CTR: Checkpoint, Transfer, and Restore for Secure Enclaves

by   Yoshimichi Nakatsuka, et al.

Hardware-based Trusted Execution Environments (TEEs) are becoming increasingly prevalent in cloud computing, forming the basis for confidential computing. However, the security goals of TEEs sometimes conflict with existing cloud functionality, such as VM or process migration, because TEE memory cannot be read by the hypervisor, OS, or other software on the platform. Whilst some newer TEE architectures support migration of entire protected VMs, there is currently no practical solution for migrating individual processes containing in-process TEEs. The inability to migrate such processes leads to operational inefficiencies or even data loss if the host platform must be urgently restarted. We present CTR, a software-only design to retrofit migration functionality into existing TEE architectures, whilst maintaining their expected security guarantees. Our design allows TEEs to be interrupted and migrated at arbitrary points in their execution, thus maintaining compatibility with existing VM and process migration techniques. By cooperatively involving the TEE in the migration process, our design also allows application developers to specify stateful migration-related policies, such as limiting the number of times a particular TEE may be migrated. Our prototype implementation for Intel SGX demonstrates that migration latency increases linearly with the size of the TEE memory and is dominated by TEE system operations.


page 1

page 2

page 3

page 4


Migrating SGX Enclaves with Persistent State

Hardware-supported security mechanisms like Intel Software Guard Extensi...

Tailoring the Cyber Security Framework: How to Overcome the Complexities of Secure Live Virtual Machine Migration in Cloud Computing

This paper proposes a novel secure live virtual machine migration framew...

Dynamic Transparent General Purpose Process Migration For Linux

Process migration refers to the act of transferring a process in the mid...

Migration-Based Synchronization

A fundamental challenge in multi- and many-core systems is the correct e...

New Thread Migration Strategies for NUMA Systems

Multicore systems present on-board memory hierarchies and communication ...

Migration of CMSWEB Cluster at CERN to Kubernetes

The CMS experiment heavily relies on the CMSWEB cluster to host critical...

PIE: A Platform-wide TEE

While modern computing architectures rely on specialized hardware such a...

Please sign up or login with your details

Forgot password? Click here to reset