Abstract | ||
---|---|---|
Intel SGX hardware enables applications to protect themselves from potentially-malicious OSes or hyper visors. In cloud computing and other systems, many users and applications could benefit from SGX. Unfortunately, current applications will not work out-of-the-box on SGX. Although previous work has shown that a library OS can execute unmodified applications on SGX, a belief has developed that a library OS will be ruinous for performance and TCB size, making application code modification an implicit prerequisite to adopting SGX.This paper demonstrates that these concerns are exaggerated, and that a fully-featured library OS can rapidly deploy unmodified applications on SGX with overheads comparable to applications modified to use "shim" layers. We present a port of Graphene to SGX, as well as a number of improvements to make the security benefits of SGX more usable, such as integrity support for dynamically-loaded libraries, and secure multi-process support. Graphene-SGX supports a wide range of unmodified applications, including Apache, GCC, and the R interpreter. The performance overheads of Graphene-SGX range from matching a Linux process to less than 2x in most single-process cases; these overheads are largely attributable to current SGX hardware or missed opportunities to optimize Graphene internals, and are not necessarily fundamental to leaving the application unmodified. Graphene-SGX is open-source and has been used concurrently by other groups for SGX research. |
Year | Venue | Field |
---|---|---|
2017 | 2017 USENIX ANNUAL TECHNICAL CONFERENCE (USENIX ATC '17) | USable,Computer science,Parallel computing,Hypervisor,Operating system,Cloud computing,Overhead (business) |
DocType | Citations | PageRank |
Conference | 20 | 0.88 |
References | Authors | |
28 | 3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Chia-Che Tsai | 1 | 120 | 7.81 |
Donald E. Porter | 2 | 389 | 32.25 |
Mona Vij | 3 | 36 | 4.51 |