S-Blocks: Lightweight and Trusted Virtual Security Function With SGX

Juan Wang, Shirong Hao, Hongxin Hu, Bo Zhao, Hongda Li, Wenhui Zhang, Jun Xu, Peng Liu, Jing Ma

Research output: Contribution to journal › Article › peer-review

3 Scopus citations

Abstract

Despite the advantages of scalability and flexibility, Security Function Virtualization (SFV) raises concerns about its own security. To enhance the security of SFV, a promising approach is to run critical components of off-the-shelf security software inside Software Guard Extensions (SGX) enclaves. This idea, however, is hardly practical due to the difficulty of detaching components from the monolithic security function and the unacceptable cost of executing them inside enclaves. In this article, we propose S-Blocks, an architecture to modularize virtual security functions (VSFs) and protect crucial modules with SGX in an efficient manner. S-Blocks decomposes VSFs into trusted and untrusted modules and provides dedicated APIs systematically. Only crucial VSF modules are hardened with enclaves. Furthermore, to address the state consistency and secure migration issues of security function scaling, we design a fine-grained state synchronization and migration mechanism that ensures loss-free, order-preserving, and secure state handling for VSFs. To demonstrate the effectiveness of our approach, we prototype S-Blocks using Fast-Click on a real Skylake platform and implement three critical types of virtual security functions based on the S-Blocks architecture. Our evaluation results show that S-Blocks imposes only a manageable performance overhead, with low latency and resource consumption, when protecting VSFs.

Original language: English (US)
Pages (from-to): 1082-1099
Number of pages: 18
Journal: IEEE Transactions on Cloud Computing
Volume: 10
Issue number: 2
State: Published - 2022

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications
