Zombie: Middleboxes that Don’t Snoop

Collin Zhang, Zachary DeStefano, Arasu Arun, Joseph Bonneau, Paul Grubbs, Michael Walfish

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Zero-knowledge middleboxes (ZKMBs) are a recent paradigm in which clients get privacy while middleboxes enforce policy: clients prove in zero knowledge that the plaintext underlying their encrypted traffic complies with network policies, such as DNS filtering. However, prior work had impractically poor performance and was limited in functionality. This work presents Zombie, the first system built using the ZKMB paradigm. Zombie introduces techniques that push ZKMBs to the verge of practicality: preprocessing (to move the bulk of proof generation to idle times between requests), asynchrony (to remove proving and verifying costs from the critical path), and batching (to amortize some of the verification work). Zombie’s choices, together with these techniques, reduce client and middlebox overhead by ≈ 3.5×, lowering the critical path overhead for a DNS filtering application on commodity hardware to less than 300ms or, in the asynchronous configuration, to 0. As an additional contribution that is likely of independent interest, Zombie introduces a portfolio of techniques to encode regular expressions in probabilistic (and zero-knowledge) proofs. These techniques significantly improve performance over a standard baseline, asymptotically and concretely. Zombie builds on this portfolio to support policies based on regular expressions, such as data loss prevention.

Original languageEnglish (US)
Title of host publicationProceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024
PublisherUSENIX Association
Pages1917-1935
Number of pages19
ISBN (Electronic)9781939133397
StatePublished - 2024
Event21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024 - Santa Clara, United States
Duration: Apr 16 2024Apr 18 2024

Publication series

NameProceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024

Conference

Conference21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024
Country/TerritoryUnited States
CitySanta Clara
Period4/16/244/18/24

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering

Fingerprint

Dive into the research topics of 'Zombie: Middleboxes that Don’t Snoop'. Together they form a unique fingerprint.

Cite this