Content Delivery Networks (CDNs) serve a large and increasing portion of today's web content. Beyond caching, CDNs provide their customers with a variety of services, including protection against DDoS and targeted attacks. As the web shifts from HTTP to HTTPS, CDNs continue to provide such services by also assuming control of their customers' private keys, thereby breaking a fundamental security principle: private keys must only be known by their owner.
In this talk, I present two approaches to running unmodified, legacy CDN services without the CDN having access to the customers' private keys. My first approach, conclaves, uses Intel SGX secure hardware to run the CDN software in a trusted execution environment. In its strongest configuration, conclaves reduces the knowledge of the edge server to that of a traditional on-path HTTPS adversary. My second approach, co-domains, uses a taint-tracking emulator to migrate a CDN process to a customer's trusted machine for operations involving the private key. Both conclaves and co-domains are specific examples of using virtualization techniques to transparently add security guarantees post hoc to unmodified binaries.
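To make the co-domains idea concrete, here is a toy taint-tracking emulator, added as an illustration and not the talk's system: a four-instruction machine in which every value carries a taint bit that marks it as derived from the private key, and any instruction that reads tainted data is forced to execute in the customer's domain rather than on the CDN edge. The instruction set, the migration policy, the rule that a signature is declassified (a signature is public, so its taint is dropped), the HMAC standing in for a real signature, and the constructed key and programs are all assumptions made for this example.

```python
"""Toy taint-tracking emulator: execution migrates from the CDN edge domain to
the customer's domain whenever an instruction touches the private key or data
derived from it. Illustration only; instruction set, migration policy and the
declassify-on-SIGN rule are assumptions, not the talk's design."""
import hashlib
import hmac
from dataclasses import dataclass, field

CDN, CUSTOMER = "cdn", "customer"

# Constructed sample key material; in the real setting only the customer's
# machine ever holds this, and the edge only ever sees declassified outputs.
PRIVATE_KEY = b"customer-private-key-material"


class KeyLeak(Exception):
    """Raised when tainted (key-derived) bytes would leave via the network."""


@dataclass
class Val:
    data: bytes
    tainted: bool = False  # True if derived, even indirectly, from PRIVATE_KEY


@dataclass
class Emulator:
    regs: dict = field(default_factory=dict)
    domain: str = CDN            # the unmodified CDN process starts on the edge
    migrations: int = 0
    trace: list = field(default_factory=list)   # (op, domain it ran in)
    sent: list = field(default_factory=list)    # bytes pushed to the network

    def _migrate(self, target):
        if self.domain != target:
            self.domain = target
            self.migrations += 1

    def step(self, instr):
        op = instr[0]
        if op == "LOAD":                      # LOAD dst, literal  (public data)
            _, dst, literal = instr
            self.regs[dst] = Val(literal)
        elif op == "LOADKEY":                 # LOADKEY dst  (key exists only on customer)
            _, dst = instr
            self._migrate(CUSTOMER)
            self.regs[dst] = Val(PRIVATE_KEY, tainted=True)
        elif op in ("XOR", "SIGN"):           # XOR dst,a,b / SIGN dst,key,msg
            _, dst, a, b = instr
            va, vb = self.regs[a], self.regs[b]
            if va.tainted or vb.tainted:      # reading key-derived data: go to customer
                self._migrate(CUSTOMER)
            if op == "XOR":
                # Taint propagates: anything computed from the key stays tainted.
                data = bytes(x ^ y for x, y in zip(va.data, vb.data))
                self.regs[dst] = Val(data, tainted=va.tainted or vb.tainted)
            else:
                # HMAC stands in for a real signature; its output is public, so it is
                # declassified and may travel back to the edge.
                data = hmac.new(va.data, vb.data, hashlib.sha256).digest()
                self.regs[dst] = Val(data, tainted=False)
        elif op == "SEND":                    # SEND src  (network I/O is the edge's job)
            _, src = instr
            v = self.regs[src]
            if v.tainted:
                raise KeyLeak(f"refusing to send key-derived register {src!r}")
            self._migrate(CDN)
            self.sent.append(v.data)
        else:
            raise ValueError(f"unknown instruction {op!r}")
        self.trace.append((op, self.domain))


def run(program):
    emu = Emulator()
    for instr in program:
        emu.step(instr)
    return emu


def leaks(program):
    """True if the program would push key-derived bytes out through the edge."""
    try:
        run(program)
        return False
    except KeyLeak:
        return True


# Constructed programs: a handshake-style signing step, and a buggy variant that
# tries to ship a value that is merely masked, not declassified.
GOOD = [
    ("LOAD", "m", b"ServerKeyExchange params"),
    ("LOADKEY", "k"),
    ("SIGN", "sig", "k", "m"),
    ("SEND", "sig"),
]
BAD = [
    ("LOAD", "pad", b"\x00" * 64),
    ("LOADKEY", "k"),
    ("XOR", "x", "k", "pad"),     # still key-derived, so still tainted
    ("SEND", "x"),
]

if __name__ == "__main__":
    emu = run(GOOD)
    print(emu.trace, "migrations:", emu.migrations)
    print("BAD leaks key material:", leaks(BAD))
```

Running `GOOD` shows the pattern the talk describes: the process starts on the edge, migrates to the customer exactly when the key is needed, and returns with only the public signature, so the edge never holds anything tainted. `BAD` shows why taint tracking rather than a simple "is this the key register" check is needed: the XOR output is not the key, but it is derived from it, and the emulator refuses to let it leave.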