{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,11]],"date-time":"2025-12-11T07:37:43Z","timestamp":1765438663206,"version":"build-2065373602"},"reference-count":35,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2021,1,6]],"date-time":"2021-01-06T00:00:00Z","timestamp":1609891200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.61872430, 61402342, 61772384"],"award-info":[{"award-number":["No.61872430, 61402342, 61772384"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Basic Research Program of China 973 Program","award":["No.2014CB340601"],"award-info":[{"award-number":["No.2014CB340601"]}]},{"DOI":"10.13039\/501100012558","name":"Foundation of Science and Technology on Information Assurance Laboratory","doi-asserted-by":"publisher","award":["No. KJ-17-103"],"award-info":[{"award-number":["No. KJ-17-103"]}],"id":[{"id":"10.13039\/501100012558","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Network function virtualization (NFV) provides flexible and scalable network function for the emerging platform, such as the cloud computing, edge computing, and IoT platforms, while it faces more security challenges, such as tampering with network policies and leaking sensitive processing states, due to running in a shared open environment and lacking the protection of proprietary hardware. Currently, Intel\u00ae Software Guard Extensions (SGX) provides a promising way to build a secure and trusted VNF (virtual network function) by isolating VNF or sensitive data into an enclave. However, directly placing multiple VNFs in a single enclave will lose the scalability advantage of NFV. This paper combines SGX and click technology to design the virtual security function architecture based on multiple enclaves. In our design, the sensitive modules of a VNF are put into different enclaves and communicate by local attestation. The system can freely combine these modules according to user requirements, and increase the scalability of the system while protecting its running state security. In addition, we design a new hot-swapping scheme to enable the system to dynamically modify the configuration function at runtime, so that the original VNFs do not need to stop when the function of VNFs is modified. We implement an IDS (intrusion detection system) based on our architecture to verify the feasibility of our system and evaluate its performance. The results show that the overhead introduced by the system architecture is within an acceptable range.<\/jats:p>","DOI":"10.3390\/fi13010012","type":"journal-article","created":{"date-parts":[[2021,1,6]],"date-time":"2021-01-06T20:45:42Z","timestamp":1609965942000},"page":"12","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Design and Implementation of Virtual Security Function Based on Multiple Enclaves"],"prefix":"10.3390","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8813-7842","authenticated-orcid":false,"given":"Juan","family":"Wang","sequence":"first","affiliation":[{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China"},{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan 430072, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8612-022X","authenticated-orcid":false,"given":"Yang","family":"Yu","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China"},{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan 430072, China"}]},{"given":"Yi","family":"Li","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China"},{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan 430072, China"}]},{"given":"Chengyang","family":"Fan","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China"},{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan 430072, China"}]},{"given":"Shirong","family":"Hao","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China"},{"name":"Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education, Wuhan 430072, China"}]}],"member":"1968","published-online":{"date-parts":[[2021,1,6]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Zhang, Q., Liu, F., and Zeng, C. (May, January 29). Adaptive Interference-Aware VNF Placement for Service-Customized 5G Network Slices. Proceedings of the IEEE INFOCOM 2019-IEEE Conference on Computer Communications, Paris, France.","DOI":"10.1109\/INFOCOM.2019.8737660"},{"key":"ref_2","unstructured":"Cui, C., Deng, H., Telekom, D., Michel, U., and Damker, H. (2012, January 22\u201324). Network Functions Virtualisation. Proceedings of the SDN and OpenFlow World Congress, Darmstadt, Germany."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Cotroneo, D., De Simone, L., Iannillo, A.K., Lanzaro, A., Natella, R., Fan, J., and Ping, W. (2014, January 3\u20136). Network function virtualization: Challenges and directions for reliability assurance. Proceedings of the 2014 IEEE International Symposium on Software Reliability Engineering Workshops, Naples, Italy.","DOI":"10.1109\/ISSREW.2014.48"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1109\/MCOM.2015.7045396","article-title":"Network function virtualization: Challenges and opportunities for innovations","volume":"53","author":"Han","year":"2015","journal-title":"IEEE Commun. Mag."},{"key":"ref_5","first-page":"2778","article-title":"Analysis and research on SGX technology","volume":"29","author":"Wang","year":"2018","journal-title":"Ruan Jian Xue Bao\/J. Softw."},{"key":"ref_6","unstructured":"Poddar, R., Lan, C., Popa, R.A., and Ratnasamy, S. (2018, January 9\u201311). Safebricks: Shielding network functions in the cloud. Proceedings of the 15th (USENIX) Symposium on Networked Systems Design and Implementation (NSDI\u2019 18), Renton, WA, USA."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"32460","DOI":"10.1109\/ACCESS.2018.2842058","article-title":"Implementation of Multipath Network Virtualization With SDN and NFV","volume":"6","author":"Wang","year":"2018","journal-title":"IEEE Access"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Coughlin, M., Keller, E., and Wustrow, E. (2017, January 22\u201324). Trusted click: Overcoming security issues of NFV in the cloud. Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Scottsdale, AZ, USA.","DOI":"10.1145\/3040992.3040994"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Shih, M.W., Kumar, M., Kim, T., and Gavrilovska, A. (2016, January 11). S-NFV: Securing NFV states by using SGX. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, New Orleans, LA, USA.","DOI":"10.1145\/2876019.2876032"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"263","DOI":"10.1145\/354871.354874","article-title":"The Click modular router","volume":"18","author":"Kohler","year":"2000","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1109\/MCOM.001.1900724","article-title":"Securing Outsourced VNFs: Challenges, State of the Art, and Future Directions","volume":"58","author":"Marku","year":"2020","journal-title":"IEEE Commun. Mag."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Morris, T. (2011). Trusted platform module. Encyclopedia of Cryptography and Security, Springer.","DOI":"10.1007\/978-1-4419-5906-5_796"},{"key":"ref_13","unstructured":"Perez, R., Sailer, R., and van Doorn, L. (August, January 31). vTPM: Virtualizing the trusted platform module. Proceedings of the 15th Conference on USENIX Security Symposium, Vancouver, BC, Canada."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Alippi, C., Camplani, R., Roveri, M., and Viscardi, G. (2012, January 8\u201311). Netbrick: A high-performance, low-power hardware platform for wireless and hybrid sensor networks. Proceedings of the 2012 IEEE 9th International Conference on Mobile Ad-Hoc and Sensor Systems (MASS 2012), Las Vegas, NV, USA.","DOI":"10.1109\/MASS.2012.6502508"},{"key":"ref_15","unstructured":"Lattner, C., and Adve, V. (2004, January 21\u201324). LLVM: A compilation framework for lifelong program analysis & transformation. Proceedings of the International Symposium on Code Generation and Optimization: Feedback-Directed and Runtime Optimization, IEEE Computer Society, Palo Alto, CA, USA."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Zhang, W., Liu, G., Zhang, W., Shah, N., Lopreiato, P., Todeschi, G., Ramakrishnan, K., and Wood, T. (2016, January 26). OpenNetVM: A platform for high performance network service chains. Proceedings of the 2016 workshop on Hot topics in Middleboxes and Network Function Virtualization, Florian\u00f3polis, Brazil.","DOI":"10.1145\/2940147.2940155"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Wang, J., Hao, S., Li, Y., Fan, C., Wang, J., Han, L., Hong, Z., and Hu, H. (2018, January 21). Challenges Towards Protecting VNF With SGX. Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA.","DOI":"10.1145\/3180465.3180476"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Anwer, B., Benson, T., Feamster, N., and Levin, D. (2015, January 17\u201318). Programming slick network functions. Proceedings of the 1st ACM Sigcomm Symposium on Software Defined Networking Research, Santa Clara, CA, USA.","DOI":"10.1145\/2774993.2774998"},{"key":"ref_19","unstructured":"Arnautov, S., Trach, B., Gregor, F., Knauth, T., Martin, A., Priebe, C., Lind, J., Muthukumaran, D., O\u2019Keeffe, D., and Stillwell, M.L. (2016, January 2\u20134). SCONE: Secure Linux Containers with Intel SGX. Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), Savannah, GA, USA."},{"key":"ref_20","unstructured":"CORP, I. (2021, January 06). Intel Software Guard Extensions: EPID Provisioning and Attestation Services. Available online: https:\/\/software.intel.com\/sites\/default\/files\/managed\/57\/0e\/ww10-2016-sgx-provisioning-and-attestation-final.pdf."},{"key":"ref_21","unstructured":"Jain, P., Desai, S.J., Shih, M.W., Kim, T., Kim, S.M., Lee, J.H., Choi, C., Shin, Y., Kang, B.B., and Han, D. (2021, January 06). OpenSGX: An Open Platform for SGX Research, Available online: https:\/\/cysec.kr\/publications\/jain-opensgx.pdf."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Weichbrodt, N., Aublin, P.L., and Kapitza, R. (2018, January 10\u201314). sgx-perf: A Performance Analysis Tool for Intel SGX Enclaves. Proceedings of the 19th International Middleware Conference, Rennes, France.","DOI":"10.1145\/3274808.3274824"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Bremler-Barr, A., Harchol, Y., and Hay, D. (2016, January 22\u201326). OpenBox: A software-defined framework for developing, deploying, and managing network functions. Proceedings of the 2016 ACM SIGCOMM Conference, Florian\u00f3polis, Brazil.","DOI":"10.1145\/2934872.2934875"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Kablan, M., Caldwell, B., Han, R., Jamjoom, H., and Keller, E. (2015, January 21). Stateless network functions. Proceedings of the 2015 ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization, London, UK.","DOI":"10.1145\/2785989.2785993"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Li, B., Tan, K., Luo, L.L., Peng, Y., Luo, R., Xu, N., Xiong, Y., Cheng, P., and Chen, E. (2016, January 22\u201326). Clicknp: Highly flexible and high performance network processing with reconfigurable hardware. Proceedings of the 2016 ACM SIGCOMM Conference, Florian\u00f3polis, Brazil.","DOI":"10.1145\/2934872.2934897"},{"key":"ref_26","unstructured":"Martins, J., Ahmed, M., Raiciu, C., Olteanu, V., Honda, M., Bifulco, R., and Huici, F. (2014, January 2\u20134). ClickOS and the art of network function virtualization. Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14), Seattle, WA, USA."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Li, H., Hu, H., Gu, G., Ahn, G.J., and Zhang, F. (2018, January 15\u201319). vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243862"},{"key":"ref_28","unstructured":"Siwek, J. (2021, January 06). The Zeek Network Security Monitor. Available online: https:\/\/www.zeek.org\/."},{"key":"ref_29","unstructured":"INTEL (2021, January 06). Intel Data Plane Development Kit (DPDK). Available online: http:\/\/dpdk.org\/."},{"key":"ref_30","unstructured":"Cen, S., and Zhang, B. (2021, January 06). Trusted Time and Monotonic Counters with Intel Software Guard Extensions Platform Services. Available online: https:\/\/software.intel.com\/sites\/default\/files\/managed\/1b\/a2\/Intel-SGX-Platform-Services.pdf."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Trach, B., Krohmer, A., Gregor, F., Arnautov, S., Bhatotia, P., and Fetzer, C. (2018, January 28\u201329). ShieldBox: Secure middleboxes using shielded execution. Proceedings of the Symposium on SDN Research, Los Angeles, CA, USA.","DOI":"10.1145\/3185467.3185469"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Zhang, F., Cecchetti, E., Croman, K., Juels, A., and Shi, E. (2016, January 24\u201328). Town crier: An authenticated data feed for smart contracts. Proceedings of the 2016 ACM sIGSAC Conference on Computer and Communications Security, Vienna, Austria.","DOI":"10.1145\/2976749.2978326"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Chen, S., Zhang, X., Reiter, M.K., and Zhang, Y. (2017, January 2\u20136). Detecting privileged side-channel attacks in shielded execution with D\u00e9j\u00e0 Vu. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, UAE.","DOI":"10.1145\/3052973.3053007"},{"key":"ref_34","unstructured":"Biondi, P., and The Scapy Community (2021, January 06). \u201cScapy\u201d. Available online: https:\/\/scapy.net\/."},{"key":"ref_35","unstructured":"Grodzki, T. (2021, January 06). Network Flight Simulator. Available online: https:\/\/github.com\/alphasoc\/flightsim\/."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/13\/1\/12\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:07:49Z","timestamp":1760159269000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/13\/1\/12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,6]]},"references-count":35,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,1]]}},"alternative-id":["fi13010012"],"URL":"https:\/\/doi.org\/10.3390\/fi13010012","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2021,1,6]]}}}