sgx-perf: A Performance Analysis Tool for Intel SGX Enclaves

Novel trusted execution technologies such as Intel's Software Guard Extensions (SGX) are considered a cure to many security risks in clouds. This is achieved by offering trusted execution contexts, so-called enclaves, that enable confidentiality and integrity protection of code and data even from privileged software and physical attacks. To utilise this new abstraction, Intel offers a dedicated Software Development Kit (SDK). While it is already used to build numerous applications, understanding the performance implications of SGX and the offered programming support is still in its infancy. This inevitably leads to time-consuming trial-and-error testing and poses the risk of poor performance. To enable the development of well-performing SGX-based applications, this paper makes the following three contributions: First, it summarises identified performance-critical factors of SGX. Second, it presents sgx-perf, a collection of tools for high-level dynamic performance analysis of SGX-based applications. In particular, sgx-perf not only performs fine-grained profiling of performance-critical events in enclaves but also offers recommendations on how to improve enclave performance. Third, it demonstrates how we used sgx-perf in four non-trivial SGX workloads to increase their performance by up to 2.16x.
