scone: secure linux containers with intel...
TRANSCRIPT
![Page 1: SCONE: Secure Linux Containers with Intel SGXwebpages.eng.wayne.edu/~fy8421/16fa-csc6991/slides/19-SCONE.pdf · 3.5 Docker integra7on: The integraon of secure containers with Docker](https://reader030.vdocuments.mx/reader030/viewer/2022040306/5ec56e06b18bbb3f2256b978/html5/thumbnails/1.jpg)
SCONE: Secure Linux Containers with Intel SGX
Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre Martin1, Christian Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan O'Keeffe2, Mark L Stillwell2, David Goltzsche3, David Eyers4, Rüdiger Kapitza3, Peter Pietzuch2, and Christof Fetzer1
1 Fakultät Informatik, TU Dresden, [email protected]; 2 Imperial College London, [email protected]; 3 TU Braunschweig, [email protected]; 4 University of Otago, [email protected]
Presented by: Saeid Mofrad
1 - INTRODUCTION: Linux Containers: Containers use OS-level virtualization and they are popular for packaging, deploying and managing services such as key/value stores and web servers. Unlike VMs, they do not require hypervisors or a dedicated OS kernel. Instead, they use kernel features to isolate processes, and thus do not need to trap system calls or emulate hardware devices.
• A container process can run as a normal system process. Containers are lightweight (they use the host OS for I/O operations, resource management, etc.) and have higher I/O throughput and lower latency than VMs. Isolation is weak since it relies on software kernel mechanisms, which makes it easier for attackers to compromise the confidentiality and integrity of application data within containers.
• Docker and LXC are used for packaging containers.
• Docker Swarm or Kubernetes are used for their deployment.
What is SCONE? SCONE is a Secure Container Environment for Docker that uses SGX to run Linux applications in secure containers.
Goal of SCONE:
1. Run unmodified Linux applications
2. In containers
3. In an untrusted cloud
4. Securely with acceptable performance
SCONE Properties:
1. Secure containers have a small TCB.
2. Secure containers have a low overhead.
3. Secure containers are transparent to Docker.
Design trade-offs: what system support should be placed inside an enclave to enable the secure execution of Linux processes in a container?
Challenges: a security decision about the size of the TCB and the interface exposed to the outside world, and the performance impact caused by SGX limitations.
TCB SIZE: A bigger TCB means a larger attack surface.
External container interface: To execute unmodified processes inside secure containers, the container must support a C standard library (libc) interface. Since any libc implementation must use system calls, which cannot be executed inside of an enclave, a secure container must also expose an external interface to the host OS. As the host OS is untrusted, the external interface becomes an attack vector.
To justify the design of SCONE, they explored alternate design choices.
Figure 1a shows a prior design point, as demonstrated by Haven, which minimizes the external interface by placing an entire Windows library OS inside the enclave. A benefit of this approach is that it exposes only a small external interface with 22 calls, because a large portion of a process' system support can be provided by the library OS. The library OS, however, increases the TCB size inside of the enclave.
To justify the design of SCONE, they explored alternate design choices. (cont.)
Figure 1b shows the opposite, extreme design point: the external interface is used to perform all libc library calls made by the application. This raises the challenge of protecting the confidentiality and integrity of application data whilst exposing a wide interface. For example, I/O calls such as read and write could be used to compromise data within the enclave, and code inside the secure container cannot trust returned data. A benefit of this approach is that it has a minimal TCB inside the enclave: only a small shim C library needs to relay libc calls to the host libc library outside of the enclave.
To justify the design of SCONE, they explored alternate design choices. (cont.)
Figure 1c shows a middle ground by defining the external interface at the level of system calls executed by the libc implementation.
• Shield libraries can be used to protect a security-sensitive set of system calls: file-descriptor-based I/O calls, such as read, write, send, and recv, are shielded by transparently encrypting and decrypting the user data.
Table 1 shows the performance and resource metrics for each service using the Linux library OS compared to a native glibc deployment. On average, the library OS increases the TCB size by 5x, the service latency by 4x, and halves the service throughput.
Observation: System call overhead and memory access overhead. A micro-benchmark on an Intel Xeon CPU E3-1230 v5 at 3.4 GHz measuring the maximum rate at which pwrite system calls can be executed with and without an enclave.
End of presentation
3.2 External interface shielding: SCONE supports a set of shields. Shields focus on: (1) preventing low-level attacks, such as the OS kernel controlling pointers and buffer sizes passed to the service; (2) ensuring the confidentiality and integrity of the application data passed through the OS.
SCONE supports shields for: (1) the transparent encryption of files; (2) the transparent encryption of communication channels via TLS; (3) the transparent encryption of console streams.
A shield also has configuration parameters, which are encrypted and can be accessed only after the enclave has been initialized.
File system shield: The file system shield protects the confidentiality and integrity of files. The container image creator must define three disjoint sets of file path prefixes: (1) unprotected files, (2) encrypted and authenticated files, (3) authenticated files.
- Processes in a secure container have access to the standard Docker tmpfs, but it is costly; as a lightweight alternative, SCONE supports a secure ephemeral file system through its file system shield. The ephemeral file system maintains the state of modified files in non-enclave memory and it is faster than tmpfs. The ephemeral file system is resilient against rollback attacks: after restarting the container process, the file system returns to a preconfigured startup state that is validated by the file system shield, and therefore it is not possible for an attacker to roll back the file system to an intermediate state. This is also true during runtime, since the metadata for files' blocks resides within the enclave.
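As an added illustration (not code from the SCONE paper or from this presentation), the following C program models what the three disjoint prefix sets imply for the image creator: a configuration in which the same prefix is listed under two protection classes is rejected, and a path is classified by its longest matching prefix. The prefix lists, the enum names, the longest-match rule and the fail-closed default for paths that match no prefix are all assumptions of this example, not SCONE's actual configuration format or behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protection class of a file: one per prefix set the image creator declares. */
typedef enum {
    FS_UNPROTECTED   = 0,  /* passed through to the host file system as-is */
    FS_AUTHENTICATED = 1,  /* integrity-checked, stored in clear */
    FS_ENCRYPTED     = 2   /* encrypted and integrity-checked */
} fs_class_t;

typedef struct {
    const char **prefixes;
    size_t count;
    fs_class_t cls;
} fs_prefix_set_t;

/* Constructed example policy (assumption; not SCONE's configuration format). */
static const char *k_unprotected[]   = { "/usr/lib/", "/tmp/scratch/" };
static const char *k_authenticated[] = { "/usr/bin/", "/etc/app/" };
static const char *k_encrypted[]     = { "/var/app/data/", "/etc/app/secrets/" };

static const fs_prefix_set_t k_policy[] = {
    { k_unprotected,   2, FS_UNPROTECTED },
    { k_authenticated, 2, FS_AUTHENTICATED },
    { k_encrypted,     2, FS_ENCRYPTED },
};
#define N_SETS (sizeof k_policy / sizeof k_policy[0])

/* Configuration-time check: the sets are disjoint only if no prefix string
 * is listed under two protection classes. */
bool fs_policy_is_disjoint(const fs_prefix_set_t *sets, size_t nsets)
{
    for (size_t a = 0; a < nsets; a++)
        for (size_t b = a + 1; b < nsets; b++)
            for (size_t i = 0; i < sets[a].count; i++)
                for (size_t j = 0; j < sets[b].count; j++)
                    if (strcmp(sets[a].prefixes[i], sets[b].prefixes[j]) == 0)
                        return false;
    return true;
}

/* Classify a path by its longest matching prefix (assumption: a nested,
 * more specific prefix wins). A path matching no prefix fails closed to
 * the strongest class instead of silently going unprotected. */
fs_class_t fs_classify(const fs_prefix_set_t *sets, size_t nsets, const char *path)
{
    size_t best_len = 0;
    fs_class_t best = FS_ENCRYPTED;
    for (size_t s = 0; s < nsets; s++) {
        for (size_t i = 0; i < sets[s].count; i++) {
            const char *p = sets[s].prefixes[i];
            size_t len = strlen(p);
            if (len > best_len && strncmp(path, p, len) == 0) {
                best_len = len;
                best = sets[s].cls;
            }
        }
    }
    return best;
}

/* Helpers over the example policy. */
fs_class_t classify_example(const char *path) { return fs_classify(k_policy, N_SETS, path); }
bool example_policy_ok(void) { return fs_policy_is_disjoint(k_policy, N_SETS); }

/* A policy listing "/etc/app/" as both authenticated and encrypted must be
 * rejected: the shield could not tell which class applies to those files. */
bool overlapping_policy_rejected(void)
{
    const char *a[] = { "/etc/app/" };
    const char *b[] = { "/etc/app/" };
    const fs_prefix_set_t bad[] = {
        { a, 1, FS_AUTHENTICATED },
        { b, 1, FS_ENCRYPTED },
    };
    return !fs_policy_is_disjoint(bad, 2);
}

int main(void)
{
    const char *paths[] = { "/usr/lib/libc.so", "/etc/app/config.toml",
                            "/etc/app/secrets/key.pem", "/proc/self/maps" };
    printf("example policy disjoint: %s\n", example_policy_ok() ? "yes" : "no");
    for (size_t i = 0; i < 4; i++)
        printf("%-28s class %d\n", paths[i], (int)classify_example(paths[i]));
    return 0;
}
```

The disjointness check runs once at image build time; the classification runs on every path the shield sees, which is why it is kept to a prefix comparison. With the example policy, "/etc/app/config.toml" is authenticated only, while "/etc/app/secrets/key.pem" falls under the longer encrypted prefix.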
Network shield: SCONE permits clients to establish secure tunnels to it, wraps all socket operations and redirects them to a network shield. The network shield, upon establishing a new connection, performs a TLS handshake and encrypts/decrypts any data transmitted through the socket. The private key and certificate are read from the container's file system. Thus, they are protected by the file system shield.
Console shield: Containers permit authorized processes to attach to stdin, stdout, and stderr. SCONE supports transparent encryption for them. The symmetric encryption key is exchanged between the secure container and the SCONE client during the startup procedure. A console shield encrypts a stream by splitting it into variable-sized blocks. A stream is protected against replay and reordering attacks by assigning each block a unique identifier, which is checked by the authorized SCONE client.
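To make the replay and reordering check concrete, here is an added C model (not from the paper or this presentation) of the console shield's block identifiers: the enclave side splits a stream into variable-sized blocks and numbers them, and the authorized client accepts a block only if it carries exactly the next expected identifier. The encryption of the block payload is deliberately left out; the block layout, the size pattern and the sample stream are constructed assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLOCK  64
#define MAX_BLOCKS 16

/* One console block: a per-stream, strictly increasing identifier plus the
 * payload. Encryption of `data` is not modelled here (assumed layout). */
typedef struct {
    uint64_t id;
    size_t len;
    unsigned char data[MAX_BLOCK];
} console_block_t;

typedef struct { uint64_t next_id; } console_sender_t;     /* inside the enclave */
typedef struct { uint64_t expect_id; } console_receiver_t; /* authorized SCONE client */

/* Sender side: split the stream into variable-sized blocks, each tagged
 * with the next identifier. The 7/13 size pattern is constructed. */
size_t console_split(console_sender_t *s, const unsigned char *stream, size_t n,
                     console_block_t *out, size_t max_blocks)
{
    static const size_t sizes[2] = { 7, 13 };
    size_t made = 0, off = 0;
    while (off < n && made < max_blocks) {
        size_t take = sizes[made % 2];
        if (take > n - off) take = n - off;
        out[made].id = s->next_id++;
        out[made].len = take;
        memcpy(out[made].data, stream + off, take);
        off += take;
        made++;
    }
    return made;
}

/* Receiver side: accept a block only if it carries the next expected id.
 * A repeated id is a replay; a larger id means an earlier block was dropped
 * or reordered. Both are rejected rather than appended to the stream. */
bool console_accept(console_receiver_t *r, const console_block_t *b,
                    unsigned char *sink, size_t *sink_len, size_t sink_cap)
{
    if (b->id != r->expect_id || *sink_len + b->len > sink_cap) return false;
    memcpy(sink + *sink_len, b->data, b->len);
    *sink_len += b->len;
    r->expect_id++;
    return true;
}

static const char k_stream[] = "ENCLAVE STDOUT: request handled ok\n"; /* constructed */

/* In-order delivery, then blocks 0 and 1 replayed. Returns the number of
 * rejected deliveries, or -1 if the reassembled stream differs from the original. */
int console_replay_scenario(void)
{
    console_sender_t s = { 0 };
    console_receiver_t r = { 0 };
    console_block_t blocks[MAX_BLOCKS];
    unsigned char sink[sizeof k_stream];
    size_t sink_len = 0, n, i;
    int rejected = 0;

    n = console_split(&s, (const unsigned char *)k_stream, strlen(k_stream), blocks, MAX_BLOCKS);
    for (i = 0; i < n; i++)
        if (!console_accept(&r, &blocks[i], sink, &sink_len, sizeof sink)) rejected++;
    if (!console_accept(&r, &blocks[0], sink, &sink_len, sizeof sink)) rejected++; /* replay */
    if (!console_accept(&r, &blocks[1], sink, &sink_len, sizeof sink)) rejected++; /* replay */
    if (sink_len != strlen(k_stream) || memcmp(sink, k_stream, sink_len) != 0) return -1;
    return rejected;
}

/* Blocks 1 and 0 swapped on the wire: block 1 is rejected once, block 0 is
 * accepted, and block 1 is accepted only on re-delivery. Returns the
 * number of rejected deliveries. */
int console_reorder_scenario(void)
{
    console_sender_t s = { 0 };
    console_receiver_t r = { 0 };
    console_block_t blocks[MAX_BLOCKS];
    unsigned char sink[sizeof k_stream];
    size_t sink_len = 0;
    int rejected = 0;

    console_split(&s, (const unsigned char *)k_stream, strlen(k_stream), blocks, MAX_BLOCKS);
    if (!console_accept(&r, &blocks[1], sink, &sink_len, sizeof sink)) rejected++; /* out of order */
    if (!console_accept(&r, &blocks[0], sink, &sink_len, sizeof sink)) rejected++;
    if (!console_accept(&r, &blocks[1], sink, &sink_len, sizeof sink)) rejected++;
    return rejected;
}

int main(void)
{
    printf("replay scenario: %d deliveries rejected\n", console_replay_scenario());
    printf("reorder scenario: %d deliveries rejected\n", console_reorder_scenario());
    return 0;
}
```

The identifier check only has value if the identifier itself cannot be forged, which is why in SCONE it travels inside the encrypted block under the key exchanged at startup; this model shows the ordering logic the client applies once that key is in place.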
3.3 Threading model: SCONE supports an M:N threading model in which M application threads inside the enclave are mapped to N OS threads -> fewer enclave transitions.
- Multiple OS threads in SCONE can enter an enclave. Each thread executes the scheduler. The scheduler checks if: (1) an application thread needs to be woken due to an expired timeout or the arrival of a system call response; or (2) an application thread is waiting to be scheduled. In both cases, the scheduler executes the associated thread.
- The number of OS threads inside the enclave is typically bound by the number of CPU cores.
- The system call threads reside in the kernel indefinitely to eliminate the overhead of kernel mode switches.
- When there are no pending system calls, the threads back off to reduce CPU load.
3.4 Asynchronous system calls: This interface consists of two lock-free, multi-producer, multi-consumer queues: a request queue and a response queue.
1. When a system call happens, the application thread copies memory-based arguments outside of the enclave.
2. It adds a description of the system call to a syscall slot data structure containing the system call number and arguments. The syscall slot and the arguments use thread-local storage.
3. Next the application thread yields to the scheduler, which will execute other application threads until the reply to the system call is received in the response queue.
4. The system call is issued by placing a reference to the syscall slot into the request queue.
5. When the result is available in the response queue, buffers are copied to the inside of the enclave, and all pointers are updated to point to enclave memory buffers.
6. The associated application thread is scheduled again.
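The six steps above, together with the shield goal from 3.2 of not letting the host control pointers and buffer sizes, are modelled in the following added C example (not the paper's or the presentation's code). A single-threaded ring stands in for each lock-free queue; the untrusted memory region, the constructed file content and the check that a returned length never exceeds the requested buffer are assumptions of this example, chosen to show why step 5 must validate the host's result before copying buffers back into the enclave.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_CAP 8
#define NR_READ 0      /* x86-64 read(2) */
#define ERR_IO (-5)    /* -EIO: response rejected */

/* Syscall slot: description of one pending call (thread-local in SCONE;
 * one static slot suffices in this single-threaded model). */
typedef struct {
    long nr, args[6], result;
    unsigned char *out_buf;  /* argument buffer copied outside the enclave */
    size_t out_len;          /* size the enclave asked for */
    unsigned char *in_buf;   /* enclave buffer the result is copied back into */
} syscall_slot_t;

/* Ring of slot references standing in for each lock-free MPMC queue. */
typedef struct { syscall_slot_t *items[QUEUE_CAP]; size_t head, tail; } slot_queue_t;

static bool queue_push(slot_queue_t *q, syscall_slot_t *s)
{
    if (q->tail - q->head == QUEUE_CAP) return false;
    q->items[q->tail++ % QUEUE_CAP] = s;
    return true;
}

static syscall_slot_t *queue_pop(slot_queue_t *q)
{
    return q->head == q->tail ? NULL : q->items[q->head++ % QUEUE_CAP];
}

static unsigned char g_untrusted_mem[256];              /* models non-enclave memory */
static slot_queue_t g_req, g_resp;                      /* request / response queues */
static const char k_file[] = "hello from the host fs";  /* constructed file content */

/* Steps 1, 2 and 4: place the argument buffer outside the enclave, fill the
 * slot, and put a reference to it into the request queue. In SCONE the
 * application thread would now yield to the in-enclave scheduler (step 3). */
static void enclave_issue_read(syscall_slot_t *s, int fd, unsigned char *enclave_buf, size_t len)
{
    memset(s, 0, sizeof *s);
    s->nr = NR_READ;
    s->out_buf = g_untrusted_mem;
    s->out_len = len;
    s->in_buf = enclave_buf;
    s->args[0] = fd;
    s->args[1] = (long)(intptr_t)s->out_buf;
    s->args[2] = (long)len;
    queue_push(&g_req, s);
}

/* Host-side system call thread: serve one request against the constructed
 * file and post the slot to the response queue. With lie_about_length set
 * it models a malicious host reporting more bytes than were requested. */
static void host_service_one(bool lie_about_length)
{
    syscall_slot_t *s = queue_pop(&g_req);
    if (!s) return;
    if (s->nr == NR_READ) {
        size_t want = (size_t)s->args[2], have = strlen(k_file);
        size_t n = want < have ? want : have;
        memcpy((void *)(intptr_t)s->args[1], k_file, n);
        s->result = lie_about_length ? (long)(want + 100) : (long)n;
    } else {
        s->result = -38;  /* -ENOSYS */
    }
    queue_push(&g_resp, s);
}

/* Step 5: validate the host-controlled result before copying the buffer
 * back in; an unchecked length would drive an out-of-bounds write into
 * enclave memory. Afterwards the caller only uses in_buf, never args[1]. */
static long enclave_complete(syscall_slot_t *expected)
{
    syscall_slot_t *s = queue_pop(&g_resp);
    if (s != expected) return ERR_IO;                    /* no or foreign response */
    if (s->result < 0) return s->result;                 /* errno passed through */
    if ((size_t)s->result > s->out_len) return ERR_IO;   /* host lied about the length */
    memcpy(s->in_buf, s->out_buf, (size_t)s->result);
    memset(s->out_buf, 0, s->out_len);                   /* scrub the outside copy */
    return s->result;
}

/* One round trip reading `len` bytes (clamped to 64). Returns the byte
 * count, ERR_IO if the response was rejected, or -1 on a data mismatch. */
long demo_read(bool malicious_host, size_t len)
{
    static syscall_slot_t slot;
    unsigned char buf[64];
    if (len > sizeof buf) len = sizeof buf;
    enclave_issue_read(&slot, 3, buf, len);
    host_service_one(malicious_host);
    long r = enclave_complete(&slot);
    return (r > 0 && memcmp(buf, k_file, (size_t)r) != 0) ? -1 : r;
}

int main(void)
{
    printf("honest 16: %ld  honest 64: %ld  lying 16: %ld\n",
           demo_read(false, 16), demo_read(false, 64), demo_read(true, 16));
    return 0;
}
```

In this model the honest host returns 16 and 22 bytes for the two reads, while the lying host's claim of 116 bytes is rejected with ERR_IO before any copy into the enclave buffer happens; the real SCONE queues are lock-free and shared by many threads, which the single-threaded ring does not attempt to reproduce.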
3.5 Docker integration: The integration of secure containers with Docker requires changes to the build process of secure images and changes to client-side extensions. SCONE does not require modifications to the Docker Engine or its API.
Container startup: Each secure container requires a startup configuration file (SCF). The SCF contains keys to encrypt standard I/O streams, a hash of the FS protection file and its encryption key. Since SGX does not protect the confidentiality of enclave code, putting the startup configuration in the enclave itself is not an option. Instead, after the executable has initialized the enclave, the SCF is received through a TLS-protected network connection during enclave startup.
Evaluation: They used two web servers, Apache and NGINX; Memcached; Redis; and SQLite. The applications include a mix of compute-intensive (e.g., SQLite) and I/O-intensive (e.g., Apache and Memcached) workloads.
Three variants for each application:
1 - one built with the GNU C library (glibc);
2 - one built with the musl C library adapted to run inside SGX enclaves with synchronous system calls (SCONE-sync);
3 - one built with the same musl C library but with asynchronous system calls (SCONE-async).
For applications that do not support encryption (e.g., Memcached and Redis), they use Stunnel to encrypt their communication in the glibc variant.
Figure 14 shows how many pwrite() calls can be executed by SCONE-async, SCONE-sync and natively.
CONCLUSION
• SCONE increases the confidentiality and integrity of containerized services using Intel SGX.
• The TCB is between 0.6 and 2 times the application code size, and secure containers are compatible with Docker.
• Asynchronous system calls and a kernel module reduce the SGX overhead.
• For all evaluated services, they achieved at least 60% of the native throughput.
REFERENCE:
• https://www.ibr.cs.tu-bs.de/users/goltzsch/papers/osdi2016scone-preprint.pdf
• https://www.usenix.org/sites/default/files/conference/protected-files/osdi16_slides_knauth.pdf