Compiler-based Techniques for Enhancing Performance and Privacy in Enclaves

I've been collaborating for a while with the ACSL research lab at the Technion, and this collaboration has resulted in the recent publication of our paper, "CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves", at USENIX ATC'19, a top-tier systems conference. Our research aimed to achieve better performance and enable very strong privacy guarantees for applications running in secure enclaves (with a focus on Intel® SGX), with zero or very little effort from the developer and without really changing the source code of the application.

This goal is in line with Anjuna's mission to enable running applications in secure enclaves, achieving the strongest security guarantees, with little compromise to performance and no engineering effort involved in the process. Some of the existing enclave architectures, like Intel® SGX, do not allow secure and efficient implementation of custom page-fault handlers. This limitation affects the use of memory-mapped files, the performance of page-fault handling, and the ability to provide memory abstractions that perform tasks like compression or remote memory access (such as RDMA).

CoSMIX is a Compiler-based system for Secure Memory Instrumentation and eXecution of applications in secure enclaves. It provides a memory store abstraction that allows the implementation of application-level secure page-fault handlers, which are invoked by a lightweight enclave runtime. The CoSMIX compiler instruments the application's memory accesses to use one or more memory stores, guided by an instrumentation policy that is specified either as an external configuration provided to the compiler or as minimal code annotations. This enables us to achieve about 2x speedups for applications like Redis and Memcached, or to seamlessly add Oblivious RAM (ORAM) functionality to applications that access sensitive datasets, making them resilient to controlled side-channel attacks.
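To make the memory store idea concrete, here is a small sketch added for illustration; it is not CoSMIX code or its API. All names (`mstore_load`, `mstore_store`, `handle_fault`, `seal`) and sizes are hypothetical, and the XOR in `seal` is only a placeholder for the authenticated encryption a real store would apply before a page leaves the enclave.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#define PAGE_SIZE 64u  /* toy page size (assumption) */
#define NPAGES    8u   /* pages held in the backing store */
#define NSLOTS    2u   /* pages cached inside the "enclave" */

static uint8_t backing[NPAGES][PAGE_SIZE];  /* stands in for untrusted memory */
static struct { int page, dirty; uint8_t data[PAGE_SIZE]; } slot[NSLOTS];
static unsigned next_victim, fault_count;

/* Placeholder transform (its own inverse), NOT real encryption. */
static void seal(uint8_t *dst, const uint8_t *src, unsigned page) {
    for (unsigned i = 0; i < PAGE_SIZE; i++) dst[i] = src[i] ^ (uint8_t)(0xA5u + page);
}

/* Reset the cache and fill the backing store with sealed zero pages. */
void mstore_init(void) {
    static const uint8_t zero[PAGE_SIZE];
    for (unsigned p = 0; p < NPAGES; p++) seal(backing[p], zero, p);
    for (unsigned s = 0; s < NSLOTS; s++) { slot[s].page = -1; slot[s].dirty = 0; }
    next_victim = fault_count = 0;
}

/* Software page-fault handler: write back the victim if dirty, load the page. */
static unsigned handle_fault(unsigned page) {
    unsigned s = next_victim;
    next_victim = (next_victim + 1) % NSLOTS;
    if (slot[s].page >= 0 && slot[s].dirty)
        seal(backing[slot[s].page], slot[s].data, (unsigned)slot[s].page);
    seal(slot[s].data, backing[page], page);
    slot[s].page = (int)page; slot[s].dirty = 0;
    fault_count++;
    return s;
}

/* Map a store offset to a cached byte, faulting the page in on a miss. */
static uint8_t *translate(size_t off, int write) {
    if (off >= (size_t)NPAGES * PAGE_SIZE) abort();  /* reject out-of-range access */
    unsigned page = (unsigned)(off / PAGE_SIZE), s = 0;
    while (s < NSLOTS && slot[s].page != (int)page) s++;
    if (s == NSLOTS) s = handle_fault(page);
    if (write) slot[s].dirty = 1;
    return &slot[s].data[off % PAGE_SIZE];
}

/* What an instrumented load/store calls instead of dereferencing a pointer. */
uint8_t mstore_load(size_t off)             { return *translate(off, 0); }
void    mstore_store(size_t off, uint8_t v) { *translate(off, 1) = v; }
```

The point of the sketch is that every access goes through `translate`, so paging policy, eviction and the transform applied to evicted pages are all decided by code inside the enclave rather than by the untrusted OS page-fault path.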

The Anjuna Runtime Security solution supports applications instrumented using the CoSMIX compiler. This powerful combination enables seamless migration of real-world applications into secure enclaves with minimal effort.

(The full paper is available here)

