SGX应用支持技术研究进展

doi:10.13328/j.cnki.jos.006095

微信服务号

微信订阅号

2025年8月5日 23:40 星期二

首页 > 过刊浏览>2021年第32卷第1期 >137-166. DOI:10.13328/j.cnki.jos.006095

PDF HTML阅读 XML下载导出引用引用提醒

SGX应用支持技术研究进展
DOI:
                        10.13328/j.cnki.jos.006095
                    
CSTR:
                        
                    
作者:
                        董春涛董春涛
北京大学 软件与微电子学院, 北京 102600;北京大学 软件工程国家工程研究中心, 北京 100871;高可信软件技术教育部重点实验室(北京大学), 北京 100871
在期刊界中查找
在百度中查找
在本站中查找
沈晴霓沈晴霓
北京大学 软件与微电子学院, 北京 102600;北京大学 软件工程国家工程研究中心, 北京 100871;高可信软件技术教育部重点实验室(北京大学), 北京 100871
在期刊界中查找
在百度中查找
在本站中查找
罗武罗武
北京大学 信息科学技术学院, 北京 100871;北京大学 软件工程国家工程研究中心, 北京 100871;高可信软件技术教育部重点实验室(北京大学), 北京 100871
在期刊界中查找
在百度中查找
在本站中查找
吴鹏飞吴鹏飞
北京大学 软件与微电子学院, 北京 102600;北京大学 软件工程国家工程研究中心, 北京 100871;高可信软件技术教育部重点实验室(北京大学), 北京 100871
在期刊界中查找
在百度中查找
在本站中查找
吴中海吴中海
北京大学 软件与微电子学院, 北京 102600;北京大学 信息科学技术学院, 北京 100871;北京大学 软件工程国家工程研究中心, 北京 100871;高可信软件技术教育部重点实验室(北京大学), 北京 100871
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:董春涛(1991-),男,博士生,主要研究领域为分布式系统安全,云计算,大数据安全,可信计算.
沈晴霓(1970-),女,博士,教授,博士生导师,CCF高级会员,主要研究领域为操作系统,虚拟化安全,云计算,大数据安全与隐私,可信计算.
罗武(1994-),男,博士生,主要研究领域为操作系统,虚拟化安全,云计算,可信计算,浏览器安全.
吴鹏飞(1994-),男,博士生,主要研究领域为分布式系统安全,隐私保护,大数据安全.
吴中海(1968-),男,博士,教授,博士生导师,CCF杰出会员,主要研究领域为大数据系统与分析,大数据与云安全,嵌入式系统.
通讯作者:沈晴霓,E-mail:qingnishen@ss.pku.edu.cn
中图分类号:
基金项目:国家自然科学基金（61672062，61232005）

Research Progress of SGX Application Supporting Techniques

Author:

DONG Chun-Tao
DONG Chun-Tao
School of Software and Microelectronics, Peking University, Beijing 102600, China;National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China;Key Laboratory of High Confidence Software Technologies of Ministry of Education (Peking University), Beijing 100871, China
在期刊界中查找
在百度中查找
在本站中查找
SHEN Qing-Ni
SHEN Qing-Ni
School of Software and Microelectronics, Peking University, Beijing 102600, China;National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China;Key Laboratory of High Confidence Software Technologies of Ministry of Education (Peking University), Beijing 100871, China
在期刊界中查找
在百度中查找
在本站中查找
LUO Wu
LUO Wu
School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China;Key Laboratory of High Confidence Software Technologies of Ministry of Education (Peking University), Beijing 100871, China
在期刊界中查找
在百度中查找
在本站中查找
WU Peng-Fei
WU Peng-Fei
School of Software and Microelectronics, Peking University, Beijing 102600, China;National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China;Key Laboratory of High Confidence Software Technologies of Ministry of Education (Peking University), Beijing 100871, China
在期刊界中查找
在百度中查找
在本站中查找
WU Zhong-Hai
WU Zhong-Hai
School of Software and Microelectronics, Peking University, Beijing 102600, China;School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China;National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China;Key Laboratory of High Confidence Software Technologies of Ministry of Education (Peking University), Beijing 100871, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

National Natural Science Foundation of China (61672062, 61232005)

摘要

图/表

访问统计

参考文献 [102]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

安全与可信是云计算中极为重要的需求，如何保护用户在云平台上托管的应用程序代码和数据的安全、防止云服务提供商和其他攻击者窃取用户机密数据，一直是个难题.2013年，Intel公司提出了新的处理器安全技术SGX，能够在计算平台上提供一个用户空间的可信执行环境，保证用户关键代码及数据的机密性和完整性.SGX技术自提出以来，已成为云计算安全问题的重要解决方案.如何有效地应用SGX技术来保护用户的应用程序，成为近年来的研究热点.介绍了SGX的相关机制和SDK，概括了SGX应用所面临的安全问题、性能瓶颈问题、开发困难问题和功能局限性等问题，总结并归纳了SGX应用支持技术的研究进展，包括SGX应用安全防护技术、SGX应用性能优化技术、SGX应用辅助开发技术和SGX功能扩展技术，并展望了未来的发展方向.

关键词:可信计算;SGX;系统安全;云安全;应用开发

Abstract:

Security and trustworthiness are extremely important requirements for cloud computing. How to protect critical application code and data on the cloud platform and prevent cloud service providers and other attackers from stealing user's confidential data is a difficult problem. In 2013, Intel proposed a new processor security technology SGX, which can provide a trusted execution environment for user space on the computing platform to ensure the confidentiality and integrity of critical user code and data. Since SGX technology is proposed, it has gradually become an important solution to cloud computing security issues. How to effectively apply SGX technology to protect application has become research a hotspot in recent years. In this paper, the mechanisms and SDK of SGX are introduced, and the bottlenecks such as security issues, performance bottlenecks, development difficulties, and function limitations faced by SGX application are summarized. The research progress of SGX application supporting techniques are analyzed and summarized, including SGX application security protection technique, SGX application performance optimization technique, SGX application assisted development technique, and SGX function extension technique. Finally, the development directions of SGX application supporting techniques are suggested.

Key words:trusted computing;SGX;system security;cloud security;application development

参考文献

[1] Amazon Web services. 2019. https://aws.amazon.com

[2] Microsoft azure. 2019. https://azure.microsoft.com

[3] Popa RA, Redfield C, Zeldovich N, et al. CryptDB:Protecting confidentiality with encrypted query processing. In:Proc. of the 23rd ACM Symp. on Operating Systems Principles. ACM, 2011.85-100.[doi:10.1145/2043556.2043566]

[4] Puttaswamy KPN, Kruegel C, Zhao BY. Silverline:Toward data confidentiality in storage-intensive cloud applications. In:Proc. of the 2nd ACM Symp. on Cloud Computing (SOCC 2011). ACM, 2011.1-11.[doi:10.1145/2038916.2038926]

[5] Tu S, Kaashoek MF, Madden S, et al. Processing analytical queries over encrypted data. VLDB Endowment. 2013,6(5):289-300.[doi:10.14778/2535573.2488336]

[6] Gentry C. Fully homomorphic encryption using ideal lattices. In:Proc. of the 41st Annual ACM Symp. on Theory of Computing (SToC 2009). 2009.169-178.[doi:10.1145/1536414.1536440]

[7] Intel Corporation. Intel Software Guard Extensions (Intel SGX). Intel Labs, 2019. https://software.intel.com/sgx

[8] Intel Corporation. Intel Software Guard Extensions Programming Reference. Intel Labs, 2019. https://download.01.org/intel-sgx/sgx-linux/2.7.1/docs/Intel_SGX_Developer_Reference_Linux_2.7.1_Open_Source.pdf

[9] Wang WH, Chen GX, Pan XR, et al. Leaky cauldron on the dark land:Understanding memory side-channel hazards in SGX. In:Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2017). 2017.2421-2434.[doi:10.1145/3133956.3134038]

[10] Xu YZ, Cui WD, Peinado M. Controlled-channel attacks:Deterministic side channels for untrusted operating systems. In:Proc. of the 2015 IEEE Symp. on Security and Privacy (SP 2015). 2015.640-656.[doi:10.1109/SP.2015.45]

[11] Shinde S, Chua ZL, Narayanan V, Saxena P. Preventing page faults from telling your secrets. In:Proc. of the 11th ACM on Asia Conf. on Computer and Communications Security (ASIA CCS 2016). 2016.317-328.[doi:10.1145/2897845:2897885]

[12] Costan V, Lebedev I, Devadas S. Secure processors part ii:Intel SGX security analysis and mit sanctum architecture. Foundations and Trends in Electronic Design Automation, 2017,11(3):249-361.[doi:10.1561/1000000052]

[13] Neiger G, Santoni A, Leung F, et al. Intel virtualization technology:Hardware support for efficient processor virtualization. In:Proc. of the Computer. IEEE, 2005.48-56.[doi:10.1109/MC.2005.163]

[14] Intel SGX Developer Guide. 2019. https://download.01.org/intel-sgx/sgx-linux/2.7.1/docs/Intel_SGX_Developer_Guide.pdf

[15] McKeen F, Alexandrovich I, Berenzon A, et al. Innovative instructions and software model for isolated execution. In:Proc. of the 2nd Int'l Workshop on Hardware and Architecture Support for Security and Privacy (HASP 2013). ACM, 2013.[doi:10.1145/2487726.2488368]

[16] Hoekstra M, Lal R, Pappachan P, et al. Using innovative instructions to create trustworthy software solutions. In:Proc. of the 2nd Int'l Workshop on Hardware and Architectural Support for Security and Privacy (HASP 2013). ACM, 2013.11.[doi:10.1145/2487726.2488370]

[17] Anati I, Gueron S, Johnson S, et al. Innovative technology for CPU based attestation and sealing. In:Proc. of the 2nd Int'l Workshop on Hardware and Architectural Support for Security and Privacy (HASP 2013). ACM, 2013.13.

[18] Wang JW, Jiang Y, Li Q, Yang Y. Survey of research on SGX technology application. Journal of Network New Media, 2017,6(5):3-9(in Chinese with English abstract).[doi:CNKI:SUN:WJSY.0.2017-05-003]

[19] Wang J, Fan CY, Cheng YQ, Zhao B, Wei T, Yan F, Zhang HG, Ma J. Analysis and research on SGX technology. Ruan Jian Xue Bao/Journal of Software, 2018,29(9):2778-2798(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5594.htm[doi:10.13328/j.cnki.jos.005594]

[20] Sartakov V, Weichbrodt N, Krieter S, et al. STANlite-A database engine for secure data processing at rack-scale level. In:Proc. of the 2018 IEEE Int'l Conf. on Cloud Engineering (IC2E 2018). IEEE, 2018.23-33.[doi:10.1109/IC2E.2018.00024]

[21] Brenner S, Wulf C, Goltzsche D, et al. Securekeeper:Confidential ZooKeeper using Intel SGX. In:Proc. of the 17th Int'l Middleware Conf. (Middleware 2016). ACM, 2016.14.[doi:10.1145/2988336.2988350]

[22] Goltzsche D, Rüsch S, Nieke M, et al. Endbox:Scalable middlebox functions using client-side trusted execution. In:Proc. of the 48th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks (DSN 2018). IEEE, 2018.386-397.[doi:10.1109/DSN. 2018.00048]

[23] Shih MW, Kumar M, Kim T, et al. S-NFV:Securing NFV states by using SGX. In:Proc. of the 2016 ACM Int'l Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2016.45-48.[doi:10.1145/2876019.2876032]

[24] Trach B, Krohmer A, Gregor F, et al. ShieldBox:Secure middleboxes using shielded execution. In:Proc. of the Symp. on SDN Research. ACM, 2018.2.[doi:10.1145/3185467.3185469]

[25] Pires R, Pasin M, Felber P, et al. Secure content-based routing using Intel software guard extensions. In:Proc. of the 17th Int'l Middleware Conf. (Middleware 2016). ACM, 2016.1-10.[doi:10.1145/2988336.2988346]

[26] Krawiecka K, Kurnikov A, Paverd A, et al. SafeKeeper:Protecting Web passwords using trusted execution environments. In:Proc.of the 2018 World Wide Web Conf. (WWW 2018). Int'l World Wide Web Conf. on Steering Committee, 2018.349-358.[doi:10.1145/3178876.3186101]

[27] Kim S, Han J, Ha J, et al. Enhancing security and privacy of tor's ecosystem by using trusted execution environments. In:Proc. of the 14th USENIX Symp. on Networked Systems Design and Implementation (NSDI 2017). 2017.145-161.

[28] Karande V, Bauman E, Lin Z, et al. SGX-Log:Securing system logs with SGX. In:Proc. of the 2017 ACM on Asia Conf. on Computer and Communications Security. ACM, 2017.19-30.[doi:10.1145/3052973.3053034]

[29] Goltzsche D, Wulf C, Muthukumaran D, et al. Trustjs:Trusted client-side execution of javascript. In:Proc. of the 10th European Workshop on Systems Security (EuroSec 2017). ACM, 2017.1-6.[doi:10.1145/3065913.3065917]

[30] Baumann A, Peinado M, Hunt G. Shielding applications from an untrusted cloud with haven. ACM Trans. on Computer Systems (TOCS), 2015,33(3):8.[doi:10.1145/2799647]

[31] Ahmad A, Kim K, Sarfaraz MI, et al. OBLIVIATE:A data oblivious filesystem for Intel SGX. In:Proc. of the 2018 Network and Distributed System Security Symp. (NDSS 2018). 2018.

[32] Hunt T, Zhu Z, Xu Y, et al. Ryoan:A distributed sandbox for untrusted computation on secret data. ACM Trans. on Computer Systems (TOCS), 2018,35(4):1.[doi:10.1145/3231594]

[33] Schuster F, Costa M, Fournet C, et al. VC3:Trustworthy data analytics in the cloud using SGX. In:Proc. of the 2015 IEEE Symp. on Security and Privacy (SP 2015). IEEE, 2015.38-54.[doi:10.1109/SP.2015.10]

[34] Zheng W, Dave A, Beekman JG, et al. Opaque:An oblivious and encrypted distributed analytics platform. In:Proc. of the 14th USENIX Symp. on Networked Systems Design and Implementation (NSDI 2017). 2017.283-298.

[35] Arnautov S, Trach B, Gregor F, et al. SCONE:Secure linux containers with Intel SGX. In:Proc. of the 12th USENIX Symp. on Operating Systems Design and Implementation (OSDI 2016). 2016.689-703.

[36] Apache Software Foundation. Hadoop. 2019. http://wiki.apache.org/hadoop/

[37] Merkel D. Docker:Lightweight Linux containers for consistent development and deployment. Linux Journal, 2014,239:76-90.[doi:10.1097/01.NND.0000320699.47006.a3]

[38] Microsoftware azure confidential computing with Intel SGX. https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions/microsoft-confidential-computing-sgx-video.html

[39] IBM data shield with Intel SGX. https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions/ibm-cloud-data-shield-sgx-video.html

[40] Porter DE, Boyd-Wickizer S, Howell J, et al. Rethinking the library OS from the top down. In:Proc. of the 16th Int'l Conf. on Architectural Support for Programming Languages and Operating Systems. ACM, 2011,46(3):291-304.[doi:10.1145/1950365.1950399]

[41] Ohrimenko O, Schuster F, Fournet C, et al. Oblivious multi-party machine learning on trusted processors. In:Proc. of the 25th USENIX Security Symp. (USENIX Security 2016). 2016.619-636.

[42] Chandra S, Karande V, Lin Z, et al. Securing data analytics on SGX with randomization. LNCS, 2017.352-369.[doi:10.1007/978-3-319-66402-6_21]

[43] Shaon F, Kantarcioglu M, Lin Z, et.al. SGX-BigMatrix:A practical encrypted data analytic framework with trusted processors. In:Proc. of the 2017 ACMSIGSAC Conf. on Computer and Communications Security. 2017.1211-1228.[doi:10.1145/3133956.3134095]

[44] Zhang F, Eyal I, Escriva R, et al. REM:Resource-efficient mining for blockchains. In:Proc. of the 26th USENIX Security Symp. (USENIX Security 2017). 2017.1427-1444.

[45] Zhang F, Cecchetti E, Croman K, et al. Town crier:An authenticated data feed for smart contracts. In:Proc. of the 2016 ACMSIGSAC Conf. on Computer and Communications Security. ACM, 2016.270-282.[doi:10.1145/2976749.2978326]

[46] Das P, Eckey L, Frassetto T, et al. FastKitten:Practical smart contracts on Bitcoin. In:Proc. of the 28th USENIX Security Symp. (USENIX Security 2019). 2019.801-818.

[47] Cheng R, Zhang F, Kos J, He W, Hynes N, Johnson N, et al. Ekiden:A platform for confidentiality-preserving, trustworthy, and performant smart contracts. In:Proc. of the 2019 IEEE Symp. on Security and Privacy (SP 2019). IEEE, 2019.185-200.[doi:10.1109/EuroSP.2019.00023]

[48] Confidential computing cloud service. https://tech.antfin.com/docs/2/151322

[49] Shinde S, Le Tien D, Tople S, et al. Panoply:Low-TCB Linux applications with SGX enclaves. In:Proc. of the 2017 Network and Distributed System Security Symp. (NDSS 2017). 2017.

[50] Tian H, Zhang Y, Xing C, et al. SGXKernel:A library operating system optimized for Intel SGX. In:Proc. of the Computing Frontiers Conf. 2017.[doi:35-44.10.1145/3075564.3075572]

[51] Tsai CC, Porter DE, Vij M. Graphene-SGX:A practical library OS for unmodified applications on SGX. In:Proc. of the 2017 USENIX Annual Technical Conf. (ATC 2017). 2017.645-658.

[52] Lind J, Priebe C, Muthukumaran D, et al. Glamdring:Automatic application partitioning for Intel SGX. In:Proc. of the 2017 USENIX Annual Technical Conf. (ATC 2017). 2017.285-298.

[53] Sinha R, Rajamani S, Seshia S, et al. Moat:Verifying confidentiality of enclave programs. In:Proc. of the 22nd ACM SIGSAC Conf. on Computer and Communications Security. ACM, 2015.1169-1184.[doi:10.1145/2810103.2813608]

[54] Shih MW, Lee S, Kim T, et al. T-SGX:Eradicating controlled-channel attacks against enclave programs. In:Proc. of the 2017 Network and Distributed System Security Symp. (NDSS 2017). 2017.

[55] Kuvaiskii D, Oleksenko O, Arnautov S, et al. SGXBOUNDS:Memory safety for shielded execution. In:Proc. of the 12th European Conf. on Computer Systems (EuroSys 2017). ACM, 2017.205-221.[doi:10.1145/3064176.3064192]

[56] Weisse O, Bertacco V, Austin T. Regaining lost cycles with HotCalls:A fast interface for SGX secure enclaves. ACM SIGARCH Computer Architecture News, 2017,45(2):81-93.[doi:10.1145/3079856.3080208]

[57] Tian H, Zhang Q, Yan S, et al. Switchless calls made practical in Intel SGX. In:Proc. of the 3rd Workshop on System Software for Trusted Execution (SysTEX 2018). ACM, 2018.22-27.[doi:10.1145/3268935.3268942]

[58] Orenbach M, Lifshits P, Minkin M, et al. Eleos:ExitLess OS services for SGX enclaves. In:Proc. of the 12th European Conf. on Computer Systems. ACM, 2017.238-253.[doi:10.1145/3064176.3064219]

[59] Taassori M, Shafiee A, Balasubramonian R. VAULT:Reducing paging overheads in SGX with efficient integrity verification structures. In:Proc. of the 23rd Int'l Conf. on Architectural Support for Programming Languages and Operating Systems. ACM, 2018.665-678.[doi:10.1145/3173162.3177155]

[60] Sartakov VA, Brenner S, Ben Mokhtar S, et al. EActors:Fast and flexible trusted computing using SGX. In:Proc. of the 19th Int'l Middleware Conf. (Middleware 2018). ACM, 2018.187-200.[doi:10.1145/3274808.3274823]

[61] Ding Y, Duan R, Li L, et al. POSTER:Rust SGX SDK:Towards memory safety in Intel SGX enclave. In:Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2017). ACM, 2017.2491-2493.

[62] MesaPy. 2019. https://github.com/mesalock-linux/mesapy

[63] Ghosn A, Larus JR, Bugnion E. Secured routines:Language-based construction of trusted execution environments. In:Proc. of the 2019 USENIX Annual Technical Conf. (ATC 2019). 2019.571-586.

[64] Weichbrodt N, Aublin PL, Kapitza R. SGX-perf:A performance analysis tool for Intel SGX enclaves. In:Proc. of the 19th Int'l Middleware Conf. (Middleware 2018). ACM, 2018.201-213.[doi:10.1145/3274808.3274824]

[65] Park J, Park S, Oh J, et al. Toward live migration of SGX-enabled virtual machines. In:Proc. of the 2016 IEEE World Congress on Services (SERVICES 2016). IEEE, 2016.111-112.[doi:10.1109/SERVICES.2016.23]

[66] Gu J, Hua Z, Xia Y, et al. Secure live migration of SGX enclaves on untrusted cloud. In:Proc. of the 47th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks (DSN 2017). IEEE, 2017.225-236.[doi:10.1109/DSN.2017.37]

[67] Alder F, Kurnikov A, Paverd A, et al. Migrating SGX enclaves with persistent state. In:Proc. of the 48th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks (DSN 2018). IEEE, 2018.195-206.[doi:10.1109/DSN.2018.00031]

[68] Vaucher S, Pires R, Felber P, et al. SGX-aware container orchestration for heterogeneous clusters. In:Proc. of the 38th IEEE Int'l Conf. on Distributed Computing Systems (ICDCS 2018). IEEE, 2018.730-741.[doi:10.1109/ICDCS.2018.00076]

[69] Weiser S, Werner M. SGXIO:Generic trusted I/O path for Intel SGX. In:Proc. of the 7th ACM on Conf. on Data and Application Security and Privacy. ACM, 2017.261-268.

[70] Misra SC, Bhavsar VC. Relationships between selected software measures and latent bug-density:Guidelines for improving quality. In:Proc. of the Int'l Conf. on Computational Science and Its Applications. Springer-Verlag, 2003.724-732.

[71] Shen VY, Yu TJ, Thebaut SM, et al. Identifying error-prone software-an empirical study. IEEE Trans. on Software Engineering, 1985,SE-11(4):317-324.[doi:10.1109/TSE.1985.232222]

[72] Larsen P, Homescu A, Brunthaler S, et al. SoK:Automated software diversity. In:Proc. of the 2014 IEEE Symp. on Security and Privacy. IEEE, 2014.276-291.[doi:10.1109/SP.2014.25]

[73] Saltzer JH, Schroeder MD. The protection of information in computer systems. Proc. of the IEEE, 1975,63(9):1278-1308.[doi:10.1109/PROC.1975.9939]

[74] Hunt P, Konar M, Junqueira FP, et al. ZooKeeper:Wait-free coordination for Internet-scale systems. In:Proc. of the USENIX Annual Technical Conf. 2010.[doi:10.1111/j.1468-0262.2007.00765.x]

[75] Checkoway S, Shacham H. Iago attacks:Why the system call API is a bad untrusted RPC interface. ACM SIGPLAN Notices, 2013, 13:253-264.[doi:10.1145/2499368.2451145]

[76] Howell J, Parno B, Douceur JR. How to run POSIX apps in a minimal picoprocess. In:Proc. of the USENIX Conf. on Technical Conf. 2013.321-332.

[77] Weichbrodt N, Kurmus A, Pietzuch P, Kapitza R. AsyncShock:Exploiting synchronisation bugs in Intel SGX enclaves. In:Proc. of the 21st European Symp. on Research in Computer Security (ESORICS 2016). 2016.[doi:10.1007/978-3-319-45744-4_22]

[78] Jiao XJ. Potential security issue:Ecall SSL write using user check. 2018. https://github.com/lsds/TaLoS/issues/13

[79] Liu S, Tan G, Jaeger T. PtrSplit:Supporting general pointers in automatic program partitioning. In:Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security (CCS 2017). ACM, 2017.2359-2371.[doi:10.1145/3133956.3134066]

[80] Durumeric Z, Li F, Kasten J, et al. The matter of heartbleed. In:Proc. of the 2014 Conf. on Internet Measurement Conf. ACM, 2014.475-488.[doi:10.1145/2663716.2663755]

[81] Götzfried J, Eckert M, Schinzel S, Müller T. Cache attacks on Intel SGX. In:Proc. of the 10th European Workshop on Systems Security (EuroSec 2017). 2017.1-6.[doi:10.1145/3065913.3065915]

[82] Lee S, Shih MW, Gera P, Kim T, Kim H, Peinado M. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In:Proc. of the 26th USENIX Security Symp. (USENIX Security 2017). 2017.557-574.

[83] Goldreich O, Ostrovsky R. Software protection and simulation on oblivious RAMs. Journal of the ACM (JACM), 1996,43(3):431-473.[doi:10.1145/233551.233553]

[84] Costan V, Lebedev I, Devadas S. Sanctum:Minimal hardware extensions for strong software isolation. In:Proc. of the 25th USENIX Security Symp. (USENIX Security 2016). 2016.857-874.

[85] Lee J, Jang J, Jang Y, et al. Hacking in darkness:Return-oriented programming against secure enclaves. In:Proc. of the 26th USENIX Security Symp. (USENIX Security 2017). 2017.523-539.

[86] Akritidis P, Costa M, Castro M, et al. Baggy bounds checking:An efficient and backwards-compatible defense against out-of-bounds errors. In:Proc. of the 18th USENIX Security Symp. (USENIX Security 2009). 2009.51-66.

[87] Kocher P, Horn J, Fogh A, et al. Spectre attacks:Exploiting speculative execution. In:Proc. of the 2019 IEEE Symp. on Security and Privacy (SP 2019). IEEE, 2019.1-19.[doi:10.1109/SP.2019.00002]

[88] Chen G, Chen S, Xiao Y, et al. SGXpectre:Stealing Intel secrets from SGX enclaves via speculative execution. In:Proc. of the 2019 IEEE European Symp. on Security and Privacy (EuroS&P). 2019.142-157.[doi:10.1109/EuroSP.2019.00020]

[89] Van Bulck J, Minkin M, Weisse O, et al. Foreshadow:Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In:Proc. of the 27th USENIX Security Symp. (USENIX Security 2018). 2018.991-1008.

[90] Xing BC, Shanahan M, Leslie-Hurd R. Intel software guard extensions (Intel SGX) software support for dynamic memory allocation inside an enclave. In:Proc. of the Hardware and Architectural Support for Security and Privacy 2016(HASP 2016). ACM, 2016.1-9.[doi:10.1145/2948618.2954330]

[91] Henning JL. SPEC CPU2006 benchmark descriptions. ACM SIGARCH Computer Architecture News, 2006,34(4):1-17.[doi:10.1145/1186736.1186737]

[92] Intel VTune Amplifier. 2019. https://software.intel.com/en-us/vtune

[93] Soltesz S, Pötzl H, Fiuczynski ME, et al. Container-based operating system virtualization:A scalable, high-performance alternative to hypervisors. ACM SIGOPS Operating Systems Review (SIGOPS OSR), 2007,41(3):275-287.[doi:10.1145/1272996.1273025]

[94] SWARM. 2016. https://docs.docker.com/engine/swarm/

[95] KUBERNETES. 2016. http://kubernetes.io/

[96] Felter W, Ferreira A, Rajamony R, et al. An updated performance comparison of virtual machines and linux containers. In:Proc. of the 2015 IEEE Int'l Symp. on Performance Analysis of Systems and Software (ISPASS 2015). IEEE, 2015.171-172.[doi:10.1109/ISPASS.2015.7095802]

[97] Gao X, Gu Z, Kayaalp M, et al. ContainerLeaks:Emerging security threats of information leakages in container clouds. In:Proc. of the 47th Annual IEEE/IFIP Int'l Conf. on Dependable Systems and Networks (DSN). 2017.237-248.[doi:10.1109/DSN.2017.49]

[98] Zetter K. NSA hacker chief explains how to keep him out of your system. Wired, 2016. https://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/

[99] UCloud. https://www.ucloud.cn/

附中文参考文献:

[18] 王进文,江勇,李琦,等.SGX技术应用研究综述.网络新媒体技术,2017,6(5):3-9.

[19] 王鹃,樊成阳,程越强,赵波,韦韬,严飞,张焕国,马婧.SGX技术的分析和研究.软件学报,2018,29(9):2778-2798. http://www.jos.org. cn/1000-9825/5594.htm[doi:10.13328/j.cnki.jos.005594]

引用本文

董春涛,沈晴霓,罗武,吴鹏飞,吴中海. SGX应用支持技术研究进展.软件学报,2021,32(1):137-166

复制

文章指标

点击次数:4171
下载次数: 9497
HTML阅读次数: 6777
引用次数: 0

历史

收稿日期:2019-11-24
最后修改日期:2020-05-14
录用日期:
在线发布日期: 2020-07-27
出版日期: 2021-01-06

微信服务号

微信订阅号

引用本文

相关视频

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

相关视频

分享

微信扫一扫：分享

文章指标

历史

文章二维码