Panoply: Low-TCB Linux Applications With SGX Enclaves

Slides:



Advertisements
Similar presentations
3.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Process An operating system executes a variety of programs: Batch system.
Advertisements

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
Chapter 4: Threads. Overview Multithreading Models Threading Issues Pthreads Windows XP Threads.
Chapter 5 Processes and Threads Copyright © 2008.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
3.5 Interprocess Communication
Threads CSCI 444/544 Operating Systems Fall 2008.
CS 3013 & CS 502 Summer 2006 Threads1 CS-3013 & CS-502 Summer 2006.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Scheduler Activations Jeff Chase. Threads in a Process Threads are useful at user-level – Parallelism, hide I/O latency, interactivity Option A (early.
CS252: Systems Programming Ninghui Li Final Exam Review.
Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
30 October Agenda for Today Introduction and purpose of the course Introduction and purpose of the course Organization of a computer system Organization.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.
Chapter 4: Multithreaded Programming. 4.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts What is Thread “Thread is a part of a program.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 4: Threads.
Operating Systems Unit 2: – Process Context switch Interrupt Interprocess communication – Thread Thread models Operating Systems.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Computer System Structures
Chapter 4 – Thread Concepts
Chapter 4: Threads Modified by Dr. Neerja Mhaskar for CS 3SH3.
Introduction to threads
Chapter 4: Threads.
Processes and threads.
Current Generation Hypervisor Type 1 Type 2.
Operating Systems Review ENCE 360.
The Mach System Sri Ramkrishna.
EnGarde: Mutually Trusted Inspection of SGX Enclaves
Chapter 9: Virtual Memory – Part I
Processes and Threads Processes and their scheduling
Protection of System Resources
Day 12 Threads.
Chapter 4 – Thread Concepts
Chapter 5: Threads Overview Multithreading Models Threading Issues
Chapter 5: Threads Overview Multithreading Models Threading Issues
Chapter 5: Threads Overview Multithreading Models Threading Issues
Chapter 4: Multithreaded Programming
Chapter 4: Threads.
Chapter 5: Threads Overview Multithreading Models Threading Issues
Chapter 4: Threads.
Chapter 4: Threads.
Chapter 2: The Linux System Part 2
Suwen Zhu, Long Lu, Kapil Singh
Light-weight Contexts: An OS Abstraction for Safety and Performance
Cloud Security 李芮,蒋希坤,崔男 2018年4月.
Light-weight Contexts: An OS Abstraction for Safety and Performance
Operating Systems Lecture 1.
Prof. Leonardo Mostarda University of Camerino
Sai Krishna Deepak Maram, CS 6410
Chapter 4: Threads.
SCONE: Secure Linux Containers Environments with Intel SGX
Shielding applications from an untrusted cloud with Haven
Chapter 5: Threads Overview Multithreading Models Threading Issues
CS510 Operating System Foundations
Operating Systems Structure
Chapter 4: Threads.
CS703 – Advanced Operating Systems
Christof Fetzer Michio Honda Kapil Vaswani TU Dresden NEC Labs
Presentation transcript:

Panoply: Low-TCB Linux Applications With SGX Enclaves Shweta Shinde Dat Le Tien Shruti Tople Prateek Saxena National University of Singapore

TCB: Hosting a Web Server Current systems have a large TCB 183 KLOC Webserver 10 MLOC 150 KLOC Operating System Hypervisor

SGX: Hardware-root of Trust RAM Web Server Enclave Other Applications Ring 3 Operating System / VMM Ring 0 - 2 EPC Trusted Untrusted

SGX: Hardware-root of Trust 183 KLOC Enclave Webserver 10 MLOC 150 KLOC Operating System Hypervisor Confidentiality and Integrity Hardware

non-application software from TCB.. ..but limits the expressiveness of the applications (e.g., no syscalls) SGX eliminates all the non-application software from TCB..

TCB & Expressiveness Trade-off LibraryOS Haven [OSDI’14] Graphene-SGX [EuroSys’14] ~1MLOC Containers Scone [OSDI’16] Ryoan [OSDI’16] ~100KLOC ? ~KLOC Syscall Threads Event Mgmt Syscall Threads Event Mgmt Fork/ exec Syscall Threads Expressiveness Syscall

Contributions Panoply Evaluation Expressiveness: All standard POSIX APIs Low TCB: 2 orders of magnitude smaller than LibraryOS Library-enclaves for fine-grained TCB Evaluation Absolute 24% and 5-10% compared to LibraryOS

Problem

Challenge I: Expressiveness vs TCB Webserver Syscalls Threading Event Handling Forking Fork Emulation Event Management Thread Handling Syscall Emulation Web Server Legacy Application Design Enclave TCB

Challenge I: Expressiveness vs. TCB

Challenge II: Multi-Enclave Applications zlib zlib Web Server libssl libevent libevent libcrypto libcrypto libssl libssl Operating System Web Server Web Server Single Enclave Application Multi-Enclave Application

Attacks on Multi-Enclave Applications session_t session; certificate_credentials_t xcred; /* Specify callback function*/ /* Initialize TLS session */ init (&session, TLS_CLIENT); certificate_set_verify_function (...); [SSL Lib] OS Set SSL Callback Webserver Enclave SSL Library Enclave

Attacks on Multi-Enclave Applications OS Webserver Enclave SSL Library Enclave Drop Spoof Replay

Our Solution: Panoply

Microns keep libc outside the enclave Panoply Runtime Microns keep libc outside the enclave Micron Enclave-bound Logic Enclave Panoply Shim Lib Trusted SGX Lib libc.so Non-enclave Logic Untrusted SGX Lib Non- Enclave Linux User-level Process

Overview Panoply E1 E1 E3 E2 E2 Source Code Programmer Annotations Compiler Instrumentation 1 Creating Enclaves 2 Panoply Application Ap E1 E3 E2 Enclave-bound Code E1 Add calls to Panoply API E2 Panoply Shim Intel SGX SDK Add Flow Checks Panoply

Challenge I: Expressiveness Delegate rather than emulate Enclave Syscalls On-demand threading Multi-processing Event Handling

Expressiveness: Panoply APIs Core Services Process Creation and Control 5 Signals 6 Timers File and Directory Operations 37 Pipes 4 C Library (Standard C) 66 I/O Port Interface and Control 40 Real-time Extensions Real-Time Signals 4 Clocks and Timers 1 Semaphores 2 Message Passing 7 Shared Memory 6 Asynchronous and Synchronous I/O 29 Memory Locking Interface Thread Extensions Thread Creation, Control, and Cleanup 17 Thread Scheduling 4 Thread Synchronization 10 Signal Delivery 2 Signal Handling 3 POSIX APIs Supported for Commodity Linux Apps

Expressiveness Example: Fork LibraryOSes emulate fork semantics Fork Semantics LibraryOS Fork Implementation Parent Process Child Process Parent Enclave Child Enclave Page Copy Page Copy OS Page Copy PID Mgmt PID Mgmt PID Mgmt OS

Expressiveness Example: Delegating Fork Creating child process and child enclave Parent Enclave Child Enclave Parent Process Child Process Panoply Fork OS PID Mgmt Child enclave has a clean memory state

Expressiveness Example: Achieving Fork Semantics Mirroring parent’s memory in child enclave After the fork call, before resuming execution Parent Enclave Child Enclave Stack Heap Data Stack Heap Data Parent Process Child Process OS Sealed Data

Expressiveness Example: Achieving Fork Semantics Mirroring parent’s memory in child enclave Full replica: default mode in Panoply Alternative strategies to full replica Copy on demand: Requires page-fault support from SGX v2 Copy on need: Replicate selected addresses which are pre-determined by static analysis

Expressiveness Example: Multi-Threading Virtual Threads TCS1 TCS2 TCS3 TCS1 TCS2 TCS3 Micron A Micron A’ Panoply Shim Panoply Shim Thread Control Manager Micron Shared Variables

Challenge II: Multi-enclave Applications

Securing Multi-Enclave Apps Enclave Identity Pair-wise Nonce OS Call Ack Enclave 1 Enclave 2 Attack Security Property Spoofing Sender / Receiver Authentication Replay Message Freshness Silent Drops Reliable Delivery

Evaluation

Benchmarks Real-world use-cases for SGX 4 apps: Tor, H2O web server, FreeTDS, OpenSSL Operating system stress testing 26 LMBench benchmarks tests 17 metrics for memory, network, signal, syscall APIs

Panoply reduces TCB by 2 orders of magnitude TCB Evaluation Panoply Graphene-SGX Component LOC Panoply Library 10425 API Wrappers 9788 Total 20213 Component LOC Glibc 1156740 libPal-LinuxSGX 16901 libPal-enclave 33103 Total 1206744 Panoply reduces TCB by 2 orders of magnitude

Performance Evaluation Create delete takes large fraction of the time Overhead increases with number of Out-Calls Panoply incurs 24% overhead App Panoply Empty Enclave Overhead (% increase) OpenSSL 3.16 2.79 13 H2O 8.79 6.56 34 FreeTDS 8.74 8.60 1 Tor 6.72 4.54 48 Average 24

Throughput Evaluation

Throughput Evaluation Overhead for SGX-apps is proportional to the size of requests

Comparison with Graphene-SGX

Comparison with Graphene-SGX Panoply performance varies by 5-10% as compared to Graphene-SGX

Conclusion TCB Panoply Expressiveness ~1MLOC Panoply ~100KLOC - 254 APIs - 20KLOC - 24%Overhead ~KLOC Syscall Threads Event Mgmt Syscall Threads Event Mgmt Fork/ exec Syscall Threads Expressiveness Syscall

Thank You ! Contact Shweta Shinde shweta24@comp.nus.edu.sg Panoply Benchmarks & Case-studies:http://shwetasshinde24.github.io/Panoply/ Thank You !

References [OSDI’ 14] A. Baumann, M. Peinado, and G. Hunt, Shielding Applications from an Untrusted Cloud with Haven [OSDI’ 16] S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O’Keeffe, M. L. Stillwell, D. Goltzsche, D. Eyers, R. Kapitza, P. Pietzuch, and C. Fetzer, SCONE: Secure Linux Containers with Intel SGX [OSDI’ 16] T. Hunt, Z. Zhu, Y. Xu, S. Peter, and E. Witchel, Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data [EuroSys’ 14] Graphene-SGX Library OS - a library OS for Linux multi-process applications, with Intel SGX support

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.