More Web Proxy on the site http://driver.im/

research-article

Regaining Lost Cycles with HotCalls: A Fast Interface for SGX Secure Enclaves

Authors:

Valeria Bertacco,

Todd AustinAuthors Info & Claims

ISCA '17: Proceedings of the 44th Annual International Symposium on Computer Architecture

Pages 81 - 93

https://doi.org/10.1145/3079856.3080208

Published: 24 June 2017 Publication History

Abstract

Intel's SGX secure execution technology allows running computations on secret data using untrusted servers. While recent work showed how to port applications and large-scale computations to run under SGX, the performance implications of using the technology remains an open question. We present the first comprehensive quantitative study to evaluate the performance of SGX. We show that straightforward use of SGX library primitives for calling functions add between 8,200 - 17,000 cycles overhead, compared to 150 cycles of a typical system call. We quantify the performance impact of these library calls and show that in applications with high system calls frequency, such as memcached, openVPN, and lighttpd, which all have high bandwidth network requirements, the performance degradation may be as high as 79%. We investigate the sources of this performance degradation by leveraging a new set of microbenchmarks for SGX-specific operations such as enclave entry-calls and out-calls, and encrypted memory I/O accesses. We leverage the insights we gain from these analyses to design a new SGX interface framework HotCalls. HotCalls are based on a synchronization spin-lock mechanism and provide a 13-27x speedup over the default interface. It can easily be integrated into existing code, making it a practical solution. Compared to a baseline SGX implementation of memcached, openVPN, and lighttpd - we show that using the new interface boosts the throughput by 2.6-3.7x, and reduces application latency by 62-74%.

References

[1]

http_load - multiprocessing http test client. http://acme.com/software/http_load/.

[2]

SGX Secure Enclaves in Practice: Security and Crypto Review. Black Hat. https://www.blackhat.com/docs/us-16/materials/us-16-Aumasson-SGX-Secure-Enclaves-In-Practice-Security-And-\Crypto-Review.pdf.

[3]

Tiago Alves and Don Felton. 2004. TrustZone: Integrated Hardware and Software Security-Enabling Trusted Computing in Embedded Systems.

[4]

Nikos Anastopoulos and Nectarios Koziris. 2008. Facilitating Efficient Synchronization of Asymmetric Threads on Hyper-Threaded Processors. In Proc. of IEEE IPDPS.

[5]

Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2013. Innovative Technology For CPU Based Attestation and sealing. In Proc. of HASP.

[6]

Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Daniel O'Keeffe, Mark L Stillwell, and others. 2016. SCONE: Secure Linux Containers with Intel SGX. In Proc. of OSDI.

Digital Library

[7]

Krste Asanović and David A Patterson. 2014. Instruction Sets Should be Free: The Case for RISC-V. Technical Report. University of California at Berkeley, http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-146.pdf.

[8]

Berk Atikoglu, Yuehai Xu, Eitan Frachtenberg, Song Jiang, and Mike Paleczny. 2012. Workload Analysis of a Large-Scale Key-Value Store. In Proc. of ACM SIGMETRICS Performance Evaluation Review.

Digital Library

[9]

Andrew Baumann, Marcus Peinado, and Galen Hunt. 2015. Shielding Applications from an Untrusted Cloud with Haven. In Proc. of ACM TOCS.

Digital Library

[10]

Stephen Checkoway and Hovav Shacham. 2013. Iago attacks: Why the System Call API is a Bad Untrusted RPC Interface. In Proc. of ACM SIGARCH Computer Architecture News.

Digital Library

[11]

Xiaoxin Chen, Tal Garfinkel, E Christopher Lewis, Pratap Subrahmanyam, Carl Waldspurger, Dan Boneh, Jeffrey Dwoskin, and Dan Ports. 2008. Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. In Proc. of ACM SIGARCH Computer Architecture News.

Digital Library

[12]

Siddhartha Chhabra, Brian Rogers, Yan Solihin, and Milos Prvulovic. 2011. SecureME: a Hardware-Software Approach to Full System Security. In Proc. of ACM ICS.

Digital Library

[13]

Victor Costan and Srinivas Devadas. Intel SGX explained. Technical Report. Cryptology ePrint Archive, Report 2016/086, 2016. https://eprint.iacr.org/2016/086.

[14]

Victor Costan, Ilia Lebedev, and Srinivas Devadas. 2016. Sanctum: Minimal Hardware Extensions for Strong Software Isolation. In Proc. of USENIX Security.

[15]

Christoffer Dall, Shih-Wei Li, Jin Tack Lim, Jason Nieh, and Georgios Koloventzos. 2016. ARM Virtualization: Performance and Architectural Implications. In Proc. of ISCA.

Digital Library

[16]

Zakir Durumeric, James Kasten, David Adrian, J Alex Halderman, Michael Bailey, Frank Li, Nicolas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, and others. The Matter of HeartBleed. In Proc. of ACM IMC.

Digital Library

[17]

Shawn Embleton, Sherri Sparks, and Cliff C Zou. 2013. SMM Rootkits: A New Breed of OS Independent Malware. In Security and Communication Networks. Wiley Online Library.

[18]

Nadeem Firasta, Mark Buxton, Paula Jinbo, Kaveh Nasri, and Shihjong Kuo. 2008. Intel AVX: New frontiers in performance improvements and energy efficiency.

[19]

Shay Gueron. A Memory Encryption Engine Suitable for General Purpose Processors. Intel Corporation.

[20]

J Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A Calandrino, Ariel Feldman, Jacob Appelbaum, and Edward Felten. 2009. Lest We Remember: Cold-Boot Attacks on Encryption Keys. In Communications of the ACM.

Digital Library

[21]

John L Henning. 2006. SPEC CPU2006 benchmark descriptions. In Proc. of ACM SIGARCH Computer Architecture News.

Digital Library

[22]

Andrew Douglas Hilton, BC Lee, and TS Lehman. 2016. PoisonIvy: Safe Speculation for Secure Memory. In Proc. of ACM MICRO.

[23]

Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan Del Cuvillo. 2013. Using Innovative Instructions to Create Trustworthy Software Solutions. In Proc. of HASP.

Digital Library

[24]

Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel. 2016. Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data. In Proc. of OSDI.

Digital Library

[25]

Intel. Intel SGX Software Development Kit (SDK). Intel. https://software.intel.com/en-us/sgx-sdk.

[26]

Intel. Intel Software Guard Extensions SDK for Linux OS. Intel. https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf.

[27]

Intel. Intel Software Guard Extensions SDK for Windows OS. Intel. https://software.intel.com/sites/default/files/managed/b4/cf/Intel-SGX-SDK-Developer-Reference-for-Windows-OS.pdf.

[28]

Intel. Software Developer Manual, chapters 37--43. Intel. http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf.

[29]

Intel. Software Guard Extensions: EPID Provisioning and Attestation Services. Intel. https://software.intel.com/sites/default/files/managed/ac/40/2016%20WW10%20sgx%20provisioning%20and%20attesatation%20final.pdf.

[30]

Iperf. A tool for active measurements of the maximum achievable bandwidth on IP networks. Iperf. https://iperf.fr/.

[31]

Sanjay Kumar, Himanshu Raj, Karsten Schwan, and Ivan Ganev. 2007. Rearchitecting VMMs for Multicore Systems: The Sidecore Approach. In Proc. of WIOSCA. Citeseer.

[32]

lighttpd. An open-source web server optimized for speed-critical environments. lighttpd. https://www.lighttpd.net/.

[33]

Kevin Lim, David Meisner, Ali Saidi, Parthasarathy Ranganathan, and Thomas Wenisch. 2013. Thin Servers With Smart Pipes: Designing SoC Accelerators for Memcached. In Proc. of ACM SIGARCH Computer Architecture News.

Digital Library

[34]

Jiuxing Liu and Bulent Abali. 2009. Virtualization polling engine (VPE): Using Dedicated CPU Cores to Accelerate I/O Virtualization. In Proc. of ACM ICS.

Digital Library

[35]

Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday Savagaonkar. 2013. Innovative Instructions and Software Model for Isolated Execution. In Proc. of HASP.

Digital Library

[36]

Gil Neiger, Amy Santoni, Felix Leung, Dion Rodgers, and Rich Uhlig. 2006. Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization. In Intel Technology Journal.

[37]

OpenSSL. Cryptography and SSL/TLS Toolkit. OpenSSL. https://www.openssl.org/.

[38]

OpenVPN. An open source SSL VPN solution. OpenVPN. https://openvpn.net/.

[39]

Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan. 2011. CryptDB: Protecting Confidentiality with Encrypted Query Processing. In Proc. of SOSP.

Digital Library

[40]

Donald E Porter, Silas Boyd-Wickizer, Jon Howell, Reuben Olinsky, and Galen C Hunt. 2011. Rethinking the Library OS from the Top Down. In Proc. of ACM SIGPLAN.

Digital Library

[41]

Redis Labs. memtier_benchmark: A High-Throughput Benchmarking Tool for Redis & Memcached. Redis Labs. https://https://redislabs.com/blog/memtier_benchmark-a-high-throughput-benchmarking-tool-for-redis-memcached#.WBz0PNzHXeA.

[42]

Paul Saab. 2008. Scaling Memcached at Facebook.

[43]

Jamal Hadi Salim, Robert Olsson, and Alexey Kuznetsov. 2001. Beyond Softnet. In Proc. of USENIX ALSC.

Digital Library

[44]

Felix Schuster, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich. 2015. VC3: Trustworthy Data Analytics in the Cloud Using SGX. In Proc. of IEEE S&P.

Digital Library

[45]

Livio Soares and Michael Stumm. 2010. FlexSC: Flexible System Call Scheduling with Exception-Less System Calls. In Proc. of OSDI.

Digital Library

[46]

Andrew Waterman, Yunsup Lee, David A Patterson, and Krste Asanovic. 2011. The RISC-V Instruction Set Manual, Volume I: Base user-level ISA. EECS Department, UC Berkeley, Tech. Rep. UCB/EECS-2011-62 (2011).

[47]

Rafal Wojtczuk and Joanna Rutkowska. 2009. Attacking SMM Memory via Intel CPU Cache Poisoning. In Invisible Things Lab.

[48]

Yuanzhong Xu, Weidong Cui, and Marcus Peinado. 2015. Controlled-channel attacks: Deterministic Side Channels for Untrusted Operating Systems. In Proc. of IEEE S&P.

Digital Library

[49]

Wenting Zheng, Ankur Dave, Jethro Beekman, Raluca Ada Popa, Joseph Gonzalez, and Ion Stoica. 2017. Opaque: An Oblivious and Encrypted Distributed Analytics Platform. In Proc. of NSDI.

Cited By

Misono MStavrakakis DSantos NBhatotia P(2024)Confidential VMs Explained: An Empirical Analysis of AMD SEV-SNP and Intel TDXProceedings of the ACM on Measurement and Analysis of Computing Systems10.1145/37004188:3(1-42)Online publication date: 10-Dec-2024
https://dl.acm.org/doi/10.1145/3700418
Shobiri BPourali SMigault DBoureanu IPreda SMannan MYoussef A(2024)LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3IEEE Transactions on Network Science and Engineering10.1109/TNSE.2024.343283611:6(6313-6327)Online publication date: Nov-2024
https://doi.org/10.1109/TNSE.2024.3432836
Ménétrey JPasin MFelber PSchiavoni VMazzeo GHollum AVaydia D(2024)A Comprehensive Trusted Runtime for WebAssembly With Intel SGXIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.333451621:4(3562-3579)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1109/TDSC.2023.3334516
Show More Cited By

Index Terms

Regaining Lost Cycles with HotCalls: A Fast Interface for SGX Secure Enclaves
1. Security and privacy

Recommendations

Regaining Lost Cycles with HotCalls: A Fast Interface for SGX Secure Enclaves
ISCA'17

Intel's SGX secure execution technology allows running computations on secret data using untrusted servers. While recent work showed how to port applications and large-scale computations to run under SGX, the performance implications of using the ...
Faster enclave transitions for IO-intensive network applications
SPIN '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable network INfrastructure

Process-based confidential computing enclaves such as Intel SGX have been proposed for protecting the confidentiality and integrity of network applications, without the overhead of virtualization. However, these solutions introduce other types of ...
JITGuard: Hardening Just-in-time Compilers with SGX
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Memory-corruption vulnerabilities pose a serious threat to modern computer security. Attackers exploit these vulnerabilities to manipulate code and data of vulnerable applications to generate malicious behavior by means of code-injection and code-reuse ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ISCA '17: Proceedings of the 44th Annual International Symposium on Computer Architecture

June 2017

736 pages

ISBN:9781450348928

DOI:10.1145/3079856

ACM SIGARCH Computer Architecture News Volume 45, Issue 2
ISCA'17
May 2017
715 pages
ISSN:0163-5964
DOI:10.1145/3140659
Editor:
Babak Falsafi
Interim
Issue’s Table of Contents

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

IEEE: IEEE Computer Society Technical Committee on Design Automation
SIGARCH: ACM Special Interest Group on Computer Architecture

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 June 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ISCA '17

Sponsor:

IEEE
SIGARCH

ISCA '17: The 44th Annual International Symposium on Computer Architecture

June 24 - 28, 2017

ON, Toronto, Canada

Acceptance Rates

ISCA '17 Paper Acceptance Rate 54 of 322 submissions, 17%;

Overall Acceptance Rate 543 of 3,203 submissions, 17%

Upcoming Conference

ISCA '25

Sponsor:
sigarch

The 52nd Annual International Symposium on Computer Architecture

June 21 - 25, 2025

Tokyo , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

102
Total Citations
View Citations
1,395
Total Downloads

Downloads (Last 12 months)88
Downloads (Last 6 weeks)11

Reflects downloads up to 17 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Misono MStavrakakis DSantos NBhatotia P(2024)Confidential VMs Explained: An Empirical Analysis of AMD SEV-SNP and Intel TDXProceedings of the ACM on Measurement and Analysis of Computing Systems10.1145/37004188:3(1-42)Online publication date: 10-Dec-2024
https://dl.acm.org/doi/10.1145/3700418
Shobiri BPourali SMigault DBoureanu IPreda SMannan MYoussef A(2024)LURK-T: Limited Use of Remote Keys With Added Trust in TLS 1.3IEEE Transactions on Network Science and Engineering10.1109/TNSE.2024.343283611:6(6313-6327)Online publication date: Nov-2024
https://doi.org/10.1109/TNSE.2024.3432836
Ménétrey JPasin MFelber PSchiavoni VMazzeo GHollum AVaydia D(2024)A Comprehensive Trusted Runtime for WebAssembly With Intel SGXIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.333451621:4(3562-3579)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1109/TDSC.2023.3334516
Nye JAli UKhan O(2024)SSE: Security Service Engines to Scale Enclave Parallelism for System Interactive Applications2024 International Symposium on Secure and Private Execution Environment Design (SEED)10.1109/SEED61283.2024.00019(84-95)Online publication date: 16-May-2024
https://doi.org/10.1109/SEED61283.2024.00019
Shu JShu J(2024)Storage SecurityData Storage Architectures and Technologies10.1007/978-981-97-3534-1_10(271-309)Online publication date: 28-Aug-2024
https://doi.org/10.1007/978-981-97-3534-1_10
Tanigassalame SPipereau YChader AToljaga JThomas G(2024)FastSGX: A Message-Passing Based Runtime for SGXAdvanced Information Networking and Applications10.1007/978-3-031-57916-5_7(74-85)Online publication date: 9-Apr-2024
https://doi.org/10.1007/978-3-031-57916-5_7
Li FLi XGao M(2023)Secure MLaaS with Temper: Trusted and Efficient Model Partitioning and Enclave ReuseProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627145(621-635)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627145
Wang JDu YWang XMa CLu DXi N(2023)TEE-Assisted Time-Scale Database Management System on IoT devicesProceedings of the 13th International Conference on the Internet of Things10.1145/3627050.3631578(253-259)Online publication date: 7-Nov-2023
https://dl.acm.org/doi/10.1145/3627050.3631578
Kim SYou MKim BShin S(2023)CryonicsProceedings of the 2023 ACM Symposium on Cloud Computing10.1145/3620678.3624789(528-543)Online publication date: 30-Oct-2023
https://dl.acm.org/doi/10.1145/3620678.3624789
Will NMaziero C(2023)Intel Software Guard Extensions Applications: A SurveyACM Computing Surveys10.1145/359302155:14s(1-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3593021
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents