Slick: Secure Middleboxes using Shielded Execution

Cloud computing o‚ers the economies of scale for computational resources with the ease of management, elasticity, and fault tolerance. To take advantage of these bene€ts, many enterprises are contemplating to outsource the middlebox processing services in the cloud. However, middleboxes that process con€dential and private data cannot be securely deployed in the untrusted environment of the (edge) cloud. To securely outsource middleboxes to the cloud, the stateof-the-art systems advocate network processing over the encrypted trac. Unfortunately, these systems support only restrictive middlebox functionalities, and incur prohibitively high overheads due to the complex computations involved over the encrypted trac. Œis motivated the design of Slick—a secure middlebox framework for deploying high-performance Network Functions (NFs) on untrusted commodity servers. Slick exposes a generic interface based on Click to design and implement a wide-range of NFs using its out-of-the box elements and C++ extensions. Slick leverages Scone (a shielded execution framework based on Intel SGX) and Intel DPDK to securely process con€dential data at line rate. More speci€cally, Slick provides hardware-assisted memory protection, and con€guration and aŠestation service for seamless and veri€able deployment of middleboxes. We have also added several new features for commonly required functionalities: new specialized Click elements for secure packet processing, secure shared memory packet transfer for NFs chaining, secure state persistence, an ecient on-NIC timer for SGX enclaves, and memory safety against DPDK-speci€c Iago aŠacks. Furthermore, we have implemented several SGX-speci€c optimizations in Slick. Our evaluation shows that Slick achieves near-native throughput and latency.