Twine: An Embedded Trusted
Runtime for WebAssembly
Jämes Ménétrey Marcelo Pasin Pascal Felber Valerio Schiavoni
University of Neuchâtel, Switzerland
19-22 April 2021
37th IEEE International Conference on Data Engineering
1
Jämes Ménétrey — Twine: An Embedded Trusted Runtime for WebAssembly — ICDE ‘21
Context
[Figure: the software stack (hardware, VMM, OS, software stack, your apps) split into the part trusted by cloud providers and the part trusted by you; developers on one side, cloud providers on the other; the attack surface of your apps is highlighted]
• We process and store important data in clouds
• From cloud providers’ perspective: the users deploy
untrusted apps on their trusted systems
• From users’ perspective: they deploy trusted apps
on systems they assume to be trustworthy
2
Users’ apps shielding
• Twine relies on a Trusted Execution Environment (TEE)
• We focus on Intel Software Guard Extensions (SGX),
which provide:
• Memory access protection and integrity
• Persistence of non-volatile data
• Attestation of code (local and remote)
• Applications are isolated inside hardware enforced enclaves
[Figure: the same stack (hardware, VMM, OS, software stack, your apps), with your apps now running inside an enclave]
3
Primer on Intel SGX
[Figure: enclave lifecycle, trusted side vs untrusted side (OS, VMM, …). ① Enclave creation; ② call of a trusted function (ECALL) through the call gates; ③ (unlabelled in the figure) the transition into the trusted function; ④ code execution inside the enclave; ⑤ return to the untrusted side; ⑥ enclave destruction]
• Hardware enforced security
• Enclave memory access is restricted
• Partitioned applications
• Some instructions are illegal, e.g., syscall
4
Interoperability
• Relax the constraints imposed by the TEE, such as:
• Programming languages
• Programming paradigm (e.g., code partitioning)
• No built-in system calls (e.g., printf)
• Abstract the host OS and the TEE
• Provide practical performance
5
[Figure: your apps are deployed to cloud providers across different OSes, TEEs and programming languages]
WebAssembly
• WebAssembly is a standard for a
lightweight bytecode format
• A compilation target for most mainstream
programming languages
• Initially meant for the web, can be used
anywhere today
6
[Image: Standardising WASI, Mozilla, 2020. The developer compiles with clang -target wasm32-unknown-wasi; the WebAssembly runtime executes the result for the user]
Challenge 1: Interface
• Intel SGX does not allow system calls, but provides
out calls (OCALLs)
• WebAssembly does not provide a POSIX-like library,
but it does have an import/export function capability
• Solution: use WebAssembly System Interface
(WASI) to wire application system calls to OS
system calls through OCALLs
7
[Figure: Twine architecture. Inside the process, the enclave contains the Wasm runtime, the app, the WASI layer and the system library; calls leave the enclave through the call gate to the OS. The figure numbers the steps ① to ⑥]
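The WASI-to-OCALL wiring on this slide is where guest-controlled values cross the trust boundary: the Wasm application hands the WASI layer nothing but offsets into its linear memory, and the trusted side has to validate those offsets before it copies data out and forwards the request to the host through an OCALL, because the enclave cannot issue the syscall itself (slide 4). The C program below is an added example written for this page, not Twine's or WAMR's code. It models a trusted-side WASI fd_write handler; the linear memory size, the host-side stand-in ocall_write (which captures bytes in a buffer instead of crossing a real SGX boundary) and its file-descriptor policy are constructed assumptions, while the errno values are those of wasi_snapshot_preview1.

```c
/* Added example: a WASI fd_write handler bridged to an OCALL, with
 * guest-pointer validation. Not Twine's or WAMR's code; the enclave/OCALL
 * boundary is modelled with a constructed host buffer so this builds
 * without SGX. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LINEAR_MEM_SIZE 4096u   /* constructed size of the Wasm linear memory */
static uint8_t linear_mem[LINEAR_MEM_SIZE];

/* WASI ciovec as laid out in wasm32 guest memory: two 32-bit fields. */
typedef struct { uint32_t buf; uint32_t buf_len; } wasi_ciovec_t;

/* WASI errno values (wasi_snapshot_preview1 numbering). */
enum { WASI_ESUCCESS = 0, WASI_EBADF = 8, WASI_EFAULT = 21, WASI_EINVAL = 28 };

#define MAX_IOVS 16        /* assumed cap on iovec entries per call */
#define STAGING_SIZE 512   /* assumed enclave-owned staging buffer size */

/* --- untrusted side: stand-in for the EDL-generated OCALL --------------- */
static char host_sink[256];
static size_t host_sink_len;

void reset_host_sink(void) { host_sink_len = 0; memset(host_sink, 0, sizeof host_sink); }
const char *host_sink_contents(void) { return host_sink; }

/* Hypothetical host policy: only stdout/stderr are writable. */
static int32_t ocall_write(int32_t fd, const void *buf, size_t len) {
    if (fd != 1 && fd != 2) return -1;
    size_t room = sizeof host_sink - 1 - host_sink_len;
    if (len > room) len = room;
    memcpy(host_sink + host_sink_len, buf, len);
    host_sink_len += len;
    return (int32_t)len;
}

/* --- helpers that play the role of the guest writing its own memory ---- */
void guest_store_bytes(uint32_t off, const void *src, uint32_t len) { memcpy(linear_mem + off, src, len); }
void guest_store_iovec(uint32_t off, uint32_t buf, uint32_t len) {
    wasi_ciovec_t v = { buf, len };
    memcpy(linear_mem + off, &v, sizeof v);
}
uint32_t guest_load_u32(uint32_t off) { uint32_t v; memcpy(&v, linear_mem + off, sizeof v); return v; }

/* [off, off+len) must lie inside linear memory; the subtraction form avoids
 * the wrap-around that off + len would suffer for large offsets. */
static int guest_range_ok(uint32_t off, uint32_t len) {
    return len <= LINEAR_MEM_SIZE && off <= LINEAR_MEM_SIZE - len;
}

/* --- trusted side: WASI fd_write --------------------------------------- */
uint16_t wasi_fd_write(int32_t fd, uint32_t iovs, uint32_t iovs_len, uint32_t nwritten_ptr) {
    if (iovs_len > MAX_IOVS) return WASI_EINVAL;
    if (!guest_range_ok(nwritten_ptr, sizeof(uint32_t))) return WASI_EFAULT;
    if (!guest_range_ok(iovs, iovs_len * (uint32_t)sizeof(wasi_ciovec_t))) return WASI_EFAULT;

    /* Copy the iovec array out of guest memory before validating it, so the
     * guest cannot change an entry between the check and its use. */
    wasi_ciovec_t iov[MAX_IOVS];
    memcpy(iov, linear_mem + iovs, iovs_len * sizeof(wasi_ciovec_t));

    /* Gather into an enclave-owned buffer; the OCALL never sees a pointer
     * into linear memory. */
    uint8_t staging[STAGING_SIZE];
    uint32_t total = 0;
    for (uint32_t i = 0; i < iovs_len; i++) {
        if (!guest_range_ok(iov[i].buf, iov[i].buf_len)) return WASI_EFAULT;
        if (iov[i].buf_len > STAGING_SIZE - total) return WASI_EINVAL;
        memcpy(staging + total, linear_mem + iov[i].buf, iov[i].buf_len);
        total += iov[i].buf_len;
    }

    int32_t rc = ocall_write(fd, staging, total);
    if (rc < 0) return WASI_EBADF;
    uint32_t n = (uint32_t)rc;
    memcpy(linear_mem + nwritten_ptr, &n, sizeof n);   /* result back to the guest */
    return WASI_ESUCCESS;
}

int main(void) {
    reset_host_sink();
    guest_store_bytes(100, "hello\n", 6);   /* constructed guest data */
    guest_store_iovec(200, 100, 6);         /* one iovec at guest offset 200 */
    uint16_t err = wasi_fd_write(1, 200, 1, 300);
    printf("errno=%u written=%u host saw: %s", err, guest_load_u32(300), host_sink_contents());
    return 0;
}
```

In an SGX build, ocall_write would be the EDL-generated OCALL and the staging buffer, not a linear-memory pointer, is what crosses the boundary; the same validation pattern applies to every WASI function that takes guest offsets (fd_read, path_open and the rest).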
Challenge 2: Performance
• Interpreters are slower than native execution
• Solution: Ahead of Time (AOT) compilation
• Just in Time (JIT) compilation increases the
complexity of the enclaves (e.g., using LLVM)
8
[Figure: build and deployment pipeline. In the developers' environment: ① source code (.cpp, .rs, .go); ② compilation into WebAssembly (.wasm); ③ ahead-of-time compilation (.aot). In the cloud environment: ④ deployment into the enclave]
Our contribution
• Twine is a trusted runtime executing WebAssembly
bytecode in enclaves with a subset of WASI support
• An adaptation of the WebAssembly Micro Runtime (WAMR)
• Twine provides non-volatile storage to store
database engine artefacts
9
[Figure: the software stack (hardware, VMM, OS, software stack, your apps) with Twine split into a trusted part and an untrusted part; the trusted part and your apps are trusted by you, the rest by cloud providers; the attack surface of your apps is highlighted]
Use case: SQLite
• Compilation of SQLite into WebAssembly
• No source code modification, except the use of a
virtual file system that goes through the general POSIX I/O API
(e.g., open, write, fsync, etc.)
• File I/O operations are handled by Intel Protected File
System (IPFS) transparently through WASI
• Files are encrypted and decrypted thanks to IPFS
10
[Figure: the Twine architecture again (process, enclave, Wasm runtime, WASI, system library, call gate, OS), with file I/O steps ① to ⑤ and ② marked as the encryption step]
Evaluation: SQLite, Speedtest1
Across all tests with the database stored in files, the slowdowns are:
11
[Chart: normalised run time (lower is better) for Insert, Update, Sequential Select, Delete and Random Select, each with an in-memory and a file-backed database, for Native (in-memory = 1), WAMR, Twine and SGX-LKL. Annotated slowdowns relative to native: Native 1.0x, and 3.7x, 2.6x, 1.8x, 2.5x and 6.5x for the other configurations; the two tallest file-backed bars reach 35.1 and 22.4]
Evaluation: SQLite, microbenchmark
12
[Charts: time [s] (lower is better) against database size [MiB], 0 to 150 MiB, with the point where the EPC becomes full marked: (a) insertion, (b) sequential reading, (c) random reading; series: Native, SGX-LKL, WAMR and Twine, each with an in-memory and a file-backed database]
• Enclave Page Cache (EPC) is a special memory area to store
the enclaves’ code and data (size of 92 MiB)
• Once full, encrypted memory pages are swapped out into
the unprotected memory, which is a costly operation
Evaluation: SQLite, microbenchmark
13
[Chart: normalised run time (lower is better) by type of query (Insertion, Sequential, Random) for Twine and SGX-LKL, each in HW and SW mode; annotated slowdowns: 2.5x, 3.3x and 0.9x]
[Charts repeated from the previous slide: time [s] against database size [MiB], 0 to 150 MiB, with the point where the EPC becomes full marked: (a) insertion, (b) sequential reading, (c) random reading; series: Native, SGX-LKL, WAMR and Twine, in-memory and file-backed]
Optimisations: Intel Protected File System
• Optimisations:
• Memory clearing operations have been removed
• Memory copy operations have been reduced
• Speedup compared to Intel’s version with SQLite:
• Insertion: 1.5x
• Sequential reading: 2.5x
• Random reading: 4.1x
14
[Chart: time [s] (lower is better), 0 to 30 s, for IPFS vs Optimised, broken down into SQLite inner work, Read: other ops., OCALL and memset]
Takeaway
• Twine is a trusted runtime for running WebAssembly within SGX enclaves on
untrusted clouds with practical performance.
• Applications compiled into WebAssembly do not need to be modified, as long as
the system calls are covered by WASI
• File system I/O is seamlessly secured by Intel Protected File System
• SQLite can be compiled into WebAssembly and executed on Twine
Thanks for your attention!
15
I’m open source!