research-article

Regaining Lost Seconds: Efficient Page Preloading for SGX Enclaves

Authors:

Pen-Chung YewAuthors Info & Claims

Middleware '20: Proceedings of the 21st International Middleware Conference

Pages 326 - 340

https://doi.org/10.1145/3423211.3425673

Published: 11 December 2020 Publication History

Abstract

Intel SGX is already here, with a strong emphasis on security and privacy. However, it is not free. Studies have shown that it incurs a significant performance overhead to take advantage of the security and privacy enhancement offered by SGX. In particular, it only provides limited physical memory for applications to use SGX. As a result, page faults can be frequently triggered during program execution, especially for memory-intensive applications with a large memory footprint. Therefore, it is imperative to look into possible optimization opportunities to enhance the efficiency of SGX.

To this end, this paper proposes to leverage memory page preloading techniques to mitigate such a problem. More specifically, we propose two effective schemes to preload memory pages before they are accessed. This way, the number of page faults can be significantly reduced. To demonstrate the effectiveness of the proposed schemes, we have implemented them in a prototype using LLVM and an untrusted operating system.

Experimental results on benchmarks from SPEC CPU2017 and a micro-benchmark program show that, on average, these two mechanisms can achieve 11.4% and 7.0% performance improvement with a maximum performance improvement of 18.6% and 9.0%, respectively. The two mechanisms are also evaluated when they are deployed together. The combined approach can achieve an improvement of 7.1% on some real-world applications such as SIFT and MSER.

References

[1]

2017. MIT-Adobe fivek datasett. (2017). http://data.csail.mit.edu/graphics/fivek/.

[2]

AMD. 2020. AMD GuardMI Technology. https://www.amd.com/en/technologies/guardmi.

[3]

ARM. 2020. Introducing Arm TrustZone. https://developer.arm.com/ip-products/security-ip/trustzone.

[4]

Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark L. Stillwell, David Goltzsche, David Eyers, Rüdiger Kapitza, Peter Pietzuch, and Christof Fetzer. 2016. SCONE: Secure Linux Containers with Intel SGX. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation (Savannah, GA, USA) (OSDI'16). USENIX Association, Berkeley, CA, USA, 689--703.

[5]

Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark L. Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter Pietzuch, and Christof Fetzer. 2016. SCONE: Secure Linux Containers with Intel SGX. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, Savannah, GA, 689--703.

Digital Library

[6]

Grant Ayers, Heiner Litz, Christos Kozyrakis, and Parthasarathy Ranganathan. 2020. Classifying Memory Access Patterns for Prefetching. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 513--526.

Digital Library

[7]

Thomas Ball and James R Larus. 1994. Optimally profiling and tracing programs. ACM Transactions on Programming Languages and Systems (TOPLAS) 16, 4 (1994), 1319--1360.

Digital Library

[8]

Laszlo A. Belady. 1966. A study of replacement algorithms for a virtual-storage computer. IBM Systems journal 5, 2 (1966), 78--101.

Digital Library

[9]

Jacob Brock, Chencheng Ye, Chen Ding, Yechen Li, Xiaolin Wang, and Yingwei Luo. 2015. Optimal cache partition-sharing. In 2015 44th International Conference on Parallel Processing. IEEE, 749--758.

Digital Library

[10]

James Bucek, Klaus-Dieter Lange, and Jóakim v. Kistowski. 2018. SPEC CPU2017: Next-generation compute benchmark. In Companion of the 2018 ACM/SPEC International Conference on Performance Engineering. 41--42.

Digital Library

[11]

Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive 2016, 086 (2016), 1--118.

[12]

Damon. 2019. Cost of a page fault trap. (2019). Accessed 19 Apirl 2020. https://stackoverflow.com/questions/10223690/cost-of-a-page-fault-trap.

[13]

Tu Dinh Ngoc, Bao Bui, Stella Bitchebe, Alain Tchana, Valerio Schiavoni, Pascal Felber, and Daniel Hagimont. 2019. Everything You Should Know About Intel SGX Performance on Virtualized Systems. Proc. ACM Meas. Anal. Comput. Syst. 3, 1, Article 5 (March 2019), 21 pages.

[14]

WU Fengguang, XI Hongsheng, and XU Chenfeng. 2008. On the design of a new linux readahead framework. ACM SIGOPS Operating Systems Review 42, 5 (2008), 75--84.

Digital Library

[15]

Milad Hashemi, Kevin Swersky, Jamie A Smith, Grant Ayers, Heiner Litz, Jichuan Chang, Christos Kozyrakis, and Parthasarathy Ranganathan. 2018. Learning memory access patterns. arXiv preprint arXiv:1803.02329 (2018).

[16]

Greg Hoglund and Gary McGraw. 2004. Exploiting Software: How to Break Code. Pearson Higher Education.

[17]

IBM. 2020. IBM Secure Service Container. https://www.ibm.com/us-en/marketpiace/secure-service-container.

[18]

Intel. 2020. Intel Software Guard Extensions. https://software.intel.com/en-us/sgx.

[19]

Intel. 2020. Intel Software Guard Extensions SDK. https://software.intel.com/en-us/sgx/sdk.

[20]

Intel. 2020. Intel(R) Software Guard Extensions for Linux OS. https://github.com/intei/linux-sgx-driver.

[21]

Pratheek Karnati. 2020. Data-in-use protection on IBM Cloud using Intel SGX. https://www.ibm.com/cioud/biog/data-use-protection-ibm-cioud-using-intei-sgx.

[22]

Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime (Optimization (Palo Alto, California) (CGO '04). IEEE Computer Society, Washington, DC, USA, 75-.

[23]

Hui Lei and Dan Duchamp. 1997. An analytical approach to file prefetching. In USENIX Annual Technical Conference. 275--288.

[24]

Roy Levin, Ilan Newman, and Gadi Haber. 2008. Complementing missing and inaccurate profiling using a minimum cost circulation algorithm. In International Conference on High-Performance Embedded Architectures and Compilers. Springer, 291--304.

[25]

Microsoft. 2020. Protection by design: Intel SGX and Azure Confidential Computing. https://azure.microsoft.com/en-us/resources/videos/ignite-2018-protection-by-design-intei-sgx-and-azure-confidentiai-computing.

[26]

Meni Orenbach, Pavel Lifshits, Marina Minkin, and Mark Silberstein. 2017. Eleos: ExitLess OS services for SGX enclaves. In Proceedings of the Twelfth European Conference on Computer Systems. ACM, 238--253.

Digital Library

[27]

Meni Orenbach, Yan Michalevsky, Christof Fetzer, and Mark Silberstein. 2019. CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves. In 2019 USENIX Annual Technical Conference (USENIX ATC 19). USENIX Association, Renton, WA, 555--570.

[28]

Guilherme Ottoni. 2018. HHVM JIT: A Profile-guided, Region-based Compiler for PHP and Hack. In ACM SIGPLAN Notices, Vol. 53. ACM, 151--165.

[29]

Anastasios Papagiannis, Giorgos Xanthakis, Giorgos Saloustros, Manolis Marazakis, and Angelos Bilas. 2020. Optimizing Memory-mapped I/O for Fast Storage Devices. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 813--827.

[30]

David K Poulsen and Pen-Chung Yew. 1994. Data prefetching and data forwarding in shared memory multiprocessors. In 1994 Internatonal Conference on Parallel Processing Vol. 2, Vol. 2. IEEE, 280--280.

Digital Library

[31]

Moinuddin K Qureshi and Yale N Patt. 2006. Utility-based cache partitioning: A low-overhead, high-performance, runtime mechanism to partition shared caches. In 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO '06). IEEE, 423--432.

Digital Library

[32]

RedHat. 2019. CVE-2019-0117. (2019). Accessed 10 Sept 2020. https://access.redhat.com/security/cve/CVE-2019-0117.

[33]

Yang Sa. 2015. Medical Image Registration Algorithm Based on Compressive Sensing and Scale-Invariant Feature Transform. In 2015 8th International Conference on Intelligent Computation Technology and Automation (ICICTA). IEEE, 547--551.

[34]

Gururaj Saileshwar, Prashant Nair, Prakash Ramrakhyani, Wendy Elsasser, Jose Joao, and Moinuddin Qureshi. 2018. Morphable counters: Enabling compact integrity trees for low-overhead secure memories. In 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). IEEE, 416--427.

Digital Library

[35]

Ehab Salahat, Hani Saleh, Andrzej S Sluzek, Baker Mohammad, Mahmoud Al-Qutayri, and Mohammad Ismail. 2015. Novel MSER-guided street extraction from satellite images. In 2015 IEEE International Geoscience and Remote Sensing Symposium (IGARSS). IEEE, 1032--1035.

[36]

Luis A Salazar-Licea, C Mendoza, MA Aceves, JC Pedraza, and Alberto Pastrana-Palma. 2014. Automatic segmentation of mammograms using a Scale-Invariant Feature Transform and K-means clustering algorithm. In 2014 11th International Conference on Electrical Engineering, Computing Science and Automatic Control (CCE). IEEE, 1--6.

[37]

Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. [n.d.]. Zero-Trace: Oblivious Memory Primitives from Intel SGX. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018.

[38]

Meysam Taassori, Ali Shafiee, and Rajeev Balasubramonian. 2018. VAULT: Reducing paging overheads in SGX with efficient integrity verification structures. In ACM SIGPLAN Notices, Vol. 53. ACM, 665--678.

Digital Library

[39]

Chia-Che Tsai, Donald E Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In Proceedings of the 2017 USENIX Conference on Usenix Annual Technical Conference (USENIX ATC '17). 645--658.

[40]

Sravanthi Kota Venkata, Ikkjin Ahn, Donghwan Jeon, Anshuman Gupta, Christopher Louie, Saturnino Garcia, Serge Belongie, and Michael Bedford Taylor. 2009. SD-VBS: The San Diego vision benchmark suite. In 2009 IEEE International Symposium on Workload Characterization (IISWC). IEEE, 55--64.

Digital Library

[41]

Krishnaswamy Viswanathan. 2014. Disclosure of Hardware Prefetcher Control on Some Intel® Processors. https://software.intel.com/content/www/us/en/develop/articles/disclosure-of-hw-prefetcher-control-on-some-intel-processors.html.

[42]

Ofir Weisse, Valeria Bertacco, and Todd Austin. 2017. Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves. In ACM SIGARCH Computer Architecture News, Vol. 45. ACM, 81--93.

Digital Library

[43]

wolfSSL. 2020. wolfSSL with Intel® SGX. https://www.wolfssl.com/wolfssl-with-intel-sgx.

[44]

Yuejian Xie and Gabriel H Loh. 2009. PIPP: promotion/insertion pseudo-partitioning of multi-core shared caches. ACM SIGARCH Computer Architecture News 37, 3 (2009), 174--183.

Digital Library

[45]

Haijiang Zhu, Junhui Sheng, Fan Zhang, Jinglin Zhou, and Jing Wang. 2016. Improved maximally stable extremal regions based method for the segmentation of ultrasonic liver images. Multimedia Tools and Applications 75, 18 (2016), 10979--10997.

Digital Library

Cited By

Pandith O(2024)SGXFault: An Efficient Page Fault Handling Mechanism for SGX EnclavesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.326816921:3(1173-1178)Online publication date: May-2024
https://doi.org/10.1109/TDSC.2023.3268169
Yao JMeng XZheng YWang C(2023)Privacy-Preserving Content-Based Similarity Detection Over in-the-Cloud MiddleboxesIEEE Transactions on Cloud Computing10.1109/TCC.2022.316932911:2(1854-1870)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TCC.2022.3169329
El-Hindi MZiegler THeinrich MLutsch AZhao ZBinnig C(2022)Benchmarking the Second Generation of Intel SGX HardwareProceedings of the 18th International Workshop on Data Management on New Hardware10.1145/3533737.3535098(1-8)Online publication date: 12-Jun-2022
https://dl.acm.org/doi/10.1145/3533737.3535098
Show More Cited By

Index Terms

Regaining Lost Seconds: Efficient Page Preloading for SGX Enclaves
1. Security and privacy
  1. Security in hardware
    1. Hardware security implementation
2. Software and its engineering
  1. Software organization and properties
    1. Contextual software domains
      1. Operating systems
        Memory management

Recommendations

VAULT: Reducing Paging Overheads in SGX with Efficient Integrity Verification Structures
ASPLOS '18: Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems

Intel's SGX offers state-of-the-art security features, including confidentiality, integrity, and authentication (CIA) when accessing sensitive pages in memory. Sensitive pages are placed in an Enclave Page Cache (EPC) within the physical memory before ...
ShieldStore: Shielded In-memory Key-value Storage with SGX
EuroSys '19: Proceedings of the Fourteenth EuroSys Conference 2019

The shielded computation of hardware-based trusted execution environments such as Intel Software Guard Extensions (SGX) can provide secure cloud computing on remote systems under untrusted privileged system software. However, hardware overheads for ...
SGX-LEGO: Fine-grained SGX controlled-channel attack and its countermeasure
Abstract
The introduction of Intel Software Guard eXtension (SGX) prompted security researchers to verify its effectiveness. One of the frequently discussed attacks against SGX is the side-channel attack by gathering page-fault information (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

Middleware '20: Proceedings of the 21st International Middleware Conference

December 2020

455 pages

ISBN:9781450381536

DOI:10.1145/3423211

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 December 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

faculty startup funding of the University of Georgia
Natural Science Foundation of Tianjin City
National Natural Science Foundation of China
National Key Research and Development Program of China
CERNET Innovation Project

Conference

Middleware '20

Sponsor:

ACM

Middleware '20: 21st International Middleware Conference

December 7 - 11, 2020

Delft, Netherlands

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%

Upcoming Conference

MIDDLEWARE '24

25th International Middleware Conference

December 2 - 6, 2024

Hong Kong , Hong Kong

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
249
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)1

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Pandith O(2024)SGXFault: An Efficient Page Fault Handling Mechanism for SGX EnclavesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.326816921:3(1173-1178)Online publication date: May-2024
https://doi.org/10.1109/TDSC.2023.3268169
Yao JMeng XZheng YWang C(2023)Privacy-Preserving Content-Based Similarity Detection Over in-the-Cloud MiddleboxesIEEE Transactions on Cloud Computing10.1109/TCC.2022.316932911:2(1854-1870)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TCC.2022.3169329
El-Hindi MZiegler THeinrich MLutsch AZhao ZBinnig C(2022)Benchmarking the Second Generation of Intel SGX HardwareProceedings of the 18th International Workshop on Data Management on New Hardware10.1145/3533737.3535098(1-8)Online publication date: 12-Jun-2022
https://dl.acm.org/doi/10.1145/3533737.3535098
Kumar SPanda ASarangi S(2022)SGXGauge: A Comprehensive Benchmark Suite for Intel SGX2022 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS)10.1109/ISPASS55109.2022.00014(135-137)Online publication date: May-2022
https://doi.org/10.1109/ISPASS55109.2022.00014
Kumar SSarangi SBilge LDumitras T(2021)SecureFS: A Secure File System for Intel SGXProceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3471621.3471840(91-102)Online publication date: 6-Oct-2021
https://dl.acm.org/doi/10.1145/3471621.3471840

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents