Stress-SGX: Load and Stress your Enclaves for Fun and Profit
The latest generation of Intel processors supports Software Guard Extensions
(SGX), a set of instructions that implements a Trusted Execution Environment
(TEE) right inside the CPU, by means of so-called enclaves. This paper presents
Stress-SGX, an easy-to-use stress-test tool to evaluate the performance of
SGX-enabled nodes. We build on top of the popular Stress-NG tool, while only
keeping the workload injectors (stressors) that are meaningful in the SGX
context. We report on several insights and lessons learned about porting legacy
code to run inside an SGX enclave, as well as the limitations introduced by
this process. Finally, we use Stress-SGX to conduct a study comparing the
performance of different SGX-enabled machines.
Comment: European Commission Project: LEGaTO - Low Energy Toolset for
Heterogeneous Computing (EC-H2020-780681)
Security, Performance and Energy Trade-offs of Hardware-assisted Memory Protection Mechanisms
The deployment of large-scale distributed systems, e.g., publish-subscribe
platforms, that operate over sensitive data using the infrastructure of public
cloud providers, is nowadays heavily hindered by the surging lack of trust
toward the cloud operators. Although purely software-based solutions exist to
protect the confidentiality of data and the processing itself, such as
homomorphic encryption schemes, their performance is far from being practical
under real-world workloads.
This practical experience report describes the performance trade-offs of two
novel hardware-assisted memory protection mechanisms, namely AMD SEV and Intel
SGX, both currently available on the market to tackle this problem.
Specifically, we implement and evaluate a publish/subscribe use-case and
evaluate the impact of the memory protection mechanisms and the resulting
performance. This paper reports on the experience gained while building this
system, in particular when having to cope with the technical limitations
imposed by SEV and SGX.
Several trade-offs that provide valuable insights in terms of latency,
throughput, processing time and energy requirements are exhibited by means of
micro- and macro-benchmarks.
Comment: European Commission Project: LEGaTO - Low Energy Toolset for
Heterogeneous Computing (EC-H2020-780681)
SGX-Aware Container Orchestration for Heterogeneous Clusters
Containers are becoming the de facto standard to package and deploy
applications and micro-services in the cloud. Several cloud providers (e.g.,
Amazon, Google, Microsoft) have begun to offer native support on their
infrastructure by integrating container orchestration tools within their cloud
offering. At the same time, the security guarantees that containers offer to
applications remain questionable. Customers still need to trust their cloud
provider with respect to data and code integrity. The recent introduction by
Intel of Software Guard Extensions (SGX) into the mass market offers an
alternative to developers, who can now execute their code in a hardware-secured
environment without trusting the cloud provider.
This paper provides insights regarding the support of SGX inside Kubernetes,
an industry-standard container orchestrator. We present our contributions
across the whole stack supporting execution of SGX-enabled containers. We
provide details regarding the architecture of the scheduler and its monitoring
framework, the underlying operating system support and the required kernel
driver extensions. We evaluate our complete implementation on a private cluster
using the real-world Google Borg traces. Our experiments highlight the
performance trade-offs that will be encountered when deploying SGX-enabled
micro-services in the cloud.
Comment: Presented in the 38th IEEE International Conference on Distributed
Computing Systems (ICDCS 2018)
In situ synchrotron radiation monitoring of phase transitions during microwave heating of Al-Cu-Fe alloys
The effect of rapid microwave heating has so far been evaluated mainly by comparing the state of materials before and after microwave exposure. Yet, further progress critically depends on the ability to follow the evolution of materials during ultrafast heating in real time. We describe the first in situ time-resolved monitoring of solid-state phase transitions during microwave heating of metallic powders using wide-angle synchrotron radiation diffraction. Single-phase Al-Cu-Fe quasicrystal powders were obtained by microwave heating of nanocrystalline alloy precursors at 650 °C in <20
The Yin-Yang of the Green Fluorescent Protein: Impact on Saccharomyces cerevisiae stress resistance
Although fluorescent proteins are widely used as biomarkers (Yin), no study focuses on their influence on the microbial stress response. Here, the Green Fluorescent Protein (GFP) was fused to two proteins of interest in Saccharomyces cerevisiae, Pab1p and Sur7p, respectively involved in stress granule structure and in Can1 membrane domains. These were chosen since questions remain regarding the behavior of S. cerevisiae facing different heat kinetics or oxidative stresses. The main results showed that the Pab1p-GFP fluorescent mutant displayed a higher resistance than the wild type under a heat shock. Moreover, fluorescent mutants exposed to oxidative stresses displayed changes in cultivability compared to the wild type strain. In silico approaches showed that the presence of the GFP did not influence the structure, and so the functionality, of the tagged proteins, meaning that changes in yeast resistance were most likely related to the ROS-scavenging ability of GFP (Yang).
ENDBOX: Scalable Middlebox Functions Using Client-Side Trusted Execution
Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems.
We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel's Software Guard Extensions (SGX). By maintaining VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox with two scenarios involving (i) a large company and (ii) an Internet service provider, both of which need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.
Ocular Application of the Kinin B1 Receptor Antagonist LF22-0542 Inhibits Retinal Inflammation and Oxidative Stress in Streptozotocin-Diabetic Rats
Purpose: Kinin B1 receptor (B1R) is upregulated in the retina of Streptozotocin (STZ)-diabetic rats and contributes to vasodilation of retinal microvessels and breakdown of the blood-retinal barrier. Systemic treatment with B1R antagonists reversed the increased retinal plasma extravasation in STZ rats. The present study aims at determining whether ocular application of a water-soluble B1R antagonist could reverse diabetes-induced retinal inflammation and oxidative stress. Methods: Wistar rats were made diabetic with STZ (65 mg/kg, i.p.) and 7 days later received one eye-drop application of LF22-0542 (1 % in saline) twice a day for a 7-day period. The impact was determined on retinal vascular permeability (Evans blue exudation), leukostasis (leukocyte infiltration using Fluorescein-isothiocyanate (FITC)-coupled Concanavalin A lectin), retinal mRNA levels (by qRT-PCR) of inflammatory (B1R, iNOS, COX-2, ICAM-1, VEGF-A, VEGF receptor type 2, IL-1b and HIF-1a) and anti-inflammatory (B2R, eNOS) markers, and retinal level of superoxide anion (dihydroethidium staining). Results: Retinal plasma extravasation, leukostasis and mRNA levels of B1R, iNOS, COX-2, VEGF receptor type 2, IL-1b and HIF-1a were significantly increased in diabetic retinae compared to control rats. All these abnormalities were reversed to control values in diabetic rats treated with LF22-0542. The B1R antagonist also significantly inhibited the increased production of superoxide anion in diabetic retinae. Conclusion: B1R displays a pathological role in the early stage of diabetes by increasing oxidative stress and proinflammator