47 research outputs found
Migrating SGX Enclaves with Persistent State
Hardware-supported security mechanisms like Intel Software Guard Extensions
(SGX) provide strong security guarantees, which are particularly relevant in
cloud settings. However, their reliance on physical hardware conflicts with
cloud practices, like migration of VMs between physical platforms. For
instance, the SGX trusted execution environment (enclave) is bound to a single
physical CPU.
Although prior work has proposed an effective mechanism to migrate an
enclave's data memory, it overlooks the migration of persistent state,
including sealed data and monotonic counters; the former risks data loss whilst
the latter undermines the SGX security guarantees. We show how this can be
exploited to mount attacks, and then propose an improved enclave migration
approach guaranteeing the consistency of persistent state. Our software-only
approach enables migratable sealed data and monotonic counters, maintains all
SGX security guarantees, minimizes developer effort, and incurs negligible
performance overhead.
Managing Large Enclaves in a Data Center
Live migration of an application or VM is a well-known technique for load
balancing, performance optimization, and resource management. To minimize the
total downtime during migration, two popular methods -- pre-copy or post-copy
-- are used in practice. These methods scale to large VMs and applications
since the downtime is independent of the memory footprint of an application.
However, in a secure, trusted execution environment (TEE) like Intel's scalable
SGX, the state-of-the-art still uses the decade-old stop-and-copy method, where
the total downtime is proportional to the application's memory footprint. This
is primarily due to the fact that TEEs like Intel SGX do not expose memory and
page table accesses to the OS, quite unlike insecure applications. However,
with modern TEE solutions that efficiently support large applications, such as
Intel's Scalable SGX and AMD's Epyc, it is high time that TEE migration methods
also evolve to enable live migration of large TEE applications with minimal
downtime (stop-and-copy cannot be used any more). We present OptMig, an
end-to-end solution for live migrating large memory footprints in TEE-enabled
applications. Our approach does not require a developer to modify the
application; however, we need a short, separate compilation pass and
specialized software library support. Our optimizations reduce the total
downtime by 98% for a representative microbenchmark that uses 20GB of secure
memory and by 90 -- 96% for a suite of Intel SGX applications that have
multi-GB memory footprints.
Secure cloud micro services using Intel SGX
The micro service paradigm targets the implementation of
large and scalable systems while enabling fine-grained service-level maintainability. Due to their scalability, such architectures are frequently used
in cloud environments, which are often subject to privacy and trust issues
hindering the deployment of services dealing with sensitive data.
In this paper we investigate the integration of trusted execution based on
Intel Software Guard Extensions (SGX) into micro service applications.
We present our Vert.x Vault, that supports SGX-based trusted execution
in Eclipse Vert.x, a renowned tool-kit for writing reactive micro service
applications. With our approach, secure micro services can run alongside
regular ones, inter-connected via the Vert.x event bus to build large Vert.x
applications that can contain multiple trusted components.
Maintaining a full-fledged Java Virtual Machine (JVM) inside an SGX
enclave is impractical due to its complexity, less secure because of a large
Trusted Code Base (TCB), and would suffer from performance penalties
due to a high memory footprint. However, as Vert.x is written in Java, for
a lean TCB this requires integration of native enclave C/C++ code into
Vert.x, for which we propose the usage of Java Native Interface (JNI).
Our Vert.x Vault provides the benefits of micro service architectures
together with trusted execution to support privacy and data confidentiality
for sensitive applications in the cloud at scale. In our evaluation we show
the feasibility of our approach, buying a significantly increased level of
security for a low performance overhead of only ≈ 8.7%.
System Support for Modern Memory Technologies (Systemunterstützung für moderne Speichertechnologien)
Trust and scalability are the two significant factors which impede the dissemination of clouds.
The possibility of privileged access to customer data by a cloud provider limits the usage of clouds for processing security-sensitive data.
Low-latency cloud services rely on in-memory computation and are thus limited by characteristics of Dynamic RAM (DRAM) such as capacity, density and energy consumption.
Two technological areas address these factors.
Mainstream server platforms, such as Intel Software Guard eXtensions (SGX) and AMD Secure Encrypted Virtualisation (SEV), offer extensions for trusted execution in untrusted environments.
Various technologies of Non-Volatile RAM (NV-RAM) have better capacity and density compared to DRAM and thus can be considered as DRAM alternatives in the future.
However, these technologies and extensions require new programming approaches and system support since they add features to the system architecture: new system components (Intel SGX) and data persistence (NV-RAM).
This thesis is devoted to the programming and architectural aspects of persistent and trusted systems.
For trusted systems, an in-depth analysis of new architectural extensions was performed.
A novel framework named EActors and a database engine named STANlite were developed to effectively use the capabilities of trusted execution.
For persistent systems, an in-depth analysis of prospective memory technologies, their features and the possible impact on system architecture was performed.
A new persistence model, called the hypervisor-based model of persistence, was developed and evaluated by the NV-Hypervisor.
This offers transparent persistence for legacy and proprietary software, and supports virtualisation of persistent memory.
Trustworthiness and scalability are the two decisive factors that hinder the adoption of clouds.
The possibility of privileged access to customer data by a cloud provider limits the use of clouds for processing security-critical and confidential information.
Low-latency cloud services require computations to be carried out in main memory and are therefore bound to characteristics of Dynamic RAM (DRAM) such as capacity, density, energy consumption and other aspects.
Two technological areas address these factors: established server platforms such as Intel Software Guard eXtensions (SGX) and AMD Secure Encrypted Virtualisation (SEV) provide extensions for trusted execution in untrusted environments.
Various non-volatile memory technologies offer better capacity and storage density compared with DRAM and can therefore be considered as an alternative to DRAM in the future.
However, these technologies and extensions require novel programming approaches and system support, since they add new functionality to the system architecture: system components (Intel SGX) and persistence (non-volatile memory).
This dissertation is devoted to the programming and architectural aspects of persistent and trusted systems.
For trusted systems, a detailed analysis of the new architecture extensions was carried out.
In addition, the novel EActors framework and the STANlite database were developed to make effective use of the new possibilities of trusted execution.
Furthermore, for persistent systems a detailed analysis of future memory technologies, their characteristics and their possible effects on the system architecture was carried out.
Finally, the new hypervisor-based persistence model was developed and evaluated by means of NV-Hypervisor, which enables transparent persistence for legacy and proprietary software as well as virtualisation of persistent memory.
Intel TDX Demystified: A Top-Down Approach
Intel Trust Domain Extensions (TDX) is a new architectural extension in the
4th Generation Intel Xeon Scalable Processor that supports confidential
computing. TDX allows the deployment of virtual machines in the
Secure-Arbitration Mode (SEAM) with encrypted CPU state and memory, integrity
protection, and remote attestation. TDX aims to enforce hardware-assisted
isolation for virtual machines and minimize the attack surface exposed to host
platforms, which are considered to be untrustworthy or adversarial in the
the new threat model of confidential computing. TDX can be leveraged by regulated
industries or sensitive data holders to outsource their computations and data
with end-to-end protection in public cloud infrastructure.
This paper aims to provide a comprehensive understanding of TDX to potential
adopters, domain experts, and security researchers looking to leverage the
technology for their own purposes. We adopt a top-down approach, starting with
high-level security principles and moving to low-level technical details of
TDX. Our analysis is based on publicly available documentation and source code,
offering insights from security researchers outside of Intel.
SGX-Aware Container Orchestration for Heterogeneous Clusters
Containers are becoming the de facto standard to package and deploy
applications and micro-services in the cloud. Several cloud providers (e.g.,
Amazon, Google, Microsoft) are beginning to offer native support on their
infrastructure by integrating container orchestration tools within their cloud
offering. At the same time, the security guarantees that containers offer to
applications remain questionable. Customers still need to trust their cloud
provider with respect to data and code integrity. The recent introduction by
Intel of Software Guard Extensions (SGX) into the mass market offers an
alternative to developers, who can now execute their code in a hardware-secured
environment without trusting the cloud provider.
This paper provides insights regarding the support of SGX inside Kubernetes,
an industry-standard container orchestrator. We present our contributions
across the whole stack supporting execution of SGX-enabled containers. We
provide details regarding the architecture of the scheduler and its monitoring
framework, the underlying operating system support and the required kernel
driver extensions. We evaluate our complete implementation on a private cluster
using the real-world Google Borg traces. Our experiments highlight the
performance trade-offs that will be encountered when deploying SGX-enabled
micro-services in the cloud.
Comment: Presented at the 38th IEEE International Conference on Distributed Computing Systems (ICDCS 2018).
Secure migration of WebAssembly-based mobile agents between secure enclaves
Cryptography and security protocols are today commonly used to protect data at-rest and in-transit. In contrast, protecting data in-use has seen only limited adoption. Secure data transfer methods employed today rarely provide guarantees regarding the trustworthiness of the software and hardware at the communication endpoints.
The field of study that addresses these issues is called Trusted or Confidential Computing and relies on the use of hardware-based techniques. These techniques aim to isolate critical data and its processing from the rest of the system. More specifically, it investigates the use of hardware isolated Secure Execution Environments (SEEs) where applications cannot be tampered with during operation. Over the past few decades, several implementations of SEEs have been introduced, each based on a different hardware architecture. However, lately, the trend is to move towards architecture-independent SEEs.
As part of this, a Huawei research project is developing a secure enclave framework that enables secure execution and migration of applications (mobile agents), regardless of the underlying architecture. This thesis contributes to the development of the framework by participating in the design and implementation of a secure migration scheme for the mobile agents. The goal is a scheme in which the mobile agent can be transferred without compromising the security guarantees provided by SEEs. Further, the thesis also provides performance measurements of the migration scheme implemented in a proof of concept of the framework.