SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients

Schwarz, Fabian and Rossow, Christian
(2020) SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients.
In: 29th USENIX Security Symposium (USENIX Security 20).
Conference: USENIX-Security Usenix Security Symposium

[img]
Preview
Text
seng-sec20.pdf

Download (1MB) | Preview

Abstract

Network administrators face a security-critical dilemma. While they want to tightly contain their hosts, they usually have to relax firewall policies to support a large variety of applications. However, liberal policies like this enable data exfiltration by unknown (and untrusted) client applications. An inability to attribute communication accurately and reliably to applications is at the heart of this problem. Firewall policies are restricted to coarse-grained features that are easy to evade and mimic, such as protocols or port numbers. We present SENG, a network gateway that enables firewalls to reliably attribute traffic to an application. SENG shields an application in an SGX-tailored LibOS and transparently establishes an attestation-based DTLS channel between the SGX enclave and the central network gateway. Consequently, administrators can perfectly attribute traffic to its originating application, and thereby enforce fine-grained per-application communication policies at a central firewall. Our prototype implementation demonstrates that SENG (i) allows administrators to readily use their favorite firewall to enforce network policies on a certified per-application basis and (ii) prevents local system-level attackers from interfering with the shielded application's communication.

Actions

Actions (login required)

View Item View Item