Middleboxes that process confidential data cannot be securely
deployed in untrusted cloud environments. To securely
outsource middleboxes to the cloud, state-of-the-art
systems advocate network processing over the encrypted
traffic. Unfortunately, these systems support only restrictive
functionalities, and incur prohibitively high overheads.
This motivated the design of ShieldBox—a secure middlebox
framework for deploying high-performance network
functions (NFs) over untrusted commodity servers. ShieldBox
securely processes encrypted traffic inside a secure container
by leveraging shielded execution. More specifically,
ShieldBox builds on hardware-assisted memory protection
based on Intel SGX to provide strong confidentiality and
integrity guarantees. For middlebox developers, ShieldBox
exposes a generic interface based on Click to design and
implement a wide range of NFs using its out-of-the-box elements
and C++ extensions. For network operators, ShieldBox
provides configuration and attestation services for seamless
and verifiable deployment of middleboxes. We have implemented
ShieldBox with the important end-to-end features required
for secure network processing, together with performance optimizations.
Our extensive evaluation shows that ShieldBox
achieves near-native throughput and latency while securely
processing confidential data at line rate.