Twine is a trusted runtime that allows WebAssembly applications to execute securely within Intel SGX enclaves on untrusted cloud infrastructure. It addresses challenges of interfacing WebAssembly with hardware security modules and optimizing performance. Evaluations show Twine can execute SQLite compiled to WebAssembly within SGX enclaves with overhead of only 2.5-6.5x compared to native execution. Twine shields user applications while allowing them to be deployed across programming languages and hardware security environments.
Twine: An Embedded Trusted Runtime for WebAssembly - Presentation slides
1. Twine: An Embedded Trusted Runtime for WebAssembly
Jämes Ménétrey, Marcelo Pasin, Pascal Felber, Valerio Schiavoni
University of Neuchâtel, Switzerland
19-22 April 2021
37th IEEE International Conference on Data Engineering
2. Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21
Context
[Figure: software stack (Hardware, VMM, OS, Company) trusted by cloud providers; your apps, trusted by you; attack surface of your apps; developers vs cloud providers]
• We process and store important data in clouds
• From cloud providers’ perspective: the users deploy untrusted apps on their trusted systems
• From users’ perspective: they deploy trusted apps on systems they assume to be trustworthy
3. Users’ apps shielding
• Twine relies on a Trusted Execution Environment (TEE)
• We focus on Intel Software Guard Extensions (SGX), which provide:
  • Memory access protection and integrity
  • Persistence of non-volatile data
  • Attestation of code (local and remote)
• Applications are isolated inside hardware-enforced enclaves
[Figure: software stack (Hardware, VMM, OS, Company) with your apps running inside an enclave]
4. Primer on Intel SGX
[Figure: enclave life cycle, trusted side vs untrusted side (OS, VMM, …): ① enclave creation; ② call trusted function (ECALL) through the call gates; ④ code execution; ⑤ returns; ⑥ enclave destruction]
• Hardware-enforced security
• Enclave memory access is restricted
• Partitioned applications
• Some instructions are illegal, e.g., syscall
5. Interoperability
• Relax the constraints imposed by the TEE, such as:
  • Programming languages
  • Programming paradigm (e.g., code partitioning)
  • No built-in system calls (e.g., printf)
• Abstract the host OS and the TEE
• Provide practical performance
[Figure: deploying your apps across cloud providers, OSes, TEEs and programming languages]
6. WebAssembly
• WebAssembly is a standard for a lightweight bytecode format
• A compilation target for most mainstream programming languages
• Initially meant for the web, it can be used anywhere today
[Figure: the developer compiles with clang -target wasm32-unknown-wasi; the user runs the result in a WebAssembly runtime. Image: Standardising WASI, Mozilla, 2020]
7. Challenge 1: Interface
• Intel SGX does not allow system calls, but provides out calls (OCALLs)
• WebAssembly does not provide a POSIX-like library, but does have an import/export function capability
• Solution: use the WebAssembly System Interface (WASI) to wire application system calls to OS system calls through OCALLs
[Figure: Twine architecture. Inside the process, the enclave holds the Wasm runtime, the app, the WASI layer and the system library; steps ① to ⑥ follow a call from the app through WASI and the call gate to the OS and back]
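As an added illustration of the WASI-over-OCALL wiring described on this slide (example code, not Twine's or WAMR's own): a host-side implementation of the WASI `fd_write` import receives Wasm linear-memory offsets rather than pointers, validates every offset against the sandbox bounds, stages the bytes in enclave-owned memory and only then crosses the enclave boundary. The `linear_memory_t` type, the `ocall_write` stand-in and the bounce-buffer size are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* WASI error codes used below (values from the WASI snapshot ABI). */
#define WASI_ESUCCESS 0
#define WASI_EFAULT   21
#define WASI_EINVAL   28
#define WASI_EIO      29
typedef struct { uint32_t buf; uint32_t buf_len; } wasi_ciovec_t; /* layout in wasm32 memory */
typedef struct { uint8_t *base; uint32_t size; } linear_memory_t; /* the app's sandboxed memory */
/* Constructed stand-in for the untrusted side of the OCALL (outside the enclave). */
static char ocall_sink[128];
static size_t ocall_sink_len = 0;
static int ocall_write(int fd, const void *buf, size_t len) {
    (void)fd;
    if (ocall_sink_len + len > sizeof ocall_sink) return -1;
    memcpy(ocall_sink + ocall_sink_len, buf, len);
    ocall_sink_len += len;
    return (int)len;
}
/* An offset/length pair is valid only if it lies entirely inside linear memory;
   64-bit arithmetic prevents the sum from wrapping around. */
static int in_bounds(const linear_memory_t *m, uint32_t off, uint32_t len) {
    return (uint64_t)off + (uint64_t)len <= (uint64_t)m->size;
}
/* Host implementation of WASI fd_write: iovs and nwritten_ptr are offsets, not pointers. */
uint32_t wasi_fd_write(linear_memory_t *m, int fd, uint32_t iovs, uint32_t iovs_len, uint32_t nwritten_ptr) {
    uint8_t stage[64];          /* enclave-owned bounce buffer handed to the OCALL */
    uint32_t total = 0;
    if (iovs_len > 1024) return WASI_EINVAL;   /* also keeps iovs_len * 8 from overflowing */
    if (!in_bounds(m, iovs, iovs_len * (uint32_t)sizeof(wasi_ciovec_t)) ||
        !in_bounds(m, nwritten_ptr, sizeof(uint32_t)))
        return WASI_EFAULT;
    for (uint32_t i = 0; i < iovs_len; i++) {
        wasi_ciovec_t iov;
        memcpy(&iov, m->base + iovs + i * sizeof iov, sizeof iov); /* alignment-safe read */
        if (!in_bounds(m, iov.buf, iov.buf_len)) return WASI_EFAULT;
        for (uint32_t done = 0; done < iov.buf_len; ) {
            uint32_t n = iov.buf_len - done;
            if (n > sizeof stage) n = (uint32_t)sizeof stage;
            memcpy(stage, m->base + iov.buf + done, n); /* copy out of the sandbox first */
            if (ocall_write(fd, stage, n) != (int)n) return WASI_EIO;
            done += n; total += n;
        }
    }
    memcpy(m->base + nwritten_ptr, &total, sizeof total); /* write the result back into the sandbox */
    return WASI_ESUCCESS;
}
```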
8. Challenge 2: Performance
• Interpreters are slower than native execution
• Solution: Ahead-of-Time (AOT) compilation
• Just-in-Time (JIT) compilation increases the complexity of the enclaves (e.g., using LLVM)
[Figure: ① source code (.cpp, .rs, .go) in the developers’ environment; ② compilation into WebAssembly (.wasm); ③ ahead-of-time compilation (.aot); ④ deployment into the enclave in the cloud environment]
9. Our contribution
• Twine is a trusted runtime executing WebAssembly bytecode in enclaves with a subset of WASI support
• Adaptation of the WebAssembly Micro Runtime (WAMR)
• Twine provides non-volatile storage to store database engine artefacts
[Figure: software stack (Hardware, VMM, OS, Company) trusted by cloud providers; Twine (trusted) and your apps, trusted by you; Twine (untrusted); attack surface of your apps]
10. Use case: SQLite
• Compilation of SQLite into WebAssembly
• No source code modification, except the use of a virtual file system that relies on the general POSIX I/O API (e.g., open, write, fsync, etc.)
• File I/O operations are handled by the Intel Protected File System (IPFS) transparently through WASI
• Files are encrypted and decrypted by IPFS
[Figure: process with the enclave (Wasm runtime, WASI, system library, call gate) and the OS; steps ① to ⑤, with ② encryption]
11. Evaluation: SQLite, Speedtest1
Across all tests with the database stored in files, the slowdowns are:
[Chart: normalised run time (lower is better) for Insert, Update, Sequential Select, Delete and Random Select; configurations Native (mem. = 1, file), WAMR (mem., file), Twine (mem., file) and SGX-LKL (mem., file). Annotated slowdowns: Native 1.0x; the other bars are labelled 1.8x, 2.5x, 2.6x, 3.7x and 6.5x; two bars exceed the axis at 22.4 and 35.1]
12. Evaluation: SQLite, microbenchmark
[Chart: time [s] vs database size [MiB] (0 to 150), lower is better, with the point where the EPC is full marked: (a) insertion, (b) sequential reading, (c) random reading; series Native, SGX-LKL, WAMR and Twine, each with mem. and file configurations]
• The Enclave Page Cache (EPC) is a special memory area that stores the enclaves’ code and data (size of 92 MiB)
• Once it is full, encrypted memory pages are swapped out into unprotected memory, which is a costly operation
13. Evaluation: SQLite, microbenchmark
[Chart: normalised run time (lower is better) per type of query (insertion, sequential, random) for Twine and SGX-LKL, each in HW and SW configurations; annotated slowdowns 2.5x, 3.3x and 0.9x]
[Chart: time [s] vs database size [MiB], repeated from the previous slide: (a) insertion, (b) sequential reading, (c) random reading, with the EPC-full point marked; series Native, SGX-LKL, WAMR and Twine, mem. and file configurations]
14. Optimisations: Intel Protected File System
• Optimisations:
  • Memory clearing operations have been removed
  • Memory copy operations have been reduced
• Speedup compared to Intel’s version with SQLite:
  • Insertion: 1.5x
  • Sequential reading: 2.5x
  • Random reading: 4.1x
[Chart: time [s] (0 to 30, lower is better) for IPFS vs Optimised, broken down into SQLite inner work, read: other ops., OCALL and memset]
15. Takeaway
• Twine is a trusted runtime for running WebAssembly within SGX enclaves on untrusted clouds with practical performance
• Applications compiled into WebAssembly do not need to be modified, as long as their system calls are covered by WASI
• File system I/O is seamlessly secured by the Intel Protected File System
• SQLite can be compiled into WebAssembly and executed on Twine
Thanks for your attention!
I’m open source!