Eleos: Exit-Less OS Services for SGX Enclaves

Size: px

Start display at page:

Download "Eleos: Exit-Less OS Services for SGX Enclaves"

Brent Roberts
6 years ago
Views:

1 Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel

2 What do we do? Improve performance: I/O intensive & memory demanding SGX enclaves Why? Cost of SGX execution for these applications is high How? In-enclave System Calls & User Managed Virtual Memory 2x Results Eleos vs vanilla SGX Throughput: memcached & face verification servers Even for 5x available enclave memory Available for Linux, Windows* (*) Without Eleos, these applications crash in Windows enclaves Meni Orenbach, Technion 2

3 Background Motivation Overhead analysis Eleos design Evaluation Meni Orenbach, Technion 3

4 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Only CPU is trusted Meni Orenbach, Technion 4

5 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Only CPU is trusted Meni Orenbach, Technion 5

6 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Only CPU is trusted Meni Orenbach, Technion 6

7 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Only CPU is trusted Meni Orenbach, Technion 7

8 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Only CPU is trusted Meni Orenbach, Technion 8

9 SGX enclaves are already here! Secured execution environment Reversed sandbox Small TCB Application Enclave Enclave Private code & data Confidentiality Integrity Operating system Freshness Lets look at How to secure server applications with enclaves Only CPU is trusted Meni Orenbach, Technion 9

10 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) 22 May@Systor' 2017 Meni Orenbach, Technion 10

11 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access 22 May@Systor' 2017 Meni Orenbach, Technion 11

12 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Untrusted memory Unsecured access Dedicated SGX mem Limited to: 128 MB Secured access 22 May@Systor' 2017 Meni Orenbach, Technion 12

13 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests 22 May@Systor' 2017 Meni Orenbach, Technion 13

14 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests 22 May@Systor' 2017 Meni Orenbach, Technion 14

15 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests Enter enclave Decrypt requests 22 May@Systor' 2017 Meni Orenbach, Technion 15

network requests Enter enclave Decrypt requests

16 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests Enter enclave Decrypt requests Process requests 22 May@Systor' 2017 Meni Orenbach, Technion 16

17 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests Enter enclave Decrypt requests Process requests Encrypt responses 22 May@Systor' 2017 Meni Orenbach, Technion 17

18 Background: Lifetime of a secured server Untrusted (Host & OS) Trusted (Enclave) Host app Wait for network requests Enter enclave Decrypt requests Process requests Send responses Exit enclave Encrypt responses 22 May@Systor' 2017 Meni Orenbach, Technion 18

19 SGX enclaves should be fast ISA extensions Implemented in HW & Firmware Same CPU HW In-cache execution suffers no overheads Meni Orenbach, Technion 19

20 SGX enclaves should be fast ISA extensions Implemented in HW & Firmware Same CPU HW In-cache execution suffers no overheads However Meni Orenbach, Technion 20

21 Executing a Key-Value Store in enclave is slower 22 May@Systor' 2017 Meni Orenbach, Technion 21

22 Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 34X 11X MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 22 Memory footprint

23 Executing a Key-Value Store in enclave is slower Throughput: Slowdown factor 11X Crashes in Windows 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 23 Memory footprint 34X

24 Background Motivation Overhead analysis Eleos design Evaluation Meni Orenbach, Technion 24

25 Overhead analysis Host app Untrusted (Host & OS) Wait for network requests Enter enclave Trusted (Enclave) Decrypt requests 150 cycles/32b Process requests *100 cycles/32b Send responses Exit enclave Encrypt responses *150 cycles/32b Meni Orenbach, Technion 25

26 Overhead analysis Host app Untrusted (Host & OS) Wait for network requests Enter ~3,300 enclave cycles Trusted (Enclave) Decrypt requests 150 cycles/32b Process requests *100 cycles/32b Exit enclave Send responses Encrypt responses *150 cycles/32b Meni Orenbach, Technion 26

27 Overhead analysis Host app Untrusted (Host & OS) Wait for network requests Enter ~3,300 enclave cycles Trusted (Enclave) Decrypt requests 150 cycles/32b Process requests *100 cycles/32b Send responses Exit enclave ~3,800 cycles Encrypt responses *150 cycles/32b Meni Orenbach, Technion 27

28 Overhead analysis Host app Untrusted (Host & OS) Wait for network requests Enter ~3,300 enclave cycles Trusted (Enclave) Decrypt requests 150 cycles/32b Exits causes indirect costs: 1.5X 5X slower execution FlexSC [OSDI'10] syscall analysis Send responses Exit enclave ~3,800 cycles Process requests *100 cycles/32b Encrypt responses *150 cycles/32b Meni Orenbach, Technion 28

29 Overhead analysis Host app Untrusted (Host & OS) Wait for network requests Enter ~3,300 enclave cycles Trusted (Enclave) Decrypt requests 150 cycles/32b Exits causes indirect costs: 1.5X 5X slower execution FlexSC [OSDI'10] syscall analysis Send responses Exit enclave ~3,800 cycles Process requests *100 cycles/32b Encrypt responses *150 cycles/32b Meni Orenbach, Technion 29

30 Eleos does better! Throughput: Slowdown factor SGX Eleos 5x 3.5x 0 64 MB 512 MB 22 May@Systor' 2017 Meni Orenbach, Technion 30 Memory footprint

31 Eleos does better! Throughput: Slowdown factor SGX Eleos 5x 3.5x 64 MB 512 MB How does Eleos achieve this? 22 May@Systor' 2017 Meni Orenbach, Technion 31 Memory footprint

32 Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging Meni Orenbach, Technion 32

33 Eleos: Exit-less services Exit-less system calls with RPC infrastructure Exit-less SGX paging Meni Orenbach, Technion 33

34 Background: SGX paging System mem SGX mem Dedicated memory Enclave code & data Limited to 128 MB Meni Orenbach, Technion 34

35 Background: SGX paging Enclave Trusted System mem secret_foo():... *p = 1; SGX mem Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 35

36 Background: SGX paging Enclave Trusted System mem secret_foo():... *p = 1; SGX mem Hardware Address translation Untrusted 22 May@Systor' 2017 Meni Orenbach, Technion 36

37 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; Hardware Address translation System mem SGX mem Page table Untrusted Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 37

38 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; Hardware Address translation System mem SGX mem Page table Encrypted Untrusted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 38

39 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; Hardware Address translation System mem SGX mem Page table SGX-driver Untrusted Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 39

40 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; Hardware Address translation System mem SGX mem Decrypted Page table Integrity validation SGX-driver Untrusted Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 40

41 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Page table SGX driver Untrusted Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 41

42 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Fast path Page table SGX driver Untrusted Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 42

43 Background: SGX paging Enclave Trusted Fast path secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation Page table System mem SGX mem Decrypted SGX driver Untrusted Fault handler Encrypted Since SGX memory is small paging is not as rare as in native applications What are the overheads? 22 May@Systor' 2017 Meni Orenbach, Technion 43

44 Background: SGX paging Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Page table SGX driver Untrusted Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 44

45 SGX paging overheads Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Enclave exit SGX driver Untrusted Page table Fault handler Enclave resume Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 45

46 SGX paging overheads Enclave Trusted Indirect costs secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Enclave exit SGX driver Untrusted Page table Fault handler Enclave resume Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 46

47 SGX paging overheads Enclave Trusted Indirect costs secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Enclave exit Page table Fault handler SGX driver Untrusted Overaheads: Untrusted software manages enclave memory Enclave resume Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 47

48 SGX paging overheads Enclave Trusted Indirect costs secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Decrypted Enclave exit Page table Fault handler SGX driver Untrusted Overaheads: Untrusted software manages enclave memory Enclave resume Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 48

49 Wanted: In-enclave virtual memory management No more exits! Meni Orenbach, Technion 49

50 Ideal in-enclave VM management Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Page table SGX driver Untrusted Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 50

51 Ideal in-enclave VM management Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation System mem SGX mem Page table Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 51

52 Ideal in-enclave VM management Enclave Trusted No available hardware secret_foo():... *p = 1; *(++p) = 2; Hardware Address translation Page table System mem SGX mem Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 52

53 Ideal in-enclave VM management Enclave Trusted secret_foo():... *p = 1; *(++p) = 2; Hardware Software Address translation System mem SGX mem Page table Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 53

54 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = System mem suvm_malloc(1024);... *p = 1; SGX mem Software Address translation Page table Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 54

55 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = System mem suvm_malloc(1024);... *p = 1; SGX mem Software Address translation Template class: SecuredPointer. Page table Fault handler 22 May@Systor' 2017 Meni Orenbach, Technion 55

56 SUVM: Secured user-space VM Enclave Trusted Template class: SecuredPointer. secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; Software Address translation Page table System mem SGX mem Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 56

57 SUVM: Secured user-space VM Enclave Trusted Template class: SecuredPointer. secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; Software Address translation Page table System mem SGX mem Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 57

58 SUVM: Secured user-space VM Enclave Trusted Template class: SecuredPointer. secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; Software Address translation Page table System mem SGX mem Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 58

59 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; Software Address translation System mem SGX mem Decrypted Template class: SecuredPointer. Page table Integrity validation Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 59

60 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; Software Address translation System mem SGX mem Decrypted Template class: SecuredPointer. Page table Integrity validation Control path in-enclave Fault handler Encrypted Swapped-out 22 May@Systor' 2017 Meni Orenbach, Technion 60

61 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; *(++p) = 2; Software Address translation System mem SGX mem Decrypted Page table Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 61

62 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; *(++p) = 2; Software Address translation System mem SGX mem Decrypted Page table Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 62

63 SUVM: Secured user-space VM Enclave Trusted secret_foo(): s_ptr<int> p = suvm_malloc(1024);... *p = 1; *(++p) = 2; Software Address translation System mem SGX mem Decrypted Fast path No page table Lookup! Page table Fault handler Encrypted 22 May@Systor' 2017 Meni Orenbach, Technion 63

64 Wait...Software based VM management? Based on software address translation on GPUs, ActivePointers [ISCA'2016] Meni Orenbach, Technion 64

65 SUVM key contributions Multi-threaded Compared to SGX: Fast path: up to 20% overheads Slow path: Eliminates costs of exits 1 Thread 4 Threads READ 5.5x 7x WRITE 3.5x 5.9x Throughput speedup 22 May@Systor' 2017 Meni Orenbach, Technion 65

66 Software address translation offers new optimizations Customized page size Customized eviction policy Multi-enclave memory coordination Write-back only dirty pages Sub-page direct access to backing store Meni Orenbach, Technion 66

67 Software address translation offers new optimizations Customized page size Customized eviction policy Virtual Machine ballooning Multi-enclave memory coordination Write-back only dirty pages Sub-page direct access to backing store Meni Orenbach, Technion 67

68 Software address translation offers new optimizations Customized page size Customized eviction policy Virtual Machine ballooning Multi-enclave memory coordination Write-back only dirty pages Sub-page direct access to backing store Meni Orenbach, Technion 68

69 Background Motivation Overhead analysis Eleos design Evaluation Meni Orenbach, Technion 69

70 Biometric Identity checking server Workload generator Face verification server + ID 10Gb NIC 22 May@Systor' 2017 Meni Orenbach, Technion 70? = 450MB DB (5X SGX mem)

71 Biometric Identity validating server Speedup compared to vanilla SGX Eleos Native May@Systor' 2017 Meni Orenbach, Technion 71 Server threads

72 Biometric Identity validating server Speedup compared to vanilla SGX Eleos Native May@Systor' 2017 Meni Orenbach, Technion 72 Server threads

73 Biometric Identity validating server Speedup compared to vanilla SGX Eleos Native Eleos scales better than vanilla-sgx: Saves inter-processor-interrupts May@Systor' 2017 Meni Orenbach, Technion 73 Server threads

74 Biometric Identity validating server Speedup compared to vanilla SGX Eleos Native Eleos scales better than vanilla-sgx: Saves inter-processor-interrupts May@Systor' 2017 Meni Orenbach, Technion 74 Server threads Saturate 10Gb network

75 Memcached Workload Generator (memaslap) Memcached Graphene LibOS [Eurosys'2014] 10Gb NIC GET( ) ~75 LOC modification for SUVM 500MB DB (5.5X SGX mem) 22 May@Systor' 2017 Meni Orenbach, Technion 75

76 Memcached 3 Speedup compared to vanilla SGX (500 MB) Eleos (500MB DB) vanilla SGX (20MB DB) No SGX Faults No SGX Faults 0 1 Thread 4 Threads 22 May@Systor' 2017 Meni Orenbach, Technion 76 Server threads

77 Memcached 3 Speedup compared to vanilla SGX (500 MB) Eleos (500MB DB) vanilla SGX (20MB DB) No SGX Faults No SGX Faults 0 1 Thread 4 Threads Disclaimer: Eleos+Graphene is 3x slower than native Server threads 22 May@Systor' 2017 Meni Orenbach, Technion 77

78 Take aways Eleos eliminates enclave exits costs Eleos available for Windows and Linux Makes memory demanding applications available on Windows today Eleos takes a modularize approach Memory demanding app? Link to SUVM I/O intensive app? Link to RPC Maintaining small TCB 22 May@Systor' 2017 Meni Orenbach, Technion 78

79 Traditional SGX: Host-centric OS services Enclave Operating System Meni Orenbach, Technion 79

80 Traditional SGX: Host-centric OS services Enclave Get data Operating System Meni Orenbach, Technion 80

81 Traditional SGX: Host-centric OS services Enclave Get data Data Unavailable Operating System Meni Orenbach, Technion 81

82 Traditional SGX: Host-centric OS services Enclave Get data Data Unavailable Fetch data Operating System Meni Orenbach, Technion 82

83 Traditional SGX: Host-centric OS services Enclave Get data Data Unavailable Fetch data Operating System Meni Orenbach, Technion 83

84 Eleos Insight: Enclave-centric OS services Enclave Get data Fetch data In-enclave Services Meni Orenbach, Technion 84

85 Take aways (2) Eleos adapts 'accelerator-centric management' System calls: GPUfs [ASPLOS'13], GPUnet [OSDI'14] Virtual memory: ActivePointers [ISCA'16] We can do more! Asynchronous DMA host copies Non-blocking enclave launches More information at: SGX Enclaves as Accelerators" [Systex'16] Meni Orenbach, Technion 85

86 Thank you Code is available at: Meni Orenbach, Technion 86

87 Backup slides Meni Orenbach, Technion 87

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)