmable Devices

A. C. Risdianto, E. Chang
DOI: 10.1145/3445968.3452091 (https://doi.org/10.1145/3445968.3452091)
Published in: Proceedings of the 2021 ACM International Workshop on Software Defined Networks & Network Function Virtualization Security
Publication date: 2021-04-28
Citation count: 0

Abstract

Maintaining the integrity of network device policy across different organizations is challenging because the devices are shared for several traffic-forwarding purposes, including public Internet access. An organization's administrator can install an unnecessary (i.e., wrong) policy that leaks private inter-organization traffic to a public network. This can be avoided by exchanging network traffic policies between the organizations, but keeping each policy confidential from the other organizations (i.e., defending against an honest-but-curious adversary) is difficult. Furthermore, there is no guarantee that a policy is actually enforced on the network device: an administrator can intentionally install malicious policies that let an attacker into the organization's network (i.e., a malicious adversary). This paper proposes a cross-organization network traffic policy compilation that preserves policy privacy and ensures enforcement on the network devices. It uses a trusted execution environment (TEE) to compile high-level traffic policies into low-level rules for the programmable network device. The rules are then pushed to the device and optimized through a hardware programming abstraction.
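The abstract describes three pieces: policies from several organizations compiled in one trusted place, a check that a wrong policy cannot leak private inter-organization traffic to the public network, and a way for the device side to confirm that what was installed is exactly what the compiler produced. The following is an added illustration of that workflow, not code from the paper. It is a pure-Python model: the "enclave" is an ordinary function (a real deployment would run it inside a hardware TEE and push rules through the device's programming abstraction), the attestation tag is an HMAC under an assumed shared key standing in for a TEE-bound signing or sealing key, the leak check (a public-egress rule may only be installed once every private-to-private flow it could match is handled by a higher-priority rule) is this example's own simplification, and the organizations, subnets and policies are constructed sample input.

```python
"""Toy model of cross-organization policy compilation with a leak check and
an attestation tag over the compiled rule set.  Constructed example; see the
lead-in for what is assumed.
"""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Policy:
    """High-level policy as one organization submits it to the enclave."""
    org: str
    src: str          # CIDR
    dst: str          # CIDR
    action: str       # "allow" or "deny"
    egress: str       # "private" (inter-org link) or "public" (Internet)
    priority: int     # higher wins on the device


@dataclass(frozen=True)
class Rule:
    """Low-level match/action rule for the shared programmable device."""
    priority: int
    src: str
    dst: str
    action: str       # "forward:private", "forward:public" or "drop"


class LeakError(Exception):
    """A policy would send private inter-organization traffic to the Internet."""


def _covered(rules, src, dst):
    """True if an already-compiled (higher-priority) rule fully covers src->dst."""
    return any(ipaddress.ip_network(r.src).supernet_of(src)
               and ipaddress.ip_network(r.dst).supernet_of(dst)
               for r in rules)


def compile_policies(policies, private_nets, enclave_key):
    """Compile every organization's policies into one rule set for the shared
    device and return (rules, attestation_tag).  Policies are processed from
    highest to lowest priority so the leak check sees every rule that would
    match before a public-egress rule does."""
    priv = [ipaddress.ip_network(n) for n in private_nets]
    rules = []
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        src, dst = ipaddress.ip_network(p.src), ipaddress.ip_network(p.dst)
        if p.action == "deny":
            action = "drop"
        elif p.egress == "public":
            # Leak check: no private-to-private flow may fall through to the
            # public interface unless a higher-priority rule already handles it.
            for a in priv:
                for b in priv:
                    if a != b and src.overlaps(a) and dst.overlaps(b) \
                            and not _covered(rules, a, b):
                        raise LeakError(f"{p.org}: {p.src}->{p.dst} would leak "
                                        f"{a}->{b} to the public network")
            action = "forward:public"
        else:
            action = "forward:private"
        rules.append(Rule(p.priority, p.src, p.dst, action))
    return rules, attest(rules, enclave_key)


def _canonical(rules):
    return json.dumps([asdict(r) for r in rules], sort_keys=True).encode()


def attest(rules, enclave_key):
    """Stand-in for a TEE-signed measurement of the rule set: an HMAC under an
    assumed enclave key (a real enclave would use an attestation-bound key)."""
    return hmac.new(enclave_key, _canonical(rules), hashlib.sha256).hexdigest()


def verify_enforcement(installed_rules, tag, enclave_key):
    """Device-side or auditor check that the installed rules are exactly the
    compiled ones; any edit by a local administrator changes the tag."""
    return hmac.compare_digest(attest(installed_rules, enclave_key), tag)


# Constructed sample input: organizations A and B share one edge device.
PRIVATE_NETS = ["10.1.0.0/16", "10.2.0.0/16"]   # A's and B's private ranges
ENCLAVE_KEY = b"demo-enclave-key"                # assumption, see lead-in

GOOD_POLICIES = [
    Policy("A", "10.1.0.0/16", "10.2.0.0/16", "allow", "private", 100),
    Policy("B", "10.2.0.0/16", "10.1.0.0/16", "allow", "private", 100),
    Policy("B", "10.2.0.0/16", "10.1.99.0/24", "deny", "private", 200),
    Policy("A", "10.1.0.0/16", "0.0.0.0/0", "allow", "public", 10),
    Policy("B", "10.2.0.0/16", "0.0.0.0/0", "allow", "public", 10),
]

# Same set, but A forgot its private rule: its default route now leaks A->B traffic.
LEAKY_POLICIES = [p for p in GOOD_POLICIES
                  if not (p.org == "A" and p.egress == "private")]


def demo():
    """Compile the good set, detect a tampered install, then catch the leak."""
    rules, tag = compile_policies(GOOD_POLICIES, PRIVATE_NETS, ENCLAVE_KEY)
    assert verify_enforcement(rules, tag, ENCLAVE_KEY)
    # A malicious administrator turning the deny rule into a public forward is caught.
    tampered = [Rule(r.priority, r.src, r.dst, "forward:public") if r.action == "drop" else r
                for r in rules]
    assert not verify_enforcement(tampered, tag, ENCLAVE_KEY)
    try:
        compile_policies(LEAKY_POLICIES, PRIVATE_NETS, ENCLAVE_KEY)
        return "leak not detected"
    except LeakError as e:
        return str(e)


if __name__ == "__main__":
    print(demo())
```

The confidentiality half of the paper's design is not modelled here: in the real setting each organization's Policy objects would reach the enclave only over a channel established after remote attestation, so the other organization never sees them, while both can still verify the resulting tag.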