Slide1
BlindBox: Deep Packet Inspection Over Encrypted Traffic
SIGCOMM 2015
Raluca Ada Popa
Joint work with: Justine Sherry, Chang Lan, Sylvia Ratnasamy
UC Berkeley
Slide2
Deep Packet Inspection (DPI)
In-network devices which inspect packet payloads to enforce policies.
Intrusion detection/prevention
Exfiltration
Parental filtering
Slide3
Example: Intrusion prevention
[Figure: a rule generator supplies rules (ATTACK, HACKS, 183237) to a middlebox sitting between Alice and Bob; Alice's message containing ATTACK passes through the middlebox, which matches the rule: "Detect!"]
Slide4
Observation: a lot of traffic today is sent over https
Slide5
Problem: middleboxes cannot inspect traffic over https
[Figure: Alice sends ATTACK to Bob over https; the middlebox in between sees only ciphertext: "???"]
Slide6
State-of-the-art: man in the middle attack on SSL
[Figure: the middlebox presents a fake certificate to Alice ("I am Google") and terminates her SSL connection, so it sees SECRET in the clear]
No privacy!
and a lot of other security issues [Jarmoc’12] [Huang et al.’14]
Slide7
Can we achieve both privacy and payload inspection?
Slide8
Yes: BlindBox
The first system to enable DPI middleboxes to inspect traffic without seeing the traffic
Slide9
Approach
[Figure: Alice sends SECRET to Bob; the middlebox in between works on the encrypted traffic]
Inspect encrypted traffic without decrypting it!
Slide10
Technical setup
Slide11
Model
[Figure: middlebox (MB) between Alice and Bob; a rule generator supplies rules to the MB]
Slide12
Threat model
Middlebox (MB): runs detection functionality correctly, but curious to see traffic content (honest but curious/passive)
Endpoints (Alice, Bob): one endpoint can misbehave, but at least one endpoint behaves correctly; endpoints cannot learn rules
Rule generator: generates rules correctly
Slide13
Goals
Strong privacy guarantee: well-studied security guarantees
Practical: network rates are incredibly fast! (microsec)
Wide range of functionality: regexp, scripts
Slide14
Strawmen: fully homomorphic or functional encryption? [Gentry’09, BSW’11]
Does not fit our threat model
Prohibitive performance: IDS detection over a single packet requires over 1 day*
* based on our experiments using [Katz, Sahai, Waters’08]
Slide15
BlindBox’s design
Slide16
System overview
SSL remains unchanged.
BBhttps: enhance https
[Figure: the sender's message takes two paths over BBhttps. SSL path: SSL encrypt → SSL traffic → SSL decrypt at the receiver. BlindBox path: BlindBox encrypt (message split in tokens, encrypt each token) → encrypted tokens → the middlebox runs detection on encrypted tokens → BlindBox verify at the receiver.]
Slide17
How do we inspect encrypted traffic efficiently?
Slide18
Step 1: searchable encryption
scheme | packet inspection | security
deterministic schemes | fast: O(log(#rules) * #bytes/packet) | weak
randomized schemes [SongWagnerPerrig’00] | slow: O(#rules * #bytes/packet) | high
desired | fast | high
No satisfying scheme for our setting: our new searchable encryption scheme & detection algorithm
Slide19
Our new search scheme
[Figure: the middlebox holds AES_K(rule). Alice splits the example message into tokens (example, xample, ample m, mple me, …) and, for each token, sends salt, AES_{AES_K(token)}(salt) over BBhttps. The middlebox checks AES_{AES_K(rule)}(salt) ?= AES_{AES_K(token)}(salt).]
Fast encryption: only AES!
But detection is slow: O(#rules * #tokens)
Slide20
Desired:
Avoid combining a salt with each rule
Build index on rules
Slide21
Fast detection protocol
Rule index: precompute tree with salt=1: Enc_K(1, rule1), Enc_K(1, rule2), …
Use a salt schedule: tokens A, B, A, A become encrypted tokens Enc_K(1, A), Enc_K(1, B), Enc_K(2, A), Enc_K(3, A)
For each token, one tree lookup! O(log #rules * #tokens)
Advancing a matched rule's entry to the next salt, e.g. Enc_K(2, rule2): rare operation!
Slide22
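The search scheme and fast detection protocol of the slides just above, as an added Go example that is not code from the BlindBox paper or from its BBhttps/Click implementation. Alice splits a message into 8-byte tokens and encrypts each one as AES_{AES_K(token)}(salt) under the salt schedule (the n-th occurrence of a token uses salt n); the middlebox holds only AES_K(rule) for each rule, precomputes an index at salt 1, does one lookup per encrypted token and re-encrypts a rule under its next salt only after a match. The key, the rules, the message and the hash-map index (the slides use a tree) are assumptions for the demo, the rules are kept exactly one token long, and the setup phase that hands the middlebox AES_K(rule) is replaced by direct computation rather than garbled circuits.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// aesBlock encrypts one 16-byte block under a 16-byte key (AES-128).
func aesBlock(key []byte, in [16]byte) (out [16]byte) {
	blk, _ := aes.NewCipher(key) // all keys here are 16 bytes
	blk.Encrypt(out[:], in[:])
	return out
}

// tokenKey computes AES_K(token): the token, zero-padded to a block, encrypted under K.
func tokenKey(k []byte, token string) [16]byte {
	var in [16]byte
	copy(in[:], token)
	return aesBlock(k, in)
}

// encSalted computes AES_{AES_K(token)}(salt), the slides' Enc_K(salt, token):
// anyone holding AES_K(token) can recompute it for any salt, nobody else can.
func encSalted(tk [16]byte, salt uint32) [16]byte {
	var in [16]byte
	binary.BigEndian.PutUint32(in[12:], salt)
	return aesBlock(tk[:], in)
}

// encryptStream is Alice's side: 8-byte sliding-window tokens, each encrypted with
// a salt equal to its occurrence count so far (the salt schedule of the slides).
func encryptStream(k []byte, msg string) [][16]byte {
	seen := map[string]uint32{}
	var out [][16]byte
	for i := 0; i+8 <= len(msg); i++ {
		t := msg[i : i+8]
		seen[t]++
		out = append(out, encSalted(tokenKey(k, t), seen[t]))
	}
	return out
}

// setupRuleKeys stands in for the setup phase (garbled circuits + oblivious transfer
// in BlindBox): the middlebox ends up with AES_K(rule) per rule and never sees K.
func setupRuleKeys(k []byte, rules []string) map[string][16]byte {
	out := map[string][16]byte{}
	for _, r := range rules {
		out[r] = tokenKey(k, r)
	}
	return out
}

// middlebox holds AES_K(rule) per rule, the next salt expected for each rule, and
// an index keyed by the ciphertext each rule will produce at that salt.
type middlebox struct {
	ruleKeys map[string][16]byte
	nextSalt map[string]uint32
	index    map[[16]byte]string
}

// newMiddlebox precomputes the index at salt = 1 (a hash map here; the slides use a tree).
func newMiddlebox(ruleKeys map[string][16]byte) *middlebox {
	mb := &middlebox{ruleKeys, map[string]uint32{}, map[[16]byte]string{}}
	for r, rk := range ruleKeys {
		mb.nextSalt[r] = 1
		mb.index[encSalted(rk, 1)] = r
	}
	return mb
}

// detect does one index lookup per encrypted token and returns byte offset -> rule.
// Only on a hit is that one rule re-encrypted under its next salt (the rare
// operation on the slides), so there is no #rules * #tokens comparison loop.
func (mb *middlebox) detect(encTokens [][16]byte) map[int]string {
	hits := map[int]string{}
	for pos, c := range encTokens {
		r, ok := mb.index[c]
		if !ok {
			continue
		}
		hits[pos] = r
		delete(mb.index, c)
		mb.nextSalt[r]++
		mb.index[encSalted(mb.ruleKeys[r], mb.nextSalt[r])] = r
	}
	return hits
}

func main() {
	k := []byte("0123456789abcdef") // constructed key shared by Alice and Bob
	mb := newMiddlebox(setupRuleKeys(k, []string{"ATTACK!!", "HACKS!!!"})) // constructed one-token rules
	for pos, r := range mb.detect(encryptStream(k, "hello ATTACK!! and again ATTACK!! bye")) {
		fmt.Printf("rule %q matched at byte offset %d\n", r, pos)
	}
}
```

Running the block reports the rule "ATTACK!!" at byte offsets 6 and 25: the second occurrence is caught because the middlebox advanced that rule's index entry to salt 2 after the first hit, while the two ciphertexts themselves differ, which is what keeps repeated plaintext from being visible. Without the schedule the middlebox would have to recompute AES_{AES_K(rule)}(salt) for every rule on every token, the O(#rules * #tokens) cost the earlier slide calls out.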
But how does the middlebox obtain AES_K(rule)?
[Figure: Alice and Bob hold K; the middlebox needs AES_K(rule) without learning K]
Slide23
Step 2: BlindBox’s setup phase
[Figure: Alice has K; the middlebox has rule and wants AES_K(rule)]
Alice sends to MB garbled circuits [Yao’86] for AES_K(·)
MB runs oblivious transfer [Rabin’81] with Alice to obtain encoding for rule
MB evaluates garbled circuit and obtains AES_K(rule)
Slide24
Security guarantee
“Principle of least privilege”: the middlebox learns only byte positions where a rule matches (well-studied guarantee in the searchable encryption literature)
[Figure: rules ATTACK, HACKS, BLACKLIST checked against the byte stream; "match!" marks the matching position]
Slide25
So far…
complete system for equality matching:
exfiltration
intrusion prevention (IPS)
parental filtering
Need support for regular expressions!
Slide26
How to support regular expressions?
Slide27
Rules with regular expressions in IPS
Snort rule example:
{
content: “malicious string”,
pcre: “/\r\nHost\x3As+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz Hi”,
[…]
}
Rule first matches string by equality
Must be highly selective string
Slide28
New privacy model: probable cause privacy
If a malicious string matches a packet, middlebox can decrypt the packet, but not otherwise.
Privacy may be lost only if there is a probable cause
Slide29
New encryption scheme for probable cause
[Figure: the middlebox holds AES_K(rule); Alice sends Enc’_K(token)]
If token = rule, middlebox obtains K
Slide30
Middlebox can run regexp
Step 1: match content string on encrypted traffic
Step 2: run regexp on unencrypted traffic
Rule { content: “malicious string”, pcre: “/\r\nHost\…”, […] }
On a content match: obtain K, decrypt packet
Slide31
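The probable cause flow of the previous four slides, as an added Go example rather than the paper's own construction. Each 8-byte token carries an equality-check block plus an escrow of the per-packet key Kp, masked with a second AES block that only a holder of AES_K(token) can recompute; a middlebox holding AES_K(rule) therefore recovers Kp exactly when a token equals the rule's content string, decrypts the packet (sealed under Kp with AES-GCM here) and only then runs the regexp. The two-block escrow scheme, the keys, the nonce, the packet bodies and the rule (content string `evil.biz`, one token long, with a pcre loosely modelled on the slide's Host-header rule) are all constructed for the demo; the slides state only the property, not this realisation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"regexp"
)

// aesBlock encrypts one 16-byte block under a 16-byte key (AES-128).
func aesBlock(key []byte, in [16]byte) (out [16]byte) {
	blk, _ := aes.NewCipher(key) // all keys here are 16 bytes
	blk.Encrypt(out[:], in[:])
	return out
}

// tokenKey computes AES_K(token): the 8-byte token, zero-padded to a block, encrypted under K.
func tokenKey(k []byte, token string) [16]byte {
	var in [16]byte
	copy(in[:], token)
	return aesBlock(k, in)
}

// pad derives one block from the per-token key, salt and tag (constructed): tag 0 checks equality, tag 1 masks Kp.
func pad(tk [16]byte, salt uint32, tag byte) [16]byte {
	var in [16]byte
	in[0] = tag
	binary.BigEndian.PutUint32(in[12:], salt)
	return aesBlock(tk[:], in)
}

// pcToken is Enc'_K(token) in this constructed scheme: Match allows equality
// detection; Escrow is Kp XORed with a mask only AES_K(token) can recompute.
type pcToken struct {
	Salt          uint32
	Match, Escrow [16]byte
}

// encryptPacket is Alice's side: the body is sealed under the per-packet key Kp with
// AES-GCM, and each 8-byte token gets a probable-cause ciphertext (salt = occurrence count).
func encryptPacket(k, kp, nonce, body []byte) ([]pcToken, []byte) {
	seen := map[string]uint32{}
	var toks []pcToken
	for i := 0; i+8 <= len(body); i++ {
		tok := string(body[i : i+8])
		seen[tok]++
		tk := tokenKey(k, tok)
		t := pcToken{Salt: seen[tok], Match: pad(tk, seen[tok], 0)}
		for j, m := range pad(tk, seen[tok], 1) {
			t.Escrow[j] = kp[j] ^ m
		}
		toks = append(toks, t)
	}
	blk, _ := aes.NewCipher(kp)
	g, _ := cipher.NewGCM(blk)
	return toks, g.Seal(nil, nonce, body, nil)
}

// recoverKey is the middlebox side for one token: holding AES_K(rule), it recomputes
// the check block; on equality it unmasks Kp, otherwise it learns nothing about the token.
func recoverKey(ruleKey [16]byte, t pcToken) (kp [16]byte, ok bool) {
	if pad(ruleKey, t.Salt, 0) != t.Match {
		return kp, false
	}
	for j, m := range pad(ruleKey, t.Salt, 1) {
		kp[j] = t.Escrow[j] ^ m
	}
	return kp, true
}

// inspect is the two-step flow from the slides: step 1 matches the rule's content
// string on encrypted tokens; step 2 decrypts and runs the pcre only after that match.
// It reports whether the packet was decrypted at all and whether the regexp fired.
func inspect(pcre *regexp.Regexp, ruleKey [16]byte, toks []pcToken, nonce, sealed []byte) (decrypted, alert bool) {
	for _, t := range toks {
		kp, ok := recoverKey(ruleKey, t)
		if !ok {
			continue
		}
		blk, _ := aes.NewCipher(kp[:])
		g, _ := cipher.NewGCM(blk)
		body, err := g.Open(nil, nonce, sealed, nil)
		if err != nil {
			return false, false
		}
		return true, pcre.Match(body)
	}
	return false, false
}

func main() {
	k, kp := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed K and per-packet Kp
	nonce := []byte("constructed!")                                  // constructed 12-byte GCM nonce (fresh per packet in practice)
	pcre := regexp.MustCompile(`\r\nHost\x3A\s+[^\r\n]*evil\x2Ebiz`) // constructed pcre in the spirit of the slide's rule
	toks, sealed := encryptPacket(k, kp, nonce, []byte("GET /x HTTP/1.1\r\nHost: www.evil.biz\r\n\r\n"))
	dec, alert := inspect(pcre, tokenKey(k, "evil.biz"), toks, nonce, sealed) // content string "evil.biz" is one token
	fmt.Printf("decrypted=%v alert=%v\n", dec, alert)
}
```

The three outcomes worth checking are the ones the privacy model distinguishes: a packet whose Host header carries the content string is decrypted and the regexp fires; a packet that contains `evil.biz` elsewhere is decrypted (the content string is the probable cause) but the regexp does not fire; a packet without the content string is never decrypted, because no token lets the middlebox unmask Kp.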
More details in our paper!
Optimizations to reduce bandwidth overhead
Details on garbled circuits + oblivious transfer
Support for malicious middlebox
Rule generation, regular expressions, probable cause decryption…
Slide32
Implementation
Endpoints: BBhttps - C library
Middlebox: Click framework
Slide33
Evaluation
functionality
performance
Slide34
Functionality Evaluation
Dataset | Without probable cause | With probable cause
Document watermarking | 100% | 100%
Parental filtering | 100% | 100%
IDS: Snort community (HTTP) | 67% | 100%
IDS: Snort Emerging Threats (HTTP) | 42% | 100%
IDS: StoneSoft (McAfee) IDS | 40% | 100%
IDS: LastLine IDS | 29% | 100%
Slide35
Performance highlights
Three main performance figures:
Detection Time: competitive with existing IDSes! 186 Mbps with BlindBox (comparable to Snort)
Transmission Time: practical overhead; page load completion time increases by 0.15-1x
Setup Time: not yet competitive; 1 min for 3000 rules, fine for long-lived connections (cloud-enterprise)
Slide36
Upcoming work: MBArk
Outsourcing middleboxes to the cloud
Support header-based computations over encrypted data: firewall, NAT, IP forwarder, load balancer, VPN, IDS, exfiltration
Slide37
Conclusion
BlindBox is the first system to enable DPI middleboxes to process traffic without seeing it
practical for a class of applications
Thanks!