S Blocks: Lightweight and Trusted Virtual Security Function with SGX

Despite the advantages of scalability and flexibility, Security Function Virtualization (SFV) raises concerns about its own security. To enhance the security of SFV, a promising approach is to run critical components of off-the-shelf security software inside SGX enclaves. This idea, however, is hardly practical due to the difficulty of detaching components from the monolithic security function and the unacceptable cost of running them in enclaves. In this work, we propose S-Blocks, an architecture to modularize a virtual security function (VSF) and protect its key modules with SGX in an efficient manner. Through systematically decomposing modules of a VSF into related elements, it is easy to put the key modules and elements of the VSF into an enclave. Furthermore, aiming at addressing state consistency and secure migration issues of security function scaling, we design a fine-grained state synchronization and migration …