AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting

Remote computation has numerous use cases such as cloud computing, client-side web applications, or volunteer computing. Typically, these computations are executed inside a sandboxed environment for two reasons: first, to isolate the execution in order to protect the host environment from unauthorised access, and second, to control and restrict resource usage. Often, there is mutual distrust between the entities providing the code and the ones executing it, owing to concerns over three potential problems: (i) loss of control over code and data by the providing entity, (ii) uncertainty about the integrity of the execution environment for customers, and (iii) a missing mutually trusted accounting of resource usage. In this paper, we present AccTEE, a two-way sandbox that offers remote computation with resource accounting trusted by both consumers and providers. AccTEE leverages two recent technologies: hardware-protected trusted execution environments, and WebAssembly, a novel platform-independent byte-code format. We show how AccTEE uses automated code instrumentation for fine-grained resource accounting while maintaining confidentiality and integrity of code and data. Our evaluation of AccTEE in three scenarios -- volunteer computing, serverless computing, and pay-by-computation for the web -- shows a maximum accounting overhead of 10%.
