Paper Title
Occlum: Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX
Paper Authors
Paper Abstract
Intel Software Guard Extensions (SGX) enables user-level code to create private memory regions called enclaves, whose code and data are protected by the CPU from software and hardware attacks outside the enclaves. Recent work introduces library operating systems (LibOSes) to SGX so that legacy applications can run inside enclaves with few or even no modifications. As virtually any non-trivial application demands multiple processes, it is essential for LibOSes to support multitasking. However, none of the existing SGX LibOSes support multitasking both securely and efficiently. This paper presents Occlum, a system that enables secure and efficient multitasking on SGX. We implement the LibOS processes as SFI-Isolated Processes (SIPs). SFI is a software instrumentation technique for sandboxing untrusted modules (called domains). We design a novel SFI scheme named MPX-based, Multi-Domain SFI (MMDSFI) and leverage MMDSFI to enforce the isolation of SIPs. We also design an independent verifier to ensure the security guarantees of MMDSFI. With SIPs safely sharing the single address space of an enclave, the LibOS can implement multitasking efficiently. The Occlum LibOS outperforms the state-of-the-art SGX LibOS on multitasking-heavy workloads by up to 6,600X on micro-benchmarks and up to 500X on application benchmarks.