SafeLib: A Comprehensive Framework for Secure Outsourcing of Network Functions

IF 4.7 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Network and Service Management Pub Date : 2024-12-19 DOI:10.1109/TNSM.2024.3520817

Enio Marku;Colin Boyd;Gergely Biczók

{"title":"SafeLib: A Comprehensive Framework for Secure Outsourcing of Network Functions","authors":"Enio Marku;Colin Boyd;Gergely Biczók","doi":"10.1109/TNSM.2024.3520817","DOIUrl":null,"url":null,"abstract":"Outsourcing virtual network functions (VNFs) to third-party service providers, such as public clouds, has become the norm. While outsourcing brings many benefits, including scalability, streamlined management, and lower CapEx, it also introduces security concerns. Owing to the lack of trust in the cloud, organizations may opt to shield both their network functions and the traffic flowing through them. Existing outsourcing mechanisms, however, fall short of the functionality, security, and/or performance requirements. This paper presents SafeLib, a comprehensive, Intel SGX based, open-source, secure network function outsourcing framework. To the best of our knowledge, SafeLib is the first trusted hardware based solution providing i) support for both stateful and stateless virtual NFs, ii) strong security properties with regard to both user traffic and VNF execution, state, policies, and code, iii) high performance, iv) enhanced usability for VNF developers and v) flexibility in choosing the network stack by providing support for both kernel and kernel-bypass mechanisms. We corroborate our performance claims through an extensive testbed evaluation. In addition, we provide insights on the performance penalty of major SGX limitations and also refute the popular belief that using a library OS within an SGX enclave necessarily reduces performance. We believe that SafeLib provides a flexible and performant tool with strong security guarantees for building secure, carrier-grade cloud-based services.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"22 2","pages":"2181-2198"},"PeriodicalIF":4.7000,"publicationDate":"2024-12-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10810360/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Outsourcing virtual network functions (VNFs) to third-party service providers, such as public clouds, has become the norm. While outsourcing brings many benefits, including scalability, streamlined management, and lower CapEx, it also introduces security concerns. Owing to the lack of trust in the cloud, organizations may opt to shield both their network functions and the traffic flowing through them. Existing outsourcing mechanisms, however, fall short of the functionality, security, and/or performance requirements. This paper presents SafeLib, a comprehensive, Intel SGX based, open-source, secure network function outsourcing framework. To the best of our knowledge, SafeLib is the first trusted hardware based solution providing i) support for both stateful and stateless virtual NFs, ii) strong security properties with regard to both user traffic and VNF execution, state, policies, and code, iii) high performance, iv) enhanced usability for VNF developers and v) flexibility in choosing the network stack by providing support for both kernel and kernel-bypass mechanisms. We corroborate our performance claims through an extensive testbed evaluation. In addition, we provide insights on the performance penalty of major SGX limitations and also refute the popular belief that using a library OS within an SGX enclave necessarily reduces performance. We believe that SafeLib provides a flexible and performant tool with strong security guarantees for building secure, carrier-grade cloud-based services.

查看原文本刊更多论文

SafeLib：网络功能安全外包的综合框架

将虚拟网络功能外包给第三方服务提供商（如公有云）已成为一种常态。虽然外包带来了许多好处，包括可伸缩性、简化的管理和更低的资本支出，但它也带来了安全问题。由于对云缺乏信任，组织可能会选择保护其网络功能和流经它们的流量。然而，现有的外包机制无法满足功能、安全性和/或性能需求。本文介绍了SafeLib，一个全面的，基于Intel SGX的，开源的，安全的网络功能外包框架。据我们所知，SafeLib是第一个可信的基于硬件的解决方案，它提供i)对有状态和无状态虚拟NFs的支持，ii)关于用户流量和VNF执行、状态、策略和代码的强大安全属性，iii)高性能，iv)增强VNF开发人员的可用性，v)通过支持内核和内核旁路机制来灵活选择网络堆栈。我们通过广泛的测试平台评估证实了我们的性能声明。此外，我们还提供了关于主要SGX限制的性能损失的见解，并驳斥了在SGX飞地中使用库操作系统必然会降低性能的流行观点。我们相信，SafeLib为构建安全的电信级云服务提供了一个灵活、高性能的工具，具有强大的安全保障。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Network and Service Management Computer Science-Computer Networks and Communications

CiteScore

9.30

自引率

15.10%

发文量

325

期刊介绍： IEEE Transactions on Network and Service Management will publish (online only) peerreviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.