Toward Migration of SGX-Enabled Containers

Containers are becoming the de facto platform for cloud computing. While cloud security has been a major concern, Intel SGX provisions powerful protection guarantees that can be used for containers. However, this technology does not come for free. For example, limited Enclave Page Cache (EPC) challenges the migration design of SGX-enabled containers.We note that previous security protocols are problematic concerning migration of SGX-enabled containers, which will lead to the failure of measures to prevent fork/fallback attacks. In this paper, we propose the migration of SGX-enabled containers and explore the challenges of deploying and migrating SGX-enabled containers considering both EPC resources and persistent storage. To our best knowledge, we are the first to design and implement such a framework for the SGX-enabled container migration that is easy, flexible and lightweight to deploy. We evaluate the proposed framework by migrating SGX-enabled Sqlite3 container and the experimental result shows that the proposed framework has about 15% overhead, which is acceptable due to its security advantage.

[1]  Shripad Nadgowda,et al.  Voyager: Complete Container State Migration , 2017, 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS).

[2]  A. Mirkin Containers checkpointing and live migration , 2010 .

[3]  JongWon Kim,et al.  Stateful Container Migration employing Checkpoint-based Restoration for Orchestrated Container Clusters , 2018, 2018 International Conference on Information and Communication Technology Convergence (ICTC).

[4]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[5]  Patrick Traynor,et al.  A Practical Intel SGX Setting for Linux Containers in the Cloud , 2019, CODASPY.

[6]  Yubin Xia,et al.  Secure Live Migration of SGX Enclaves on Untrusted Cloud , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[7]  Kwangjo Kim,et al.  eMotion: An SGX extension for migrating enclaves , 2019, Comput. Secur..

[8]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[9]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[10]  Valerio Schiavoni,et al.  SGX-Aware Container Orchestration for Heterogeneous Clusters , 2018, 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS).

[11]  Chung-Horng Lung,et al.  LXC Container Migration in Cloudlets under Multipath TCP , 2017, 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC).

[12]  Michael Hamburg,et al.  Meltdown , 2018, meltdownattack.com.

[13]  Jaemin Park,et al.  Toward Live Migration of SGX-Enabled Virtual Machines , 2016, 2016 IEEE World Congress on Services (SERVICES).

[14]  N. Asokan,et al.  Migrating SGX Enclaves with Persistent State , 2018, 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).