S-NFV:通过使用SGX保护NFV状态

Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization Pub Date : 2016-03-11 DOI:10.1145/2876019.2876032

Ming-Wei Shih, Mohan Kumar, Taesoo Kim, Ada Gavrilovska

{"title":"S-NFV:通过使用SGX保护NFV状态","authors":"Ming-Wei Shih, Mohan Kumar, Taesoo Kim, Ada Gavrilovska","doi":"10.1145/2876019.2876032","DOIUrl":null,"url":null,"abstract":"Network Function Virtualization (NFV) applications are stateful. For example, a Content Distribution Network (CDN) caches web contents from remote servers and serves them to clients. Similarly, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) have both per-flow and multi-flow (shared) states to properly react to intrusions. On today's NFV infrastructures, security vulnerabilities many allow attackers to steal and manipulate the internal states of NFV applications that share a physical resource. In this paper, we propose a new protection scheme, S-NFV that incorporates Intel Software Guard Extensions (Intel SGX) to securely isolate the states of NFV applications.","PeriodicalId":107409,"journal":{"name":"Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"108","resultStr":"{\"title\":\"S-NFV: Securing NFV states by using SGX\",\"authors\":\"Ming-Wei Shih, Mohan Kumar, Taesoo Kim, Ada Gavrilovska\",\"doi\":\"10.1145/2876019.2876032\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network Function Virtualization (NFV) applications are stateful. For example, a Content Distribution Network (CDN) caches web contents from remote servers and serves them to clients. Similarly, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) have both per-flow and multi-flow (shared) states to properly react to intrusions. On today's NFV infrastructures, security vulnerabilities many allow attackers to steal and manipulate the internal states of NFV applications that share a physical resource. In this paper, we propose a new protection scheme, S-NFV that incorporates Intel Software Guard Extensions (Intel SGX) to securely isolate the states of NFV applications.\",\"PeriodicalId\":107409,\"journal\":{\"name\":\"Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization\",\"volume\":\"38 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-03-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"108\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2876019.2876032\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2876019.2876032","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 108

摘要

NFV (Network Function Virtualization)应用是有状态的。例如，CDN (Content Distribution Network)缓存来自远程服务器的web内容，并将其提供给客户端。类似地，入侵检测系统(IDS)和入侵防御系统(IPS)同时具有单流和多流(共享)状态，以正确响应入侵。在当今的NFV基础设施中，许多安全漏洞允许攻击者窃取和操纵共享物理资源的NFV应用程序的内部状态。在本文中，我们提出了一种新的保护方案，S-NFV，它结合了英特尔软件保护扩展(英特尔SGX)来安全隔离NFV应用程序的状态。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

S-NFV: Securing NFV states by using SGX

Network Function Virtualization (NFV) applications are stateful. For example, a Content Distribution Network (CDN) caches web contents from remote servers and serves them to clients. Similarly, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) have both per-flow and multi-flow (shared) states to properly react to intrusions. On today's NFV infrastructures, security vulnerabilities many allow attackers to steal and manipulate the internal states of NFV applications that share a physical resource. In this paper, we propose a new protection scheme, S-NFV that incorporates Intel Software Guard Extensions (Intel SGX) to securely isolate the states of NFV applications.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization

自引率

0.00%

发文量