1. Stress-SGX: Load and Stress your Enclaves for Fun and Profit
Sébastien Vaucher, Valerio Schiavoni, Pascal Felber
Computer Science Department, University of Neuchâtel, Switzerland
sebastien.vaucher@unine.ch
10 May 2018, NETYS, Essaouira, Morocco
2. Intel SGX crash course
• x86 instruction-set extension of Intel processors from Skylake onward
• Trusted Execution Environment (TEE) inside the processor
• A piece of trusted software running in the TEE is called an enclave
• The trust boundary is the CPU package
• Execution and data are shielded:
  • inside the CPU, by hardware access control
  • outside the CPU, by means of cryptography
[Figure: enclave call flow between untrusted code and trusted code. The untrusted side creates the enclave, then calls a trusted function through the call gate; the trusted function executes inside the enclave and returns to the caller. Below the application: the architectural enclaves (SGX user libraries, SGX AESM, and the LE, QE and PE enclaves).]
Sébastien Vaucher Stress-SGX – NETYS 2018 – Essaouira, Morocco 2
3. Motivation
• Few tools are available to evaluate SGX performance
• Our use cases:
  • Evaluation of SGX power consumption
  • Evaluation of our SGX-aware scheduler (to appear in ICDCS’18)
  • Performance evaluation of multiple TEEs
Stress-SGX
• Artificially creates load in SGX enclaves in a configurable way
• Gathers metrics after the stress run
  • This makes it a benchmarking tool
4. Implementation
• Fork of the well-known stress-ng tool
• Ported to SGX using the official Intel SDK
• Supported SGX stress methods:
  • 54 out of 68 CPU-bound methods
  • All 25 memory-bound methods (not shown in the paper)
Supported CPU-bound stress methods: ackermann, bitops, callfunc, complex[f,d,ld], correlate, crc16, decimal[32,64,128], dither, djb2a, double, euler, explog, factorial, fft, fibonacci, float, fnv1a, gamma, gcd, gray, hamming, hanoi, hyperbolic, idct, int8, int16, int32[f,d,ld], int64[f,d,ld], int128[f,d,ld], jenkin, jmp, ln2, longdouble, loop, matrixprod, nsqrt, ocall, omega, parity, phi, pi, pjw, prime, psi, queens, rand, rand48, rgb, sdbm, sieve, stats, sqrt, trig, union, zeta
5. Implementation workarounds
1. No support for timing or signals inside the enclave
  • Keep time and receive signals in a separate process
  • Share the address of the keep_stressing flag with the enclave
2. Certain standard functions are not provided by the SGX SDK
  • Copy compatible implementations into our code base
3. Compiling the SGX and non-SGX versions yields different binaries
  • Compile the SGX version first; it outputs a shared library
  • Link the non-SGX version against this shared library
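The first workaround (timekeeping and signals outside the enclave, a shared keep_stressing flag inside) is shown here as an added C example; it is not code from Stress-SGX or stress-ng. The enclave-side loop is emulated as a plain function that only reads the flag through a pointer it was given, and the untrusted side clears the flag from a SIGALRM timer, standing in for the separate timekeeping process. The names g_keep_stressing, stress_djb2a, run_stress_for_ms and stress_with_fixed_flag are assumptions, the djb2a hash is re-implemented here as one of the listed CPU-bound methods, and the max_iters bound exists only so the example cannot spin forever if the timer never fires.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Hypothetical stand-in for the flag whose address is shared with the
 * enclave. It lives in untrusted memory: only the untrusted side writes it,
 * the enclave-side loop only ever reads it. */
static volatile sig_atomic_t g_keep_stressing = 1;

/* Untrusted side: the timer signal is delivered here, outside the enclave,
 * and clears the flag. The enclave never handles the signal itself. */
static void on_alarm(int signo)
{
    (void)signo;
    g_keep_stressing = 0;
}

/* One CPU-bound method, re-implemented for this example (djb2a hash). */
uint32_t djb2a(const char *s)
{
    uint32_t h = 5381;
    for (; *s != '\0'; s++)
        h = (h * 33u) ^ (unsigned char)*s;
    return h;
}

/* Emulated enclave-side loop: hash a fixed buffer until the shared flag is
 * cleared (or the safety bound max_iters is reached). Returns the number
 * of completed iterations; *sink receives the accumulated hash so the work
 * stays observable and is not optimised away. */
uint64_t stress_djb2a(const volatile sig_atomic_t *keep_stressing,
                      uint64_t max_iters, uint32_t *sink)
{
    /* constructed sample input for the hash method */
    static const char sample[] = "constructed sample input for djb2a";
    uint64_t iters = 0;
    uint32_t acc = 0;

    while (*keep_stressing && iters < max_iters) {
        acc ^= djb2a(sample);
        iters++;
    }
    if (sink != NULL)
        *sink = acc;
    return iters;
}

/* Deterministic variant for checking the loop without a timer: the flag is
 * fixed to flag_value for the whole run. */
uint64_t stress_with_fixed_flag(int flag_value, uint64_t max_iters)
{
    volatile sig_atomic_t flag = flag_value;
    return stress_djb2a(&flag, max_iters, NULL);
}

/* Untrusted driver: arm a one-shot timer for ms milliseconds, run the
 * enclave-side loop against the shared flag, then disarm the timer. */
uint64_t run_stress_for_ms(unsigned ms, uint64_t max_iters)
{
    struct sigaction sa;
    struct itimerval timer = {{0, 0}, {0, 0}};
    struct itimerval off = {{0, 0}, {0, 0}};
    uint32_t sink = 0;

    sa.sa_handler = on_alarm;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);

    g_keep_stressing = 1;
    timer.it_value.tv_sec = ms / 1000;
    timer.it_value.tv_usec = (ms % 1000) * 1000;
    setitimer(ITIMER_REAL, &timer, NULL);

    uint64_t iters = stress_djb2a(&g_keep_stressing, max_iters, &sink);

    /* disarm in case the safety bound ended the loop before the timer */
    setitimer(ITIMER_REAL, &off, NULL);
    g_keep_stressing = 0;
    return iters;
}

int main(void)
{
    uint64_t iters = run_stress_for_ms(200, UINT64_MAX);
    printf("djb2a iterations completed in 200 ms: %llu\n",
           (unsigned long long)iters);
    return 0;
}
```

The iteration count is the metric a stress run would report; because the flag is polled once per iteration, the granularity of stopping is one hash of the sample buffer, which is the same trade-off a real enclave loop makes when it cannot be interrupted by a signal.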
7. Research work using Stress-SGX
1. “SGX-Aware Container Orchestration for Heterogeneous Clusters”, to appear in ICDCS’18
2. One research article under submission
3. Ongoing work in the LEGaTO European Union H2020 project
4. Ongoing work at the University of Neuchâtel and other institutes
8. Conclusion
Stress-SGX
• A tool to artificially load SGX enclaves
• An easy-to-use benchmarking tool
• Freely available at: https://github.com/sebva/stress-sgx
What we discovered using Stress-SGX
• The Spectre patch considerably reduces SGX performance
• More to come in research papers to appear
Thank you for your attention!