Eleos: Exit-Less OS Services for SGX Enclaves (PowerPoint presentation, Systor 2017)


SLIDE 1

Eleos: Exit-Less OS Services for SGX Enclaves

Meni Orenbach, Marina Minkin, Pavel Lifshits, Mark Silberstein
Accelerated Computing Systems Lab, Technion, Haifa, Israel

SLIDE 2

22 May @ Systor 2017, Meni Orenbach, Technion

What do we do?

Improve the performance of I/O-intensive and memory-demanding SGX enclaves.

Why?

The cost of SGX execution for these applications is high.

How?

In-enclave system calls and user-managed virtual memory.

Results: Eleos vs vanilla SGX

2x throughput for memcached and face-verification servers, even when the working set is 5x the available enclave memory.

Available for Linux and Windows (*)
(*) Without Eleos, these applications crash in Windows enclaves.

SLIDE 3

  • Background
  • Motivation
  • Overhead analysis
  • Eleos design
  • Evaluation
SLIDE 4

SGX enclaves are already here!

  • Secured execution environment
  • Reversed sandbox (protects the enclave from the host, not the host from the enclave)
  • Small TCB
  • Private code & data
    – Confidentiality
    – Integrity
    – Freshness
  • Only the CPU is trusted

Diagram: operating system, application, enclaves inside the application.

Let's look at how to secure server applications with enclaves.

SLIDE 10

Background: Lifetime of a secured server

Untrusted (host & OS): untrusted memory, unsecured access
Trusted (enclave): dedicated SGX memory, limited to 128 MB, secured access

Host app: wait for network requests
  -> enter enclave
Enclave: decrypt requests -> process requests -> encrypt responses
  -> exit enclave
Host app: send responses

SLIDE 19

SGX enclaves should be fast

  • ISA extensions
  • Implemented in HW & firmware
  • Same CPU HW
  • In-cache execution suffers no overheads

However...
SLIDE 21

Executing a key-value store in an enclave is slower

[Chart: throughput slowdown factor vs memory footprint]
  64 MB footprint:  11x slowdown
  512 MB footprint: 34x slowdown

Crashes in Windows
SLIDE 25

Overhead analysis

Host app: wait for network requests -> enter enclave
Enclave: decrypt requests (150 cycles/32B) -> process requests (*100 cycles/32B) -> encrypt responses (*150 cycles/32B) -> exit enclave
Host app: send responses

Enclave enter and exit transitions: ~3,300 cycles and ~3,800 cycles.

Exits also cause indirect costs: 1.5x – 5x slower execution (FlexSC [OSDI'10] syscall analysis).

SLIDE 30

Eleos does better!

[Chart: throughput slowdown factor vs memory footprint, SGX vs Eleos]
  64 MB footprint:  SGX 11x, Eleos 3.5x
  512 MB footprint: SGX 34x, Eleos 5x

How does Eleos achieve this?

SLIDE 32

Eleos: Exit-less services

  • Exit-less system calls with an RPC infrastructure
  • Exit-less SGX paging
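The slides name the exit-less system-call RPC but do not show its mechanics, so here is an added C++ model of the idea (example code, not Eleos's own implementation or queue format): the enclave thread marshals a call into a slot in untrusted shared memory, a host worker thread performs the real system call and posts the result, and the enclave spins on the slot instead of executing EEXIT. The `Slot` layout, the `Op` codes, and the in-memory sink standing in for `write(2)` are assumptions made for the example. The part a practitioner should not skip is on the enclave side: arguments are copied out, the result is copied in once and then validated, because the host can return anything at all.

```cpp
// Added example, not Eleos code: exit-less system calls over a request slot in shared memory.
// The enclave thread never executes EEXIT: it marshals the call into untrusted memory, a host
// worker thread performs the real system call, and the enclave validates what comes back.
#include <algorithm>
#include <array>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <thread>

namespace rpc_demo {
enum class Op : std::uint32_t { None, Write, Shutdown };
enum class State : std::uint32_t { Free, Pending, Done };

// One RPC slot in untrusted shared memory (assumed layout). The host can read and write
// every field, so the enclave treats each of them as attacker-controlled.
struct Slot {
    std::atomic<State> state{State::Free};
    Op op = Op::None;
    std::uint32_t len = 0;
    std::array<char, 64> payload{};   // marshalled argument, copied out of the enclave
    std::int64_t result = 0;          // host-supplied return value
};

// Untrusted host worker: polls the slot and services requests. Stands in for the thread that
// would issue write(2); here it appends to an in-memory sink (constructed for the example).
class HostWorker {
public:
    explicit HostWorker(Slot& s) : slot_(s), th_([this] { loop(); }) {}
    ~HostWorker() { th_.join(); }
    std::string sink;
private:
    void loop() {
        for (;;) {
            if (slot_.state.load(std::memory_order_acquire) != State::Pending) { std::this_thread::yield(); continue; }
            bool stop = slot_.op == Op::Shutdown;
            if (!stop) {
                std::size_t n = std::min<std::size_t>(slot_.len, slot_.payload.size());
                sink.append(slot_.payload.data(), n);
                slot_.result = static_cast<std::int64_t>(n);
            }
            slot_.state.store(State::Done, std::memory_order_release);
            if (stop) return;
        }
    }
    Slot& slot_;
    std::thread th_;
};

// Enclave side: marshal in, post, spin until Done, copy the result in, validate it.
class EnclaveRpc {
public:
    explicit EnclaveRpc(Slot& s) : slot_(s) {}
    // Exit-less write(): returns the byte count the host claims to have written.
    std::int64_t write(const char* buf, std::size_t n) {
        if (n > slot_.payload.size()) throw std::length_error("rpc: argument exceeds slot");
        std::memcpy(slot_.payload.data(), buf, n);    // copy OUT to untrusted memory
        slot_.len = static_cast<std::uint32_t>(n);
        call(Op::Write);
        std::int64_t r = slot_.result;                 // copy IN once, then validate the copy
        if (r < 0 || static_cast<std::size_t>(r) > n)  // the host may lie about the result
            throw std::runtime_error("rpc: host returned an impossible write length");
        return r;
    }
    void shutdown() { call(Op::Shutdown); }
private:
    void call(Op op) {
        slot_.op = op;
        slot_.state.store(State::Pending, std::memory_order_release);  // publish the request
        while (slot_.state.load(std::memory_order_acquire) != State::Done) std::this_thread::yield();
        slot_.state.store(State::Free, std::memory_order_relaxed);
    }
    Slot& slot_;
};

// Honest host: two writes are serviced without any enclave transition. Returns bytes acknowledged.
inline std::int64_t honest_host_bytes() {
    Slot slot; HostWorker host(slot); EnclaveRpc enc(slot);
    std::int64_t total = enc.write("hello ", 6) + enc.write("eleos", 5);
    enc.shutdown();
    return host.sink == "hello eleos" ? total : -1;
}
// Hostile host: answers with an oversized length; the enclave's validation must reject it.
inline bool hostile_host_rejected() {
    Slot slot; EnclaveRpc enc(slot);
    std::thread evil([&] {
        while (slot.state.load(std::memory_order_acquire) != State::Pending) std::this_thread::yield();
        slot.result = 1 << 20;
        slot.state.store(State::Done, std::memory_order_release);
    });
    bool rejected = false;
    try { enc.write("x", 1); } catch (const std::runtime_error&) { rejected = true; }
    evil.join();
    return rejected;
}
}  // namespace rpc_demo
```

Calling `rpc_demo::honest_host_bytes()` returns 11 and `rpc_demo::hostile_host_rejected()` returns true. The release/acquire pair on `state` is what makes the payload and result visible across the two threads; a real deployment would additionally use a ring of slots and block the enclave thread instead of spinning, but the trust boundary is the same: every field of the slot is host-controlled until the enclave has copied it in and checked it.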

SLIDE 34

Background: SGX paging

System memory vs dedicated SGX memory: enclave code & data live in SGX memory, limited to 128 MB.

Enclave (trusted) executes:

    secret_foo():
        ...
        *p = 1;
        *(++p) = 2;

  • *p = 1: hardware address translation walks the page table; the page has been swapped out and sits encrypted in system memory.
  • The resulting page fault exits the enclave; the fault handler in the (untrusted) SGX driver swaps the page back in: integrity validation, then decryption into SGX memory.
  • *(++p) = 2: fast path, the page is now resident and hardware address translation succeeds with no exit.

Since SGX memory is small, paging is not as rare as in native applications. What are the overheads?

SLIDE 45

SGX paging overheads

Every access to a swapped-out page costs an enclave exit, the untrusted fault handler in the SGX driver, and an enclave resume, plus the indirect costs of the exit.

Overheads: untrusted software manages enclave memory; indirect costs of exits.

SLIDE 49

Wanted: In-enclave virtual memory management

No more exits!

SLIDE 50

Ideal in-enclave VM management

Page table and fault handler inside the enclave (trusted), with hardware address translation and no SGX driver on the path.

No available hardware supports this, so Eleos uses software address translation instead.

SLIDE 54

SUVM: Secured user-space VM

    secret_foo():
        s_ptr<int> p = suvm_malloc(1024);
        ...
        *p = 1;
        *(++p) = 2;

Template class: SecuredPointer.

  • Software address translation inside the enclave; page table and fault handler live in trusted memory.
  • *p = 1: the page is swapped out (encrypted in system memory); the in-enclave fault handler swaps it in: integrity validation, then decryption into SGX memory. The control path stays in-enclave.
  • *(++p) = 2: fast path, no page table lookup!

SLIDE 64

Wait... software-based VM management?

Based on software address translation:
  • On GPUs: ActivePointers [ISCA'2016]
SLIDE 65

SUVM key contributions

  • Multi-threaded

Compared to SGX paging:
  Fast path: up to 20% overhead
  Slow path: eliminates the cost of exits

Throughput speedup over SGX paging:

          1 thread   4 threads
  READ    5.5x       7x
  WRITE   3.5x       5.9x

SLIDE 66

Software address translation

  • Offers new optimizations:
  • Customized page size
  • Customized eviction policy
  • Multi-enclave memory coordination (cf. virtual machine ballooning)
  • Write-back only dirty pages
  • Sub-page direct access to backing store
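To make the SUVM slides concrete, here is an added C++ sketch of the mechanism (example code, not Eleos's SUVM): a `SecuredPointer`-style `s_ptr<T>` that performs software address translation against an in-enclave page table, with swapped-out pages kept encrypted and tagged in untrusted memory, a per-page version counter for freshness, and write-back of dirty pages only. The names `Suvm`, `s_ptr`, the 64-byte page size, the two-frame "EPC" budget, the round-robin eviction and the toy keyed hash (a placeholder for a real AEAD such as AES-GCM) are all assumptions made for the example; the workload of 64 ints across four pages is constructed.

```cpp
// Added example, not Eleos code: a miniature SUVM-style SecuredPointer with software paging.
// Pages live encrypted and tagged in untrusted memory; an in-enclave table maps virtual pages to a
// few trusted frames; s_ptr re-translates on every access, so no page fault or enclave exit occurs.
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
namespace suvm_demo {
constexpr std::size_t kPage = 64;    // assumed toy page size (SUVM lets the application choose it)
constexpr std::size_t kFrames = 2;   // assumed toy "EPC" budget of two resident pages
using Page = std::array<std::uint8_t, kPage>;
// Toy keyed hash for keystream and tag. Placeholder only: a real port uses an AEAD such as AES-GCM.
inline std::uint64_t toy_prf(std::uint64_t key, std::uint64_t a, std::uint64_t b, std::uint64_t c) {
    std::uint64_t h = 0xcbf29ce484222325ULL ^ key, in[3] = {a, b, c};
    for (std::uint64_t v : in)
        for (int i = 0; i < 8; ++i) { h ^= (v >> (8 * i)) & 0xffU; h *= 0x100000001b3ULL; }
    return h;
}
struct BackingPage { Page ct{}; std::uint64_t tag = 0; };  // lives in untrusted system memory

class Suvm {
public:
    Suvm(std::size_t bytes, std::uint64_t key) : key_(key), npages_((bytes + kPage - 1) / kPage),
        backing_(npages_), version_(npages_, 0), pt_(npages_, -1) { frame_vp_.fill(-1); dirty_.fill(false); }
    // Software address translation. Fast path: one lookup in the in-enclave page table.
    std::uint8_t* translate(std::size_t off, bool write) {
        std::size_t vp = off / kPage;
        if (vp >= npages_) throw std::out_of_range("suvm: offset outside allocation");
        int f = pt_[vp]; if (f < 0) f = fault_in(vp);  // slow path, handled entirely in-enclave
        if (write) dirty_[f] = true;                   // only dirty pages are written back on eviction
        return frames_[f].data() + off % kPage;
    }
    std::size_t faults() const { return faults_; }
    BackingPage& untrusted(std::size_t vp) { return backing_[vp]; }  // what a hostile host can edit
private:
    int fault_in(std::size_t vp) {
        ++faults_; int f = static_cast<int>(clock_++ % kFrames);  // assumed toy eviction policy: round robin
        if (frame_vp_[f] >= 0) evict(f);
        Page pt{};                                      // a page never swapped out starts zeroed
        if (version_[vp] > 0) {                         // swapped out before: verify, then decrypt
            const BackingPage& bp = backing_[vp];
            if (tag_for(vp, version_[vp], bp.ct) != bp.tag)
                throw std::runtime_error("suvm: backing page tampered with or rolled back");
            pt = bp.ct; crypt(vp, version_[vp], pt);
        }
        frames_[f] = pt; frame_vp_[f] = static_cast<int>(vp); dirty_[f] = false; pt_[vp] = f;
        return f;
    }
    void evict(int f) {
        std::size_t vp = static_cast<std::size_t>(frame_vp_[f]);
        if (dirty_[f]) {                                // clean page: the backing copy is still valid
            Page ct = frames_[f];
            std::uint64_t v = ++version_[vp];           // version bound into keystream and tag: freshness
            crypt(vp, v, ct);
            backing_[vp] = BackingPage{ct, tag_for(vp, v, ct)};
        }
        pt_[vp] = -1; frame_vp_[f] = -1;
    }
    void crypt(std::size_t vp, std::uint64_t ver, Page& buf) const {  // XOR with a (page, version) keystream
        for (std::size_t i = 0; i < kPage; i += 8) {
            std::uint64_t ks = toy_prf(key_, vp, ver, i);
            for (int j = 0; j < 8; ++j) buf[i + j] ^= static_cast<std::uint8_t>(ks >> (8 * j));
        }
    }
    std::uint64_t tag_for(std::size_t vp, std::uint64_t ver, const Page& ct) const {
        std::uint64_t h = toy_prf(key_, vp, ver, kPage);
        for (std::uint8_t b : ct) h = (h ^ b) * 0x100000001b3ULL;
        return h;
    }
    std::uint64_t key_; std::size_t npages_;
    std::vector<BackingPage> backing_;                          // untrusted: ciphertext + tags
    std::vector<std::uint64_t> version_; std::vector<int> pt_;  // trusted: freshness counters, page table
    std::array<Page, kFrames> frames_{}; std::array<int, kFrames> frame_vp_{};  // trusted: resident frames
    std::array<bool, kFrames> dirty_{}; std::size_t clock_ = 0, faults_ = 0;
};

template <class T> class s_ptr {  // SecuredPointer: looks like T* but re-translates on every dereference
    Suvm* vm_; std::size_t off_;
public:
    s_ptr(Suvm& vm, std::size_t off) : vm_(&vm), off_(off) {}
    T& operator*() { return *reinterpret_cast<T*>(vm_->translate(off_, true)); }
    T load() const { return *reinterpret_cast<const T*>(vm_->translate(off_, false)); }
    s_ptr& operator++() { off_ += sizeof(T); return *this; }
};

// 64 ints span 4 pages but only 2 frames exist: every page round-trips through the backing store.
inline long roundtrip(Suvm& vm) {
    s_ptr<int> p(vm, 0), q(vm, 0);
    for (int i = 0; i < 64; ++i, ++p) *p = i;
    long sum = 0; for (int i = 0; i < 64; ++i, ++q) sum += q.load();
    return sum;  // 0 + 1 + ... + 63 = 2016 after 8 in-enclave faults
}
// attack 0: honest host; 1: host flips a bit in a swapped-out page; 2: host replays an older,
// correctly tagged copy. Returns the value read back, or -1 when the swap-in was rejected.
inline int hostile_read(int attack) {
    Suvm vm(4 * kPage, 0x1234); roundtrip(vm);
    BackingPage stale = vm.untrusted(0);                         // page 0 as written out at version 1
    *s_ptr<int>(vm, 0) = 99;                                     // dirty page 0 again ...
    *s_ptr<int>(vm, kPage) = 1; *s_ptr<int>(vm, 2 * kPage) = 1;  // ... and evict it at version 2
    if (attack == 1) vm.untrusted(0).ct[3] ^= 0x80; else if (attack == 2) vm.untrusted(0) = stale;
    try { return s_ptr<int>(vm, 0).load(); } catch (const std::runtime_error&) { return -1; }
}
}  // namespace suvm_demo
```

From a `main()`, `roundtrip` on a fresh `Suvm(4 * kPage, key)` returns 2016 after exactly 8 in-enclave faults (four on the write pass, four on the read pass), `hostile_read(0)` returns 99, and both attacks return -1. Two design points carry over to any real port: the reference returned by `operator*` is only valid until the next translation that may evict its frame, which is why the pointer re-translates instead of caching a raw address; and the version counter must live in trusted memory and be bound into the tag, otherwise the host can satisfy the integrity check with an old but correctly tagged page.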

SLIDE 70

Biometric identity checking server

Face verification server and workload generator connected by a 10Gb NIC.
Each request carries a face image plus an ID; the server checks whether the image matches the stored identity.
450 MB DB (5x SGX memory)

SLIDE 71

Biometric identity validating server

[Chart: speedup compared to vanilla SGX for 1, 2 and 4 server threads; series: Eleos, Native]

Eleos scales better than vanilla SGX: it saves inter-processor interrupts.
Eleos saturates the 10Gb network.

SLIDE 75

Memcached

Workload generator (memaslap) issuing GET requests over a 10Gb NIC
Memcached running on the Graphene LibOS [Eurosys'2014]
~75 LOC modification for SUVM
500 MB DB (5.5x SGX memory)

SLIDE 76

Memcached

[Chart: speedup compared to vanilla SGX (500 MB DB) for 1 and 4 server threads; series: Eleos (500 MB DB) and vanilla SGX with a DB small enough to cause no SGX faults]

Disclaimer: Eleos+Graphene is 3x slower than native.

SLIDE 78

Takeaways

  • Eleos eliminates enclave exit costs
  • Eleos is available for Windows and Linux
    – Makes memory-demanding applications usable in Windows enclaves today
  • Eleos takes a modular approach
    – Memory-demanding app? Link to SUVM
    – I/O-intensive app? Link to RPC
    – Maintains a small TCB

SLIDE 79

Traditional SGX: Host-centric OS services

The enclave exits to the operating system for every step of a service request: get data; data unavailable; fetch data.

SLIDE 84

Eleos insight: Enclave-centric OS services

Enclave: get data -> fetch data, served by in-enclave services.

SLIDE 85

Takeaways (2)

  • Eleos adopts 'accelerator-centric management'
    – System calls: GPUfs [ASPLOS'13], GPUnet [OSDI'14]
    – Virtual memory: ActivePointers [ISCA'16]
  • We can do more!
    – Asynchronous DMA host copies
    – Non-blocking enclave launches

More information: "SGX Enclaves as Accelerators" [Systex'16]

SLIDE 86

Thank you. Code is available at:

https://github.com/acsl-technion/eleos

shmeni@tx.technion.ac.il

SLIDE 87

Backup slides