Presentation is loading. Please wait.

Presentation is loading. Please wait.

SCONE: Secure Linux Containers Environments with Intel SGX

Published by상인 경 Modified over 5 years ago

Similar presentations

Presentation on theme: "SCONE: Secure Linux Containers Environments with Intel SGX"— Presentation transcript:

1 SCONE: Secure Linux Containers Environments with Intel SGX
CS 795 Pruthvik N Narayanaswamy

2 Motivation Cloud provider does not trust users and use VMS to isolate users from each other and the host. There is only one-way protection and users must implicity trust cloud providers.     Enter containers … Benefits of low overhead, lightweight, easy deployment etc. Existing container isolation mechanisms focus on protecting the environment from untrusted containers.  Users want to protect the confidentiality and integrity of their application data from unauthorized accesses not only from containers, but also from higher-privileged system software, such as the OS kernel and the hypervisor

3 Goals Run Unmodified Linux Applications in containers in an untrusted cloud securely and with acceptable performance.

4 SGX : Software Guard Extensions
The SGX extension adds support for secure enclaves which shield application code and data from access by other software (including higher-privileged software) Inside an enclave both code and data reside in an enclave page cache(EPC) Only enclave can access enclave memory Multiple threads can operate within an enclave, each with its own 4KB thread local storage Some restrictions : syscalls not allowed inside enclaves

5 Performance Overheads ?
Privileged instructions cannot execute inside the enclave, so threads must exit the enclave to make system calls On Intel Skylake CPUs, the EPC size is between 64 and 128 MB, therefore if applications with memory requirements exceeding the size of the EPC must pay for the costly encryption and integrity protection involved in moving pages out to DRAM.

6 Challenges Challenge 1 : Interface
What should be stored in the enclave ?

7 Performance Challenge

8 Scone Architecture Enhanced C library = small TCB
Asynchronous system calls and user space threading reduce number of enclave exits  Network and file system shields actively protect user data

9 Shields A file system shied protects the confidentiality and integrity of files, with transparent authentication and encryption. A network shield ensures that all network communications use TLS, terminated inside the enclave. A console shield protects the confidentiality of data sent via the stdin, stdout, and stderr streams.

10

11

12

13

14 Async System calls

15 Integrate with Docker Does not require changes to be made to the Docker Engine or the Docker API Uses a wrapper around the Docker client, Scone client.

16 Workflow with Docker When a container instance is created from the image, a startup configuration file (SCF) is sent to it via a TLS protected network connection. The SCF contains keys to encrypt standard I/O streams, a hash of the FS protection file and its encryption key, application arguments, and environment variables.

17 Performance Benchmarks

18 Application benchmark

19 CPU Utilization

20 Application performance

21 Related Work Software protection against privileged code
Initial work such as NGSCB and Proxos executes untrusted and trusted OSs side-by side using virtualization, with security-sensitive applications hosted by the trusted OS. Subsequent work, including Overshadow, SP3, InkTag and Virtual Ghost, has focused on reducing the size of the TCB by directly protecting application memory from unauthorized OS accesses.

22 Trusted hardware Secure co-processors offer tamper-proof physical isolation and can host arbitrary functionality.  Trusted platform modules (TPM) offer tailored services for securing commodity systems. ARM TrustZone has two system personalities, secure and normal world. This split meets the needs of mobile devices in which a rich OS must be separated from the system software controlling basic operations. Intel SGX

23 References Anatomy of system call from 

24 Questions ?

Download ppt "SCONE: Secure Linux Containers Environments with Intel SGX"

Similar presentations

Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,

Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.

INTRODUCTION OS/2 was initially designed to extend the capabilities of DOS by IBM and Microsoft Corporations. To create a single industry-standard operating.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.

Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
Benefits: Increased server utilization Reduced IT TCO Improved IT agility.

Benefits: Increased server utilization Reduced IT TCO Improved IT agility.
An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko

An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko
Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.

Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
April 2000Dr Milan Simic1 Network Operating Systems Windows NT.

April 2000Dr Milan Simic1 Network Operating Systems Windows NT.
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.

Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.

Similar presentations

Ads by Google