Bringing execution assurances of pattern matching in outsourced middleboxes

Xingliang Yuan, Huayi Duan, Cong Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

17 Citations (Scopus)

Abstract

Migrating middleboxes to third-party service providers (e.g., clouds and ISPs) has recently drawn widespread attention from both industry and academia. While its benefits in reduced local cost and increased service scalability are well understood, such deployment also introduces new security concerns, because these boxes are no longer under the direct control of the enterprise. Among others, one fundamental desideratum here is to ensure that those middleboxes consistently perform network functions as intended. In this work, we propose practical solutions towards enabling runtime execution assurances of outsourced middleboxes with high confidence. As an initial effort, we target pattern matching based network functions, which cover a broad class of middlebox applications such as intrusion detection, web firewalls, and traffic classification. For efficiency, our design follows the same roadmap of probabilistic checking that provides tunable levels of assurance, as in the outsourced computation and distributed computing literature. We show how to synthesize the design intuitions in the context of outsourced middleboxes and the dynamic network effect. We present diligent technical instantiations for the case of a single middlebox and for the composition of multiple middleboxes in service chaining, respectively. For a large batch of packets, sufficiently high assurance levels can be achieved by pre-processing only a few randomly selected packets, with marginal overhead. Evaluations of our system prototype on Amazon EC2 show that the processing of 1000 packets, which includes pattern matching and execution proof generation, results in 200-500ms latency and throughput up to 360Mbps.

Original language: English
Title of host publication: 2016 IEEE 24th International Conference on Network Protocols, ICNP
Subtitle of host publication: 8-11 November 2016, Singapore
Editors: Lili Qiu, Prashant Shenoy
Place of Publication: Piscataway NJ USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 171-180
Number of pages: 10
ISBN (Electronic): 9781509032815
ISBN (Print): 9781509032822
DOIs
Publication status: Published - 2016
Externally published: Yes
Event: International Conference on Network Protocols 2016 - Singapore, Singapore
Duration: 8 Nov 2016 to 11 Nov 2016
Conference number: 24th

Conference

Conference: International Conference on Network Protocols 2016
Abbreviated title: ICNP 2016
Country/Territory: Singapore
City: Singapore
Period: 8/11/16 to 11/11/16