
    Stress-SGX: Load and Stress your Enclaves for Fun and Profit

    The latest generation of Intel processors supports Software Guard Extensions (SGX), a set of instructions that implements a Trusted Execution Environment (TEE) right inside the CPU by means of so-called enclaves. This paper presents Stress-SGX, an easy-to-use stress-test tool to evaluate the performance of SGX-enabled nodes. We build on top of the popular Stress-NG tool, keeping only the workload injectors (stressors) that are meaningful in the SGX context. We report on several insights and lessons learned about porting legacy code to run inside an SGX enclave, as well as on the limitations introduced by this process. Finally, we use Stress-SGX to conduct a study comparing the performance of different SGX-enabled machines.
    Comment: European Commission Project: LEGaTO - Low Energy Toolset for Heterogeneous Computing (EC-H2020-780681)

    Security, Performance and Energy Trade-offs of Hardware-assisted Memory Protection Mechanisms

    The deployment of large-scale distributed systems, e.g., publish-subscribe platforms, that operate over sensitive data on the infrastructure of public cloud providers is nowadays heavily hindered by a growing lack of trust toward cloud operators. Although purely software-based solutions exist to protect the confidentiality of data and of the processing itself, such as homomorphic encryption schemes, their performance is far from practical under real-world workloads. This practical experience report describes the performance trade-offs of two hardware-assisted memory protection mechanisms currently available on the market to tackle this problem, namely AMD SEV, which transparently encrypts the memory of a whole virtual machine, and Intel SGX, which protects application-level enclaves and therefore requires the application to be partitioned accordingly. Specifically, we implement a publish/subscribe use case and evaluate the impact of each memory protection mechanism on its performance. The paper reports on the experience gained while building this system, in particular when coping with the technical limitations imposed by SEV and SGX. Micro- and macro-benchmarks exhibit several trade-offs that provide valuable insights in terms of latency, throughput, processing time and energy requirements.
    Comment: European Commission Project: LEGaTO - Low Energy Toolset for Heterogeneous Computing (EC-H2020-780681)

    SGX-Aware Container Orchestration for Heterogeneous Clusters

    Containers are becoming the de facto standard to package and deploy applications and micro-services in the cloud. Several cloud providers (e.g., Amazon, Google, Microsoft) have begun to offer native support on their infrastructure by integrating container orchestration tools into their cloud offering. At the same time, the security guarantees that containers offer to applications remain questionable: customers still need to trust their cloud provider with respect to data and code integrity. The recent introduction by Intel of Software Guard Extensions (SGX) into the mass market offers an alternative to developers, who can now execute their code in a hardware-secured environment without trusting the cloud provider. This paper provides insights regarding the support of SGX inside Kubernetes, an industry-standard container orchestrator. We present our contributions across the whole stack supporting the execution of SGX-enabled containers. We provide details regarding the architecture of the scheduler and its monitoring framework, the underlying operating system support and the required kernel driver extensions. We evaluate our complete implementation on a private cluster using the real-world Google Borg traces. Our experiments highlight the performance trade-offs that will be encountered when deploying SGX-enabled micro-services in the cloud.
    Comment: Presented at the 38th IEEE International Conference on Distributed Computing Systems (ICDCS 2018)
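    One concrete constraint an SGX-aware scheduler for a heterogeneous cluster has to handle is that only some nodes have SGX at all, and that each SGX node's Enclave Page Cache (EPC) is small and shared by every enclave running on it; an enclave whose working set exceeds the available EPC still runs, but falls back to EPC paging, which is far slower than regular memory access. The following is an added example of EPC-aware placement written for this listing; it is not the paper's scheduler nor Kubernetes code. The node attributes (`has_sgx`, `epc_pages`), the per-pod EPC request, and the figure of roughly 93 MiB of usable EPC per node are assumptions of the example, standing in for whatever a real device plugin would advertise.

```python
"""EPC-aware placement of SGX and non-SGX pods on a heterogeneous cluster.

Added example, not the paper's scheduler. Node and pod attributes
(has_sgx, epc_pages) stand in for whatever resource names a real
device plugin would advertise; they are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EPC_PAGE_BYTES = 4096  # the EPC is managed in 4 KiB pages


@dataclass
class Node:
    name: str
    has_sgx: bool
    epc_pages: int = 0                      # EPC pages this node can lend (0 without SGX)
    epc_used: int = 0
    pods: List[str] = field(default_factory=list)

    @property
    def epc_free(self) -> int:
        return self.epc_pages - self.epc_used


@dataclass
class Pod:
    name: str
    needs_sgx: bool
    epc_pages: int = 0                      # EPC pages the enclave asks for (assumed request)


def feasible(node: Node, pod: Pod) -> bool:
    """Filter stage: an enclave pod needs an SGX node with enough free EPC.

    Refusing to over-commit here is the point: the kernel would still run the
    enclave, but once the EPC is exhausted it pages enclave memory in and out,
    which is orders of magnitude slower than regular memory access.
    """
    if not pod.needs_sgx:
        return True
    return node.has_sgx and node.epc_free >= pod.epc_pages


def score(node: Node, pod: Pod) -> Tuple[int, int]:
    """Scoring stage (higher is better); ties keep input order."""
    if pod.needs_sgx:
        # spread enclaves: maximise the EPC headroom left after placement
        return (node.epc_free - pod.epc_pages, -len(node.pods))
    # plain pods: keep SGX nodes' EPC available for enclaves, then balance count
    return (0 if node.has_sgx else 1, -len(node.pods))


def place(nodes: List[Node], pod: Pod) -> Optional[Node]:
    """Bind one pod to the best feasible node, or return None (pod stays Pending)."""
    candidates = [n for n in nodes if feasible(n, pod)]
    if not candidates:
        return None
    best = max(candidates, key=lambda n: score(n, pod))  # first maximum wins ties
    if pod.needs_sgx:
        best.epc_used += pod.epc_pages
    best.pods.append(pod.name)
    return best


def schedule(nodes: List[Node], pods: List[Pod]) -> Dict[str, Optional[str]]:
    """Place pods in arrival order; unschedulable pods map to None."""
    result: Dict[str, Optional[str]] = {}
    for pod in pods:
        node = place(nodes, pod)
        result[pod.name] = node.name if node else None
    return result


def demo() -> Tuple[Dict[str, Optional[str]], List[Node]]:
    """Constructed cluster: one plain node and two SGX nodes with ~93 MiB of
    usable EPC each (a typical first-generation SGX figure, assumed here)."""
    epc = 93 * 1024 * 1024 // EPC_PAGE_BYTES           # 23808 pages
    nodes = [Node("n1", has_sgx=False),
             Node("n2", has_sgx=True, epc_pages=epc),
             Node("n3", has_sgx=True, epc_pages=epc)]
    pods = [Pod("a", needs_sgx=True, epc_pages=10000),
            Pod("b", needs_sgx=True, epc_pages=15000),
            Pod("c", needs_sgx=False),
            Pod("d", needs_sgx=True, epc_pages=20000)]  # no node will have 20000 pages free
    return schedule(nodes, pods), nodes


if __name__ == "__main__":
    placements, cluster = demo()
    for pod_name, node_name in placements.items():
        print(f"{pod_name} -> {node_name or 'Pending (no node with enough free EPC)'}")
    for n in cluster:
        print(f"{n.name}: sgx={n.has_sgx} epc_free={n.epc_free} pods={n.pods}")
```

    In the constructed run, pod `a` lands on `n2`, `b` no longer fits next to it and goes to `n3`, the plain pod `c` is steered to the non-SGX node so that EPC stays available for enclaves, and `d` is left Pending because neither SGX node has 20000 free pages. Leaving such a pod Pending, rather than silently over-committing the EPC, is the behaviour a practitioner wants from an SGX-aware scheduler.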

    In situ synchrotron radiation monitoring of phase transitions during microwave heating of Al-Cu-Fe alloys

    The effect of rapid microwave heating has so far been evaluated mainly by comparing the state of materials before and after microwave exposure. Yet, further progress critically depends on the ability to follow the evolution of materials during ultrafast heating in real time. We describe the first in situ time-resolved monitoring of solid-state phase transitions during microwave heating of metallic powders using wide-angle synchrotron radiation diffraction. Single-phase Al-Cu-Fe quasicrystal powders were obtained by microwave heating of nanocrystalline alloy precursors at 650 °C in <20

    The Yin-Yang of the Green Fluorescent Protein:Impact on Saccharomyces cerevisiae stress resistance

    Although fluorescent proteins are widely used as biomarkers (Yin), no study has focused on their influence on the microbial stress response. Here, the Green Fluorescent Protein (GFP) was fused to two proteins of interest in Saccharomyces cerevisiae, Pab1p and Sur7p, involved respectively in stress granule structure and in Can1 membrane domains. These were chosen because questions remain regarding the behavior of S. cerevisiae facing different heat kinetics or oxidative stresses. The main results showed that the Pab1p-GFP fluorescent mutant displayed a higher resistance than the wild type under a heat shock. Moreover, fluorescent mutants exposed to oxidative stresses displayed changes in cultivability compared to the wild-type strain. In silico approaches showed that the presence of the GFP did not influence the structure, and hence the functionality, of the tagged proteins, meaning that the changes in yeast resistance were most likely related to the ROS-scavenging ability of GFP (Yang).

    ENDBOX: Scalable Middlebox Functions Using Client-Side Trusted Execution

    Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems. We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel's Software Guard Extensions (SGX). By maintaining VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox with two scenarios involving (i) a large company and (ii) an Internet service provider, both of which need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.

    Ocular Application of the Kinin B1 Receptor Antagonist LF22-0542 Inhibits Retinal Inflammation and Oxidative Stress in Streptozotocin-Diabetic Rats

    Purpose: Kinin B1 receptor (B1R) is upregulated in the retina of Streptozotocin (STZ)-diabetic rats and contributes to vasodilation of retinal microvessels and breakdown of the blood-retinal barrier. Systemic treatment with B1R antagonists reversed the increased retinal plasma extravasation in STZ rats. The present study aims at determining whether ocular application of a water-soluble B1R antagonist could reverse diabetes-induced retinal inflammation and oxidative stress. Methods: Wistar rats were made diabetic with STZ (65 mg/kg, i.p.) and 7 days later received one eye-drop application of LF22-0542 (1% in saline) twice a day for a 7-day period. The impact was determined on retinal vascular permeability (Evans blue exudation), leukostasis (leukocyte infiltration using fluorescein isothiocyanate (FITC)-coupled concanavalin A lectin), retinal mRNA levels (by qRT-PCR) of inflammatory (B1R, iNOS, COX-2, ICAM-1, VEGF-A, VEGF receptor type 2, IL-1β and HIF-1α) and anti-inflammatory (B2R, eNOS) markers, and retinal level of superoxide anion (dihydroethidium staining). Results: Retinal plasma extravasation, leukostasis and mRNA levels of B1R, iNOS, COX-2, VEGF receptor type 2, IL-1β and HIF-1α were significantly increased in diabetic retinae compared to control rats. All these abnormalities were reversed to control values in diabetic rats treated with LF22-0542. The B1R antagonist also significantly inhibited the increased production of superoxide anion in diabetic retinae. Conclusion: B1R displays a pathological role in the early stage of diabetes by increasing oxidative stress and proinflammator