Concepedia

Publication | Open Access

Snort Intrusion Detection System with Intel Software Guard Extension (Intel SGX)

Citations: 12 | References: 0 | Year: 2018

Abstract

Network Function Virtualization (NFV) promises the benefits of reduced infrastructure, personnel, and management costs by outsourcing network middleboxes to the public or private cloud. Unfortunately, running network functions in the cloud entails security challenges, especially for complex stateful services. In this paper, we describe our experiences with hardening the king of middleboxes - Intrusion Detection Systems (IDS) - using Intel Software Guard Extensions (Intel SGX) technology. Our IDS secured using Intel SGX, called SEC-IDS, is an unmodified Snort 3 with a DPDK network layer that achieves 10 Gbps line rate. SEC-IDS guarantees computational integrity by running all Snort code inside an Intel SGX enclave. At the same time, SEC-IDS achieves near-native performance, with throughput close to 100 percent of vanilla Snort 3, by retaining network I/O outside of the enclave. Our experiments indicate that performance is only constrained by the modest Enclave Page Cache size available on current Intel SGX Skylake-based E3 Xeon platforms. Finally, we kept the porting effort minimal by using the Graphene-SGX library OS. Only 27 Lines of Code (LoC) were modified in Snort and 178 LoC in Graphene-SGX itself.