SCONE: Secure Linux Container Environments with Intel SGX · 2017-07-14
TRANSCRIPT

SCONE: Secure Linux Container Environments with Intel SGX
S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, and M. Stillwell, Imperial College London; D. Goltzsche, Technische Universität Braunschweig; D. Eyers, University of Otago; R. Kapitza, Technische Universität Braunschweig; P. Pietzuch, Imperial College London; C. Fetzer, Technische Universität Dresden

Trust Issues: The Provider's Perspective
• Cloud provider does not trust users
• Use virtual machines to isolate users from each other and from the host
• VMs only provide one-way protection
[Figure: stack of Redis, OS, VMM, Firmware, Cloud platform, Staff, …; label: trusted]

Trust Issues: The User's Perspective
• Users trust their application
• Users must implicitly trust the cloud provider
• Existing applications implicitly assume a trusted operating system
[Figure: stack of Redis, OS, VMM, Firmware, Cloud platform, Staff, …; label: untrusted]

Containers are the new VMs
• Containers provide resource isolation and bundling
• Smaller resource overhead than virtual machines
• Convenient tooling to create and deploy applications in the cloud

Disaster!
[Figure: stack of OS, VMM, Firmware, Cloud platform, Staff, …; label: untrusted]

We want to …
• run unmodified Linux applications …
• in containers …
• in an untrusted cloud …
• securely and …
• with acceptable performance
[Figure: stack of OS, VMM, Firmware, Cloud platform, Staff, …; label: untrusted]

Software Guard Extensions
• New enclave processor mode
• Users can create a HW-enforced trusted environment
• Only trust Intel and the Software Guard Extensions (SGX) implementation
[Figure: stack of OS, VMM, Firmware, Cloud platform, Staff, … labelled untrusted; the Enclave is shown as a separate, trusted component]

SGX: HW-enforced Security
• 18 new instructions to manage the enclave life cycle
• Enclave memory is only accessible from inside the enclave
• Certain instructions are disallowed inside an enclave, e.g., syscall
[Figure: untrusted code … EENTER … enclave executes … return; privileged access from OS, VMM, SMM forbidden]

Challenge 1: Interface
• Haven (OSDI'14): library operating system in enclave
• Large TCB → more vulnerable
• Small interface (22 system calls)
• Shields protect the interface
[Figure: Application Code, Libraries, C Library and Library OS inside the TCB (trusted); a Shielding layer at the external container interface; Host OS untrusted]

Challenge 1: Interface
• Small TCB
• C library interface is complex
• Harder to protect
[Figure: Application Code, Libraries and a Shim C Library inside the minimal TCB; C Library and Host OS outside]

Challenge 2: Performance
[Figure: system call frequency (1000s/second, log scale 1 to 10000) versus threads (1, 2, 4, 8); lines: native, synchronous enclave exits; annotation: 8×]
• pwrite() with 32 byte buffer
• 4 cores with hyper threading

SCONE Architecture
• Enhanced C library → small TCB (Challenge 1)
• Asynchronous system calls and user space threading reduce the number of enclave exits (Challenge 2)
• Network and file system shields actively protect user data
[Figure: Host operating system with the SCONE module and the Intel SGX driver; a Container (cgroups) holding the Application, Libraries and the SCONE C library, which provides asynchronous system calls, M:N threading, a network shield and a file system shield]

Anatomy of a System Call
[Figure, animated: the enclave on the left, the kernel on the right, and an array of system call slots [0], [1], [2] in shared memory between them]
• Thread T1 inside the enclave calls read(fd, buf, size)
• The request (read, fd, buf, size) is written into system call slot [0]; a host-side system call thread (S1) picks it up and issues the call to the kernel
• Instead of exiting the enclave, the scheduler switches to a ready user space thread, T2
• T2 issues its own read(fd, buf, size), which is placed into a further slot
• The kernel completes the read and the result arrives in slot [0] in encrypted form ([0]#2&$?%)
• The file system shield fetches key K1 (GET K1) and decrypts the buffer into the enclave before T1 resumes
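The slot protocol of the last slides, and the "asynchronous system calls" box of the SCONE Architecture slide, as an added example that is not SCONE's code: a single-process model in which an untrusted host thread stands in for the kernel-side system call thread, a pipe stands in for the file, and the "switch to a ready user space thread" step is reduced to a yield. The four-slot queue, the 64-byte staging buffer and the function names are assumptions made for this example; the file system shield's decryption step (GET K1) is not modelled. The one piece worth carrying over is the length check: the slot lives in memory the host can write, so a returned length is untrusted and must never be used to copy more bytes into the enclave than were requested.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define NSLOTS 4   /* hypothetical slot count for this example */
#define MAXBUF 64  /* hypothetical staging-buffer size per slot */

enum { SLOT_FREE = 0, SLOT_FILLING, SLOT_REQ, SLOT_DONE };

/* One system call slot in shared, untrusted memory. The enclave never hands the
 * host a pointer into enclave memory; data travels through the staging buffer. */
struct slot {
    _Atomic int state;
    long nr, fd, len, ret;
    unsigned char buf[MAXBUF];
};

static struct slot slots[NSLOTS];
static _Atomic int host_running;

/* Untrusted host thread (stands in for the kernel side): executes queued requests. */
static void *host_loop(void *unused) {
    (void)unused;
    while (atomic_load(&host_running)) {
        for (int i = 0; i < NSLOTS; i++) {
            struct slot *s = &slots[i];
            if (atomic_load(&s->state) != SLOT_REQ) continue;
            long r;
            if (s->nr == SYS_read)       r = syscall(SYS_read, (int)s->fd, s->buf, (size_t)s->len);
            else if (s->nr == SYS_write) r = syscall(SYS_write, (int)s->fd, s->buf, (size_t)s->len);
            else { errno = ENOSYS; r = -1; }
            s->ret = (r == -1) ? -errno : r;   /* kernel convention: negative errno */
            atomic_store(&s->state, SLOT_DONE);
        }
        sched_yield();
    }
    return NULL;
}

/* Enclave side: claim a free slot with a compare-and-swap. */
static struct slot *claim_slot(void) {
    for (;;) {
        for (int i = 0; i < NSLOTS; i++) {
            int expected = SLOT_FREE;
            if (atomic_compare_exchange_strong(&slots[i].state, &expected, SLOT_FILLING))
                return &slots[i];
        }
        sched_yield();
    }
}

/* Iago-style check: a length read back from untrusted slot memory is only accepted
 * if it is consistent with the request; otherwise the copy into the enclave would
 * overrun the caller's buffer. */
int result_is_sane(long ret, size_t requested) {
    return ret <= (long)requested;
}

/* Enclave side: submit read/write through a slot, wait without leaving the "enclave". */
static ssize_t enclave_io(long nr, int fd, void *buf, size_t len) {
    if (len > MAXBUF) len = MAXBUF;
    struct slot *s = claim_slot();
    s->nr = nr; s->fd = fd; s->len = (long)len;
    if (nr == SYS_write) memcpy(s->buf, buf, len);      /* copy out of the enclave */
    atomic_store(&s->state, SLOT_REQ);
    /* SCONE would now run another ready user-space thread; one thread just yields. */
    while (atomic_load(&s->state) != SLOT_DONE) sched_yield();
    long ret = s->ret;
    if (ret >= 0 && !result_is_sane(ret, len)) ret = -EIO;          /* refuse oversized result */
    if (nr == SYS_read && ret > 0) memcpy(buf, s->buf, (size_t)ret); /* copy into the enclave */
    atomic_store(&s->state, SLOT_FREE);
    if (ret < 0) { errno = (int)-ret; return -1; }
    return (ssize_t)ret;
}

/* Round trip through a pipe: write via one slot, read back via another. Returns 0 on success. */
int demo_roundtrip(void) {
    static const char msg[] = "constructed sample payload";   /* constructed input */
    char out[MAXBUF] = {0};
    int p[2];
    if (pipe(p) != 0) return -1;
    atomic_store(&host_running, 1);
    pthread_t host;
    if (pthread_create(&host, NULL, host_loop, NULL) != 0) return -1;
    ssize_t w = enclave_io(SYS_write, p[1], (void *)msg, sizeof msg);
    ssize_t r = enclave_io(SYS_read, p[0], out, sizeof out);
    atomic_store(&host_running, 0);
    pthread_join(host, NULL);
    close(p[0]); close(p[1]);
    return (w == (ssize_t)sizeof msg && r == w && memcmp(out, msg, sizeof msg) == 0) ? 0 : -1;
}

int main(void) {
    printf("roundtrip: %s\n", demo_roundtrip() == 0 ? "ok" : "FAILED");
    printf("oversized result rejected: %s\n", result_is_sane(4096, MAXBUF) ? "no" : "yes");
    return 0;
}
```

With a real enclave the host thread would be the SCONE module's system call thread and the wait loop would be the M:N scheduler picking the next runnable user space thread; the slot layout and the two copies (out before the call, in after it) are what keep enclave pointers from ever reaching untrusted code.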

Container Integration
[Figure: Repository, Docker Engine, Secure Image, Enclave, SCONE Client, Docker Client]
1. push image
2. run
3. pull image
4. execute
5. secure channel

System Call Performance
[Figure: system call frequency (1000s/second, log scale 1 to 10000) versus threads (1 to 8); lines: native, async, sync; annotations: "async with 1 thread achieves 80%", "optimized queue may help"]
• pwrite() with 32 byte buffer
• 4 cores with hyper threading

Apache Throughput
[Figure: latency (seconds, 0 to 4) versus throughput (requests / second, 0 to 60000); lines: glibc, async, sync; annotations: 0.8× (async), 0.7× (sync)]

Performance Overview
Throughput w.r.t. native:

| Application | async (%) | sync (%) |
|---|---|---|
| Memcached | 120 | 113 |
| Apache | 80 | 70 |
| NGINX | 80 | 36 |
| Redis | 60 | 20 |

• inline encryption has less overhead (annotation on Memcached, which exceeds native throughput)
• inline encryption hurts performance with a single thread (annotation on Redis, which is single-threaded)

Summary
• Small trusted computing base (0.6× – 2.0× of native binary size)
• Low runtime overhead (0.6× – 1.2× of native throughput)
• Transparent to the container engine (e.g. Docker)