eleos exit less os services for sgx enclaves
play

Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina - PowerPoint PPT Presentation

Feb 29, 2024 •145 likes •1.02k views

Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel What do we do? Improve performance: I/O intensive & memory demanding SGX enclaves

  1. Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel

  2. What do we do? Improve performance: I/O intensive & memory demanding SGX enclaves Why? Cost of SGX execution for these applications is high How? In-enclave System Calls & User Managed Virtual Memory Results Eleos vs vanilla SGX 2x Throughput: memcached & face verification servers Even for 5x available enclave memory Available for Linux, Windows* (*) Without Eleos, these applications crash in Windows enclaves 22 May@Systor' 2017 Meni Orenbach, Technion 2

  3. ● Background ● Motivation ● Overhead analysis ● Eleos design ● Evaluation 22 May@Systor' 2017 Meni Orenbach, Technion 3

  4. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 4

  5. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 5

  6. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 6

  7. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 7

  8. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 8

  9. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted Lets look at How to secure server applications with enclaves 22 May@Systor' 2017 Meni Orenbach, Technion 9

  10. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) 22 May@Systor' 2017 Meni Orenbach, Technion 10

  11. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access 22 May@Systor' 2017 Meni Orenbach, Technion 11

  12. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access Dedicated SGX mem Limited to: 128 MB Secured access 22 May@Systor' 2017 Meni Orenbach, Technion 12

  13. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Wait for network app requests 22 May@Systor' 2017 Meni Orenbach, Technion 13

  14. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Wait for network app requests 22 May@Systor' 2017 Meni Orenbach, Technion 14

  15. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests 22 May@Systor' 2017 Meni Orenbach, Technion 15

  16. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests 22 May@Systor' 2017 Meni Orenbach, Technion 16

  17. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests Encrypt responses 22 May@Systor' 2017 Meni Orenbach, Technion 17

  18. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests Exit enclave Encrypt responses Send responses 22 May@Systor' 2017 Meni Orenbach, Technion 18

  19. SGX enclaves should be fast ● ISA extensions ● Implemented in HW & Firmware ● Same CPU HW ● In-cache execution suffers no overheads 22 May@Systor' 2017 Meni Orenbach, Technion 19

  20. SGX enclaves should be fast ● ISA extensions ● Implemented in HW & Firmware ● Same CPU HW ● In-cache execution suffers no overheads However... 22 May@Systor' 2017 Meni Orenbach, Technion 20

  21. Executing a Key-Value Store in enclave is slower 22 May@Systor' 2017 Meni Orenbach, Technion 21

  22. Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 40 35 34X 30 25 20 15 11X 10 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 22 Memory footprint

  23. Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 40 35 34X Crashes 30 in Windows 25 20 15 11X 10 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 23 Memory footprint

  24. ● Background ● Motivation ● Overhead analysis ● Eleos design ● Evaluation 22 May@Systor' 2017 Meni Orenbach, Technion 24

  25. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Enter app enclave Wait for network Decrypt requests requests 150 cycles/32B Process requests *100 cycles/32B Exit enclave Encrypt responses Send responses *150 cycles/32B 22 May@Systor' 2017 Meni Orenbach, Technion 25

  26. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Process requests *100 cycles/32B Exit Exit enclave enclave Encrypt responses Send responses *150 cycles/32B 22 May@Systor' 2017 Meni Orenbach, Technion 26

  27. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Process requests *100 cycles/32B Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 27

  28. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Exits causes indirect costs: Process requests 1.5X – 5X slower execution *100 cycles/32B FlexSC [OSDI'10] syscall analysis Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 28

  29. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Exits causes indirect costs: Process requests 1.5X – 5X slower execution *100 cycles/32B FlexSC [OSDI'10] syscall analysis Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 29

  30. Eleos does better! Throughput: Slowdown factor 40 SGX Eleos 35 30 25 20 5x 15 10 3.5x 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 30 Memory footprint

  31. Eleos does better! Throughput: Slowdown factor 40 SGX Eleos 35 30 25 20 5x 15 10 3.5x 5 0 64 MB 512 MB How does Eleos achieve this? 22 May@Systor' 2017 Meni Orenbach, Technion 31 Memory footprint

  32. Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging 22 May@Systor' 2017 Meni Orenbach, Technion 32

  33. Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging 22 May@Systor' 2017 Meni Orenbach, Technion 33

  34. Background: SGX paging System mem SGX mem Dedicated memory Enclave code & data Limited to 128 MB 22 May@Systor' 2017 Meni Orenbach, Technion 34

  35. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 35

  36. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 36

  37. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Encrypted Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 37

  38. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Encrypted Untrusted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 38

  39. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Fault Encrypted SGX-driver handler Untrusted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 39

Recommend

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1 Research Statement: Enclaves are accelerators for secured execution Accelerator system services and Abstractions can be retrofitted Inspire

297 views • 28 slides
Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms 2 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms

1.06k views • 18 slides
I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION TIME! WE NEED TO SETTLE ON A PROPOSED ACTION Follow-up from June 7 th Public Informational Meeting EXIT 7 Exit 7 Relocated Interchange EXIT 6

253 views • 23 slides
Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and make it grow. But they often neglect the need for Exit Planning in their Business. In absence of Exit Strategy, they often forget that the decisions

247 views • 11 slides
Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able

Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able

Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able History Aerospace unit founded in 1982 Purchased by CEO in 1993 with 3 employees Able Engineering and Component Services Inc.:

535 views • 34 slides
Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

The Exit Planning Executive Briefing Presented by Geoffrey S. Gallo, ChFC, CExP TR Moore & Company, PC Member of Business Enterprise Institutes Network Of Exit Planning Professionals Story Agenda Exit Planning Collaboration

590 views • 37 slides
AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90 New hospital located at 9801 Frontier Ave. SE, off of I-90, Exit 25. NEW HOSPITAL FEATURES We will have more space to deliver the services our

328 views • 13 slides
AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90 New hospital located at 9801 Frontier Ave. SE, off of I-90, Exit 25. NEW HOSPITAL FEATURES We will have more space to deliver the services our

616 views • 14 slides
Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct contrast to the modular nature of the Briton 560 - 570 Series, the Features & Benefits long established Briton 376 Series is supplied as a

182 views • 7 slides
Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases today! What is an Exit Plan? Exit Planning is business strategy. Exit Planning builds, harvests and Personal Goals preserves wealth while

598 views • 36 slides
Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A

Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A

Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A L S T U D I E S STUDENT FINANCIAL SERVICES Agenda Loan types and interest rates Grace periods Repaying your student loans Repayment

481 views • 45 slides
J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

f17 d b lJ t fJ fr u 9 J9r @ J J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19 INTERCHANGE AREA MANAGEMENT PLANS lAMP ODors Mission Provide a safe efficient transportation system that

422 views • 10 slides
Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a one-day writing event for seniors. The first round of writing events will occur during the winter Keystone testing period. Senior Exit Project

500 views • 12 slides
Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan

Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan

Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan Open Source Enclaves Workshop 2019 Transparent Mint Transparent Mint Alice Mint Transparent Mint Merchant ID Date Amount Alice 2014-06-03

825 views • 65 slides
MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

Damian Barabonkov MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big Ideas Paper Feedback Motivation of MI6 Threat Model Implementation Performance Analysis

383 views • 24 slides
Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes

629 views • 34 slides
COGS Graduate Student Exit Survey An Example of COGS Academic Support Services Assessment Dr.

COGS Graduate Student Exit Survey An Example of COGS Academic Support Services Assessment Dr.

COGS Graduate Student Exit Survey An Example of COGS Academic Support Services Assessment Dr. Susan L. Pocotte Associate Dean for Academic Affairs- COGS Presentation Objectives Summarize COGS assessment process Describe trended results

965 views • 54 slides
From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd Paysan, net2o [] exit execute Exit not tickable in Gforth 0.7 Standard-conforming, but Several complaints over the years Traditionally

594 views • 14 slides
EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE EU Exit Chemicals Programme Defra policy lead REACH, PPP, MRLs, Detergents, POPs, Mercury HSE policy lead CLP, PIC, BPR HSE is

629 views • 21 slides
Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29 September, 2011 Issues When Optimizing for Exit A Lifecycle Approach 1. When investing - with a view to exit 2. When carrying and managing in

569 views • 28 slides
Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems boolean find_exit(int x, int y) /* 2 nd try */ { if ( we have been here before ) return false; /* dont try same spot again */ if ( x,y is an exit )

611 views • 17 slides
No More Enclaves: Aynak in Afghanistan Prepared by Gary McMahon, World Bank, for Countdown to

No More Enclaves: Aynak in Afghanistan Prepared by Gary McMahon, World Bank, for Countdown to

No More Enclaves: Aynak in Afghanistan Prepared by Gary McMahon, World Bank, for Countdown to Copper in Afghanistan: Pitfalls and Possibilities, US Institute of Peace, February 10, 2010 Main Issues Fiscal revenues: premium, royalties,

373 views • 6 slides
CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck Nadia Heninger Frank Piessens Berk Sunar Intel Labs Sept. 10 2020 OS/Hypervisor Security Model App App App OS Trusted Hypervisor

1.13k views • 67 slides
CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck

CopyCat: Controlled Instruction-Level Attacks on Enclaves Daniel Moghimi Jo Van Bulck Nadia Heninger Frank Piessens Berk Sunar Trusted Execution Environment (TEE) Intel SGX Intel Software Guard eXtensions (SGX) App

894 views • 42 slides

More recommend