Abstract
Network function virtualisation enables versatile network functions to be offered as cloud services at reduced cost. In particular, network measurement tasks such as heavy-hitter detection and flow distribution estimation underpin many core network functions that improve the performance and security of enterprise networks. However, deploying network measurement services at third-party multi-tenant cloud service providers raises critical privacy and security concerns. Recent studies demonstrate that leaking and abusing flow statistics can lead to severe network attacks such as DDoS, network topology manipulation and poisoning.

In this paper, we propose OblivSketch, an oblivious network measurement service built on Intel SGX. It uses a hardware enclave for secure generation and querying of network statistics. The statistics are maintained in newly designed oblivious data structures inside the SGX enclave and queried by data-oblivious algorithms, which prevents the leakage that would otherwise arise from the enclave's memory access patterns. To demonstrate practicality, we implement OblivSketch as a full-fledged service integrated with an off-the-shelf SDN framework. The evaluation shows that OblivSketch consumes a constant and small memory space (6MB) to track a massive number of flows (from 30k to 1.45m), and that it takes no more than 15ms to respond to six widely adopted measurement queries for a 5s trace with 70k flows.
Field | Value
---|---
Original language | English
Title of host publication | 28th Annual Network and Distributed System Security Symposium, NDSS 2021
Editors | Ahmad-Reza Sadeghi, Farinaz Koushanfar
Place of publication | San Diego CA USA
Publisher | Internet Society
Number of pages | 18
ISBN (electronic) | 1891562665
DOIs |
Publication status | Published - 2021
Event | Usenix Network and Distributed System Security Symposium 2021 - Online, United States of America. Duration: 21 Feb 2021 → 25 Feb 2021. https://www.ndss-symposium.org/ndss2021/

Conference

Field | Value
---|---
Conference | Usenix Network and Distributed System Security Symposium 2021
Abbreviated title | NDSS 2021
Country/Territory | United States of America
Period | 21/02/21 → 25/02/21
Internet address |
Related projects

- Encrypted, Distributed, and Queryable Data Store: Framework and Realisation. Yuan, X. & Wang, C. 1/07/20 → 30/06/23. Project: Research
- Privacy-preserving Data Processing on the Cloud. Steinfeld, R., Pieprzyk, J. P., Liu, J., Desmedt, Y. & Wang, H. 20/06/18 → 31/12/22. Project: Research