A Secure Middlebox Framework for Enabling Visibility Over Multiple Encryption Protocols
IEEE/ACM Transactions on Networking (IF 3.7). Pub Date: 2020-08-24. DOI: 10.1109/tnet.2020.3016785
Juhyeng Han, Seongmin Kim, Daeyang Cho, Byungkwon Choi, Jaehyeong Ha, Dongsu Han

Network middleboxes provide the first line of defense for enterprise networks. Many of them inspect packet payloads to filter malicious attack patterns. However, the widespread use of end-to-end cryptographic protocols designed to promote security and privacy either inhibits deep packet inspection in the network or forces enterprises to use solutions that are not secure. This article introduces a complete framework for building secure and practical network middleboxes, called EVE, which enables visibility over encrypted traffic. EVE securely processes encrypted traffic using a combination of hardware-based trusted execution and software security technology. For enhanced programmability and security, EVE provides a high-level programming interface based on the Rust language. EVE's high-level APIs provide security and significantly ease the development effort by hiding the details of cryptographic operations, enclave processing, TCP reassembly, and out-of-band key sharing. Our evaluation shows that EVE supports diverse use cases with multiple encryption protocols in a secure fashion while delivering high performance.

Updated: 2020-08-24