Port or Shim? Stress Testing Application Performance on Intel SGX

Intel's newer processors come equipped with Software Guard Extensions (SGX) technology, allowing developers to write sections of code that run in a protected area of memory known as an enclave. In this work, we compare performance of two scenarios for running existing code on SGX. In one, a developer manually ports the code to SGX. In the other, a shim-layer and library OS are used to run the code unmodified on SGX. Our initial results demonstrate that when running an existing benchmarking tool under SGX, in addition to being much faster for development, code running in the library OS also tends to run at the same speed or faster than code that is manually ported. After obtaining this result, we then go on to design a series of microbenchmarks to characterize exactly what types of workloads would benefit from manual porting. We find that if the application to be ported has a small sensitive working set (less than the 6MB available cache size of the CPU), infrequently needs to enter the enclave (less than 110,000 times per second), and spends most of its time working on data outside of the enclave, then it may indeed perform better if it is manually ported as opposed to run in a shim.

[1]  Weidong Shi,et al.  A comparison study of intel SGX and AMD memory encryption technology , 2018, HASP@ISCA.

[2]  David M. Eyers,et al.  Glamdring: Automatic Application Partitioning for Intel SGX , 2017, USENIX ATC.

[3]  Donald E. Porter,et al.  Cooperation and security isolation of library OSes for multi-process applications , 2014, EuroSys '14.

[4]  Shweta Shinde,et al.  Panoply: Low-TCB Linux Applications With SGX Enclaves , 2017, NDSS.

[5]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[6]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[7]  Rüdiger Kapitza,et al.  sgx-perf: A Performance Analysis Tool for Intel SGX Enclaves , 2018, Middleware.

[8]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[9]  Donald E. Porter,et al.  Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX , 2017, USENIX Annual Technical Conference.

[10]  Todd M. Austin,et al.  Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves , 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[11]  Ion Stoica,et al.  Opaque: An Oblivious and Encrypted Distributed Analytics Platform , 2017, NSDI.

[12]  Rajeev Balasubramonian,et al.  VAULT: Reducing Paging Overheads in SGX with Efficient Integrity Verification Structures , 2018, ASPLOS.

[13]  Mohit Joshi,et al.  EA-PLRU: Enclave-Aware Cache Replacement , 2019, HASP@ISCA.

[14]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[15]  Shoumeng Yan,et al.  Switchless Calls Made Practical in Intel SGX , 2018 .

[16]  Chunxiao Xing,et al.  SGXKernel: A Library Operating System Optimized for Intel SGX , 2017, Conf. Computing Frontiers.

[17]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[18]  Valerio Schiavoni,et al.  Everything You Should Know About Intel SGX Performance on Virtualized Systems , 2019, Proc. ACM Meas. Anal. Comput. Syst..

[19]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.