Research On Security Protection Mechanism Of Virtual Network Function Based On SGX

Posted on: 2018-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: W Hu
GTID: 2348330515497943
Subject: Information security
Abstract/Summary:
Network Function Virtualization (NFV) is a more flexible and simple network development model that reduces dependence on hardware devices through virtualization technology. The ultimate goal of NFV is to replace the private network elements of the communication network with industry-standard x86 servers, storage and switching devices. However, while NFV uses cloud computing and virtualization technology to provide better scalability and automation capabilities for next-generation network services, it also brings some of the major security threats posed by virtualization and network infrastructure. A major problem with NFV is how to build a trusted execution environment for the Virtual Network Function (VNF) to ensure that virtual network functions run securely. We propose a security mechanism based on Intel SGX technology for virtual network functions. The framework uses SGX features such as memory isolation and security authentication, and integrates multiple security modules to protect the security of VNF instances on the NFV platform. The protection framework uses the SGX memory isolation and sealing features to isolate and protect each Virtual Network Function instance running on a virtual machine independently and to ensure its security during startup and while running. Based on the SGX secure remote authentication feature, VNF instances running on virtual machines are given unified security authentication and key management. This secures communication between VNFs, as well as the distribution of platform information and rules. Finally, the security model is implemented on the QEMU-KVM architecture, and the key technologies in the framework are designed and described in detail. Experiments and analysis show that the security framework can provide a secure environment for the secure operation, authentication and management of VNF instances. At the same time, SGX technology introduces a relatively small overhead for VNF instance operations, security certifications, and secure communications.
Keywords/Search Tags:Network Function Virtualization, Intel SGX, virtualization, VNF