CISPA
Browse
cispa_all_3119.pdf (1023.04 kB)

SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients

Download (1023.04 kB)
conference contribution
posted on 2023-11-29, 18:13 authored by Fabian SchwarzFabian Schwarz, Christian RossowChristian Rossow
Network administrators face a security-critical dilemma. While they want to tightly contain their hosts, they usually have to relax firewall policies to support a large variety of applications. However, liberal policies like this enable data exfiltration by unknown (and untrusted) client applications. An inability to attribute communication accurately and reliably to applications is at the heart of this problem. Firewall policies are restricted to coarse-grained features that are easy to evade and mimic, such as protocols or port numbers. We present SENG, a network gateway that enables firewalls to reliably attribute traffic to an application. SENG shields an application in an SGX-tailored LibOS and transparently establishes an attestation-based DTLS channel between the SGX enclave and the central network gateway. Consequently, administrators can perfectly attribute traffic to its originating application, and thereby enforce fine-grained per-application communication policies at a central firewall. Our prototype implementation demonstrates that SENG (i) allows administrators to readily use their favorite firewall to enforce network policies on a certified per-application basis and (ii) prevents local system-level attackers from interfering with the shielded application's communication.

History

Preferred Citation

Fabian Schwarz and Christian Rossow. SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients. In: Usenix Security Symposium (USENIX-Security). 2020.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date

2020-06-22

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3119, title = "SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients", author = "Schwarz, Fabian and Rossow, Christian", booktitle="{Usenix Security Symposium (USENIX-Security)}", year="2020", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC