Challenges Towards Protecting VNF With SGX
Juan Wang, Shirong Hao, Yi Li, Chengyang Fan, Jie Wang, Lin Han, Zhi Hong, Hongxin Hu
Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
Published: 2018-03-14
DOI: 10.1145/3180465.3180476 (https://doi.org/10.1145/3180465.3180476)
Citations: 7
Abstract
Network Function Virtualization (NFV) is an emerging technology to implement network functions in software, which reduces equipment costs (CAPEX) and operational costs (OPEX) by decoupling network functions from dedicated network devices, deploying them on high-volume standard servers, and running them as virtual instances. However, because they run in a shared and open environment and lack the protection of proprietary hardware, virtual network functions (VNFs) face more security threats than traditional network functions. Hence, it is crucial to build a trusted execution environment to protect VNFs. In this paper, we first analyze the challenges for VNF security protection. We then propose a lightweight and trusted execution environment for securing VNFs based on SGX and Click. To demonstrate the feasibility of our approach, we implement a DDoS defense function on top of our environment and conduct preliminary evaluations. Our evaluation results show that our system only introduces manageable performance overhead for protecting VNFs.