skip to main content
research-article

Everything You Should Know About Intel SGX Performance on Virtualized Systems

Published:26 March 2019Publication History
Skip Abstract Section

Abstract

Intel SGX has attracted much attention from academia and is already powering commercial applications. Cloud providers have also started implementing SGX in their cloud offerings. Research efforts on Intel SGX so far have mainly concentrated on its security and programmability. However, no work has studied in detail the performance degradation caused by SGX in virtualized systems. Such settings are particularly important, considering that virtualization is the de facto building block of cloud infrastructure, yet often comes with a performance impact. This paper presents for the first time a detailed performance analysis of Intel SGX in a virtualized system in comparison with a bare-metal system. Based on our findings, we identify several optimization strategies that would improve the performance of Intel SGX on such systems.

References

  1. Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2013. Innovative technology for CPU based attestation and sealing. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, Vol. 13. ACM New York, NY, USA.Google ScholarGoogle Scholar
  2. Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark Stillwell, et almbox. 2016. SCONE: Secure Linux Containers with Intel SGX.. In OSDI, Vol. 16. 689--703. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Pierre-Louis Aublin, Florian Kelbert, Dan O'Keeffe, Divya Muthukumaran, Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer, David Eyers, and Peter Pietzuch. 2017. TaLoS: Secure and transparent TLS termination inside SGX enclaves . Technical Report. Imperial College London.Google ScholarGoogle Scholar
  4. Ravi Bhargava, Benjamin Serebrin, Francesco Spadini, and Srilatha Manne. 2008. Accelerating two-dimensional page walks for virtualized systems. In ACM SIGARCH Computer Architecture News, Vol. 36. ACM, 26--35. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Nikhil Bhatia. 2009. Performance evaluation of Intel EPT hardware assist. VMware, Inc (2009).Google ScholarGoogle Scholar
  6. Stefan Brenner, Colin Wulf, David Goltzsche, Nico Weichbrodt, Matthias Lorenz, Christof Fetzer, Peter Pietzuch, and Rüdiger Kapitza. 2016. SecureKeeper: confidential ZooKeeper using Intel SGX. In Proceedings of the 17th International Middleware Conference. ACM, 14. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Somnath Chakrabarti, Rebekah Leslie-Hurd, Mona Vij, Frank McKeen, Carlos Rozas, Dror Caspi, Ilya Alexandrovich, and Ittai Anati. 2017. Intel Software Guard Extensions (Intel SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment. In Proceedings of the Hardware and Architectural Support for Security and Privacy. ACM, 7. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Chia che Tsai, Donald E. Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In 2017 USENIX Annual Technical Conference (USENIX ATC 17) . USENIX Association, Santa Clara, CA, 645--658. https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H Lai. 2018. SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution . arXiv preprint arXiv:1802.09085 (2018).Google ScholarGoogle Scholar
  10. Sean Christopherson. 2017. KVM: vmx: add support for SGX Launch Control. https://github.com/intel/kvm-sgx/commit/e9a065d3c1773ad72bfb28b6dad4c433f392eda8 .Google ScholarGoogle Scholar
  11. Intel Corporation. 2018a. Intel Linux SGX SDK v2.2 -- Switchless Calls . https://download.01.org/intel-sgx/linux-2.2/docs/Intel_SGX_Developer_Reference_Linux_2.2_Open_Source.pdf .Google ScholarGoogle Scholar
  12. Intel Corporation. 2018b. L1 Terminal Fault . https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault .Google ScholarGoogle Scholar
  13. Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive , Vol. 2016 (2016), 86.Google ScholarGoogle Scholar
  14. Tu Dinh Ngoc. 2018. SGX benchmark source code. https://github.com/sgxbench/sgxbench/releases .Google ScholarGoogle Scholar
  15. Edward W Felten. 2003. Understanding trusted computing: will its benefits outweigh its drawbacks? IEEE Security & Privacy , Vol. 99, 3 (2003), 60--62. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Jayneel Gandhi, Mark D Hill, and Michael M Swift. 2016. Agile paging: exceeding the best of nested and shadow paging. In ACM SIGARCH Computer Architecture News, Vol. 44. IEEE Press, 707--718. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Google. 2018. Asylo: an open-source framework for confidential computing . https://cloudplatform.googleblog.com/2018/05/Introducing-Asylo-an-open-source-framework-for-confidential-computing.html .Google ScholarGoogle Scholar
  18. David Grawrock. 2009. Dynamics of a Trusted Platform: A building block approach .Intel Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Trusted Computing Group. 2007. Design Principles Specification Version 1.2 Level 2 Revision 103 Part 1.Google ScholarGoogle Scholar
  20. Shay Gueron. 2016. Memory Encryption for General-Purpose Processors. IEEE Security & Privacy 6 (2016), 54--62. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Danny Harnik and Eliad Tsfadia. 2017. Impressions of Intel SGX performance. https://medium.com/@danny_harnik/22442093595a .Google ScholarGoogle Scholar
  22. IBM. 2018. Data-in-use protection on IBM Cloud using Intel SGX . https://www.ibm.com/blogs/bluemix/2018/05/data-use-protection-ibm-cloud-using-intel-sgx/.Google ScholarGoogle Scholar
  23. Intel. 2018. Intel Software Development Manual . https://software.intel.com/en-us/articles/intel-sdm .Google ScholarGoogle Scholar
  24. Intel Corporation. {n. d.} a. Intel Software Guard Extensions SDK . https://software.intel.com/en-us/sgx-sdk .Google ScholarGoogle Scholar
  25. Intel Corporation. {n. d.} b. Intel Software Guard Extensions SDK for Linux . https://01.org/intel-software-guard-extensions .Google ScholarGoogle Scholar
  26. Intel Corporation. {n. d.} c. SGX Virtualization. https://01.org/intel-software-guard-extensions/sgx-virtualization .Google ScholarGoogle Scholar
  27. Intel Corporation. 2017a. Intel and NeuLion Bring Secure, 4K UHD Sports Streaming to Computers. https://newsroom.intel.com/news/intel-neulion-bring-secure-4k-uhd-sports-streaming-computers/.Google ScholarGoogle Scholar
  28. Intel Corporation. 2017b. Intel Software Guard Extensions SDK for Linux OS. https://download.01.org/intel-sgx/linux-2.0/docs/Intel_SGX_Installation_Guide_Linux_2.0_Open_Source.pdfGoogle ScholarGoogle Scholar
  29. International Organization for Standardization. 2015. ISO/IEC 11889--1:2015 .Google ScholarGoogle Scholar
  30. David Kaplan, Jeremy Powell, and Tom Woller. 2016. AMD memory encryption. White paper (2016).Google ScholarGoogle Scholar
  31. Alexey Kopytov. {n. d.}.Google ScholarGoogle Scholar
  32. Klaus Kursawe, Dries Schellekens, and Bart Preneel. 2005. Analyzing trusted platform communication. In ECRYPT Workshop, CRASH-CRyptographic Advances in Secure Hardware .Google ScholarGoogle Scholar
  33. Zheng Li, Maria Kihl, Qinghua Lu, and Jens A Andersson. 2017. Performance Overhead Comparison between Hypervisor and Container based Virtualization. In Advanced Information Networking and Applications (AINA), 2017 IEEE 31st International Conference on. IEEE, 955--962.Google ScholarGoogle ScholarCross RefCross Ref
  34. Joshua Lind, Christian Priebe, Divya Muthukumaran, Dan O'Keeffe, Pierre-Louis Aublin, Florian Kelbert, Tobias Reiher, David Goltzsche, David Eyers, Rüdiger Kapitza, Christof Fetzer, and Peter Pietzuch. 2017. Glamdring: Automatic Application Partitioning for Intel SGX. In Proceedings of the 2017 USENIX Conference on Usenix Annual Technical Conference (USENIX ATC '17). USENIX Association, Berkeley, CA, USA, 285--298. http://dl.acm.org/citation.cfm?id=3154690.3154718 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. 2018. Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks. In 2018 USENIX Annual Technical Conference (USENIX ATC 18). USENIX Association, Boston, MA, 227--240. https://www.usenix.org/conference/atc18/presentation/oleksenko Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Ryan Puffer and Liza Poggemeyer. 2016. Guarded fabric and shielded VMs overview. https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms .Google ScholarGoogle Scholar
  37. Riva Richmond. {n. d.}.Google ScholarGoogle Scholar
  38. Marco Righini. 2010. Enabling Intel virtualization technology features and benefits. Intel White Paper. Retrieved January , Vol. 15 (2010), 2012.Google ScholarGoogle Scholar
  39. Efraim Rotem and Senior Principal Engineer. 2015. Intel Architecture, Code Name Skylake Deep Dive: A New Architecture to Manage Power Performance and Energy Efficiency. In Intel Developer Forum .Google ScholarGoogle Scholar
  40. Mark Russinovich. 2018. Azure confidential computing. https://azure.microsoft.com/en-us/blog/azure-confidential-computing/.Google ScholarGoogle Scholar
  41. Samsung Electronics Co., Ltd. 2017. Samsung Knox Security Solution. https://www.samsungknox.com/docs/SamsungKnoxSecuritySolution.pdf .Google ScholarGoogle Scholar
  42. Evan R Sparks and Evan R Sparks. 2007. A security assessment of Trusted Platform Modules - computer science technical report TR2007--597 . (2007).Google ScholarGoogle Scholar
  43. Gil Tene. 2018. WRK2 Http Benchmarking Took. https://github.com/giltene/wrk2 .Google ScholarGoogle Scholar
  44. Nico Weichbrodt, Anil Kurmus, Peter Pietzuch, and Rüdiger Kapitza. 2016. AsyncShock: Exploiting synchronisation bugs in Intel SGX enclaves. In European Symposium on Research in Computer Security. Springer, 440--457.Google ScholarGoogle ScholarCross RefCross Ref
  45. Ofir Weisse, Valeria Bertacco, and Todd Austin. 2017. Regaining Lost Cycles with HotCalls: A Fast Interface for SGX Secure Enclaves. In Proceedings of the 44th Annual International Symposium on Computer Architecture. ACM, 81--93. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Wired. 2009. Google Hack Attack Was Ultra Sophisticated . https://www.wired.com/2010/01/operation-aurora/.Google ScholarGoogle Scholar
  47. Bin Cedric Xing, Mark Shanahan, and Rebekah Leslie-Hurd. 2016. Intel Software Guard Extensions (Intel SGX) Software Support for Dynamic Memory Allocation inside an Enclave. In Proceedings of the Hardware and Architectural Support for Security and Privacy 2016. ACM, 11. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Everything You Should Know About Intel SGX Performance on Virtualized Systems

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!