SCONE: Secure Linux Container Environments with Intel SGX
S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College London; D. Goltzsche, Technische Universität Braunschweig; D. Eyers, University of Otago; R. Kapitza, Technische Universität Braunschweig; P. Pietzuch, Imperial College London; C. Fetzer, Technische Universität Dresden
thomas.knauth@tu-dresden.de
Trust Issues: The Provider's Perspective
• The cloud provider does not trust its users
• Virtual machines isolate users from each other and from the host
• VMs only provide one-way protection (host protected from guest)
[Figure: software stack with the user's application (Redis) on top, marked untrusted by the provider, above the OS, VMM, firmware, cloud platform and staff, which form the provider's trusted host]

Trust Issues: The User's Perspective
• Users trust their own application
• Users must implicitly trust the cloud provider
• Existing applications implicitly assume a trusted operating system
[Figure: the same stack, now with Redis trusted and the OS, VMM, firmware, cloud platform and staff marked untrusted]
Containers are the new VMs
• Containers provide resource isolation and bundling
• Smaller resource overhead than virtual machines
• Convenient tooling to create and deploy applications in the cloud
Disaster!
[Figure: the entire host stack below the application (OS, VMM, firmware, cloud platform, staff) marked untrusted]
We want to …
• run unmodified Linux applications …
• in containers …
• in an untrusted cloud …
• securely and …
• with acceptable performance
[Figure: host stack (OS, VMM, firmware, cloud platform, staff) marked untrusted]
Software Guard Extensions (SGX)
• New enclave processor mode
• Users can create a hardware-enforced trusted environment
• Only Intel and the SGX implementation need to be trusted
[Figure: an enclave sitting above the untrusted host stack (OS, VMM, firmware, cloud platform, staff)]

SGX: HW-enforced Security
• 18 new instructions to manage the enclave life cycle
• Enclave memory is only accessible from inside the enclave; access from the OS, VMM and SMM is forbidden
• Certain instructions are disallowed inside the enclave, e.g., syscall
• Note: the guarantee covers confidentiality and integrity of enclave memory; the untrusted OS still controls scheduling and page tables, so availability and side channels are outside this model
[Figure: control flow between untrusted and trusted code: EENTER transitions into the enclave, the enclave executes, then returns to untrusted code]
Challenge 1: Interface (library OS inside the TCB)
• Haven (OSDI'14): library operating system inside the enclave
• Small interface to the host (22 system calls); shields protect that interface
• Large TCB → more vulnerable
[Figure: application code, external libraries, C library and library OS inside the trusted container; shielding layer and host OS untrusted]

Challenge 1: Interface (minimal TCB)
• Small TCB: only a shim C library inside the enclave
• But the C library interface is complex, and therefore harder to protect
[Figure: application code, libraries and shim C library trusted; full C library and host OS untrusted]
Challenge 2: Performance
• pwrite() with 32 byte buffer
• 4 cores with hyper-threading
[Figure: system call frequency (1000s/second, log scale) vs. threads (1, 2, 4, 8): native vs. synchronous enclave exits; the synchronous-exit curve sits about 8× below native]
SCONE Architecture
• Enhanced C library → small TCB (Challenge 1)
• Asynchronous system calls and user-space M:N threading reduce the number of enclave exits (Challenge 2)
• Network and file system shields actively protect user data
[Figure: application and libraries on top of the SCONE C library (network shield, file system shield, M:N threading, asynchronous system calls); below it the SCONE kernel module, Intel SGX driver, container (cgroups) and host operating system]
Anatomy of a System Call
[Figure: enclave on the left, kernel on the right, system call slots [0] [1] [2] in between; shown as an animation, reconstructed here as steps]
1. Enclave thread T1 calls read(fd, buf, size).
2. Instead of exiting the enclave, T1 writes the request (read, fd, buf, size) into a free system call slot, [0], in memory shared with the kernel side.
3. T1 switches to a ready user-space thread, T2, which issues its own read(fd, buf, size) into another slot; the enclave keeps running without an exit.
4. A kernel-side thread S1 picks up the request from slot [0], executes the system call, and places the result in the slot.
5. When the slot is marked complete, the user-space scheduler resumes T1. The data the kernel returned is ciphertext (#2&$?%); the file system shield fetches key K1 and decrypts the buffer into the enclave, so plaintext never leaves enclave memory.
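The slot mechanism above, and the asynchronous system call interface named in the SCONE Architecture slide, as an added example. This is not SCONE's code: the slot layout, state machine, pipe-based demo and the `lying_kernel` switch are assumptions for illustration. The "enclave" thread never executes a syscall instruction; it fills a slot in shared memory, a worker thread standing in for the kernel side performs the real read(), and the copy-in step enforces that an untrusted reply cannot dictate a length larger than what was requested.

```c
/* Added example, not SCONE's own code: a minimal asynchronous system call
 * interface in the style of the slot mechanism in the slides. Names, slot
 * layout and the pipe-based demo are assumptions for illustration. */
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NSLOTS   3    /* the slides show slots [0] [1] [2] */
#define SLOT_BUF 64   /* bytes of untrusted scratch space per slot */

enum { SLOT_FREE, SLOT_CLAIMED, SLOT_REQUEST, SLOT_DONE, SLOT_SHUTDOWN };

struct slot {
    _Atomic int state;
    long nr;                      /* syscall number; only SYS_read here */
    int fd;
    size_t size;
    long result;                  /* value reported by the kernel side */
    unsigned char buf[SLOT_BUF];  /* outside the enclave, so untrusted */
};

static struct slot slots[NSLOTS];
static pthread_t worker;
static _Atomic int lying_kernel;  /* demo switch: kernel side reports a bogus length */

/* Outside the enclave: scan the slots and perform the real system calls. */
static void *syscall_worker(void *arg) {
    (void)arg;
    for (;;) {
        for (int i = 0; i < NSLOTS; i++) {
            struct slot *s = &slots[i];
            int st = atomic_load(&s->state);
            if (st == SLOT_SHUTDOWN) return NULL;
            if (st != SLOT_REQUEST) continue;
            if (s->nr == SYS_read) {
                size_t want = s->size > SLOT_BUF ? SLOT_BUF : s->size;
                ssize_t n = read(s->fd, s->buf, want);
                s->result = n < 0 ? -errno : n;
                if (atomic_load(&lying_kernel)) s->result = 4 * SLOT_BUF;
            } else {
                s->result = -ENOSYS;
            }
            atomic_store(&s->state, SLOT_DONE);   /* publishes result and buf */
        }
        sched_yield();
    }
}

/* Inside the enclave: enqueue read() and wait. Real SCONE would switch to
 * another ready user-space thread here instead of yielding in a loop. */
static ssize_t enclave_read(int fd, void *enclave_buf, size_t size) {
    struct slot *s = NULL;
    if (size > SLOT_BUF) size = SLOT_BUF;
    while (!s) {                                  /* claim a free slot */
        for (int i = 0; i < NSLOTS && !s; i++) {
            int expect = SLOT_FREE;
            if (atomic_compare_exchange_strong(&slots[i].state, &expect, SLOT_CLAIMED))
                s = &slots[i];
        }
        if (!s) sched_yield();
    }
    s->nr = SYS_read; s->fd = fd; s->size = size;
    atomic_store(&s->state, SLOT_REQUEST);
    while (atomic_load(&s->state) != SLOT_DONE) sched_yield();
    long r = s->result;
    /* Shield step: the reply comes from an untrusted OS. Copy at most what
     * was asked for, so a bogus length cannot overrun enclave memory. */
    if (r > (long)size) r = -EIO;
    if (r >= 0) memcpy(enclave_buf, s->buf, (size_t)r);
    atomic_store(&s->state, SLOT_FREE);
    if (r < 0) { errno = (int)-r; return -1; }
    return (ssize_t)r;
}

/* Demo: push constructed bytes through a pipe and read them back through the
 * slot interface. Returns bytes received, -1 if the reply was rejected,
 * -2 on setup failure or data mismatch. */
static int async_read_demo(int kernel_lies) {
    static const char msg[] = "hello from the kernel side";   /* constructed input */
    char in_enclave[SLOT_BUF] = {0};
    int pfd[2];
    if (pipe(pfd) != 0) return -2;
    if (write(pfd[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return -2;
    for (int i = 0; i < NSLOTS; i++) atomic_store(&slots[i].state, SLOT_FREE);
    atomic_store(&lying_kernel, kernel_lies);
    if (pthread_create(&worker, NULL, syscall_worker, NULL) != 0) return -2;
    ssize_t n = enclave_read(pfd[0], in_enclave, sizeof in_enclave);
    atomic_store(&slots[0].state, SLOT_SHUTDOWN);
    pthread_join(worker, NULL);
    close(pfd[0]); close(pfd[1]);
    if (n < 0) return -1;
    if (n != (ssize_t)(sizeof msg - 1) || memcmp(in_enclave, msg, (size_t)n)) return -2;
    return (int)n;
}

int main(void) {
    printf("honest kernel side: %d bytes received\n", async_read_demo(0));
    printf("lying kernel side:  %d (bogus length rejected)\n", async_read_demo(1));
    return 0;
}
```

The length check before memcpy is the part worth copying: with a synchronous syscall the kernel writes straight into the caller's buffer, but with a slot interface the enclave decides what crosses the boundary, and the untrusted side's return value must be treated as input to be validated rather than as a trusted count.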
Container Integration
[Figure: Docker client, repository, Docker engine, SCONE client and the secure enclave image]
1. The Docker client pushes the secure enclave image to the repository.
2. The Docker client issues run to the Docker engine.
3. The Docker engine pulls the image from the repository.
4. The Docker engine executes the image; the application runs inside the enclave.
5. The SCONE client establishes a secure channel to the enclave.
System Call Performance
• pwrite() with 32 byte buffer
• 4 cores with hyper-threading
[Figure: system call frequency (1000s/second, log scale) vs. threads (1 to 8) for native, async and sync; async with 1 thread achieves 80% of native, and an optimized queue may help further]
Apache Throughput
[Figure: latency (seconds, 0 to 4) vs. throughput (requests/second, 0 to 60000) for glibc, async and sync; the SCONE curves are annotated at 0.7× and 0.8× of glibc throughput]