Abstract
Cloud providers offering Software-as-a-Service (SaaS) are increasingly being trusted by customers to store sensitive data. Companies often monetize such personal data through curation and analysis, providing customers with personalized application experiences and targeted advertisements. Personal data is often accompanied by strict privacy and security policies, requiring data processing to be governed by non-trivial enforcement mechanisms. Moreover, to offset the cost of hosting the potentially large amounts of data privately, SaaS companies even employ Infrastructure-as-a-Service (IaaS) cloud providers not under the direct supervision of the administrative entity responsible for the data. Intel Software Guard Extensions (SGX) is a recent trusted computing technology that can mitigate some of these privacy and security concerns through the remote attestation of computations, establishing trust on hardware residing outside the administrative domain. This paper investigates and demonstrates the added cost of using SGX, and further argues that great care must be taken when designing system software in order to avoid the performance penalty incurred by trusted computing. We describe these costs and present eight specific principles that application authors should follow to increase the performance of their trusted computing systems.
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Gjerdrum, A.T., Johansen, H.D., Johansen, D.: Implementing informed consent as information-flow policies for secure analytics on eHealth data: principles and practices. In: IEEE Conference on Connected Health: Applications, Systems and Engineering Technologies: The 1st International Workshop on Security, Privacy, and Trustworthiness in Medical Cyber-Physical System, CHASE 2016. IEEE (2016)
Johansen, H.D., Birrell, E., Van Renesse, R., Schneider, F.B., Stenhaug, M., Johansen, D.: Enforcing privacy policies with meta-code. In: 6th Asia-Pacific Workshop on Systems, p. 16. ACM (2015)
Osborn, J.D., Challener, D.C.: Trusted platform module evolution. Johns Hopkins APL Tech. Digest 32, 536–543 (2013)
TCG Published: TPM main part 1 design principles. Specification Version 1.2 Revision 116, Trusted Computing Group (2011)
Anati, I., Gueron, S., Johnson, S., Scarlata, V.: Innovative technology for CPU based attestation and sealing. In: 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, vol. 13 (2013)
Costan, V., Devadas, S.: Intel SGX explained. In: Cryptology ePrint Archive (2016)
Gjerdrum, A.T., Pettersen, R., Johansen, H.D., Johansen, D.: Performance of trusted computing in cloud infrastructures with Intel SGX. In: 7th International Conference on Cloud Computing and Services Science, CLOSER 2017. SCITEPRESS (2017)
Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with Haven. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014). USENIX Advanced Computing Systems Association (2014)
Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.: Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems. In: 13th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS XIII, pp. 2–13. ACM, New York (2008)
Arnautov, S., Trach, B., Gregor, F., Knauth, T., Martin, A., Priebe, C., Lind, J., Muthukumaran, D., O’Keeffe, D., Stillwell, M.L., Goltzsche, D., Eyers, D., Kapitza, R., Pietzuch, P., Fetzer, C.: Scone: secure Linux containers with Intel SGX. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2016), GA, pp. 689–703. USENIX Association (2016)
Costan, V., Lebedev, I., Devadas, S.: Sanctum: minimal hardware extensions for strong software isolation. In: USENIX Security, vol. 16, pp. 857–874 (2016)
McKeen, F., Alexandrovich, I., Anati, I., Caspi, D., Johnson, S., Leslie-Hurd, R., Rozas, C.: Intel® software guard extensions (Intel® SGX) support for dynamic memory management inside an enclave. In: Hardware and Architectural Support for Security and Privacy 2016, p. 10. ACM (2016)
Hunt, T., Zhu, Z., Xu, Y., Peter, S., Witchel, E.: Ryoan: a distributed sandbox for untrusted computation on secret data. In: 12th USENIX Conference on Operating Systems Design and Implementation, OSDI 2016, pp. 533–549. USENIX Association, Berkeley (2016)
Ngabonziza, B., Martin, D., Bailey, A., Cho, H., Martin, S.: Trustzone explained: architectural features and use cases. In: 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), pp. 445–451. IEEE (2016)
Shuja, J., Gani, A., Bilal, K., Khan, A.U.R., Madani, S.A., Khan, S.U., Zomaya, A.Y.: A survey of mobile device virtualization: taxonomy and state of the art. ACM Comput. Surv. (CSUR) 49, 1 (2016)
Pettersen, R., Johansen, H.D., Johansen, D.: Trusted execution on ARM TrustZone. In: 7th International Conference on Cloud Computing and Services Science (CLOSER 2017) (2017)
Acknowledgments
This work was supported in part by the Norwegian Research Council project numbers 263248/O70 and 250138. We would like to thank Robbert van Renesse for his insights and discussions, and anonymous reviewers for their useful insights and comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Gjerdrum, A.T., Pettersen, R., Johansen, H.D., Johansen, D. (2018). Performance Principles for Trusted Computing with Intel SGX. In: Ferguson, D., Muñoz, V., Cardoso, J., Helfert, M., Pahl, C. (eds) Cloud Computing and Service Science. CLOSER 2017. Communications in Computer and Information Science, vol 864. Springer, Cham. https://doi.org/10.1007/978-3-319-94959-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-94959-8_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94958-1
Online ISBN: 978-3-319-94959-8
eBook Packages: Computer ScienceComputer Science (R0)