Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
SCONE: Secure Linux Container Environments
with Intel SGXS. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C.
Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College London; D. Goltzsche, Technische Universität Braunschweig; D. Eyers, University of Otago; R. Kapitza, Technische Universität
Braunschweig; P. Pietzuch, Imperial College London; C. Fetzer, Technische Universität Dresden
Trust Issues: The Provider’s Perspective
• Cloud provider does not trust users
• Use virtual machines to isolate users from each other and the host
• VMs only provide one way protection
2
Redis
OS
VMM
Firmware
Cloud platform
Staff
…
trust
ed
Trust Issues: The User’s Perspective
• Users trust their application
• Users must implicitly trust the cloud provider
• Existing applications implicitly assume trusted operating system
3
Redis
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
Containers are the new VMs
• Containers provide resource isolation and bundling
• Smaller resource overhead than virtual machines
• Convenient tooling to create and deploy applications in the cloud
4
Disaster!
5
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
Disaster!
6
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
Disaster!
7
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
Disaster!
8
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
• run unmodified Linux applications …
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
• run unmodified Linux applications …
• in containers …
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
• run unmodified Linux applications …
• in containers …
• in an untrusted cloud …
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
• run unmodified Linux applications …
• in containers …
• in an untrusted cloud …
• securely and …
We want to …
9
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
• run unmodified Linux applications …
• in containers …
• in an untrusted cloud …
• securely and …
• with acceptable performance
1010
Secure Guard Extensions
• New enclave processor mode
• Users can create a HW-enforced trusted environment
• Only trust Intel and Secure Guard Extensions (SGX) implementation
OS
VMM
Firmware
Cloud platform
Staff
…
untru
sted
Enclave
SGX: HW-enforced Security
• 18 new instructions to manage enclave life cycle
• Enclave memory only accessible from enclave
• Certain instructions disallowed, e.g., syscall
11
… EENTER …
Execute …
Return
privileged access from
OS, VMM, SMM forbidden
untrusted trusted
Challenge 1: Interface
• Haven (OSDI’14): library operating system in enclave
• Large TCB → more vulnerable
• Small interface (22 system calls)
• Shields protect the interface
12
Application Code
Host OS
Library OSC Library Libraries
Shielding layer
Library OS inside TCB
Exte
rnal
cont
ainer
inte
rface
trus
ted
untru
sted
Challenge 1: Interface
• Small TCB
• C library interface is complex
• Harder to protect
13
Application Code
Shim C Library
C LibraryHost OS
Libraries
Minimal TCB
Challenge 2: Performance
14
syst
em c
all f
requ
ency
(100
0s/s
econ
d)
1
100
10000
Threads
1 2 4 8
native
synchronous enclave exits
• pwrite() with 32 byte buffer • 4 cores with hyper threading
Challenge 2: Performance
14
syst
em c
all f
requ
ency
(100
0s/s
econ
d)
1
100
10000
Threads
1 2 4 8
native
synchronous enclave exits
• pwrite() with 32 byte buffer • 4 cores with hyper threading
8×
Host operating system
SCONE Architecture
15
LibrariesApplication
SCONE module Intel SGX driverContainer (cgroups)
Host operating system
SCONE Architecture• Enhanced C library → small
TCB (Challenge 1)
15
SCONE C library
LibrariesApplication
SCONE module Intel SGX driverContainer (cgroups)
Host operating system
SCONE Architecture• Enhanced C library → small
TCB (Challenge 1)
• Asynchronous system calls and user space threading reduce number of enclave exits (Challenge 2)
15
SCONE C libraryAsynchronous system calls
M:N threading
LibrariesApplication
SCONE module Intel SGX driverContainer (cgroups)
Host operating system
SCONE Architecture• Enhanced C library → small
TCB (Challenge 1)
• Asynchronous system calls and user space threading reduce number of enclave exits (Challenge 2)
• Network and file system shields actively protect user data
15
SCONE C libraryAsynchronous system calls
M:N threadingNetwork shield File system shield
LibrariesApplication
SCONE module Intel SGX driverContainer (cgroups)
Anatomy of a System Call
16
enclavekernel
read, fd, buf, size
Anatomy of a System Call
17
enclave
read(fd, buf, size)
[0]
[2]
kernel
T1
[1]
system call slots
read, fd, buf, size
Anatomy of a System Call
18
enclavekernel
read(fd, buf, size)S1T1
[0]
[2][1]
system call slots
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)
[0]
T1
read, fd, buf, size[0]
[2][1]
system call slots
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)T1
read, fd, buf, size[0]
[2][1]
system call slots
read, fd, buf, sizeread(fd, buf, size)T2
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)T1
read, fd, buf, size[0]
[2][1]
system call slots
read, fd, buf, sizeread(fd, buf, size)T2
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)T1
read, fd, buf, size[0]
[2][1]
system call slots
switch to ready user space thread
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)T1
read, fd, buf, size[0]
[2][1]
system call slots
switch to ready user space thread
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size
Anatomy of a System Call
19
enclavekernel
read(fd, buf, size)T1
read, fd, buf, size[0]
[2][1]
system call slots
switch to ready user space thread
[2]
read, fd, buf, size
Anatomy of a System Call
20
enclavekernel
read(fd, buf, size)T1
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size[0]
[2][1]
system call slots
read, fd, buf, size
Anatomy of a System Call
20
enclavekernel
read(fd, buf, size)T1
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size[0]
[2][1]
system call slots
[0]#2&$?%
read, fd, buf, size
Anatomy of a System Call
20
enclavekernel
read(fd, buf, size)T1
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size[0]
[2][1]
system call slots
switch to ready user space thread
[0]#2&$?%
read, fd, buf, size
Anatomy of a System Call
20
enclavekernel
read(fd, buf, size)T1
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size[0]
[2][1]
system call slots
[0]#2&$?%
read, fd, buf, size
Anatomy of a System Call
20
enclavekernel
read(fd, buf, size)T1
read, fd, buf, sizeread(fd, buf, size)T2
read, fd, buf, size[0]
[2][1]
system call slots
[0]#2&$?%
GET K1decrypt buffer into enclave
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
1. push image
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
1. push image
2. run
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
1. push image
3. pull image
2. run
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
1. push image
3. pull image
4. execute
2. run
Container Integration
21
Repository Docker Engine
Secure Image Enclave
SCONE ClientDocker Client
1. push image
3. pull image
5. secure channel
4. execute
2. run
Syst
em c
all f
requ
ency
(100
0s/s
econ
d)
1
100
10000
Threads
1 2 3 4 5 6 7 8
System Call Performance
22
native
asyncsync
• pwrite() with 32 byte buffer • 4 cores with hyper threading
Syst
em c
all f
requ
ency
(100
0s/s
econ
d)
1
100
10000
Threads
1 2 3 4 5 6 7 8
System Call Performance
22
native
asyncsync
async with 1 thread achieves 80%
• pwrite() with 32 byte buffer • 4 cores with hyper threading
Syst
em c
all f
requ
ency
(100
0s/s
econ
d)
1
100
10000
Threads
1 2 3 4 5 6 7 8
System Call Performance
22
native
asyncsync
async with 1 thread achieves 80%
optimized queue may help
• pwrite() with 32 byte buffer • 4 cores with hyper threading
Apache Throughput
23
Late
ncy
(sec
onds
)
0
1
2
3
4
Throughput (requests / second)0 15000 30000 45000 60000
glibcasync
sync
0.8×
0.7×
Performance Overview
24
Application Throughput w.r.t. nativeasync (%) sync (%)
Memcached 120 113Apache 80 70NGINX 80 36Redis 60 20
Performance Overview
24
Application Throughput w.r.t. nativeasync (%) sync (%)
Memcached 120 113Apache 80 70NGINX 80 36Redis 60 20
inline encryption has less overhead
Performance Overview
24
Application Throughput w.r.t. nativeasync (%) sync (%)
Memcached 120 113Apache 80 70NGINX 80 36Redis 60 20
inline encryption has less overhead
inline encryption hurts performance with single thread
Summary
• Small trusted computing base (0.6× – 2.0× of native binary size)
• Low runtime overhead (0.6× – 1.2× of native throughput)
• Transparent to the container engine (e.g. Docker)
25