SlideShare a Scribd company logo

Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides

Jämes Ménétrey
Jämes Ménétrey

Twine is a trusted runtime that allows WebAssembly applications to execute securely within Intel SGX enclaves on untrusted cloud infrastructure. It addresses challenges of interfacing WebAssembly with hardware security modules and optimizing performance. Evaluations show Twine can execute SQLite compiled to WebAssembly within SGX enclaves with overhead of only 2.5-6.5x compared to native execution. Twine shields user applications while allowing them to be deployed across programming languages and hardware security environments.

Software
1 of 15
Download to read offline
Twine: An Embedded Trusted Runtime for WebAssembly Jämes Ménétrey Marcelo Pasin Pascal Felber Valerio Schiavoni University of Neuchâtel, Switzerland 19-22 April 2021 37th IEEE International Conference on Data Engineering 1
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Context Hardware VMM Company OS Software stack Trusted by cloud providers Your apps Trusted by you Developers Cloud providers Your apps Attack surface of your apps • We process and store important data in clouds • From cloud providers’ perspective: the users deploy untrusted apps on their trusted systems • From users’ perspective: they deploy trusted apps on systems they assume to be trustworthy 2
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Users’ apps shielding • Twine relies on a Trusted Execution Environment (TEE) • We focus on Intel Secure Guard Extensions (SGX), which provide: • Memory access protection, integrity • Persist non-volatile data • Attestation of code (local and remote) • Applications are isolated inside hardware enforced enclaves Enclave Hardware VMM Company OS Software stack Your apps 3
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Primer on Intel SGX Trusted Untrusted ① Enclave creation ② Call trusted function (ECALL) Call gates Trusted function ③ ⑤ Returns ⑥ Enclave destruction ④ Code execution • Hardware enforced security • Enclave memory access is restricted • Partitioned applications • Some instructions are illegal, e.g., syscall OS, VMM, … 4
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Interoperability • Relax the constraints imposed by the TEE, such as: • Programming languages • Programming paradigm (e.g., code partitioning) • No built-in system calls (e.g., printf) • Abstract the host OS and the TEE • Provide practical performance 5 Cloud providers Your apps OS TEEs Programming lang. Deploy
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 WebAssembly • WebAssembly is a standard for a lightweight bytecode format • A compilation target for most mainstream programming languages • Initially meant for the web, can be used anywhere today 6 Image: Standardising WASI, Mozilla, 2020 developer WebAssembly runtime clang -target wasm32-unknown-wasi user
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Challenge 1: Interface • Intel SGX does not allow system calls, but provides out calls (OCALLs) • WebAssembly does not provides POSIX-like library, but does have import/export functions capability • Solution: use WebAssembly System Interface (WASI) to wire application system calls to OS system calls through OCALLs 7 Process Enclave WASI Call gate System library Wasm Runtime App OS Twine architecture ① ② ③ ④ ⑤ ⑥
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Challenge 2: Performance • Interpreters are slower than native execution • Solution: Ahead of Time (AOT) compilation • Just in Time (JIT) compilation increases the complexity of the enclaves (e.g., using LLVM) 8 Developers env. .cpp .rs .go ① Source code ② Compilation into WebAssembly .wasm ③ Ahead of time compilation .aot Cloud env. Enclave ④ Deployment
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Our contribution • Twine is a trusted runtime executing WebAssembly bytecode in enclaves with a subset of WASI support • Adaptation of the runtime WebAssembly Micro Runtime (WAMR) • Twine provides non-volatile storage to store database engine artefacts 9 Hardware VMM Company OS Your apps Attack surface of your apps Twine (trusted) Twine (untrusted) Trusted by cloud providers Trusted by you Software stack
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Use case: SQLite • Compilation of SQLite into WebAssembly, • No source code modification except the usage of a virtual file system for using general I/O POSIX API (e.g., open, write, fsync, etc.) • File I/O operations are handled by Intel Protected File System (IPFS) transparently through WASI • Files are encrypted and decrypted thanks to IPFS 10 Process Enclave WASI Call gate System library Wasm Runtime OS ② Encryption ① ③ ④ ⑤
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, Speedtest1 Across all tests with database stored in files, the slowdowns are: 11 Insert Update Sequential Select Delete Random Select 0 5 10 35.1 22.4 Normalised run time J Lower is better Native: mem. (= 1) file WAMR: mem. file Twine: mem. file SGX-LKL: mem. file We made these Native WAMR SGX-LKL Twine 3.7x 2.6x 1.8x 2.5x 6.5x 1.0x
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, microbenchmark 12 0 50 100 150 0 1 2 EPC full Database size [MiB] Time [s] J Lower is better (a) Insertion 0 50 100 150 0 0.5 1 EPC full Database size [MiB] (b) Sequential reading 0 50 100 150 0 2 4 6 8 EPC full Database size [MiB] (c) Random reading Native: mem. file SGX-LKL: mem. file WAMR: mem. file Twine: mem. file • Enclave Page Cache (EPC) is a special memory area to store the enclaves’ code and data (size of 92 MiB) • Once full, encrypted memory pages are swapped out into the unprotected memory, which is a costly operation We made these
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, microbenchmark 13 Insertion Sequential Random 0 0.5 1 Type of query Normalised run time J Lower is better Twine: HW SW SGX-LKL: HW SW 2.5x 3.3x 0.9x Slowdowns 0 50 100 150 0 1 2 EPC full Database size [MiB] Time [s] J Lower is better (a) Insertion 0 50 100 150 0 0.5 1 EPC full Database size [MiB] (b) Sequential reading 0 50 100 150 0 2 4 6 8 EPC full Database size [MiB] (c) Random reading Native: mem. file SGX-LKL: mem. file WAMR: mem. file Twine: mem. file We made these
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Optimisations: Intel Protected File System • Optimisations: • Memory clearing operations have been removed • Memory copy operations have been reduced • Speedup compared to Intel’s version with SQLite: • Insertion: 1.5x • Sequential reading: 2.5x • Random reading: 4.1x 14 0 5 10 15 20 25 30 IPFS Optimised Time [s] (J Lower is better) SQLite inner work Read: other ops. OCALL memset
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Takeaway • Twine is a trusted runtime for running WebAssembly within SGX enclaves on untrusted clouds with practical performance. • Applications compiled into WebAssembly do not need to be modified, as long as the system calls are covered by WASI • File system I/O is seamlessly secured by Intel Protected File System • SQLite can be compiled into WebAssembly and executed on Twine Thanks for your attention! 15 I’m open source!

Recommended

A Robust and Flexible Operating System Compatibility Architecture
A Robust and Flexible Operating System Compatibility ArchitectureA Robust and Flexible Operating System Compatibility Architecture
A Robust and Flexible Operating System Compatibility ArchitectureShinagawa Laboratory, The University of Tokyo
 
Lecture 1-vs.pptx.......................
Lecture 1-vs.pptx.......................Lecture 1-vs.pptx.......................
Lecture 1-vs.pptx.......................HassamShahid2
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationVEDLIoT Project
 
DeltaV Virtualization
DeltaV VirtualizationDeltaV Virtualization
DeltaV VirtualizationEmerson Exchange
 
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).ppt
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).pptVIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).ppt
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).pptnagarajans87
 
Handout2o
Handout2oHandout2o
Handout2oShahbaz Sidhu
 
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...WASdev Community
 
Operating system Definition Structures
Operating system Definition StructuresOperating system Definition Structures
Operating system Definition Structuresanair23
 

Recommended

A Robust and Flexible Operating System Compatibility Architecture
A Robust and Flexible Operating System Compatibility ArchitectureA Robust and Flexible Operating System Compatibility Architecture
A Robust and Flexible Operating System Compatibility ArchitectureShinagawa Laboratory, The University of Tokyo
 
Lecture 1-vs.pptx.......................
Lecture 1-vs.pptx.......................Lecture 1-vs.pptx.......................
Lecture 1-vs.pptx.......................HassamShahid2
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationVEDLIoT Project
 
DeltaV Virtualization
DeltaV VirtualizationDeltaV Virtualization
DeltaV VirtualizationEmerson Exchange
 
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).ppt
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).pptVIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).ppt
VIRTUAL MACHINE VERSATILE PLATFORM01~chapter 1 (1).pptnagarajans87
 
Handout2o
Handout2oHandout2o
Handout2oShahbaz Sidhu
 
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...
AAI-2016 WebSphere Application Server Installation and Maintenance in the Ent...WASdev Community
 
Operating system Definition Structures
Operating system Definition StructuresOperating system Definition Structures
Operating system Definition Structuresanair23
 
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0xKinAnx
 
What's Inside a JVM?
What's Inside a JVM?What's Inside a JVM?
What's Inside a JVM?Azul Systems Inc.
 
Packaging tool options
Packaging tool optionsPackaging tool options
Packaging tool optionsLen Bass
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities Ramya SK
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentalsashishsharma1506
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamentalashishsharma1506
 
Virtualization
VirtualizationVirtualization
Virtualizationkousardiffi
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesAngelos Kapsimanis
 
Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...Jämes Ménétrey
 
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...Jämes Ménétrey
 
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mwareBenchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mwaresolarisyougood
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newsolarisyourep
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newxKinAnx
 
Introduction to Virtualization
Introduction to Virtualization Introduction to Virtualization
Introduction to Virtualization Wellshop.pk
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to VirtualizationMuhammadRizkyFaza
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Monitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT InfrastructuresMonitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT InfrastructuresJohnnie Burke-Gaffney
 
Managing and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical InfrastructuresManaging and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical InfrastructuresJohnnie Burke-Gaffney
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 

More Related Content

Similar to Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides

Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0xKinAnx
 
Packaging tool options
Packaging tool optionsPackaging tool options
Packaging tool optionsLen Bass
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities Ramya SK
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesAngelos Kapsimanis
 
Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...Jämes Ménétrey
 
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...Jämes Ménétrey
 
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mwareBenchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mwaresolarisyougood
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newsolarisyourep
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newxKinAnx
 
Introduction to Virtualization
Introduction to Virtualization Introduction to Virtualization
Introduction to Virtualization Wellshop.pk
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to VirtualizationMuhammadRizkyFaza
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Monitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT InfrastructuresMonitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT InfrastructuresJohnnie Burke-Gaffney
 
Managing and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical InfrastructuresManaging and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical InfrastructuresJohnnie Burke-Gaffney
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 

Similar to Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides (20)

Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
Emc vspex customer_presentation_private_cloud_v_mware_smb_2.0
 
What's Inside a JVM?
What's Inside a JVM?What's Inside a JVM?
What's Inside a JVM?
 
Packaging tool options
Packaging tool optionsPackaging tool options
Packaging tool options
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentals
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamental
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced Architectures
 
Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...Securing cloud and IoT applications using WebAssembly and trusted execution e...
Securing cloud and IoT applications using WebAssembly and trusted execution e...
 
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
 
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mwareBenchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
Benchmark emc vnx7500, emc fast suite, emc snap sure and oracle rac on v-mware
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s new
 
Presentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s newPresentation cloud infrastructure launch – what’s new
Presentation cloud infrastructure launch – what’s new
 
Introduction to Virtualization
Introduction to Virtualization Introduction to Virtualization
Introduction to Virtualization
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualization
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Monitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT InfrastructuresMonitoring Cloud/Virtual/Physical IT Infrastructures
Monitoring Cloud/Virtual/Physical IT Infrastructures
 
Managing and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical InfrastructuresManaging and Monitoring Virtual/Cloud/Physical Infrastructures
Managing and Monitoring Virtual/Cloud/Physical Infrastructures
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 

Recently uploaded

Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypseTomasz Kowalczewski
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Flutter Agency
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfWSO2
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Conceptsthomashtkim
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 

Recently uploaded (20)

Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 

Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides

  • 1. Twine: An Embedded Trusted Runtime for WebAssembly Jämes Ménétrey Marcelo Pasin Pascal Felber Valerio Schiavoni University of Neuchâtel, Switzerland 19-22 April 2021 37th IEEE International Conference on Data Engineering 1
  • 2. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Context Hardware VMM Company OS Software stack Trusted by cloud providers Your apps Trusted by you Developers Cloud providers Your apps Attack surface of your apps • We process and store important data in clouds • From cloud providers’ perspective: the users deploy untrusted apps on their trusted systems • From users’ perspective: they deploy trusted apps on systems they assume to be trustworthy 2
  • 3. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Users’ apps shielding • Twine relies on a Trusted Execution Environment (TEE) • We focus on Intel Secure Guard Extensions (SGX), which provide: • Memory access protection, integrity • Persist non-volatile data • Attestation of code (local and remote) • Applications are isolated inside hardware enforced enclaves Enclave Hardware VMM Company OS Software stack Your apps 3
  • 4. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Primer on Intel SGX Trusted Untrusted ① Enclave creation ② Call trusted function (ECALL) Call gates Trusted function ③ ⑤ Returns ⑥ Enclave destruction ④ Code execution • Hardware enforced security • Enclave memory access is restricted • Partitioned applications • Some instructions are illegal, e.g., syscall OS, VMM, … 4
  • 5. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Interoperability • Relax the constraints imposed by the TEE, such as: • Programming languages • Programming paradigm (e.g., code partitioning) • No built-in system calls (e.g., printf) • Abstract the host OS and the TEE • Provide practical performance 5 Cloud providers Your apps OS TEEs Programming lang. Deploy
  • 6. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 WebAssembly • WebAssembly is a standard for a lightweight bytecode format • A compilation target for most mainstream programming languages • Initially meant for the web, can be used anywhere today 6 Image: Standardising WASI, Mozilla, 2020 developer WebAssembly runtime clang -target wasm32-unknown-wasi user
  • 7. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Challenge 1: Interface • Intel SGX does not allow system calls, but provides out calls (OCALLs) • WebAssembly does not provides POSIX-like library, but does have import/export functions capability • Solution: use WebAssembly System Interface (WASI) to wire application system calls to OS system calls through OCALLs 7 Process Enclave WASI Call gate System library Wasm Runtime App OS Twine architecture ① ② ③ ④ ⑤ ⑥
  • 8. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Challenge 2: Performance • Interpreters are slower than native execution • Solution: Ahead of Time (AOT) compilation • Just in Time (JIT) compilation increases the complexity of the enclaves (e.g., using LLVM) 8 Developers env. .cpp .rs .go ① Source code ② Compilation into WebAssembly .wasm ③ Ahead of time compilation .aot Cloud env. Enclave ④ Deployment
  • 9. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Our contribution • Twine is a trusted runtime executing WebAssembly bytecode in enclaves with a subset of WASI support • Adaptation of the runtime WebAssembly Micro Runtime (WAMR) • Twine provides non-volatile storage to store database engine artefacts 9 Hardware VMM Company OS Your apps Attack surface of your apps Twine (trusted) Twine (untrusted) Trusted by cloud providers Trusted by you Software stack
  • 10. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Use case: SQLite • Compilation of SQLite into WebAssembly, • No source code modification except the usage of a virtual file system for using general I/O POSIX API (e.g., open, write, fsync, etc.) • File I/O operations are handled by Intel Protected File System (IPFS) transparently through WASI • Files are encrypted and decrypted thanks to IPFS 10 Process Enclave WASI Call gate System library Wasm Runtime OS ② Encryption ① ③ ④ ⑤
  • 11. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, Speedtest1 Across all tests with database stored in files, the slowdowns are: 11 Insert Update Sequential Select Delete Random Select 0 5 10 35.1 22.4 Normalised run time J Lower is better Native: mem. (= 1) file WAMR: mem. file Twine: mem. file SGX-LKL: mem. file We made these Native WAMR SGX-LKL Twine 3.7x 2.6x 1.8x 2.5x 6.5x 1.0x
  • 12. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, microbenchmark 12 0 50 100 150 0 1 2 EPC full Database size [MiB] Time [s] J Lower is better (a) Insertion 0 50 100 150 0 0.5 1 EPC full Database size [MiB] (b) Sequential reading 0 50 100 150 0 2 4 6 8 EPC full Database size [MiB] (c) Random reading Native: mem. file SGX-LKL: mem. file WAMR: mem. file Twine: mem. file • Enclave Page Cache (EPC) is a special memory area to store the enclaves’ code and data (size of 92 MiB) • Once full, encrypted memory pages are swapped out into the unprotected memory, which is a costly operation We made these
  • 13. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Evaluation: SQLite, microbenchmark 13 Insertion Sequential Random 0 0.5 1 Type of query Normalised run time J Lower is better Twine: HW SW SGX-LKL: HW SW 2.5x 3.3x 0.9x Slowdowns 0 50 100 150 0 1 2 EPC full Database size [MiB] Time [s] J Lower is better (a) Insertion 0 50 100 150 0 0.5 1 EPC full Database size [MiB] (b) Sequential reading 0 50 100 150 0 2 4 6 8 EPC full Database size [MiB] (c) Random reading Native: mem. file SGX-LKL: mem. file WAMR: mem. file Twine: mem. file We made these
  • 14. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Optimisations: Intel Protected File System • Optimisations: • Memory clearing operations have been removed • Memory copy operations have been reduced • Speedup compared to Intel’s version with SQLite: • Insertion: 1.5x • Sequential reading: 2.5x • Random reading: 4.1x 14 0 5 10 15 20 25 30 IPFS Optimised Time [s] (J Lower is better) SQLite inner work Read: other ops. OCALL memset
  • 15. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21 Takeaway • Twine is a trusted runtime for running WebAssembly within SGX enclaves on untrusted clouds with practical performance. • Applications compiled into WebAssembly do not need to be modified, as long as the system calls are covered by WASI • File system I/O is seamlessly secured by Intel Protected File System • SQLite can be compiled into WebAssembly and executed on Twine Thanks for your attention! 15 I’m open source!