Security, Performance and Energy Trade-Offs of Hardware-Assisted Memory Protection Mechanisms

Göttel, Christian; Pires, Rafael; Rocha, Isabelly; Vaucher, Sébastien; Felber, Pascal; Pasin, Marcelo; Schiavoni, Valerio

doi:10.1109/srds.2018.00024

Cited by 31 publications

(17 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…VM-based TEE implementations (e.g. AMD SEV, IBM SVM, and Intel TDX) support portability of legacy applications with a modest performance overhead [6], but have a larger attack surface and are vulnerable to several classes of attacks [17]. Process-based TEEs (e.g.…”

mentioning

confidence: 99%

“…Intel SGX and ARM TrustZone) on the other hand have a smaller attack surface and improved security and were proposed for protecting network applications [12,13,24,30]. Unfortunately, the additional security checks together with memory access limitations negatively affect the performance of process-based TEEs [6]. Furthermore, these have shown to be particularly vulnerable to microarchitectural attacks [26] and platform vendors have repeatedly issued microcode patches to alleviate security problems [5].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Faster enclave transitions for IO-intensive network applications

Svenningsson

Paladi

Vahidi

2021

Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network INfrastructure

View full text Add to dashboard Cite

Process-based confidential computing enclaves such as Intel SGX have been proposed for protecting the confidentiality and integrity of network applications, without the overhead of virtualization. However, these solutions introduce other types of overhead, particularly the cost transitioning in and out of an enclave context. This makes the use of enclaves impractical for running IO-intensive applications, such as network packet processing. We build on earlier approaches to improve the IO performance of workloads in Intel SGX enclaves and propose the HotCall-Bundler library that helps reduce the cost of individual single enclave transitions and the total number of enclave transitions in trusted applications running in Intel SGX enclaves. We describe the implementation of the HotCall-Bundler library, evaluate its performance and demonstrate its practicality using the case study of Open vSwitch, a widely used software switch implementation. CCS CONCEPTS• Security and privacy → Network security; Systems security; Security in hardware; Systems security; • Networks → Bridges and switches.

show abstract

mentioning

confidence: 99%

mentioning

confidence: 99%

Faster enclave transitions for IO-intensive network applications

Svenningsson

Paladi

Vahidi

2021

Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network INfrastructure

View full text Add to dashboard Cite

show abstract

“…VM-based TEE implementations (e.g. AMD SEV, IBM SVM, and Intel TDX) support portability of legacy applications with a modest performance overhead [8], but have a larger attack surface and are vulnerable to several classes of attacks [18]. Process-based TEEs (e.g.…”

Section: Introductionmentioning

confidence: 99%

“…Intel SGX and ARM TrustZone) on the other hand have a smaller attack surface and improved security. Unfortunately, the additional security checks together with memory access limitations also affect the performance of process-based TEEs negatively [8]. Furthermore, these have shown to be particularly vulnerable to microarchitectural attacks [26] and platform vendors have repeatedly issued microcode patches to alleviate security problems [7].…”

Section: Introductionmentioning

confidence: 99%

Speeding up enclave transitions for IO-intensive applications

Svenningsson¹,

Paladi²,

Vahidi³

2021

Preprint

View full text Add to dashboard Cite

Process-based confidential computing enclaves such as Intel SGX can be used to protect the confidentiality and integrity of workloads, without the overhead of virtualisation. However, they introduce a notable performance overhead, especially when it comes to transitions in and out of the enclave context. Such overhead makes the use of enclaves impractical for running IO-intensive applications, such as network packet processing or biological sequence analysis. We build on earlier approaches to improve the IO performance of work-loads in Intel SGX enclaves and propose the SGX-Bundler library, which helps reduce the cost of both individual single enclave transitions well as of the total number of enclave transitions in trusted applications running in Intel SGX enclaves. We describe the implementation of the SGX-Bundler library, evaluate its performance and demonstrate its practicality using the case study of Open vSwitch, a widely used software switch implementation.

show abstract

“…Homomorphic encryption (HE) is a cryptographic scheme that allows evaluating algorithms over encrypted data without having to decrypt it [4]. In spite of reducing the trusted computing base (TCB) to zero on the remote side, HE frameworks are currently prohibitively slow [5]. On the other hand, we have Trusted Execution Environments (TEE).…”

Section: Introductionmentioning

confidence: 99%

Secure Stream Processing for Medical Data

Segarra

Muntané

Lemay

et al. 2019

2019 41st Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC)

Self Cite

View full text Add to dashboard Cite

Medical data belongs to whom it produces it. In an increasing manner, this data is usually processed in unauthorized third-party clouds that should never have the opportunity to access it. Moreover, recent data protection regulations (e.g., GDPR) pave the way towards the development of privacy-preserving processing techniques. In this paper, we present a proof of concept of a streaming IoT architecture that securely processes cardiac data in the cloud combining trusted hardware and Spark. The additional security guarantees come with no changes to the application's code in the server. We tested the system with a database containing ECGs from wearable devices comprised of 8 healthy males performing a standardized range of in-lab physical activities (e.g., run, walk, bike). We show that, when compared with standard SPARK STREAMING, the addition of privacy comes at the cost of doubling the execution time.

show abstract

Security, Performance and Energy Trade-Offs of Hardware-Assisted Memory Protection Mechanisms

Cited by 31 publications

References 23 publications

Faster enclave transitions for IO-intensive network applications

Faster enclave transitions for IO-intensive network applications

Speeding up enclave transitions for IO-intensive applications

Secure Stream Processing for Medical Data

Contact Info

Product

Resources

About