Eleos: Exit-Less OS Services for SGX Enclaves
Meni Orenbach, Marina Minkin, Pavel Lifshits, Mark Silberstein
Accelerated Computing Systems Lab, Technion
Haifa, Israel
22 May @ Systor' 2017, Meni Orenbach, Technion
What do we do? Improve the performance of I/O-intensive and memory-demanding SGX enclaves.
Why? The cost of SGX execution for these applications is high.
How? In-enclave system calls and user-managed virtual memory.
Results: Eleos vs. vanilla SGX
● 2x throughput for the memcached and face-verification servers, even at 5x the available enclave memory
● Available for Linux and Windows*
(*) Without Eleos, these applications crash in Windows enclaves
● Background
● Motivation
● Overhead analysis
● Eleos design
● Evaluation
SGX enclaves are already here!
● Secured execution environment
● Reversed sandbox
● Small TCB
● Private code & data
  – Confidentiality
  – Integrity
  – Freshness
● Only CPU is trusted
(Figure: an operating system running an application that hosts two enclaves)
Let's look at how to secure server applications with enclaves.
Background: Lifetime of a secured server
(Figure: untrusted side (host & OS) with the host app and untrusted memory; trusted side with the enclave and its dedicated SGX memory)
● Untrusted memory: unsecured access
● Dedicated SGX memory: secured access, limited to 128 MB
Request flow, in order:
● Host app waits for network requests
● Enter enclave
● Decrypt requests
● Process requests
● Encrypt responses
● Exit enclave
● Host app sends responses
SGX enclaves should be fast
● ISA extensions
● Implemented in HW & firmware
● Same CPU HW
● In-cache execution suffers no overheads
However...
Executing a Key-Value Store in enclave is slower
(Figure: throughput slowdown factor vs. memory footprint, 64 MB and 512 MB, y-axis 0 to 40)
● Slowdown factors shown: 11x and 34x (for the 64 MB and 512 MB footprints)
● Crashes in Windows
Overhead analysis
(Figure: the request flow above, annotated with the cost of each step)
● Decrypt requests: 150 cycles/32B
● Process requests: *100 cycles/32B
● Encrypt responses: *150 cycles/32B (asterisks as on the slide)
● Enter enclave / exit enclave transitions: ~3,300 and ~3,800 cycles
● Exits cause indirect costs: 1.5X – 5X slower execution (FlexSC [OSDI'10] syscall analysis)
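A direct-cost model of one request, added here as an example (it is not from the talk or the Eleos code base): it takes the per-32B decrypt/process/encrypt figures and the ~3,300 and ~3,800 cycle transition costs above, assumes one enclave enter and one exit per request, uses the asterisked figures as printed, and leaves out the indirect 1.5x–5x slowdown. The break-even function shows how large a request must be before the payload work outweighs the transitions.

```cpp
// Added example, not from the Eleos talk or code base: a direct-cost model of one request
// through the secured server built from the figures on the slide. It assumes one enclave
// enter and one exit per request and ignores the indirect (1.5x-5x) slowdown after an exit.
#include <cstdint>

namespace eleos_cost {
constexpr uint64_t kChunkBytes = 32;        // the slide's unit: cycles per 32 B
constexpr uint64_t kDecryptPerChunk = 150;  // decrypt requests
constexpr uint64_t kProcessPerChunk = 100;  // process requests
constexpr uint64_t kEncryptPerChunk = 150;  // encrypt responses
constexpr uint64_t kEnterCycles = 3300;     // ~3,300 cycles
constexpr uint64_t kExitCycles = 3800;      // ~3,800 cycles

constexpr uint64_t transition_cycles() { return kEnterCycles + kExitCycles; }
constexpr uint64_t chunks(uint64_t bytes) { return (bytes + kChunkBytes - 1) / kChunkBytes; }

// Work that scales with the payload: decrypt, process and encrypt, each per 32 B chunk.
constexpr uint64_t payload_cycles(uint64_t bytes) {
    return chunks(bytes) * (kDecryptPerChunk + kProcessPerChunk + kEncryptPerChunk);
}
constexpr uint64_t request_cycles(uint64_t bytes) { return transition_cycles() + payload_cycles(bytes); }

// Integer percentage of a request's cycles spent crossing the enclave boundary.
constexpr uint64_t transition_share_percent(uint64_t bytes) {
    return transition_cycles() * 100 / request_cycles(bytes);
}

// Smallest payload (in whole 32 B chunks) whose own work costs at least as much as the
// enter/exit pair; below this size the transitions, not the crypto, dominate the request.
constexpr uint64_t breakeven_bytes() {
    uint64_t bytes = kChunkBytes;
    while (payload_cycles(bytes) < transition_cycles()) bytes += kChunkBytes;
    return bytes;
}
}  // namespace eleos_cost
```

With these numbers a 32-byte request spends about 94% of its cycles on the enter/exit pair, and payload work only catches up at 576 bytes, which is why removing the exit pays off for small-message servers such as memcached.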
Eleos does better!
(Figure: throughput slowdown factor, SGX vs. Eleos, at 64 MB and 512 MB memory footprints, y-axis 0 to 40)
● Slowdown factors with Eleos: 3.5x and 5x (for the 64 MB and 512 MB footprints)
How does Eleos achieve this?
Eleos: Exit-less services
● Exit-less system calls with RPC infrastructure
● Exit-less SGX paging
Background: SGX paging
(Figure: trusted enclave and untrusted SGX driver; system memory and dedicated SGX memory, with hardware address translation through the page table)
● SGX memory is dedicated memory for enclave code & data, limited to 128 MB
● Enclave code reaches its data through hardware address translation:
  secret_foo(): ... *p = 1; *(++p) = 2;
● A page swapped out of SGX memory is stored encrypted in system memory
● Touching a swapped-out page faults into the untrusted SGX driver's fault handler; the page is integrity-validated and decrypted back into SGX memory
● Later accesses to the resident page take the fast path
● Since SGX memory is small, paging is not as rare as in native applications. What are the overheads?
SGX paging overheads
(Figure: the same paging flow, annotated with the enclave exit into the SGX driver's fault handler and the enclave resume afterwards)
● Each page fault costs an enclave exit and an enclave resume
● Exits carry indirect costs
● Overheads: untrusted software manages enclave memory
Wanted: In-enclave virtual memory management
No more exits!
Ideal in-enclave VM management
(Figure: fault handler, page table and address translation moved inside the trusted enclave; the SGX driver drops out of the path)
● Hardware address translation inside the enclave: no available hardware
● Software address translation instead
22 May@Systor' 2017 Meni Orenbach, Technion 54
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1; SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
![Page 55: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/55.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 55
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1; SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
![Page 56: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/56.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 56
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;
Encrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
![Page 57: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/57.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 57
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;
Encrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
Swapped-out
![Page 58: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/58.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 58
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;
Encrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
Swapped-out
![Page 59: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/59.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 59
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;
Encrypted
Decrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
Swapped-out
Integrityvalidation
![Page 60: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/60.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 60
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;
Encrypted
Decrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Template class: SecuredPointer.
Swapped-out
Integrityvalidation
Control pathin-enclave
![Page 61: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/61.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 61
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;*(++p) = 2;
Encrypted
Decrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
![Page 62: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/62.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 62
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;*(++p) = 2;
Encrypted
Decrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
![Page 63: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/63.jpg)
22 May@Systor' 2017 Meni Orenbach, Technion 63
SUVM: Secured user-space VM
System mem
Faulthandler
secret_foo():s_ptr<int> p = suvm_malloc(1024);...*p = 1;*(++p) = 2;
Encrypted
Decrypted
SGX mem
Page table
EnclaveTrusted
SoftwareAddress translation
Fast pathNo page table
Lookup!
![Page 64: Eleos: Exit-Less OS Services for SGX EnclavesTrusted SGX driver Untrusted Enclave resume Enclave exit Overaheads: Untrusted software manages enclave memory Indirect costs 22 May@Systor'](https://reader033.fdocuments.in/reader033/viewer/2022052721/5f0b1fb27e708231d42ef726/html5/thumbnails/64.jpg)
Wait... Software-based VM management?
Based on software address translation on GPUs: ActivePointers [ISCA'2016]
SUVM key contributions
● Multi-threaded
● Compared to SGX:
  – Fast path: up to 20% overhead
  – Slow path: eliminates the cost of exits
Throughput speedup over SGX:
           1 Thread   4 Threads
  READ     5.5x       7x
  WRITE    3.5x       5.9x
Software address translation offers new optimizations
● Customized page size
● Customized eviction policy
● Multi-enclave memory coordination
● Write-back only dirty pages
● Sub-page direct access to backing store
(cf. virtual machine ballooning)
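The SUVM slides above and the optimization list (customized eviction policy, write-back of dirty pages only) describe the mechanism in pictures. The following C++ model is an added example written for this page, not code from Eleos: a SecuredVM keeps a translation table, a two-slot decrypted page cache and per-page integrity tags in trusted memory, while a backing store holds only ciphertext; an s_ptr<T> resolves each access through the table (fast path) or through a software page fault (slow path) that evicts a victim, writes it back only if dirty, and decrypts and verifies the incoming page before use. Everything beyond the slide's s_ptr<int>, *p = 1 and *(++p) = 2 is an assumption for illustration: the 64-byte pages, the two-slot cache, round-robin eviction, and the XOR-stream-plus-FNV-1a stand-in for the authenticated encryption a real SUVM would use; SecuredVM, run_demo and detects_corruption are names chosen here, not Eleos identifiers.

```cpp
// Added example (not Eleos code): a miniature model of SUVM-style software address translation.
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

namespace suvm_demo {
constexpr std::size_t kPageSize = 64;    // assumption: tiny pages for the demo
constexpr std::size_t kCacheSlots = 2;   // assumption: only two pages fit "in the enclave"
constexpr std::size_t kNone = static_cast<std::size_t>(-1);
using Page = std::array<std::uint8_t, kPageSize>;

// Stand-in for SUVM's authenticated encryption (not real crypto): keyed XOR stream + FNV-1a tag.
inline std::uint64_t fnv1a(const Page& p) {
    std::uint64_t h = 1469598103934665603ULL;
    for (std::uint8_t b : p) { h ^= b; h *= 1099511628211ULL; }
    return h;
}
inline void xor_stream(Page& p, std::uint64_t key, std::size_t pg) {
    std::uint64_t k = key + pg * 0x9E3779B97F4A7C15ULL;   // per-page keystream seed
    for (std::size_t i = 0; i < kPageSize; ++i)
        p[i] ^= static_cast<std::uint8_t>(k >> ((i % 8) * 8)) ^ static_cast<std::uint8_t>(i);
}

class SecuredVM {
public:
    std::size_t faults = 0, fast_hits = 0;   // counters for the demo
    SecuredVM(std::size_t npages, std::uint64_t key)
        : key_(key), backing_(npages), tags_(npages), slot_of_(npages, kNone),
          slots_(kCacheSlots), owner_(kCacheSlots, kNone), dirty_(kCacheSlots, false) {
        for (std::size_t pg = 0; pg < npages; ++pg) {    // fresh pages: encrypted zeros
            xor_stream(backing_[pg], key_, pg);
            tags_[pg] = fnv1a(backing_[pg]);             // tags stay in trusted memory
        }
    }
    // Fast path: a table lookup in trusted memory. Slow path: a software page fault.
    std::uint8_t* translate(std::size_t addr, bool write) {
        std::size_t pg = addr / kPageSize;
        if (pg >= backing_.size()) throw std::out_of_range("outside the SUVM region");
        if (slot_of_[pg] == kNone) fault(pg); else ++fast_hits;
        if (write) dirty_[slot_of_[pg]] = true;          // write back only dirty pages
        return slots_[slot_of_[pg]].data() + (addr % kPageSize);
    }
    // Models an untrusted host flipping a byte of a swapped-out (encrypted) page.
    void corrupt_backing(std::size_t pg) { backing_.at(pg)[0] ^= 0xFF; }
private:
    void evict(std::size_t s) {
        std::size_t pg = owner_[s];
        if (dirty_[s]) {                                 // re-encrypt and re-tag only if modified
            backing_[pg] = slots_[s]; xor_stream(backing_[pg], key_, pg);
            tags_[pg] = fnv1a(backing_[pg]);
        }
        slot_of_[pg] = kNone; owner_[s] = kNone; dirty_[s] = false;
    }
    void fault(std::size_t pg) {
        ++faults;
        std::size_t s = next_victim_++ % kCacheSlots;    // round-robin eviction (assumption)
        if (owner_[s] != kNone) evict(s);
        if (fnv1a(backing_[pg]) != tags_[pg])            // integrity validation before use
            throw std::runtime_error("SUVM: integrity check failed on swapped-out page");
        slots_[s] = backing_[pg]; xor_stream(slots_[s], key_, pg);   // decrypt into enclave memory
        owner_[s] = pg; slot_of_[pg] = s;
    }
    std::uint64_t key_;
    std::vector<Page> backing_;          // untrusted host memory: ciphertext only
    std::vector<std::uint64_t> tags_;    // trusted: one integrity tag per page
    std::vector<std::size_t> slot_of_;   // trusted translation table: page -> cache slot
    std::vector<Page> slots_;            // trusted: decrypted resident pages
    std::vector<std::size_t> owner_;     // cache slot -> page it holds
    std::vector<bool> dirty_; std::size_t next_victim_ = 0;
};

// Secured pointer: the role the slide's s_ptr<int> (template class SecuredPointer) plays.
template <typename T> class s_ptr {
public:
    s_ptr(SecuredVM* vm, std::size_t addr) : vm_(vm), addr_(addr) {}
    T& operator*() { return *reinterpret_cast<T*>(vm_->translate(addr_, /*write=*/true)); }
    s_ptr& operator++() { addr_ += sizeof(T); return *this; }
private:
    SecuredVM* vm_; std::size_t addr_;
};
struct DemoResult { int value; std::size_t faults, fast_hits; };

// Replays the slide's secret_foo(), then touches two more pages so page 0 is evicted
// (written back encrypted) and finally reads it back through the slow path.
inline DemoResult run_demo(bool corrupt_swapped_out_page) {
    SecuredVM vm(/*npages=*/4, /*key=*/0x0123456789ABCDEFULL);
    s_ptr<int> p(&vm, 0);
    *p = 1;                                   // slow path: page 0 faulted in
    *(++p) = 2;                               // fast path: same page, table lookup only
    *s_ptr<int>(&vm, kPageSize) = 3;          // page 1 faulted in
    *s_ptr<int>(&vm, 2 * kPageSize) = 4;      // page 2 faulted in, page 0 evicted
    if (corrupt_swapped_out_page) vm.corrupt_backing(0);
    int v = *s_ptr<int>(&vm, 0);              // page 0 comes back; its tag is checked first
    return {v, vm.faults, vm.fast_hits};
}
// True if the integrity check rejects a page the host tampered with.
inline bool detects_corruption() {
    try { run_demo(true); return false; } catch (const std::runtime_error&) { return true; }
}
}  // namespace suvm_demo
```

run_demo(false) yields value 1 after four software faults and one fast-path hit; in the tampered variant the page is rejected at the integrity check before it is ever decrypted into the enclave, which is the check that makes swapping to untrusted memory tolerable. In the real system the tag would come from an authenticated cipher and the per-page metadata would cover the whole region, but the division of trust is the same: translation table, keys and tags inside, ciphertext outside.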
● Background ● Motivation ● Overhead analysis ● Eleos design ● Evaluation
Biometric identity checking server
[Figure: a workload generator sends a face image + ID over a 10Gb NIC to the face verification server, which checks it (?=) against a 450MB DB (5x SGX memory)]
Biometric identity validating server: speedup compared to vanilla SGX
[Chart: speedup (y-axis 0 to 3.5) vs server threads (1, 2, 4) for Eleos and Native]
Eleos scales better than vanilla SGX: saves inter-processor interrupts
Saturates the 10Gb network
Memcached
[Figure: a workload generator (memaslap) issues GET requests over a 10Gb NIC to Memcached running on the Graphene LibOS [Eurosys'2014] with a 500MB DB (5.5x SGX memory)]
~75 LOC modification for SUVM
Memcached: speedup compared to vanilla SGX (500MB DB)
[Chart: speedup (y-axis 0 to 3) for 1 and 4 server threads; bars for Eleos (500MB DB) and vanilla SGX (20MB DB), the latter annotated "No SGX Faults"]
Disclaimer: Eleos+Graphene is 3x slower than native
Take aways
● Eleos eliminates enclave exit costs
● Eleos is available for Windows and Linux
  – Makes memory-demanding applications available on Windows today
● Eleos takes a modular approach
  – Memory-demanding app? Link to SUVM
  – I/O-intensive app? Link to RPC
  – Maintains a small TCB
Traditional SGX: host-centric OS services
[Figure: enclave and operating system; the enclave issues "Get data", the OS answers "Data unavailable" and must "Fetch data" before the enclave can continue]
Eleos insight: enclave-centric OS services
[Figure: the enclave's "Get data" is handled by in-enclave services, which "Fetch data" without leaving the enclave]
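The slides contrast host-centric services, where "Get data" leaves the enclave, with Eleos's in-enclave services, and the take-aways suggest linking I/O-intensive code against the RPC module. The following C++ model is an added example written for this page, not Eleos code: an enclave-side thread posts requests to a ring in shared memory and spins on a completion flag while an untrusted host worker thread services them, so no enclave exit occurs in the model; because the host owns the ring, the enclave clamps the requested length and rejects a host-reported length it did not ask for before copying anything into enclave memory. The ring layout, the four-slot size, the 64-byte payload, the in-memory "file" and the rogue-host switch are all assumptions for illustration, and EnclaveRpc, host_worker and run_demo are names chosen here.

```cpp
// Added example (not Eleos code): exit-less RPC modeled as a request ring in memory shared
// by an "enclave" thread and an untrusted host worker thread.
#include <algorithm>
#include <array>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <string>
#include <thread>

namespace rpc_demo {
enum class Op : std::uint32_t { kNone, kRead, kStop };
constexpr std::uint32_t kFree = 0, kPosted = 1, kDone = 2;   // slot life cycle
constexpr std::size_t kSlots = 4;                             // assumption: ring size
constexpr std::uint32_t kPayload = 64;                        // assumption: payload bytes per slot

// One slot of the shared ring. The untrusted host can read and write all of it,
// so the enclave must validate anything it reads back.
struct Request {
    std::atomic<std::uint32_t> state{kFree};
    Op op{Op::kNone};
    std::uint32_t len{0};          // bytes the enclave asked for
    std::int32_t result{0};        // bytes the host claims to have delivered
    std::array<char, kPayload> payload{};
};
struct SharedRing { std::array<Request, kSlots> slots; };

// Untrusted side: polls the ring and services requests, so the enclave thread never exits.
// "read" copies from a constructed in-memory file standing in for a real syscall; with
// `rogue` set the host lies about the length, which the enclave must catch.
inline void host_worker(SharedRing& ring, const std::string& fake_file, bool rogue) {
    for (std::size_t i = 0;; i = (i + 1) % kSlots) {
        Request& r = ring.slots[i];
        if (r.state.load(std::memory_order_acquire) != kPosted) continue;
        if (r.op == Op::kStop) { r.state.store(kDone, std::memory_order_release); return; }
        std::size_t n = std::min<std::size_t>({r.len, fake_file.size(), r.payload.size()});
        std::memcpy(r.payload.data(), fake_file.data(), n);
        r.result = rogue ? 1000 : static_cast<std::int32_t>(n);
        r.state.store(kDone, std::memory_order_release);
    }
}

// Trusted side: post a request, spin on the completion flag instead of leaving the
// enclave, then copy the reply into enclave memory only after bounds-checking it.
class EnclaveRpc {
public:
    explicit EnclaveRpc(SharedRing& ring) : ring_(ring) {}
    int read(char* dst, std::uint32_t len) {
        Request& r = post(Op::kRead, std::min<std::uint32_t>(len, kPayload));
        std::int32_t n = r.result;
        if (n < 0 || static_cast<std::uint32_t>(n) > r.len) n = -1;   // host-controlled length
        else std::memcpy(dst, r.payload.data(), static_cast<std::size_t>(n));
        r.state.store(kFree, std::memory_order_release);
        return n;
    }
    void stop() { post(Op::kStop, 0).state.store(kFree, std::memory_order_release); }
private:
    // Waits for a free slot, fills it, posts it and spins until the host marks it done.
    Request& post(Op op, std::uint32_t len) {
        Request& r = ring_.slots[next_++ % kSlots];
        while (r.state.load(std::memory_order_acquire) != kFree) {}
        r.op = op; r.len = len;
        r.state.store(kPosted, std::memory_order_release);
        while (r.state.load(std::memory_order_acquire) != kDone) {}   // no EEXIT/ERESUME here
        return r;
    }
    SharedRing& ring_; std::size_t next_ = 0;
};

// Issues one read of `want` bytes through the ring and returns the bytes that reached
// enclave memory (empty when the reply failed validation).
inline std::string run_demo(std::uint32_t want, bool rogue_host) {
    SharedRing ring;
    const std::string fake_file = "hello from the host";   // constructed input
    std::thread host(host_worker, std::ref(ring), std::cref(fake_file), rogue_host);
    EnclaveRpc rpc(ring);
    char in_enclave[kPayload] = {};
    int n = rpc.read(in_enclave, want);
    rpc.stop();
    host.join();
    return n < 0 ? std::string() : std::string(in_enclave, static_cast<std::size_t>(n));
}
}  // namespace rpc_demo
```

The request state machine (free, posted, done) is the whole protocol: the enclave only ever writes a slot it owns and only reads a slot the host has released, and every host-supplied field is treated as untrusted input. A production design would additionally avoid a pure spin (a wake-up or bounded poll) and size the ring to the number of enclave threads, but those are tuning choices layered on the same exchange.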
Take aways (2)
● Eleos adapts 'accelerator-centric management'
  – System calls: GPUfs [ASPLOS'13], GPUnet [OSDI'14]
  – Virtual memory: ActivePointers [ISCA'16]
● We can do more!
  – Asynchronous DMA host copies
  – Non-blocking enclave launches
More information at: "SGX Enclaves as Accelerators" [Systex'16]
Thank you
Code is available at: https://github.com/acsl-technion/eleos
Backup slides