342 research outputs found

    Spons & shields: practical isolation for trusted execution

    Trusted execution environments (TEEs) promise a cost-effective, “lift-and-shift” solution for deploying security-sensitive applications in untrusted clouds. For this, they must support rich, multi-component applications, but a large trusted computing base (TCB) inside the TEE risks that attackers can compromise application security. Fine-grained compartmentalisation can increase security through defense-in-depth, but current solutions either run all software components unprotected in the same TEE, lack efficient shared memory support, or isolate application processes using separate TEEs, impacting performance and compatibility. We describe the Spons & Shields framework (SSF) for Intel SGX TEEs, which offers intra-TEE compartmentalisation using two new abstractions, Spons and Shields. Spons and Shields generalise process, library and user/kernel isolation inside the TEE while allowing for efficient memory sharing. When users deploy unmodified multi-component applications in a TEE, SSF dynamically creates Spons (one per POSIX process or library) and Shields (to enforce a given security policy for memory accesses). Applications can be hardened with minor code changes, e.g., by using a separate Shield to isolate an SSL library. SSF uses compiler instrumentation to protect Shield boundaries, exploiting MPX instructions if available. We evaluate SSF using a complex application service (NGINX, PHP interpreter and PostgreSQL) and show that its overhead is comparable to process isolation.

    CAP-VMs: Capability-based isolation and sharing in the cloud

    Cloud stacks must isolate application components, while permitting efficient data sharing between components deployed on the same physical host. Traditionally, the MMU enforces isolation and permits sharing at page granularity. MMU approaches, however, lead to cloud stacks with large TCBs in kernel space, and page granularity requires inefficient OS interfaces for data sharing. Forthcoming CPUs with hardware support for memory capabilities offer new opportunities to implement isolation and sharing at a finer granularity. We describe cVMs, a new VM-like abstraction that uses memory capabilities to isolate application components while supporting efficient data sharing, all without mandating application code to be capability-aware. cVMs share a single virtual address space safely, each having only capabilities to access its own memory. A cVM may include a library OS, thus minimizing its dependency on the cloud environment. cVMs efficiently exchange data through two capability-based primitives assisted by a small trusted monitor: (i) an asynchronous read/write interface to buffers shared between cVMs; and (ii) a call interface to transfer control between cVMs. Using these two primitives, we build more expressive mechanisms for efficient cross-cVM communication. Our prototype implementation using CHERI RISC-V capabilities shows that cVMs isolate services (Redis and Python) with low overhead while improving data sharing.

    Evaluation of Parameters for Confident Phosphorylation Site Localization using an Orbitrap Fusion Tribrid Mass Spectrometer

    Confident identification of sites of protein phosphorylation by mass spectrometry (MS) is essential to advance understanding of phosphorylation-mediated signaling events. However, development of novel instrumentation requires that methods for MS data acquisition and its interrogation be evaluated and optimized for high throughput phosphoproteomics. Here, we compare and contrast eight MS acquisition methods on the novel tribrid Orbitrap Fusion MS platform, using both a synthetic phosphopeptide library and a complex phosphopeptide-enriched cell lysate. As well as evaluating multiple fragmentation regimes (HCD, EThcD and neutral loss triggered ET(ca/hc)D), and analyzers for MS/MS (orbitrap (OT) versus ion trap (IT)), we also compare two commonly used bioinformatics platforms, Andromeda with PTM-score, and MASCOT with ptmRS, for confident phosphopeptide identification and, crucially, phosphosite localization. Our findings demonstrate that optimal phosphosite identification is achieved using HCD fragmentation and high resolution orbitrap-based MS/MS analysis, employing MASCOT/ptmRS for data interrogation. Although EThcD is optimal for confident site localization for a given PSM, the increased duty cycle compared with HCD compromises the numbers of phosphosites identified. Finally, our data highlight that a charge-state dependent fragmentation regime, and a multiple algorithm search strategy, are likely to be of benefit for confident large-scale phosphosite localization.

    DEFCON: high-performance event processing with information security

    In finance and healthcare, event processing systems handle sensitive data on behalf of many clients. Guaranteeing information security in such systems is challenging because of their strict performance requirements in terms of high event throughput and low processing latency. We describe DEFCON, an event processing system that enforces constraints on event flows between event processing units. DEFCON uses a combination of static and runtime techniques for achieving light-weight isolation of event flows, while supporting efficient sharing of events. Our experimental evaluation in a financial data processing scenario shows that DEFCON can provide information security with significantly lower processing latency compared to a traditional approach.

    ORC: Increasing cloud memory density via object reuse with capabilities

    Cloud environments host many tenants, and typically there is substantial overlap between the application binaries and libraries executed by tenants. Thus, memory de-duplication can increase memory density by allocating memory for shared binaries only once. Existing de-duplication approaches, however, either rely on a shared OS to de-duplicate binary objects, which provides unacceptably weak isolation; or exploit hypervisor-based de-duplication at the level of memory pages, which is blind to the semantics of the objects to be shared. We describe Object Reuse with Capabilities (ORC), which supports the fine-grained sharing of binary objects between tenants, while isolating tenants strongly through a small trusted computing base (TCB). ORC uses hardware support for memory capabilities to isolate tenants, which permits shared objects to be accessible to multiple tenants safely. Since ORC shares binary objects within a single address space through capabilities, it uses a new relocation type to create per-tenant state when loading shared objects. ORC supports the loading of objects by an untrusted guest, outside of its TCB, only verifying the safety of the loaded data. Our experiments show that ORC achieves a higher memory density with a lower overhead than hypervisor-based de-duplication.

    cAMP-dependent protein kinase (PKA) complexes probed by complementary differential scanning fluorimetry and ion mobility-mass spectrometry

    cAMP-dependent protein kinase (PKA) is an archetypal biological signaling module and a model for understanding the regulation of protein kinases. In the present study, we combine biochemistry with differential scanning fluorimetry (DSF) and ion mobility–mass spectrometry (IM–MS) to evaluate effects of phosphorylation and structure on the ligand binding, dynamics and stability of components of heteromeric PKA protein complexes in vitro. We uncover dynamic, conformationally distinct populations of the PKA catalytic subunit with distinct structural stability and susceptibility to the physiological protein inhibitor PKI. Native MS of reconstituted PKA R2C2 holoenzymes reveals variable subunit stoichiometry and holoenzyme ablation by PKI binding. Finally, we find that although a ‘kinase-dead’ PKA catalytic domain cannot bind to ATP in solution, it interacts with several prominent chemical kinase inhibitors. These data demonstrate the combined power of IM–MS and DSF to probe PKA dynamics and regulation, techniques that can be employed to evaluate other protein-ligand complexes, with broad implications for cellular signaling.

    DRP-1 is required for BH3 mimetic-mediated mitochondrial fragmentation and apoptosis

    The concept of using BH3 mimetics as anticancer agents has been substantiated by the efficacy of selective drugs, such as Navitoclax and Venetoclax, in treating BCL-2-dependent haematological malignancies. However, most solid tumours depend on MCL-1 for survival, which is highly amplified in multiple cancers and a major factor determining chemoresistance. Most MCL-1 inhibitors that have been generated so far, while demonstrating early promise in vitro, fail to exhibit specificity and potency in a cellular context. To address the lack of standardised assays for benchmarking the in vitro binding of putative inhibitors before analysis of their cellular effects, we developed a rapid differential scanning fluorimetry (DSF)-based assay, and used it to screen a panel of BH3 mimetics. We next contrasted their binding signatures with their ability to induce apoptosis in an MCL-1 dependent cell line. Of all the MCL-1 inhibitors tested, only A-1210477 induced rapid, concentration-dependent apoptosis, which strongly correlated with a thermal protective effect on MCL-1 in the DSF assay. In cells that depend on both MCL-1 and BCL-XL, A-1210477 exhibited marked synergy with A-1331852, a BCL-XL specific inhibitor, to induce cell death. Despite this selectivity and potency, A-1210477 induced profound structural changes in the mitochondrial network in several cell lines that were not phenocopied following MCL-1 RNA interference or transcriptional repression, suggesting that A-1210477 induces mitochondrial fragmentation in an MCL-1-independent manner. However, A-1210477-induced mitochondrial fragmentation was dependent upon DRP-1, and silencing expression levels of DRP-1 diminished not just mitochondrial fragmentation but also BH3 mimetic-mediated apoptosis. These findings provide new insights into MCL-1 ligands, and the interplay between DRP-1 and the anti-apoptotic BCL-2 family members in the regulation of apoptosis.

    TaLoS: secure and transparent TLS termination inside SGX enclaves

    We introduce TaLoS, a drop-in replacement for existing transport layer security (TLS) libraries that protects itself from a malicious environment by running inside an Intel SGX trusted execution environment. By minimising the number of enclave transitions and reducing the overhead of the remaining enclave transitions, TaLoS imposes an overhead of no more than 31% in our evaluation with the Apache web server and the Squid proxy.