Dynamic Binary Translation for SGX Enclaves

03/29/2021
by   Jinhua Cui, et al.
0

Enclaves, such as those enabled by Intel SGX, offer a hardware primitive for shielding user-level applications from the OS. While enclaves are a useful starting point, code running in the enclave requires additional checks whenever control or data is transferred to/from the untrusted OS. The enclave-OS interface on SGX, however, can be extremely large if we wish to run existing unmodified binaries inside enclaves. This paper presents Ratel, a dynamic binary translation engine running inside SGX enclaves on Linux. Ratel offers complete interposition, the ability to interpose on all executed instructions in the enclave and monitor all interactions with the OS. Instruction-level interposition offers a general foundation for implementing a large variety of inline security monitors in the future. We take a principled approach in explaining why complete interposition on SGX is challenging. We draw attention to 5 design decisions in SGX that create fundamental trade-offs between performance and ensuring complete interposition, and we explain how to resolve them in the favor of complete interposition. To illustrate the utility of the Ratel framework, we present the first attempt to offer binary compatibility with existing software on SGX. We report that Ratel offers binary compatibility with over 200 programs we tested, including micro-benchmarks and real applications such as Linux shell utilities. Runtimes for two programming languages, namely Python and R, tested with standard benchmarks work out-of-the-box on Ratel without any specialized handling.

READ FULL TEXT

page 4

page 16

research
09/02/2020

Binary Compatibility For SGX Enclaves

Enclaves, such as those enabled by Intel SGX, offer a powerful hardware ...
research
03/29/2021

Twine: An Embedded Trusted Runtime for WebAssembly

WebAssembly is an increasingly popular lightweight binary instruction fo...
research
05/15/2018

SGX-Aware Container Orchestration for Heterogeneous Clusters

Containers are becoming the de facto standard to package and deploy appl...
research
02/26/2019

PubSub-SGX: Exploiting Trusted Execution Environments for Privacy-Preserving Publish/Subscribe Systems

This paper presents PUBSUB-SGX, a content-based publish-subscribe system...
research
01/26/2023

User-Customizable Transpilation of Scripting Languages

A transpiler converts code from one programming language to another. Man...
research
08/31/2018

Wasabi: A Framework for Dynamically Analyzing WebAssembly

WebAssembly is the new low-level language for the web and has now been i...
research
07/27/2018

Sound Transpilation from Binary to Machine-Independent Code

In order to handle the complexity and heterogeneity of mod- ern instruct...

Please sign up or login with your details

Forgot password? Click here to reset