scone s ecure linux con tainer e nvironments with intel
play

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. - PowerPoint PPT Presentation

Aug 25, 2022 •284 likes •820 views

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth , and A. Martin, Technische Universitt Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College

  1. SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth , and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College London; D. Goltzsche, Technische Universität Braunschweig; D. Eyers, University of Otago; R. Kapitza, Technische Universität Braunschweig; P. Pietzuch, Imperial College London; C. Fetzer, Technische Universität Dresden thomas.knauth@tu-dresden.de 1

  2. Trust Issues: The Provider’s Perspective • Cloud provider does not trust Redis users OS • Use virtual machines to isolate users from each other and the VMM trusted host Firmware • VMs only provide one way Cloud platform protection Staff … 2

  3. Trust Issues: The User’s Perspective Redis • Users trust their application • Users must implicitly trust the OS cloud provider VMM untrusted • Existing applications implicitly Firmware assume trusted operating Cloud platform system Staff … 3

  4. Containers are the new VMs • Containers provide resource isolation and bundling • Smaller resource overhead than virtual machines • Convenient tooling to create and deploy applications in the cloud 4

  5. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 5

  6. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 6

  7. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 7

  8. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 8

  9. We want to … OS VMM untrusted Firmware Cloud platform Staff … 9

  10. We want to … • run unmodified Linux applications … OS VMM untrusted Firmware Cloud platform Staff … 9

  11. We want to … • run unmodified Linux applications … • in containers … OS VMM untrusted Firmware Cloud platform Staff … 9

  12. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware Cloud platform Staff … 9

  13. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware • securely and … Cloud platform Staff … 9

  14. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware • securely and … Cloud platform • with acceptable performance Staff … 9

  15. Secure Guard Extensions Enclave New enclave processor mode • Users can create a HW- • OS enforced trusted environment VMM untrusted Firmware Only trust Intel and Secure • Guard Extensions (SGX) Cloud platform implementation Staff … 10 10

  16. SGX: HW-enforced Security untrusted trusted • 18 new instructions to manage Execute enclave life cycle … Return • Enclave memory only … accessible from enclave EENTER … • Certain instructions privileged access from disallowed, e.g., syscall OS, VMM, SMM forbidden 11

  17. Challenge 1: Interface Library OS inside TCB Application Code • Haven (OSDI’14): library External container interface trusted operating system in enclave Libraries • Large TCB → more vulnerable C Library Library OS • Small interface (22 system calls) untrusted Shielding layer • Shields protect the interface Host OS 12

  18. Challenge 1: Interface Minimal TCB Application Code Libraries • Small TCB Shim C Library • C library interface is complex • Harder to protect C Library Host OS 13

  19. Challenge 2: Performance native system call frequency 
 10000 (1000s/second) synchronous enclave exits 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 4 8 Threads 14

  20. Challenge 2: Performance native system call frequency 
 10000 (1000s/second) 8 × synchronous enclave exits 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 4 8 Threads 14

  21. SCONE Architecture Application Libraries SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  22. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) SCONE C library SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  23. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) M:N threading • Asynchronous system calls SCONE C library and user space threading reduce number of enclave Asynchronous system calls exits (Challenge 2) SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  24. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) Network shield File system shield M:N threading • Asynchronous system calls SCONE C library and user space threading reduce number of enclave Asynchronous system calls exits (Challenge 2) • Network and file system SCONE module Intel SGX driver shields actively protect user Container (cgroups) data Host operating system 15

  25. Anatomy of a System Call enclave kernel 16

  26. Anatomy of a System Call T1 read(fd, buf, size) read, fd, buf, size enclave kernel [0] [1] [2] system call slots 17

  27. Anatomy of a System Call T1 S1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [1] [2] system call slots 18

  28. Anatomy of a System Call T1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [0] [1] [2] system call slots 19

  29. Anatomy of a System Call T1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [1] [2] system call slots 19

  30. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel read, fd, buf, size [0] [1] [2] system call slots 19

  31. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [1] [2] system call slots 19

  32. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 19

  33. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [2] [1] [2] read, fd, buf, size system call slots 19

  34. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  35. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  36. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  37. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  38. Anatomy of a System Call GET K1 T2 T1 decrypt buffer into enclave read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  39. Container Integration Repository Docker Engine SCONE Client Secure Enclave Image Docker Client 21

  40. Container Integration Repository Docker Engine 1. push image SCONE Client Secure Enclave Image Docker Client 21

  41. Container Integration Repository Docker Engine 2. run 1. push image SCONE Client Secure Enclave Image Docker Client 21

  42. Container Integration 3. pull image Repository Docker Engine 2. run 1. push image SCONE Client Secure Enclave Image Docker Client 21

  43. Container Integration 3. pull image Repository Docker Engine 2. run 4. execute 1. push image SCONE Client Secure Enclave Image Docker Client 21

  44. Container Integration 3. pull image Repository Docker Engine 2. run 4. execute 1. push image 5. secure channel SCONE Client Secure Enclave Image Docker Client 21

  45. System Call Performance native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  46. System Call Performance async with 1 thread achieves 80% native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  47. System Call Performance async with 1 thread optimized queue achieves 80% may help native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  48. Apache Throughput sync 4 async glibc Latency (seconds) 3 2 0.7 × 1 0.8 × 0 0 15000 30000 45000 60000 Throughput (requests / second) 23

Recommend

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides
Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2

Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2

Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2 Linux Desktop Ubuntu 13.10 3.4 GHz Intel Core i7 4 Titan Cray Linux 16 2.2GHz AMD Opteron 6274 (Interlagos) Supada (ORNL) Geant4 Multithreading

61 views • 5 slides
service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

Introduction to Cache Quality of service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem definition Existing techniques Why use Kernel QOS framework Intel Cache qos support Kernel

1.5k views • 32 slides
Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel

Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel

Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel versions 2.2.X (user mode only) 2.3.99-pre6 (stable) 2.4.0-test1 (intel/alpha with patches) 2.4.0-test2 (intel only) Linux Driver

74 views • 4 slides
Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer

Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer

Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer Contributed to several open source projects throughout the Linux stack Recently joined projects under the Dronecode Linux maintainer for

583 views • 39 slides
Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center

Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center

Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center Feb 2 nd 2019 1 Agenda Linuxs unique development model How to prevent regressions from getting in? Case study: Intel GFX CI

467 views • 22 slides
Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open

Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open

Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open Source Technology Center 19-Aug, 2015 LinuxCon North America/Linux Plumbers Conference Seattle, WA 1 Acknowledgements Todd Brandt

613 views • 39 slides
SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen <

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen <

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen < jarkko.sakkinen@linux.intel.com > First, a little bit of history Skylake 2015 First attempt 2016/04/25: Only Intel blessed enclaves :(

707 views • 15 slides
Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com http://01.org/powertop 1 About Experiment 2 About Experiment Software Ubuntu 13.10: Includes Ubuntu Linux Kernel 3.11.0-12.19. Based on upstream Linux Kernel

463 views • 20 slides
Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org

Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org

Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org Overview Scalability theory Linux history Some common scalability trouble-spots Application workarounds Motivation CPUs still getting faster

327 views • 22 slides
Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com

Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com

Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com October 5, 2015 Daniel Baluta (Intel) Industrial I/O October 5, 2015 1 / 29 Why Industrial I/O? past - industrial process control or scientific

679 views • 29 slides
Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

1 Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as an open-source ("free") alternative by Linux Torvalds and several others starting in 1991 Originally only for Intel based processors

785 views • 16 slides
JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux

JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux

JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux Foundation. *Other names and brands may be claimed as the property of others. Outline Why JavaScript* Architecture Arduino 101* Port Building

244 views • 21 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux

Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux

Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux Foundation. *Other names and brands may be claimed as the property of others. Agenda Why Power Management? The core concepts behind Zephyr RTOS PM Power

487 views • 34 slides
An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms

An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms

An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms for or NFV FV Sriram Natarajan, Deutsche Telekom Inc. Ramki Krishnan, Dell Inc. Anoop Ghanwani, Dell Inc. Dilip Krishnaswamy, IBM Research

154 views • 14 slides
Intel GFX CI and IGT What services do we provide, our roadmaps, and lessons learnt! Martin Peres

Intel GFX CI and IGT What services do we provide, our roadmaps, and lessons learnt! Martin Peres

Intel GFX CI and IGT What services do we provide, our roadmaps, and lessons learnt! Martin Peres & Arek Hiler Feb 3 rd 2018 1 Agenda Introduction: Linux and its need for CI IGT GPU Tools - our testsuite State of Intel GFX CI,

513 views • 30 slides
The Devil Wears RPM: Continous Security Integration Ikey Doherty Intel Corporation Who are you?

The Devil Wears RPM: Continous Security Integration Ikey Doherty Intel Corporation Who are you?

The Devil Wears RPM: Continous Security Integration Ikey Doherty Intel Corporation Who are you? Introduction to Ikey Doherty Who are you? Ikey Doherty, software engineer at Intel Part of the Clear Linux* Project for Intel Architecture

324 views • 14 slides
Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be dominig.arfoll@fridu.net 1/30 A harden Embedded Linux Applicable to any Industrial IoT Linux 2/30 3/30 4/30 Top 25 Git Commituers in 2016 Commits Name

1.37k views • 30 slides
Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23

Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23

Desktop Virtualization with SPICE Gerd Hoffmann <kraxel@redhat.com> Linux Kongress, Sep 23 th 2010 1 SPICE | Gerd Hoffmann What is SPICE Virtual Desktop Infrastructure. S imple P rotocol for I ndependent C omputing E nvironments.

353 views • 13 slides
LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure Matt Fleming, Intel Linux* UEFI Validation Project Started in January 2014 Custom Linux

493 views • 21 slides
Intel 10Gbe status and other thoughts Linux IPsec Workshop 2018 Shannon Nelson Oracle Corp

Intel 10Gbe status and other thoughts Linux IPsec Workshop 2018 Shannon Nelson Oracle Corp

Intel 10Gbe status and other thoughts Linux IPsec Workshop 2018 Shannon Nelson Oracle Corp March 2018 Summary 10Gbe Niantic and family have IPsec HW offload Initial driver support came out in v4.15 Approx 6.5 Gbps

577 views • 22 slides
S TATISTICAL M ODELING OF S POT I NSTANCE P RICES IN P UBLIC C LOUD E NVIRONMENTS Bahman Javadi ,

S TATISTICAL M ODELING OF S POT I NSTANCE P RICES IN P UBLIC C LOUD E NVIRONMENTS Bahman Javadi ,

S TATISTICAL M ODELING OF S POT I NSTANCE P RICES IN P UBLIC C LOUD E NVIRONMENTS Bahman Javadi , Ruppa K. Thulasiram , and Rajkumar Buyya Cloud Computing and Distributed Systems (CLOUDS) Laboratory Department of Computer Science and Software

611 views • 23 slides
& Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda Background Security

& Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda Background Security

TCG TPM2 Software Stack & Embedded Linux Philip Tricca philip.b.tricca@intel.com Agenda Background Security basics Terms TPM basics What it is / what it does Why this matters / specific features TPM Software Stack

616 views • 24 slides

More recommend