M.Sc Thesis

M.Sc StudentMinkin Marina
SubjectImproving Performance and Security of Intel SGX
DepartmentDepartment of Computer Science
Supervisor ASSOCIATE PROF. Mark Silberstein
Full Thesis textFull thesis text - English Version


Intel Software Guard Extensions (SGX) are a new set of CPU instructions which enable trusted and isolated execution of selected sections of application code in hardware containers called enclaves. An enclave acts as a reverse sandbox: its private memory and execution state are isolated from any software outside the enclave, including an OS and/or a hypervisor, yet the code running in the enclave may access untrusted memory of the owner process. While SGX provides the convenience

of a standard x86 execution environment inside the enclave, there are important differences in the way enclaves manage their private memory and interact with the host OS.

 In this work, we try to understand better and improve the performance and security of SGX enclaves. First, we present Foreshadow, which is an attack on SGX that extracts full memory dumps of SGX enclaves thereby compromising SGX’s integrity and confidentiality guarantees. Next, previous work (Eleos, EuroSys’17) has shown that performance of SGX paging can be improved by using software user-level paging, called SUVM. In this thesis we show that SUVM for a single enclave is not effective for multi-enclave systems, and introduce Multi-SUVM. A system that supports SUVM for multi enclave environment with kernel space and in-enclave  odifications.

We show in Multi-SUVM up to 65% speedup, and up to 3.4? higher throughput than SUVM.