Abstract
Intel SGX has attracted much attention from academia and is already powering commercial applications. Cloud providers have also started implementing SGX in their cloud offerings. Research efforts on Intel SGX so far have mainly concentrated on its security and programmability. However, no work has studied in detail the performance degradation caused by SGX in virtualized systems. Such settings are particularly important, considering that virtualization is the de facto building block of cloud infrastructure, yet often comes with a performance impact. This paper presents for the first time a detailed performance analysis of Intel SGX in a virtualized system in comparison with a bare-metal system. Based on our findings, we identify several optimization strategies that would improve the performance of Intel SGX on such systems.
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2013. Innovative technology for CPU based attestation and sealing. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, Vol. 13. ACM New York, NY, USA.Google Scholar
- Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark Stillwell, et almbox. 2016. SCONE: Secure Linux Containers with Intel SGX.. In OSDI, Vol. 16. 689--703. Google Scholar
Digital Library
- Pierre-Louis Aublin, Florian Kelbert, Dan O'Keeffe, Divya Muthukumaran, Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer, David Eyers, and Peter Pietzuch. 2017. TaLoS: Secure and transparent TLS termination inside SGX enclaves . Technical Report. Imperial College London.Google Scholar
- Ravi Bhargava, Benjamin Serebrin, Francesco Spadini, and Srilatha Manne. 2008. Accelerating two-dimensional page walks for virtualized systems. In ACM SIGARCH Computer Architecture News, Vol. 36. ACM, 26--35. Google Scholar
Digital Library
- Nikhil Bhatia. 2009. Performance evaluation of Intel EPT hardware assist. VMware, Inc (2009).Google Scholar
- Stefan Brenner, Colin Wulf, David Goltzsche, Nico Weichbrodt, Matthias Lorenz, Christof Fetzer, Peter Pietzuch, and Rüdiger Kapitza. 2016. SecureKeeper: confidential ZooKeeper using Intel SGX. In Proceedings of the 17th International Middleware Conference. ACM, 14. Google Scholar
Digital Library
- Somnath Chakrabarti, Rebekah Leslie-Hurd, Mona Vij, Frank McKeen, Carlos Rozas, Dror Caspi, Ilya Alexandrovich, and Ittai Anati. 2017. Intel Software Guard Extensions (Intel SGX) Architecture for Oversubscription of Secure Memory in a Virtualized Environment. In Proceedings of the Hardware and Architectural Support for Security and Privacy. ACM, 7. Google Scholar
Digital Library
- Chia che Tsai, Donald E. Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In 2017 USENIX Annual Technical Conference (USENIX ATC 17) . USENIX Association, Santa Clara, CA, 645--658. https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai Google Scholar
Digital Library
- Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, and Ten H Lai. 2018. SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution . arXiv preprint arXiv:1802.09085 (2018).Google Scholar
- Sean Christopherson. 2017. KVM: vmx: add support for SGX Launch Control. https://github.com/intel/kvm-sgx/commit/e9a065d3c1773ad72bfb28b6dad4c433f392eda8 .Google Scholar
- Intel Corporation. 2018a. Intel Linux SGX SDK v2.2 -- Switchless Calls . https://download.01.org/intel-sgx/linux-2.2/docs/Intel_SGX_Developer_Reference_Linux_2.2_Open_Source.pdf .Google Scholar
- Intel Corporation. 2018b. L1 Terminal Fault . https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault .Google Scholar
- Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive , Vol. 2016 (2016), 86.Google Scholar
- Tu Dinh Ngoc. 2018. SGX benchmark source code. https://github.com/sgxbench/sgxbench/releases .Google Scholar
- Edward W Felten. 2003. Understanding trusted computing: will its benefits outweigh its drawbacks? IEEE Security & Privacy , Vol. 99, 3 (2003), 60--62. Google Scholar
Digital Library
- Jayneel Gandhi, Mark D Hill, and Michael M Swift. 2016. Agile paging: exceeding the best of nested and shadow paging. In ACM SIGARCH Computer Architecture News, Vol. 44. IEEE Press, 707--718. Google Scholar
Digital Library
- Google. 2018. Asylo: an open-source framework for confidential computing . https://cloudplatform.googleblog.com/2018/05/Introducing-Asylo-an-open-source-framework-for-confidential-computing.html .Google Scholar
- David Grawrock. 2009. Dynamics of a Trusted Platform: A building block approach .Intel Press. Google Scholar
Digital Library
- Trusted Computing Group. 2007. Design Principles Specification Version 1.2 Level 2 Revision 103 Part 1.Google Scholar
- Shay Gueron. 2016. Memory Encryption for General-Purpose Processors. IEEE Security & Privacy 6 (2016), 54--62. Google Scholar
Digital Library
- Danny Harnik and Eliad Tsfadia. 2017. Impressions of Intel SGX performance. https://medium.com/@danny_harnik/22442093595a .Google Scholar
- IBM. 2018. Data-in-use protection on IBM Cloud using Intel SGX . https://www.ibm.com/blogs/bluemix/2018/05/data-use-protection-ibm-cloud-using-intel-sgx/.Google Scholar
- Intel. 2018. Intel Software Development Manual . https://software.intel.com/en-us/articles/intel-sdm .Google Scholar
- Intel Corporation. {n. d.} a. Intel Software Guard Extensions SDK . https://software.intel.com/en-us/sgx-sdk .Google Scholar
- Intel Corporation. {n. d.} b. Intel Software Guard Extensions SDK for Linux . https://01.org/intel-software-guard-extensions .Google Scholar
- Intel Corporation. {n. d.} c. SGX Virtualization. https://01.org/intel-software-guard-extensions/sgx-virtualization .Google Scholar
- Intel Corporation. 2017a. Intel and NeuLion Bring Secure, 4K UHD Sports Streaming to Computers. https://newsroom.intel.com/news/intel-neulion-bring-secure-4k-uhd-sports-streaming-computers/.Google Scholar
- Intel Corporation. 2017b. Intel Software Guard Extensions SDK for Linux OS. https://download.01.org/intel-sgx/linux-2.0/docs/Intel_SGX_Installation_Guide_Linux_2.0_Open_Source.pdfGoogle Scholar
- International Organization for Standardization. 2015. ISO/IEC 11889--1:2015 .Google Scholar
- David Kaplan, Jeremy Powell, and Tom Woller. 2016. AMD memory encryption. White paper (2016).Google Scholar
- Alexey Kopytov. {n. d.}.Google Scholar
- Klaus Kursawe, Dries Schellekens, and Bart Preneel. 2005. Analyzing trusted platform communication. In ECRYPT Workshop, CRASH-CRyptographic Advances in Secure Hardware .Google Scholar
- Zheng Li, Maria Kihl, Qinghua Lu, and Jens A Andersson. 2017. Performance Overhead Comparison between Hypervisor and Container based Virtualization. In Advanced Information Networking and Applications (AINA), 2017 IEEE 31st International Conference on. IEEE, 955--962.Google Scholar
Cross Ref
- Joshua Lind, Christian Priebe, Divya Muthukumaran, Dan O'Keeffe, Pierre-Louis Aublin, Florian Kelbert, Tobias Reiher, David Goltzsche, David Eyers, Rüdiger Kapitza, Christof Fetzer, and Peter Pietzuch. 2017. Glamdring: Automatic Application Partitioning for Intel SGX. In Proceedings of the 2017 USENIX Conference on Usenix Annual Technical Conference (USENIX ATC '17). USENIX Association, Berkeley, CA, USA, 285--298. http://dl.acm.org/citation.cfm?id=3154690.3154718 Google Scholar
Digital Library
- Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. 2018. Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks. In 2018 USENIX Annual Technical Conference (USENIX ATC 18). USENIX Association, Boston, MA, 227--240. https://www.usenix.org/conference/atc18/presentation/oleksenko Google Scholar
Digital Library
- Ryan Puffer and Liza Poggemeyer. 2016. Guarded fabric and shielded VMs overview. https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms .Google Scholar
- Riva Richmond. {n. d.}.Google Scholar
- Marco Righini. 2010. Enabling Intel virtualization technology features and benefits. Intel White Paper. Retrieved January , Vol. 15 (2010), 2012.Google Scholar
- Efraim Rotem and Senior Principal Engineer. 2015. Intel Architecture, Code Name Skylake Deep Dive: A New Architecture to Manage Power Performance and Energy Efficiency. In Intel Developer Forum .Google Scholar
- Mark Russinovich. 2018. Azure confidential computing. https://azure.microsoft.com/en-us/blog/azure-confidential-computing/.Google Scholar
- Samsung Electronics Co., Ltd. 2017. Samsung Knox Security Solution. https://www.samsungknox.com/docs/SamsungKnoxSecuritySolution.pdf .Google Scholar
- Evan R Sparks and Evan R Sparks. 2007. A security assessment of Trusted Platform Modules - computer science technical report TR2007--597 . (2007).Google Scholar
- Gil Tene. 2018. WRK2 Http Benchmarking Took. https://github.com/giltene/wrk2 .Google Scholar
- Nico Weichbrodt, Anil Kurmus, Peter Pietzuch, and Rüdiger Kapitza. 2016. AsyncShock: Exploiting synchronisation bugs in Intel SGX enclaves. In European Symposium on Research in Computer Security. Springer, 440--457.Google Scholar
Cross Ref
- Ofir Weisse, Valeria Bertacco, and Todd Austin. 2017. Regaining Lost Cycles with HotCalls: A Fast Interface for SGX Secure Enclaves. In Proceedings of the 44th Annual International Symposium on Computer Architecture. ACM, 81--93. Google Scholar
Digital Library
- Wired. 2009. Google Hack Attack Was Ultra Sophisticated . https://www.wired.com/2010/01/operation-aurora/.Google Scholar
- Bin Cedric Xing, Mark Shanahan, and Rebekah Leslie-Hurd. 2016. Intel Software Guard Extensions (Intel SGX) Software Support for Dynamic Memory Allocation inside an Enclave. In Proceedings of the Hardware and Architectural Support for Security and Privacy 2016. ACM, 11. Google Scholar
Digital Library
Index Terms
Everything You Should Know About Intel SGX Performance on Virtualized Systems
Recommendations
Everything You Should Know About Intel SGX Performance on Virtualized Systems
Intel SGX has attracted much attention from academia and is already powering commercial applications. Cloud providers have also started implementing SGX in their cloud offerings. Research efforts on Intel SGX so far have mainly focused on its security ...
Everything You Should Know about Intel SGX Performance on Virtualized Systems
SIGMETRICS '19: Abstracts of the 2019 SIGMETRICS/Performance Joint International Conference on Measurement and Modeling of Computer SystemsIntel SGX has attracted much attention from academia and is already powering commercial applications. Cloud providers have also started implementing SGX in their cloud offerings. Research efforts on Intel SGX so far have mainly focused on its security ...
Cache Attacks on Intel SGX
EuroSec'17: Proceedings of the 10th European Workshop on Systems SecurityFor the first time, we practically demonstrate that Intel SGX enclaves are vulnerable against cache-timing attacks. As a case study, we present an access-driven cache-timing attack on AES when running inside an Intel SGX enclave. Using Neve and Seifert'...






Comments