TEEMon: A continuous performance monitoring framework for TEEs

by   Robert Krahn, et al.

Trusted Execution Environments (TEEs), such as Intel Software Guard eXtensions (SGX), are considered as a promising approach to resolve security challenges in clouds. TEEs protect the confidentiality and integrity of application code and data even against privileged attackers with root and physical access by providing an isolated secure memory area, i.e., enclaves. The security guarantees are provided by the CPU, thus even if system software is compromised, the attacker can never access the enclave's content. While this approach ensures strong security guarantees for applications, it also introduces a considerable runtime overhead in part by the limited availability of protected memory (enclave page cache). Currently, only a limited number of performance measurement tools for TEE-based applications exist and none offer performance monitoring and analysis during runtime. This paper presents TEEMon, the first continuous performance monitoring and analysis tool for TEE-based applications. TEEMon provides not only fine-grained performance metrics during runtime, but also assists the analysis of identifying causes of performance bottlenecks, e.g., excessive system calls. Our approach smoothly integrates with existing open-source tools (e.g., Prometheus or Grafana) towards a holistic monitoring solution, particularly optimized for systems deployed through Docker containers or Kubernetes and offers several dedicated metrics and visualizations. Our evaluation shows that TEEMon's overhead ranges from 5


page 4

page 8

page 12


Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode

Highly privileged software, such as firmware, is an attractive target fo...

Guarding Serverless Applications with SecLambda

As an emerging application paradigm, serverless computing attracts atten...

Supporting RISC-V Performance Counters through Performance analysis tools for Linux (Perf)

Increased attention to RISC-V in Cloud, Data Center, Automotive and Netw...

Designing a Provenance Analysis for SGX Enclaves

Intel SGX enables memory isolation and static integrity verification of ...

Confidential Machine Learning within Graphcore IPUs

We present IPU Trusted Extensions (ITX), a set of experimental hardware ...

A practical approach for updating an integrity-enforced operating system

Trusted computing defines how to securely measure, store, and verify the...

Migrating SGX Enclaves with Persistent State

Hardware-supported security mechanisms like Intel Software Guard Extensi...