Presentation is loading. Please wait.

Presentation is loading. Please wait.

Panoply: Low-TCB Linux Applications With SGX Enclaves

Published byLucy Peters Modified over 7 years ago

Similar presentations

Presentation on theme: "Panoply: Low-TCB Linux Applications With SGX Enclaves"— Presentation transcript:

1 Panoply: Low-TCB Linux Applications With SGX Enclaves
Shweta Shinde Dat Le Tien Shruti Tople Prateek Saxena National University of Singapore

2 TCB: Hosting a Web Server
Current systems have a large TCB 183 KLOC Webserver 10 MLOC 150 KLOC Operating System Hypervisor

3 SGX: Hardware-root of Trust
RAM Web Server Enclave Other Applications Ring 3 Operating System / VMM Ring 0 - 2 EPC Trusted Untrusted

4 SGX: Hardware-root of Trust
183 KLOC Enclave Webserver 10 MLOC 150 KLOC Operating System Hypervisor Confidentiality and Integrity Hardware

5 non-application software from TCB..
..but limits the expressiveness of the applications (e.g., no syscalls) SGX eliminates all the non-application software from TCB..

6 TCB & Expressiveness Trade-off
LibraryOS Haven [OSDI’14] Graphene-SGX [EuroSys’14] ~1MLOC Containers Scone [OSDI’16] Ryoan [OSDI’16] ~100KLOC ? ~KLOC Syscall Threads Event Mgmt Syscall Threads Event Mgmt Fork/ exec Syscall Threads Expressiveness Syscall

7 Contributions Panoply Evaluation
Expressiveness: All standard POSIX APIs Low TCB: 2 orders of magnitude smaller than LibraryOS Library-enclaves for fine-grained TCB Evaluation Absolute 24% and 5-10% compared to LibraryOS

8 Problem

9 Challenge I: Expressiveness vs TCB
Webserver Syscalls Threading Event Handling Forking Fork Emulation Event Management Thread Handling Syscall Emulation Web Server Legacy Application Design Enclave TCB

10 Challenge I: Expressiveness vs. TCB

11 Challenge II: Multi-Enclave Applications
zlib zlib Web Server libssl libevent libevent libcrypto libcrypto libssl libssl Operating System Web Server Web Server Single Enclave Application Multi-Enclave Application

12 Attacks on Multi-Enclave Applications
session_t session; certificate_credentials_t xcred; /* Specify callback function*/ /* Initialize TLS session */ init (&session, TLS_CLIENT); certificate_set_verify_function (...); [SSL Lib] OS Set SSL Callback Webserver Enclave SSL Library Enclave

13 Attacks on Multi-Enclave Applications
OS Webserver Enclave SSL Library Enclave Drop Spoof Replay

14 Our Solution: Panoply

15 Microns keep libc outside the enclave
Panoply Runtime Microns keep libc outside the enclave Micron Enclave-bound Logic Enclave Panoply Shim Lib Trusted SGX Lib libc.so Non-enclave Logic Untrusted SGX Lib Non- Enclave Linux User-level Process

16 Overview Panoply E1 E1 E3 E2 E2 Source Code Programmer Annotations
Compiler Instrumentation 1 Creating Enclaves 2 Panoply Application Ap E1 E3 E2 Enclave-bound Code E1 Add calls to Panoply API E2 Panoply Shim Intel SGX SDK Add Flow Checks Panoply

17 Challenge I: Expressiveness
Delegate rather than emulate Enclave Syscalls On-demand threading Multi-processing Event Handling

18 Expressiveness: Panoply APIs
Core Services Process Creation and Control 5 Signals 6 Timers File and Directory Operations 37 Pipes 4 C Library (Standard C) 66 I/O Port Interface and Control 40 Real-time Extensions Real-Time Signals 4 Clocks and Timers 1 Semaphores 2 Message Passing 7 Shared Memory 6 Asynchronous and Synchronous I/O 29 Memory Locking Interface Thread Extensions Thread Creation, Control, and Cleanup 17 Thread Scheduling 4 Thread Synchronization 10 Signal Delivery 2 Signal Handling 3 POSIX APIs Supported for Commodity Linux Apps

19 Expressiveness Example: Fork
LibraryOSes emulate fork semantics Fork Semantics LibraryOS Fork Implementation Parent Process Child Process Parent Enclave Child Enclave Page Copy Page Copy OS Page Copy PID Mgmt PID Mgmt PID Mgmt OS

20 Expressiveness Example: Delegating Fork
Creating child process and child enclave Parent Enclave Child Enclave Parent Process Child Process Panoply Fork OS PID Mgmt Child enclave has a clean memory state

21 Expressiveness Example: Achieving Fork Semantics
Mirroring parent’s memory in child enclave After the fork call, before resuming execution Parent Enclave Child Enclave Stack Heap Data Stack Heap Data Parent Process Child Process OS Sealed Data

22 Expressiveness Example: Achieving Fork Semantics
Mirroring parent’s memory in child enclave Full replica: default mode in Panoply Alternative strategies to full replica Copy on demand: Requires page-fault support from SGX v2 Copy on need: Replicate selected addresses which are pre-determined by static analysis

23 Expressiveness Example: Multi-Threading
Virtual Threads TCS1 TCS2 TCS3 TCS1 TCS2 TCS3 Micron A Micron A’ Panoply Shim Panoply Shim Thread Control Manager Micron Shared Variables

24 Challenge II: Multi-enclave Applications

25 Securing Multi-Enclave Apps
Enclave Identity Pair-wise Nonce OS Call Ack Enclave 1 Enclave 2 Attack Security Property Spoofing Sender / Receiver Authentication Replay Message Freshness Silent Drops Reliable Delivery

26 Evaluation

27 Benchmarks Real-world use-cases for SGX
4 apps: Tor, H2O web server, FreeTDS, OpenSSL Operating system stress testing 26 LMBench benchmarks tests 17 metrics for memory, network, signal, syscall APIs

28 Panoply reduces TCB by 2 orders of magnitude
TCB Evaluation Panoply Graphene-SGX Component LOC Panoply Library 10425 API Wrappers 9788 Total 20213 Component LOC Glibc libPal-LinuxSGX 16901 libPal-enclave 33103 Total Panoply reduces TCB by 2 orders of magnitude

29 Performance Evaluation
Create delete takes large fraction of the time Overhead increases with number of Out-Calls Panoply incurs 24% overhead App Panoply Empty Enclave Overhead (% increase) OpenSSL 3.16 2.79 13 H2O 8.79 6.56 34 FreeTDS 8.74 8.60 1 Tor 6.72 4.54 48 Average 24

30 Throughput Evaluation

31 Throughput Evaluation
Overhead for SGX-apps is proportional to the size of requests

32 Comparison with Graphene-SGX

33 Comparison with Graphene-SGX
Panoply performance varies by 5-10% as compared to Graphene-SGX

34 Conclusion TCB Panoply Expressiveness
~1MLOC Panoply ~100KLOC - 254 APIs - 20KLOC - 24%Overhead ~KLOC Syscall Threads Event Mgmt Syscall Threads Event Mgmt Fork/ exec Syscall Threads Expressiveness Syscall

35 Thank You ! Contact Shweta Shinde shweta24@comp.nus.edu.sg
Panoply Benchmarks & Case-studies: Thank You !

36 References [OSDI’ 14] A. Baumann, M. Peinado, and G. Hunt, Shielding Applications from an Untrusted Cloud with Haven [OSDI’ 16] S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O’Keeffe, M. L. Stillwell, D. Goltzsche, D. Eyers, R. Kapitza, P. Pietzuch, and C. Fetzer, SCONE: Secure Linux Containers with Intel SGX [OSDI’ 16] T. Hunt, Z. Zhu, Y. Xu, S. Peter, and E. Witchel, Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data [EuroSys’ 14] Graphene-SGX Library OS - a library OS for Linux multi-process applications, with Intel SGX support

Download ppt "Panoply: Low-TCB Linux Applications With SGX Enclaves"

Similar presentations

3.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Process An operating system executes a variety of programs: Batch system.

3.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Process An operating system executes a variety of programs: Batch system.
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.

Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
Chapter 4: Threads. Overview Multithreading Models Threading Issues Pthreads Windows XP Threads.

Chapter 4: Threads. Overview Multithreading Models Threading Issues Pthreads Windows XP Threads.
Chapter 5 Processes and Threads Copyright © 2008.

Chapter 5 Processes and Threads Copyright © 2008.
Silberschatz, Galvin and Gagne  2002 5.1 Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.

3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.

Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
3.5 Interprocess Communication

3.5 Interprocess Communication
Threads CSCI 444/544 Operating Systems Fall 2008.

Threads CSCI 444/544 Operating Systems Fall 2008.
CS 3013 & CS 502 Summer 2006 Threads1 CS-3013 & CS-502 Summer 2006.

CS 3013 & CS 502 Summer 2006 Threads1 CS-3013 & CS-502 Summer 2006.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Scheduler Activations Jeff Chase. Threads in a Process Threads are useful at user-level – Parallelism, hide I/O latency, interactivity Option A (early.

Scheduler Activations Jeff Chase. Threads in a Process Threads are useful at user-level – Parallelism, hide I/O latency, interactivity Option A (early.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Silberschatz, Galvin and Gagne  2002 5.1 Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 5: Threads Overview Multithreading Models Threading Issues Pthreads Solaris.
Eric Keller, Evan Green Princeton University PRESTO 2008 8/22/08 Virtualizing the Data Plane Through Source Code Merging.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.

Similar presentations

Ads by Google