Despite the advantages of scalability and flexibility, Security Function Virtualization (SFV) raises concerns about its own security. To enhance the security of SFV, a promising approach is to run critical components of off-the-shelf security software inside Software Guard Extensions (SGX) enclaves. This idea, however, is hardly practical due to the difficulty of detaching components from the monolithic security function and the unacceptable cost of executing them inside enclaves. In this article, we propose S-Blocks, an architecture to modularize virtual security functions (VSFs) and protect crucial modules with SGX in an efficient manner. S-Blocks decomposes VSFs into trusted and untrusted modules and provides dedicated APIs systematically. Only crucial VSF modules are hardened with enclaves. Furthermore, aiming at addressing state consistency and secure migration issues of security function scaling, we design a fine-grained state synchronization and migration mechanism to ensure loss-free, order-preserving, and state security for VSFs. To demonstrate the effectiveness of our approach, we prototype S-Blocks using Fast-Click on a real Skylake platform and implement three critical types of virtual security functions based on the S-Blocks architecture. Our evaluation results show that S-Blocks only imposes a manageable performance overhead, and low latency and resource consumption when protecting VSFs.
All Science Journal Classification (ASJC) codes
- Information Systems
- Hardware and Architecture
- Computer Science Applications
- Computer Networks and Communications