Secure Content-Based Routing Using Intel Software Guard Extensions

Pires, Rafael; Pasin, Marcelo; Felber, Pascal; Fetzer, Christof

doi:10.1145/2988336.2988346

Cited by 51 publications

(47 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main sources of overhead for SGX enclaved executions are the transitions between protected and unprotected modes, and memory usage [18], [46]- [48]. Additionally, startup time is longer than traditional executions, mainly due to support service initialization and memory allocation.…”

Section: Evaluation Of Sgx Performancementioning

confidence: 99%

SGX-Aware Container Orchestration for Heterogeneous Clusters

Vaucher

Pires

Felber

et al. 2018

2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS)

Self Cite

View full text Add to dashboard Cite

Containers are becoming the de facto standard to package and deploy applications and micro-services in the cloud. Several cloud providers (e.g., Amazon, Google, Microsoft) begin to offer native support on their infrastructure by integrating container orchestration tools within their cloud offering. At the same time, the security guarantees that containers offer to applications remain questionable. Customers still need to trust their cloud provider with respect to data and code integrity. The recent introduction by Intel of Software Guard Extensions (SGX) into the mass market offers an alternative to developers, who can now execute their code in a hardware-secured environment without trusting the cloud provider.This paper provides insights regarding the support of SGX inside Kubernetes, an industry-standard container orchestrator. We present our contributions across the whole stack supporting execution of SGX-enabled containers. We provide details regarding the architecture of the scheduler and its monitoring framework, the underlying operating system support and the required kernel driver extensions. We evaluate our complete implementation on a private cluster using the real-world Google Borg traces. Our experiments highlight the performance tradeoffs that will be encountered when deploying SGX-enabled microservices in the cloud.

show abstract

Section: Evaluation Of Sgx Performancementioning

confidence: 99%

SGX-Aware Container Orchestration for Heterogeneous Clusters

Vaucher

Pires

Felber

et al. 2018

2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Intel SGX is used to implement a Secure Content-Based Routing (SCBR) system [6], providing privacy preserving to messages, since they are not exposed to unauthorized parties and they are filtered only in a secure enclave. Extensive experiments concluded that SGX adds a limited overhead providing much better performance when compared to other alternatives of Secure CBR.…”

Section: Related Workmentioning

confidence: 99%

“…To avoid such kind of attacks, the data can be encrypted in the producers in order to be processed only in a secure way. This can be achieved by homomorphic cryptography [5], which performs common operations over encrypted data, but its great overhead makes it unpractical to use with complex operations [6]. Another approach is the use of a trusted execution environment (TEE), that enables, by using specific hardware instructions, the creation of a shielded space in the memory in a way data can be processed securely inside this space.…”

Section: Introductionmentioning

confidence: 99%

Achieving Data Dissemination with Security using FIWARE and Intel Software Guard Extensions (SGX)

Valadares

Silva

Brito

et al. 2018

2018 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

The Internet of Things (IoT) field has gained much attention from industry and academia, being the main subject for numerous research and development projects. Frequently, the dense amount of generated data from IoT applications is sent to a cloud service, that is responsible for processing and storage. Many of these applications demand security and privacy for their data because of their sensitive nature. This is specially true when such data must be processed in entities hosted in public clouds, where the environment in which applications run may not be trusted. Some concerns are then raised since it is not trivial to provide the needed protection for these sensitive data. We present a solution that considers the security components of FIWARE and the Intel SGX capabilities. FIWARE is a platform created to support the development of Smart Applications, including IoT systems, and SGX is the Intel solution for Trusted Execution Environment (TEE). We propose a new component for key management that, together with other FIWARE components, can be used to provide privacy, confidentiality, and integrity guarantees for IoT data. A case study illustrates how this proposed solution can be employed in a realistic scenario, which allows the dissemination of sensitive data through public clouds without risking privacy issues. The results of the experiments provide evidence that our approach does not harm scalability or availability of the system. In addition, it presents acceptable memory costs when considering the benefit of the privacy guarantees achieved.

show abstract

“…To the best of our knowledge, there is only one existing system (SCBR [26]) that efficiently combines the publish/subscribe paradigm with Intel SGX. SCBR integrates with Intel SGX by running the code of the brokers inside the enclaves, thus preventing an attacker with full control to inspect the messages in transit through the network.…”

Section: ) Pypy and Shielding Overheadmentioning

confidence: 99%

PubSub-SGX: Exploiting Trusted Execution Environments for Privacy-Preserving Publish/Subscribe Systems

Arnautov

Brito

Felber

et al. 2018

2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS)

Self Cite

View full text Add to dashboard Cite

This paper presents PUBSUB-SGX, a content-based publish-subscribe system that exploits trusted execution environments (TEEs), such as Intel SGX, to guarantee confidentiality and integrity of data as well as anonymity and privacy of publishers and subscribers. We describe the technical details of our Python implementation, as well as the required system support introduced to deploy our system in a container-based runtime. Our evaluation results show that our approach is sound, while at the same time highlighting the performance and scalability trade-offs. In particular, by supporting just-in-time compilation inside of TEEs, Python programs inside of TEEs are in general faster than when executed natively using standard CPython.

show abstract

Secure Content-Based Routing Using Intel Software Guard Extensions

Cited by 51 publications

References 30 publications

SGX-Aware Container Orchestration for Heterogeneous Clusters

SGX-Aware Container Orchestration for Heterogeneous Clusters

Achieving Data Dissemination with Security using FIWARE and Intel Software Guard Extensions (SGX)

PubSub-SGX: Exploiting Trusted Execution Environments for Privacy-Preserving Publish/Subscribe Systems

Contact Info

Product

Resources

About