Compiler-based Techniques for Enhancing Performance and Privacy in Enclaves

I’ve been collaborating for a while with the ACSL research lab at the Technion, and this collaboration has resulted in the recent publication of our paper, CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves, at USENIX ATC’19, a top-tier systems conference. Our research pursued better performance and very strong privacy guarantees for applications running in secure enclaves (with a focus on Intel® SGX), with zero or very little effort from the developer and without really changing the source code of the application.
This goal is in line with Anjuna’s mission to enable running applications in secure enclaves, achieving the strongest security guarantees, with little compromise on performance and no engineering effort involved in the process. Some of the existing enclave architectures, like Intel® SGX, do not allow a secure and efficient implementation of custom page-fault handlers: page faults inside the enclave are handled by the untrusted OS, which both costs an enclave exit and leaks the faulting page address. This limitation has implications for the use of memory-mapped files, for the performance of page-fault handling, and for the ability to provide memory abstractions that perform tasks like compression or remote memory access (such as RDMA).

CoSMIX is a Compiler-based system for Secure Memory Instrumentation and eXecution of applications in secure enclaves. It provides a memory store abstraction that allows the implementation of application-level secure page-fault handlers, which are invoked by a lightweight enclave runtime rather than by the untrusted OS. The CoSMIX compiler instruments the application’s memory accesses to use one or more memory stores, guided by an instrumentation policy specified either as an external configuration provided to the compiler or as minimal code annotations. This makes it possible to achieve about 2x speedups for applications like Redis and Memcached, or to seamlessly add Oblivious RAM (ORAM) functionality to applications that access sensitive datasets, making them resilient to controlled-channel (page-fault side-channel) attacks.
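To make the mechanism concrete, the following is an added illustrative model written for this post; it is not CoSMIX’s code or API, and the names mstore_fault, mstore_translate, cosmix_load32 and cosmix_store32 are hypothetical stand-ins. It shows what an instrumented memory access looks like: instead of dereferencing a pointer directly, the application calls into a memory store that keeps a small page cache inside the enclave and, on a miss, runs an application-level fault handler that evicts, writes back and reloads pages from a simulated backing region (standing in for a memory-mapped file or remote memory). The XOR "seal" is a placeholder for whatever transform a real store would apply (authenticated encryption, compression, ORAM); it provides no security on its own.

```c
/* Added illustrative model of an instrumented memory store; not CoSMIX code.
 * Names (mstore_*, cosmix_*) are hypothetical. The XOR "seal" is a placeholder
 * for a real transform (encryption, compression, ORAM) and is not secure. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   64   /* tiny pages keep the demo readable */
#define NUM_PAGES   8    /* size of the simulated backing region */
#define CACHE_SLOTS 2    /* in-enclave page cache; deliberately smaller than the data */
#define STORE_BYTES (PAGE_SIZE * NUM_PAGES)

/* Constructed backing region standing in for memory outside the enclave
 * (e.g. a memory-mapped file or remote memory reached over RDMA). */
static uint8_t backing[STORE_BYTES];
static const uint8_t SEAL_KEY = 0x5A;        /* placeholder, not a real key */

static uint8_t  cache[CACHE_SLOTS][PAGE_SIZE];
static int      cache_page[CACHE_SLOTS];     /* page held in slot, -1 if empty */
static int      cache_dirty[CACHE_SLOTS];
static unsigned next_victim;                 /* round-robin eviction */
static unsigned fault_count;                 /* how often the handler ran */

static void seal_page(int page, const uint8_t *src) {
    for (int i = 0; i < PAGE_SIZE; i++)
        backing[page * PAGE_SIZE + i] = src[i] ^ SEAL_KEY;
}

static void unseal_page(int page, uint8_t *dst) {
    for (int i = 0; i < PAGE_SIZE; i++)
        dst[i] = backing[page * PAGE_SIZE + i] ^ SEAL_KEY;
}

/* Application-level "page fault" handler: runs inside the enclave when an
 * instrumented access misses the cache. Writes back the victim page if it
 * is dirty, then brings the requested page in. Returns the cache slot used. */
static int mstore_fault(int page) {
    unsigned slot = next_victim;
    next_victim = (next_victim + 1) % CACHE_SLOTS;
    if (cache_page[slot] >= 0 && cache_dirty[slot])
        seal_page(cache_page[slot], cache[slot]);
    unseal_page(page, cache[slot]);
    cache_page[slot] = page;
    cache_dirty[slot] = 0;
    fault_count++;
    return (int)slot;
}

/* Translate a store-relative offset to a pointer into the page cache. This is
 * the call the compiler would insert in front of each instrumented access. */
static uint8_t *mstore_translate(size_t off, int write) {
    int page = (int)(off / PAGE_SIZE);
    int slot = -1;
    for (int s = 0; s < CACHE_SLOTS; s++)
        if (cache_page[s] == page) { slot = s; break; }
    if (slot < 0) slot = mstore_fault(page);
    if (write) cache_dirty[slot] = 1;
    return &cache[slot][off % PAGE_SIZE];
}

/* Instrumented accesses that replace a plain *(uint32_t *)p in the app.
 * Offsets must be 4-byte aligned so an access never straddles a page. */
static uint32_t cosmix_load32(size_t off) {
    uint32_t v;
    memcpy(&v, mstore_translate(off, 0), sizeof v);
    return v;
}
static void cosmix_store32(size_t off, uint32_t v) {
    memcpy(mstore_translate(off, 1), &v, sizeof v);
}

static void mstore_init(void) {
    memset(backing, SEAL_KEY, sizeof backing);   /* sealed all-zero pages */
    for (int s = 0; s < CACHE_SLOTS; s++) { cache_page[s] = -1; cache_dirty[s] = 0; }
    next_victim = 0;
    fault_count = 0;
}

/* Touch more pages than fit in the cache, forcing evictions, write-backs and
 * reloads. Returns the number of handler invocations, or -1 if any value read
 * back differs from what was stored (i.e. the write-back path is broken). */
int mstore_demo(void) {
    mstore_init();
    for (int p = 0; p < NUM_PAGES; p++)
        cosmix_store32((size_t)p * PAGE_SIZE + 4, 0xC0DE0000u + (uint32_t)p);
    for (int p = 0; p < NUM_PAGES; p++)
        if (cosmix_load32((size_t)p * PAGE_SIZE + 4) != 0xC0DE0000u + (uint32_t)p)
            return -1;
    return (int)fault_count;
}

int main(void) {
    int faults = mstore_demo();
    printf("handler invocations: %d (%s)\n", faults,
           faults < 0 ? "data mismatch" : "all values verified");
    return faults < 0;
}
```

With 8 pages and 2 cache slots every store and every load misses, so the handler runs 16 times and each miss is served by the in-enclave handler rather than by an OS-visible page fault; that is the property CoSMIX relies on to keep page-level access patterns away from the untrusted host. Swapping seal_page/unseal_page for a real transform, or the round-robin cache for an ORAM, changes only the store, not the instrumented accesses.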

The Anjuna Runtime Security solution supports applications instrumented using the CoSMIX compiler. This powerful combination enables seamless migration of real-world applications into secure enclaves with minimal effort.

(The full paper is available here)