Network middleboxes provide the first line of defense for enterprise networks by offering many security features. These middleboxes typically inspect packet payloads to filter malicious content and attack patterns. However, the widespread use of end-to-end cryptographic protocols such as SSL and TLS, designed to promote security and privacy, inhibits the functionality of network middleboxes that perform deep packet inspection. This paper addresses the problem by introducing a secure framework that combines software and hardware technologies to provide visibility over encrypted traffic.
We introduce EVE, a secure middlebox system that remains fully functional in the presence of nested encryption protocols, such as TLS and OpenVPN. EVE securely processes encrypted traffic, including decryption and deep packet inspection, in a secure container by leveraging Intel SGX. The security components of EVE ensure that security-sensitive data is not visible to adversaries outside the secure container. For middlebox developers, EVE provides secure high-level APIs based on the Rust language to enhance programmability. These high-level APIs significantly lower the barrier to entry for developing a secure middlebox by hiding the details of cryptographic operations, enclave processing, TCP reassembly, and out-of-band key sharing. To demonstrate its utility and practicality, we implement an intrusion detection system that performs deep packet inspection on SSL/TLS-encrypted traffic in a number of different environments. Our evaluation results show that EVE incurs reasonable performance overhead in a real network environment.
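The abstract lists TCP reassembly among the details EVE's APIs hide from the middlebox developer. The reason it matters for deep packet inspection is that a signature split across two segments, or delivered out of order, is invisible to a matcher that looks at one packet at a time. The following Rust example is added here to illustrate that point; it is not EVE's code or API. It assumes the middlebox already holds the decrypted, per-direction payload of a TCP connection (in EVE this would be the plaintext recovered inside the enclave), reassembles it by sequence number, and runs a naive signature match over the stream. The `Reassembler`, `match_per_packet`, `match_on_stream` and `sample_segments` names, the constructed HTTP request, and the `/etc/passwd` signature are all illustrative assumptions.

```rust
use std::collections::BTreeMap;

/// One-direction TCP stream reassembler (constructed example, not EVE's API).
/// Out-of-order segments are buffered until the gap before them closes;
/// retransmissions and partial overlaps are trimmed against delivered data.
pub struct Reassembler {
    /// Sequence number of the next byte to append to `stream`.
    next_seq: u32,
    /// Out-of-order segments keyed by sequence number.
    pending: BTreeMap<u32, Vec<u8>>,
    /// Contiguous, in-order payload reconstructed so far.
    stream: Vec<u8>,
}

impl Reassembler {
    /// `isn` is the sequence number of the first payload byte.
    pub fn new(isn: u32) -> Self {
        Reassembler { next_seq: isn, pending: BTreeMap::new(), stream: Vec::new() }
    }

    /// Accept a segment; bytes already delivered are dropped, the rest is queued.
    pub fn push(&mut self, seq: u32, payload: &[u8]) {
        if payload.is_empty() {
            return;
        }
        self.insert(seq, payload);
        self.drain();
    }

    /// Reassembled plaintext delivered so far.
    pub fn data(&self) -> &[u8] {
        &self.stream
    }

    // Queue `data` starting at `seq`, trimming any prefix that is behind next_seq.
    // Sequence arithmetic wraps, so "behind" is decided by the sign of the difference.
    fn insert(&mut self, seq: u32, data: &[u8]) {
        let behind = self.next_seq.wrapping_sub(seq) as i32;
        let (key, bytes) = if behind > 0 {
            let skip = behind as usize;
            if skip >= data.len() {
                return; // pure retransmission, nothing new
            }
            (self.next_seq, &data[skip..])
        } else {
            (seq, data)
        };
        let slot = self.pending.entry(key).or_insert_with(Vec::new);
        if slot.len() < bytes.len() {
            *slot = bytes.to_vec(); // keep the longer of two segments at the same offset
        }
    }

    // Move every segment that now starts exactly at next_seq into the stream.
    fn drain(&mut self) {
        while let Some(data) = self.pending.remove(&self.next_seq) {
            self.next_seq = self.next_seq.wrapping_add(data.len() as u32);
            self.stream.extend_from_slice(&data);
            // Queued segments that now begin inside delivered data get re-trimmed.
            let next = self.next_seq;
            let stale: Vec<u32> = self.pending.keys().copied()
                .filter(|&s| (next.wrapping_sub(s) as i32) > 0).collect();
            for s in stale {
                let d = self.pending.remove(&s).unwrap();
                self.insert(s, &d);
            }
        }
    }
}

/// Naive byte-string signature match.
pub fn contains(hay: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && hay.windows(needle.len()).any(|w| w == needle)
}

/// A decrypted segment as the inspection engine sees it: (sequence number, payload).
pub type Segment<'a> = (u32, &'a [u8]);

/// Per-packet inspection: each segment is matched on its own.
pub fn match_per_packet(segments: &[Segment<'_>], sig: &[u8]) -> bool {
    segments.iter().any(|(_, p)| contains(p, sig))
}

/// Stream inspection: reassemble first, then match over the contiguous bytes.
pub fn match_on_stream(isn: u32, segments: &[Segment<'_>], sig: &[u8]) -> bool {
    let mut r = Reassembler::new(isn);
    for &(seq, p) in segments {
        r.push(seq, p);
    }
    contains(r.data(), sig)
}

/// Constructed sample: an HTTP request whose "/etc/passwd" path straddles two
/// segments, delivered out of order and with one retransmission.
pub fn sample_segments() -> Vec<Segment<'static>> {
    vec![
        (1011, &b"sswd HTTP/1.1\r\n"[..]),          // arrives before its predecessor
        (1000, &b"GET /etc/pa"[..]),                 // 11 bytes: seq 1000..1010
        (1000, &b"GET /etc/pa"[..]),                 // retransmission, must be ignored
        (1026, &b"Host: example.test\r\n\r\n"[..]),
    ]
}

fn main() {
    let segs = sample_segments();
    let sig = b"/etc/passwd";
    println!("per-packet match: {}", match_per_packet(&segs, sig));
    println!("stream match:     {}", match_on_stream(1000, &segs, sig));
}
```

Running the example shows the per-packet matcher reporting no hit while the stream matcher flags the request; an inspection engine that skips reassembly can be evaded by nothing more than segment boundaries. This is the kind of detail an API that hides TCP reassembly has to get right on the developer's behalf.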