A rapid and steady development of cloud computing and network function virtualization (NFV) makes various security services running on the cloud platform to utilize powerful resources in terms of computation and storage. However, this trend introduces new attack surface to security applications running on the cloud platform as an attacker takes full control over the privilege software once the cloud is compromised. Meanwhile, signicant progress in hardware-based protection and security have also made into the market. The radical development of hardware-based protection gives new opportunities to address the new threats. However, there exists a fundamental problem to leverage recent hardware-based technologies: It takes long time until the complete deployment of the new TEE technology.
This dissertation answers the key question: what can we do for each TEE deployment stage to enhance the security of legacy networked systems? In this dissertation, we argue that an appropriate methodology of building software counterparts of hardware-based protection for each deployment stage helps researchers to establish a pioneer design of secure networked systems. To substantiate our claim, we systematically explore the possibility of leveraging a recent hardware-based TEE technology, Intel SGX, and splits it into four dierent phases.
First, we propose a proof-of-concept simulation to explore new design space and functionalities of TEE-based networked system. As a showcasing example, we demonstrate practical implications on path computation of SGX-enabled SDN-based inter-domain routing. Second, we build an SGX emulation framework, called OpenSGX, and perform a system emulation to get performance and implementation implications. We show that OpenSGX enables to qualify an engineering eort and for building non-trivial applications, Tor anonymity network. In addition, we design and implement a SGX-Tor, a Tor running on top of real hardware, to characterize performance overhead and evaluate its practicality. Finally, we leverage a recent optimization technique to improve the performance of SGX-enabled middleboxes.
In summary, this dissertation demonstrates that it is possible to proactively adopt hardware-based TEE on networking to address security and privacy issues by developing a proper software counterparts during the deployment cycle.