scone s ecure linux con tainer e nvironments with intel
play

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. - PowerPoint PPT Presentation

Aug 25, 2022 •284 likes •820 views

SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth , and A. Martin, Technische Universitt Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College

  1. SCONE: S ecure Linux Con tainer E nvironments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth , and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College London; D. Goltzsche, Technische Universität Braunschweig; D. Eyers, University of Otago; R. Kapitza, Technische Universität Braunschweig; P. Pietzuch, Imperial College London; C. Fetzer, Technische Universität Dresden thomas.knauth@tu-dresden.de 1

  2. Trust Issues: The Provider’s Perspective • Cloud provider does not trust Redis users OS • Use virtual machines to isolate users from each other and the VMM trusted host Firmware • VMs only provide one way Cloud platform protection Staff … 2

  3. Trust Issues: The User’s Perspective Redis • Users trust their application • Users must implicitly trust the OS cloud provider VMM untrusted • Existing applications implicitly Firmware assume trusted operating Cloud platform system Staff … 3

  4. Containers are the new VMs • Containers provide resource isolation and bundling • Smaller resource overhead than virtual machines • Convenient tooling to create and deploy applications in the cloud 4

  5. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 5

  6. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 6

  7. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 7

  8. Disaster! OS VMM untrusted Firmware Cloud platform Staff … 8

  9. We want to … OS VMM untrusted Firmware Cloud platform Staff … 9

  10. We want to … • run unmodified Linux applications … OS VMM untrusted Firmware Cloud platform Staff … 9

  11. We want to … • run unmodified Linux applications … • in containers … OS VMM untrusted Firmware Cloud platform Staff … 9

  12. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware Cloud platform Staff … 9

  13. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware • securely and … Cloud platform Staff … 9

  14. We want to … • run unmodified Linux applications … • in containers … OS VMM • in an untrusted cloud … untrusted Firmware • securely and … Cloud platform • with acceptable performance Staff … 9

  15. Secure Guard Extensions Enclave New enclave processor mode • Users can create a HW- • OS enforced trusted environment VMM untrusted Firmware Only trust Intel and Secure • Guard Extensions (SGX) Cloud platform implementation Staff … 10 10

  16. SGX: HW-enforced Security untrusted trusted • 18 new instructions to manage Execute enclave life cycle … Return • Enclave memory only … accessible from enclave EENTER … • Certain instructions privileged access from disallowed, e.g., syscall OS, VMM, SMM forbidden 11

  17. Challenge 1: Interface Library OS inside TCB Application Code • Haven (OSDI’14): library External container interface trusted operating system in enclave Libraries • Large TCB → more vulnerable C Library Library OS • Small interface (22 system calls) untrusted Shielding layer • Shields protect the interface Host OS 12

  18. Challenge 1: Interface Minimal TCB Application Code Libraries • Small TCB Shim C Library • C library interface is complex • Harder to protect C Library Host OS 13

  19. Challenge 2: Performance native system call frequency 
 10000 (1000s/second) synchronous enclave exits 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 4 8 Threads 14

  20. Challenge 2: Performance native system call frequency 
 10000 (1000s/second) 8 × synchronous enclave exits 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 4 8 Threads 14

  21. SCONE Architecture Application Libraries SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  22. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) SCONE C library SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  23. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) M:N threading • Asynchronous system calls SCONE C library and user space threading reduce number of enclave Asynchronous system calls exits (Challenge 2) SCONE module Intel SGX driver Container (cgroups) Host operating system 15

  24. SCONE Architecture Application • Enhanced C library → small Libraries TCB (Challenge 1) Network shield File system shield M:N threading • Asynchronous system calls SCONE C library and user space threading reduce number of enclave Asynchronous system calls exits (Challenge 2) • Network and file system SCONE module Intel SGX driver shields actively protect user Container (cgroups) data Host operating system 15

  25. Anatomy of a System Call enclave kernel 16

  26. Anatomy of a System Call T1 read(fd, buf, size) read, fd, buf, size enclave kernel [0] [1] [2] system call slots 17

  27. Anatomy of a System Call T1 S1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [1] [2] system call slots 18

  28. Anatomy of a System Call T1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [0] [1] [2] system call slots 19

  29. Anatomy of a System Call T1 read(fd, buf, size) enclave kernel read, fd, buf, size [0] [1] [2] system call slots 19

  30. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel read, fd, buf, size [0] [1] [2] system call slots 19

  31. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [1] [2] system call slots 19

  32. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 19

  33. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel read, fd, buf, size [0] [2] [1] [2] read, fd, buf, size system call slots 19

  34. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  35. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  36. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size switch to ready enclave user space thread kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  37. Anatomy of a System Call T2 T1 read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  38. Anatomy of a System Call GET K1 T2 T1 decrypt buffer into enclave read(fd, buf, size) read(fd, buf, size) read, fd, buf, size enclave kernel #2&$?% [0] read, fd, buf, size [0] [1] [2] read, fd, buf, size system call slots 20

  39. Container Integration Repository Docker Engine SCONE Client Secure Enclave Image Docker Client 21

  40. Container Integration Repository Docker Engine 1. push image SCONE Client Secure Enclave Image Docker Client 21

  41. Container Integration Repository Docker Engine 2. run 1. push image SCONE Client Secure Enclave Image Docker Client 21

  42. Container Integration 3. pull image Repository Docker Engine 2. run 1. push image SCONE Client Secure Enclave Image Docker Client 21

  43. Container Integration 3. pull image Repository Docker Engine 2. run 4. execute 1. push image SCONE Client Secure Enclave Image Docker Client 21

  44. Container Integration 3. pull image Repository Docker Engine 2. run 4. execute 1. push image 5. secure channel SCONE Client Secure Enclave Image Docker Client 21

  45. System Call Performance native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  46. System Call Performance async with 1 thread achieves 80% native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  47. System Call Performance async with 1 thread optimized queue achieves 80% may help native System call frequency 
 10000 (1000s/second) async sync 100 • pwrite() with 32 byte buffer • 4 cores with hyper threading 1 1 2 3 4 5 6 7 8 Threads 22

  48. Apache Throughput sync 4 async glibc Latency (seconds) 3 2 0.7 × 1 0.8 × 0 0 15000 30000 45000 60000 Throughput (requests / second) 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides
Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2

Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2

Specifications Platform OS CPU #Cores MacBook Air OS X 10.9.2 1.7 GHz Intel Core i7 2 Linux Desktop Ubuntu 13.10 3.4 GHz Intel Core i7 4 Titan Cray Linux 16 2.2GHz AMD Opteron 6274 (Interlagos) Supada (ORNL) Geant4 Multithreading

61 views • 5 slides
service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

Introduction to Cache Quality of service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem definition Existing techniques Why use Kernel QOS framework Intel Cache qos support Kernel

1.5k views • 32 slides
Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel

Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel

Linux Driver for APIC Authors: Berkley Shands, John DeHart, Rezwani Kabir Linux Kernel versions 2.2.X (user mode only) 2.3.99-pre6 (stable) 2.4.0-test1 (intel/alpha with patches) 2.4.0-test2 (intel only) Linux Driver

74 views • 4 slides
Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer

Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer

Linux - the future for drones Lucas De Marchi, Intel ELCE 2015 Who am I Software developer Contributed to several open source projects throughout the Linux stack Recently joined projects under the Dronecode Linux maintainer for

583 views • 39 slides
Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center

Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center

Intel GFX CI Doing validation the Linux Way Martin Peres - Intels Open Source Graphics Center Feb 2 nd 2019 1 Agenda Linuxs unique development model How to prevent regressions from getting in? Case study: Intel GFX CI

467 views • 22 slides
Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open

Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open

Linux Suspend/Resume at the Speed of Light Len Brown, Principal Engineer, Intel Open Source Technology Center 19-Aug, 2015 LinuxCon North America/Linux Plumbers Conference Seattle, WA 1 Acknowledgements Todd Brandt

613 views • 39 slides
SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen <

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen <

SGX Upstreaming Story Linux Plumbers Conference 2019 Jarkko Sakkinen < jarkko.sakkinen@linux.intel.com > First, a little bit of history Skylake 2015 First attempt 2016/04/25: Only Intel blessed enclaves :(

707 views • 15 slides
Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com http://01.org/powertop 1 About Experiment 2 About Experiment Software Ubuntu 13.10: Includes Ubuntu Linux Kernel 3.11.0-12.19. Based on upstream Linux Kernel

463 views • 20 slides
Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org

Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org

Linux multi-core scalability Oct 2009 Andi Kleen Intel Corporation andi@firstfloor.org Overview Scalability theory Linux history Some common scalability trouble-spots Application workarounds Motivation CPUs still getting faster

327 views • 22 slides
Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com

Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com

Industrial I/O Subsystem: The Home of Linux Sensors Daniel Baluta Intel daniel.baluta@intel.com October 5, 2015 Daniel Baluta (Intel) Industrial I/O October 5, 2015 1 / 29 Why Industrial I/O? past - industrial process control or scientific

679 views • 29 slides
Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

1 Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as an open-source ("free") alternative by Linux Torvalds and several others starting in 1991 Originally only for Intel based processors

785 views • 16 slides
JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux

JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux

JavaScript* Meets Zephyr OS Sakari Poussa @spoussa Intel Zephyr is a trademark of the Linux Foundation. *Other names and brands may be claimed as the property of others. Outline Why JavaScript* Architecture Arduino 101* Port Building

244 views • 21 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux

Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux

Zephyr Power Management Ramesh Thomas OTC, Intel Zephyr is a trademark of the Linux Foundation. *Other names and brands may be claimed as the property of others. Agenda Why Power Management? The core concepts behind Zephyr RTOS PM Power

487 views • 34 slides
An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms

An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms

An An An Anal alysi ysis s of of Con ontain tainer er-based based Pl Plat atforms forms for or NFV FV Sriram Natarajan, Deutsche Telekom Inc. Ramki Krishnan, Dell Inc. Anoop Ghanwani, Dell Inc. Dilip Krishnaswamy, IBM Research

154 views • 14 slides
Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor,

Clemmys Towards Secure Remote Execution in FaaS Bohdan Trach , Oleksii Oleksenko, Franz Gregor, Pramod Bhatotia, Christof Fetzer ACM SYSTOR 2019 FaaS Paradigm of Cloud Computing Function Runtime Guest OS Function Hypervisor Host OS FaaS

1.34k views • 98 slides
Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel

Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel

Tennessee Nursing Facility Case Mix Rate Setting Training May 21, 2018 Presented by: Daniel Brendel Kevin Londeen, CPA CONTACT INFORMATION Myers and Stauffer 700 W. 47 th Street, Suite 1100 Kansas City, MO 64112 PH: (800) 374-6858 Email:

1.17k views • 91 slides
From Offline Long-Run to Online Short-Run: Exploring A New Approach of Hybrid Systems Model

From Offline Long-Run to Online Short-Run: Exploring A New Approach of Hybrid Systems Model

From Offline Long-Run to Online Short-Run: Exploring A New Approach of Hybrid Systems Model Checking for MDPnP Tao Li*, Qixin Wang*, Feng Tan*, Lei Bu, Jian-nong Cao*, Xue Liu, Yufei Wang*, Rong Zheng *The Hong Kong Polytechnic Univ. CPS Week

1.04k views • 66 slides
Perioperative Care in OSA Surgery Disclosures Apnicure Minor stock holder sleep apnea device

Perioperative Care in OSA Surgery Disclosures Apnicure Minor stock holder sleep apnea device

Perioperative Care in OSA Surgery Disclosures Apnicure Minor stock holder sleep apnea device Siesta Medical Minor stock holder sleep apnea device Patent Pending 61/624,105 Sinus diagnostics and therapeutics Andrew N. Goldberg, MD,

87 views • 8 slides
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko ,

SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko , Sergei Arnautov , Bohdan Trach , Pramod Bhatotia * , Pascal Felber , Christof Fetzer TU Dresden, * The University of Edinburgh,

1.51k views • 87 slides
EndBox: Scalable M iddlebox Functions Using Client-Side Trusted Execution Image CC-BY-SA

EndBox: Scalable M iddlebox Functions Using Client-Side Trusted Execution Image CC-BY-SA

Institute of Operating Systems and Computer Networks EndBox: Scalable M iddlebox Functions Using Client-Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rsch, 1 Manuel Nieke, 1 Sbastien Vaucher, 2 Nico Weichbrodt, 1

630 views • 46 slides
E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20

E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20

E Actors: an actor-based programming framework for Intel SGX Dr.-Eng. V. A. Sartakov 01.02.2x20 Imperial College London Plan Why do we need another framework? The framework Fundamentals Messaging System Components Benchmark Examples

527 views • 38 slides
Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING

Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING

Canadian Society of Internal Medicine Annual Meeting 2018 Banff, AB MEDICAL ASSISTANCE IN DYING (MAID) Dr. Kim Wiebe WRHA & CAMAP CSIM Annual Meeting 2018 The following presentation represents the views of the speaker at the time of the

397 views • 28 slides

More recommend