Efficient Management Models for SGX Enclaves
摘要
The relevance of data confidentiality continues to increase for users in both corporate and personal contexts. Privacy-sensitive business and personal data traverse various networks and are manipulated by diverse software across multiple platforms, thereby amplifying concerns regarding their confidentiality and integrity. To mitigate such concerns, numerous solutions have been proposed, among them the Intel Software Guard Extensions (SGX) architecture. SGX provides mechanisms to encapsulate critical applications and data within hardware-protected encrypted RAM areas, referred to as enclaves, governed by rigorous security policies. Nonetheless, leveraging these mechanisms to ensure confidentiality and integrity of sensitive data incurs a performance penalty on application execution, attributed to the constraints and verifications enforced by the SGX architecture. Furthermore, the availability of enclaves is finite, and their instantiation involves a considerable performance cost. Consequently, efficient management of SGX enclaves becomes imperative. This study introduces two management models for the efficient utilization of SGX enclaves: (i) enclave sharing and (ii) enclave pool. To build such models, an enclave provider architecture is proposed, which decouples the enclave from the application, thereby facilitating the implementation of the proposed management models and provisioning enclave resources to applications through an ’as-a-service’ paradigm. A prototype was developed to evaluate the proposed architecture and management models; empirical results demonstrated a significant reduction in the performance impact of enclave allocation, while maintaining satisfactory response times to accommodate concurrent requests.