eleos exit less os services for sgx enclaves
play

Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina - PowerPoint PPT Presentation

Feb 29, 2024 •145 likes •1.02k views

Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel What do we do? Improve performance: I/O intensive & memory demanding SGX enclaves

  1. Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel

  2. What do we do? Improve performance: I/O intensive & memory demanding SGX enclaves Why? Cost of SGX execution for these applications is high How? In-enclave System Calls & User Managed Virtual Memory Results Eleos vs vanilla SGX 2x Throughput: memcached & face verification servers Even for 5x available enclave memory Available for Linux, Windows* (*) Without Eleos, these applications crash in Windows enclaves 22 May@Systor' 2017 Meni Orenbach, Technion 2

  3. ● Background ● Motivation ● Overhead analysis ● Eleos design ● Evaluation 22 May@Systor' 2017 Meni Orenbach, Technion 3

  4. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 4

  5. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 5

  6. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 6

  7. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 7

  8. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted 22 May@Systor' 2017 Meni Orenbach, Technion 8

  9. SGX enclaves are already here! ● Secured execution environment ● Reversed sandbox Application Enclave Enclave ● Small TCB ● Private code & data – Confidentiality Operating system – Integrity – Freshness ● Only CPU is trusted Lets look at How to secure server applications with enclaves 22 May@Systor' 2017 Meni Orenbach, Technion 9

  10. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) 22 May@Systor' 2017 Meni Orenbach, Technion 10

  11. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access 22 May@Systor' 2017 Meni Orenbach, Technion 11

  12. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access Dedicated SGX mem Limited to: 128 MB Secured access 22 May@Systor' 2017 Meni Orenbach, Technion 12

  13. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Wait for network app requests 22 May@Systor' 2017 Meni Orenbach, Technion 13

  14. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Wait for network app requests 22 May@Systor' 2017 Meni Orenbach, Technion 14

  15. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests 22 May@Systor' 2017 Meni Orenbach, Technion 15

  16. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests 22 May@Systor' 2017 Meni Orenbach, Technion 16

  17. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests Encrypt responses 22 May@Systor' 2017 Meni Orenbach, Technion 17

  18. Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host Enter Wait for network app enclave Decrypt requests requests Process requests Exit enclave Encrypt responses Send responses 22 May@Systor' 2017 Meni Orenbach, Technion 18

  19. SGX enclaves should be fast ● ISA extensions ● Implemented in HW & Firmware ● Same CPU HW ● In-cache execution suffers no overheads 22 May@Systor' 2017 Meni Orenbach, Technion 19

  20. SGX enclaves should be fast ● ISA extensions ● Implemented in HW & Firmware ● Same CPU HW ● In-cache execution suffers no overheads However... 22 May@Systor' 2017 Meni Orenbach, Technion 20

  21. Executing a Key-Value Store in enclave is slower 22 May@Systor' 2017 Meni Orenbach, Technion 21

  22. Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 40 35 34X 30 25 20 15 11X 10 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 22 Memory footprint

  23. Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 40 35 34X Crashes 30 in Windows 25 20 15 11X 10 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 23 Memory footprint

  24. ● Background ● Motivation ● Overhead analysis ● Eleos design ● Evaluation 22 May@Systor' 2017 Meni Orenbach, Technion 24

  25. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Enter app enclave Wait for network Decrypt requests requests 150 cycles/32B Process requests *100 cycles/32B Exit enclave Encrypt responses Send responses *150 cycles/32B 22 May@Systor' 2017 Meni Orenbach, Technion 25

  26. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Process requests *100 cycles/32B Exit Exit enclave enclave Encrypt responses Send responses *150 cycles/32B 22 May@Systor' 2017 Meni Orenbach, Technion 26

  27. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Process requests *100 cycles/32B Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 27

  28. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Exits causes indirect costs: Process requests 1.5X – 5X slower execution *100 cycles/32B FlexSC [OSDI'10] syscall analysis Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 28

  29. Overhead analysis Untrusted (Host & OS) Trusted (Enclave) Host Host Enter Enter app app enclave enclave Wait for network Decrypt requests ~3,300 requests 150 cycles/32B cycles Exits causes indirect costs: Process requests 1.5X – 5X slower execution *100 cycles/32B FlexSC [OSDI'10] syscall analysis Exit Exit enclave enclave Encrypt responses Send responses ~3,800 *150 cycles/32B cycles 22 May@Systor' 2017 Meni Orenbach, Technion 29

  30. Eleos does better! Throughput: Slowdown factor 40 SGX Eleos 35 30 25 20 5x 15 10 3.5x 5 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 30 Memory footprint

  31. Eleos does better! Throughput: Slowdown factor 40 SGX Eleos 35 30 25 20 5x 15 10 3.5x 5 0 64 MB 512 MB How does Eleos achieve this? 22 May@Systor' 2017 Meni Orenbach, Technion 31 Memory footprint

  32. Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging 22 May@Systor' 2017 Meni Orenbach, Technion 32

  33. Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging 22 May@Systor' 2017 Meni Orenbach, Technion 33

  34. Background: SGX paging System mem SGX mem Dedicated memory Enclave code & data Limited to 128 MB 22 May@Systor' 2017 Meni Orenbach, Technion 34

  35. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 35

  36. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 36

  37. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Encrypted Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 37

  38. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Encrypted Untrusted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 38

  39. Background: SGX paging Enclave System mem Trusted secret_foo(): ... *p = 1; SGX mem Hardware Address translation Page table Fault Encrypted SGX-driver handler Untrusted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1 Research Statement: Enclaves are accelerators for secured execution Accelerator system services and Abstractions can be retrofitted Inspire

297 views • 28 slides
Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms 2 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms

1.06k views • 18 slides
I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION TIME! WE NEED TO SETTLE ON A PROPOSED ACTION Follow-up from June 7 th Public Informational Meeting EXIT 7 Exit 7 Relocated Interchange EXIT 6

253 views • 23 slides
Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and make it grow. But they often neglect the need for Exit Planning in their Business. In absence of Exit Strategy, they often forget that the decisions

247 views • 11 slides
Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able

Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able

Start Up to Successful Exit Lee Benson, CEO A B L E A E R O S P A C E S E R V I C E S Able History Aerospace unit founded in 1982 Purchased by CEO in 1993 with 3 employees Able Engineering and Component Services Inc.:

535 views • 34 slides
Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

The Exit Planning Executive Briefing Presented by Geoffrey S. Gallo, ChFC, CExP TR Moore & Company, PC Member of Business Enterprise Institutes Network Of Exit Planning Professionals Story Agenda Exit Planning Collaboration

590 views • 37 slides
AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90 New hospital located at 9801 Frontier Ave. SE, off of I-90, Exit 25. NEW HOSPITAL FEATURES We will have more space to deliver the services our

328 views • 13 slides
AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90

AFFILIATION UPDATE New 70,000 sq. ft. hospital opening in 2015 NEW HOSPITAL SITE Exit 25 I-90 New hospital located at 9801 Frontier Ave. SE, off of I-90, Exit 25. NEW HOSPITAL FEATURES We will have more space to deliver the services our

616 views • 14 slides
Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct contrast to the modular nature of the Briton 560 - 570 Series, the Features & Benefits long established Briton 376 Series is supplied as a

182 views • 7 slides
Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases today! What is an Exit Plan? Exit Planning is business strategy. Exit Planning builds, harvests and Personal Goals preserves wealth while

598 views • 36 slides
Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A

Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A

Exit Counseling SPRING 2018 M I D D L E B U R Y I N S T I T U T E O F I N T E R N A T I O N A L S T U D I E S STUDENT FINANCIAL SERVICES Agenda Loan types and interest rates Grace periods Repaying your student loans Repayment

481 views • 45 slides
J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

f17 d b lJ t fJ fr u 9 J9r @ J J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19 INTERCHANGE AREA MANAGEMENT PLANS lAMP ODors Mission Provide a safe efficient transportation system that

422 views • 10 slides
Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a one-day writing event for seniors. The first round of writing events will occur during the winter Keystone testing period. Senior Exit Project

500 views • 12 slides
Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan

Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan

Fair Computation using Enclaves and Shared Ledger Rohit Sinha , Siva Gaddam, and Ranjit Kumaresan Open Source Enclaves Workshop 2019 Transparent Mint Transparent Mint Alice Mint Transparent Mint Merchant ID Date Amount Alice 2014-06-03

825 views • 65 slides
MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

Damian Barabonkov MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big Ideas Paper Feedback Motivation of MI6 Threat Model Implementation Performance Analysis

383 views • 24 slides
Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes

629 views • 34 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA

Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA

Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA What constitutes an identity? Your public key PK Your biometric Email ID abc@gmail.com z x How about where you are? y

696 views • 42 slides
An Upgrading Algorithm with Optimal Power Law Or Ordentlich 1 Ido Tal 2 1 Hebrew University 2

An Upgrading Algorithm with Optimal Power Law Or Ordentlich 1 Ido Tal 2 1 Hebrew University 2

An Upgrading Algorithm with Optimal Power Law Or Ordentlich 1 Ido Tal 2 1 Hebrew University 2 Technion 1 / 14 Big picture first In this talk: An upgrading algorithm for channels with non-binary input Optimal power law Achieved by

177 views • 14 slides
Sequential Importance Resampling (SIR) Particle Filter 1. Algorithm particle_filter ( S t-1 , u t

Sequential Importance Resampling (SIR) Particle Filter 1. Algorithm particle_filter ( S t-1 , u t

Particle Filters++ Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox, Probabilistic Robotics Sequential Importance Resampling (SIR) Particle Filter 1. Algorithm particle_filter ( S t-1 , u t , z t ): 2. S , 0 =

358 views • 14 slides
lecture 10 - cubic curves - cubic splines - bicubic surfaces We want to define smooth curves:

lecture 10 - cubic curves - cubic splines - bicubic surfaces We want to define smooth curves:

lecture 10 - cubic curves - cubic splines - bicubic surfaces We want to define smooth curves: - for defining paths of cameras or objects - for defining 1D shapes of objects We want to define smooth surfaces too. Parametric Equation of a

948 views • 48 slides
Specialization investments and market power in the underwriting market for municipal bonds.

Specialization investments and market power in the underwriting market for municipal bonds.

Specialization investments and market power in the underwriting market for municipal bonds. Dario Cestau IE Business School Heat map top 7-12 underwriters of school bonds Actual Theoretical Why are underwriters segmented by state? Part

434 views • 9 slides
VIDEO CONFERENCING MISSION HALL Level%2% Level%3% Level%4% Level%1%

VIDEO CONFERENCING MISSION HALL Level%2% Level%3% Level%4% Level%1%

VIDEO CONFERENCING MISSION HALL Level%2% Level%3% Level%4% Level%1% Check&back&end& se@ngs& Check&cables& Check&TMS& se@ngs& Bu1on&push& Check&cables& Further&tes;ng/

584 views • 39 slides
LSTM: A Search Space Odyssey Klaus Greff, Rupesh K. Srivastava, Jan Koutn k, Bas R.

LSTM: A Search Space Odyssey Klaus Greff, Rupesh K. Srivastava, Jan Koutn k, Bas R.

LSTM: A Search Space Odyssey Klaus Greff, Rupesh K. Srivastava, Jan Koutn k, Bas R. Steunebrink, Ju rgen Schmidhuber, 2015. Presenter: Yijun Tian, Zhenyu Liu Abstract In this paper, the authors analyze performance of LSTM and its

758 views • 10 slides

More recommend