# SCONE Related Publications

Enclosed is a list of publications related to SCONE. Note that the original paper about SCONE is our OSDI 2016 paper. During the last years, SCONE has evolved quite a bit and continues to evolve. In particular, some of the limitations of the original implementation has long been addressed.

Since one can find some wrong or at least out-of-date info about SCONE, here is a short summary of features:

• SCONE supports security policies and transparent attestation. The security policy permit to generate secrets and certificates. The policy part was published in DSN2020. We will continue to extend the policy to support more application domains.

• native application support: while we still recommend the recompilation of existing applications, SCONE supports to sconify native applications, i.e., we can extend existing binaries to automatically run inside of enclaves.

• libc: we support binaries that use musl libc (Alpine Linux) and glibc (most other Linux distributions). We support Alpine Linux, Ubuntu, and RHEL/Centos. We will add other Linux distributions in future. Just drop us a note if you need a different distribution.

• SCONE supports containers and in particular, Kubernetes (which we prefer for deployment). However, sconified applications and service also run inside of VMs as well as on baremetal.

• SCONE supports static linking as well as dynamic linking. Shared libraries can also be loaded after the application has started. The shared libraries have to be protected with the SCONE filesystem shields.

• SCONE supports fork. However, fork is inherently slow in enclaves (since Intel SGX does not support efficient copy-on-write memory) and hence, we typically try to avoid using fork as much as possible by 1) running applications in the foreground, 2) using threads instead of processes, or 3) using the distributed version of an application instead of multiprocessing version.

We have been working on side-channel protection. Our Usenix ATC2018 and Usenix Security 2020 papers describe parts of our effort. We continue to work on extending SCONE to have a practical way to address sidechannels of very sensitive application domains like eHealth.

## SCONE: Secure Linux Containers with Intel SGX, USENIX, OSDI 2016

This paper describes how we support unmodified applications inside of enclaves. The focus is on our asynchronous system call interface.

• Authors: Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, André Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Daniel O'Keeffe, Mark L Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter Pietzuch, Christof Fetzer

• Media: pdf, slides, audio, url

• Abstract: In multi-tenant environments, Linux containers managed by Docker or Kubernetes have a lower resource footprint, faster startup times, and higher I/O performance compared to virtual machines (VMs) on hypervisors. Yet their weaker isolation guarantees, enforced through software kernel mechanisms, make it easier for attackers to compromise the confidentiality and integrity of application data within containers. We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead: SCONE offers a secure C standard library interface that transparently encrypts/decrypts I/O data; to reduce the performance impact of thread synchronization and system calls within SGX enclaves, SCONE supports user-level threading and asynchronous system calls. Our evaluation shows that it protects unmodified applications with SGX, achieving 0.6x–1.2x of native throughput.

Bibtex

@inproceedings {199364,
author = {Sergei Arnautov and Bohdan Trach and Franz Gregor and Thomas Knauth and Andre Martin and Christian Priebe and Joshua Lind and Divya Muthukumaran and Dan O{\textquoteright}Keeffe and Mark L. Stillwell and David Goltzsche and Dave Eyers and R{\"u}diger Kapitza and Peter Pietzuch and Christof Fetzer},
title = {{SCONE}: Secure Linux Containers with Intel {SGX}},
booktitle = {12th {USENIX} Symposium on Operating Systems Design and Implementation ({OSDI} 16)},
year = {2016},
isbn = {978-1-931971-33-1},
address = {Savannah, GA},
pages = {689--703},
url = {https://www.usenix.org/conference/osdi16/technical-sessions/presentation/arnautov},
publisher = {{USENIX} Association},
}


## Building Critical Applications Using Microservices, IEEE Security & Privacy, Volume: 14 Issue: 6, December 2016

• Author: Christof Fetzer

• Media: pdf, html

• Abstract: Safeguarding the correctness of critical software is a grand challenge. A microservice-based system is described that builds trustworthy systems on top of legacy hardware and software components, ensuring microservices' integrity, confidentiality, and correct execution with the help of secure enclaves.

Bibtex

@ARTICLE{7782696,
author={C. Fetzer},
journal={IEEE Security Privacy},
title={Building Critical Applications Using Microservices},
year={2016},
volume={14},
number={6},
pages={86-89},
keywords={trusted computing;critical applications;critical software correctness;legacy hardware;microservice confidentiality;microservice integrity;microservice-based system;secure enclaves;software components;trustworthy systems;Buildings;Containers;Kernel;Linux;Security;Linux;hardware;microservices;secure enclaves;security;software},
doi={10.1109/MSP.2016.129},
ISSN={1540-7993},
month={Nov},
}


## SGXBounds: Memory Safety for Shielded Execution, EuroSys 2017

To protect the code running inside of an enclave, we implemented a novel bounds checker for enclaves. While we had expected to just be able to use MPX, we had to realized that MPX does not perform that well inside of enclaves. For details regarding the overheads, please see this paper. This won the best paper award of EuroSys 2017.

• Authors: D. Kuvaiskii, O. Oleksenko, S. Arnautov, B. Trach, P. Bhatotia, P. Felber, C. Fetzer

• Media: pdf, html

• Abstract: Shielded execution based on Intel SGX provides strong security guarantees for legacy applications running on untrusted platforms. However, memory safety attacks such as Heartbleed can render the confidentiality and integrity properties of shielded execution completely ineffective. To prevent these attacks, the state-of-the-art memory-safety approaches can be used in the context of shielded execution. In this work, we first showcase that two prominent software- and hardware-based defenses, AddressSanitizer and Intel MPX respectively, are impractical for shielded execution due to high performance and memory overheads. This motivated our design of SGXBounds -- an efficient memory-safety approach for shielded execution exploiting the architectural features of Intel SGX. Our design is based on a simple combination of tagged pointers and compact memory layout. We implemented SGXBounds based on the LLVM compiler framework targeting unmodified multithreaded applications. Our evaluation using Phoenix, PARSEC, and RIPE benchmark suites shows that SGXBounds has performance and memory overheads of 18% and 0.1% respectively, while providing security guarantees similar to AddressSanitizer and Intel MPX. We have obtained similar results with four real-world case studies: SQLite, Memcached, Apache, and Nginx.

Bibtex

@inproceedings{Kuvaiskii:2017:SMS:3064176.3064192,
author = {Kuvaiskii, Dmitrii and Oleksenko, Oleksii and Arnautov, Sergei and Trach, Bohdan and Bhatotia, Pramod and Felber, Pascal and Fetzer, Christof},
title = {SGXBOUNDS: Memory Safety for Shielded Execution},
booktitle = {Proceedings of the Twelfth European Conference on Computer Systems},
series = {EuroSys '17},
year = {2017},
isbn = {978-1-4503-4938-3},
location = {Belgrade, Serbia},
pages = {205--221},
numpages = {17},
url = {http://doi.acm.org/10.1145/3064176.3064192},
doi = {10.1145/3064176.3064192},
acmid = {3064192},
publisher = {ACM},
address = {New York, NY, USA},
}


## FFQ: A Fast Single-Producer/Multiple-Consumer Concurrent FIFO Queue, IPDPS 2017

This paper describes our new lock-free queue for our asynchronous system calls.

• Authors: Sergei Arnautov, Pascal Felber, Christof Fetzer and Bohdan Trach

• Media: pdf, html

• Abstract: With the spreading of multi-core architectures, operating systems and applications are becoming increasingly more concurrent and their scalability is often limited by the primitives used to synchronize the different hardware threads. In this paper, we address the problem of how to optimize the throughput of a system with multiple producer and consumer threads. Such applications typically synchronize their threads via multi- producer/multi-consumer FIFO queues, but existing solutions have poor scalability, as we could observe when designing a secure application framework that requires high-throughput communication between many concurrent threads. In our target system, however, the items enqueued by different producers do not necessarily need to be FIFO ordered. Hence, we propose a fast FIFO queue, FFQ, that aims at maximizing throughput by specializing the algorithm for single-producer/multiple-consumer settings: each producer has its own queue from which multiple consumers can concurrently dequeue. Furthermore, while we pro- vide a wait-free interface for producers, we limit ourselves to lock-free consumers to eliminate the need for helping. We also propose a multi-producer variant to show which synchronization operations we were able to remove by focusing on a single producer variant. Our evaluation analyses the performance using micro- benchmarks and compares our results with other state-of-the-art solutions: FFQ exhibits excellent performance and scalability.

Bibtex

@INPROCEEDINGS{7967181,
author={S. Arnautov and P. Felber and C. Fetzer and B. Trach},
booktitle={2017 IEEE International Parallel and Distributed Processing Symposium (IPDPS)},
title={FFQ: A Fast Single-Producer/Multiple-Consumer Concurrent FIFO Queue},
year={2017},
volume={},
number={},
pages={907-916},
keywords={microprocessor chips;multi-threading;multiprocessing systems;operating systems (computers);queueing theory;FFQ;FIFO queue;consumer threads;fast single producer-multiple consumer concurrent FIFO queue;hardware threads;lock-free consumers;multicore architectures;multiple producer;operating systems;secure application;single producer variant;synchronization operations;Algorithm design and analysis;Context;Instruction sets;Message systems;Scalability;Synchronization;Throughput;FIFO queue;SPMC queue;concurrent FIFO queue;concurrent queue;lock-free algorithm;wait-free algorithm},
doi={10.1109/IPDPS.2017.41},
ISSN={},
month={May},
}


## PESOS: Policy Enhanced Secure Object Store, EuroSys 2018

• Authors: Robert Krahn, Bohdan Trach (TU Dresden), Anjo Vahldiek-Oberwagner (MPI-SWS), Thomas Knauth (Intel/TU Dresden), Pramod Bhatotia (University of Edinburgh), and Christof Fetzer (TU Dresden)

• Media: pdf, html

• Abstract: Third-party storage services pose the risk of integrity and confidentiality violations as the current storage policy enforcement mechanisms are spread across many layers in the system stack. To mitigate these security vulnerabilities, we present the design and implementation of Pesos, a Policy Enhanced Secure Object Store (Pesos) for untrusted third-party storage providers. Pesos allows clients to specify per-object security policies, concisely and separately from the storage stack, and enforces these policies by securely mediating the I/O in the persistence layer through a single uni ed enforcement layer. More broadly, Pesos exposes a rich set of storage policies ensuring the integrity, confidentiality, and access accounting for data storage through a declarative policy language.

Pesos enforces these policies on untrusted commodity plat- forms by leveraging a combination of two trusted computing technologies: Intel SGX for trusted execution environment (TEE) and Kinetic Open Storage for trusted storage. We have implemented Pesos as a fully-functional storage system supporting many useful end-to-end storage features, and a range of effective performance optimizations. We evaluated Pesos using a range of micro-benchmarks, and real-world use cases. Our evaluation shows that Pesos incurs reasonable performance overheads for the enforcement of policies while keeping the trusted computing base (TCB) small.

Bibtex

@inproceedings{Krahn:2018:PEP:3190508.3190518,
author = {Krahn, Robert and Trach, Bohdan and Vahldiek-Oberwagner, Anjo and Knauth, Thomas and Bhatotia, Pramod and Fetzer, Christof},
title = {Pesos: Policy Enhanced Secure Object Store},
booktitle = {Proceedings of the Thirteenth EuroSys Conference},
series = {EuroSys '18},
year = {2018},
isbn = {978-1-4503-5584-1},
location = {Porto, Portugal},
pages = {25:1--25:17},
articleno = {25},
numpages = {17},
url = {http://doi.acm.org/10.1145/3190508.3190518},
doi = {10.1145/3190508.3190518},
acmid = {3190518},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {intel SGX, kinetic disks, policy language, storage security},
}


## ShieldBox: Secure Middleboxes using Shielded Execution, SIGCOMM SOSR 2018

• Authors: Bohdan Trach, Alfred Krohmer, Franz Gregor, Sergei Arnautov, Pramod Bhatotia, Christof Fetzer

• Media: pdf, html, video

• Abstract: Middleboxes that process confidential data cannot be securely deployed in untrusted cloud environments. To securely outsource middleboxes to the cloud, state-of-the-art systems advocate network processing over the encrypted traffic. Unfortunately, these systems support only restrictive functionalities, and incur prohibitively high overheads.% due to the complex computations involved over the encrypted traffic.

This motivated the design of ShieldBox---a secure middlebox framework for deploying high-performance network functions (NFs) over untrusted commodity servers. ShieldBox securely processes encrypted traffic inside a secure container by leveraging shielded execution. More specifically, ShieldBox builds on hardware-assisted memory protection based on Intel SGX to provide strong confidentiality and integrity guarantees. For middlebox developers, ShieldBox exposes a generic interface based on Click to design and implement a wide-range of NFs using its out-of-the-box elements and C++ extensions. For network operators, ShieldBox provides configuration and attestation service for seamless and verifiable deployment of middleboxes. We have implemented ShieldBox supporting important end-to-end features required for secure network processing, and performance optimizations. Our extensive evaluation shows that ShieldBox achieves a near-native throughput and latency to securely process confidential data at line rate.

Bibtex

@inproceedings{Trach:2018:SSM:3185467.3185469,
author = {Trach, Bohdan and Krohmer, Alfred and Gregor, Franz and Arnautov, Sergei and Bhatotia, Pramod and Fetzer, Christof},
title = {ShieldBox: Secure Middleboxes Using Shielded Execution},
booktitle = {Proceedings of the Symposium on SDN Research},
series = {SOSR '18},
year = {2018},
isbn = {978-1-4503-5664-0},
location = {Los Angeles, CA, USA},
pages = {2:1--2:14},
articleno = {2},
numpages = {14},
url = {http://doi.acm.org/10.1145/3185467.3185469},
doi = {10.1145/3185467.3185469},
acmid = {3185469},
publisher = {ACM},
address = {New York, NY, USA},
}


## Varys: Protecting SGX enclaves from practical side-channel attacks, USENIX ATC 2018

• Authors: Oleksii Oleksenko, Bohdan Trach, Robert Krahn, and André Martin, TU Dresden; Mark Silberstein, Technion; Christof Fetzer, TU Dresden

• Media: pdf, slides, audio, url

• Abstract: Numerous recent works have experimentally shown that Intel Software Guard Extensions (SGX) are vulnerable to cache timing and page table side-channel attacks which could be used to circumvent the data confidentiality guarantees provided by SGX. Existing mechanisms that protect against these attacks either incur high execution costs, are ineffective against certain attack variants, or require significant code modifications.

We present Varys, a system that protects unmodified programs running in SGX enclaves from cache timing and page table side-channel attacks. Varys takes a pragmatic approach of strict reservation of physical cores to security-sensitive threads, thereby preventing the attacker from accessing shared CPU resources during enclave execution. The key challenge that we are addressing is that of maintaining the core reservation in the presence of an untrusted OS.

Varys fully protects against all L1/L2 cache timing attacks and significantly raises the bar for page table side-channel attacks - all with only 15% overhead on average for Phoenix and PARSEC benchmarks. Additionally, we propose a set of minor hardware extensions that hold the potential to extend Varys' security guarantees to L3 cache and further improve its performance.

Bibtex

@inproceedings {216033,
author = {Oleksii Oleksenko and Bohdan Trach and Robert Krahn and Mark Silberstein and Christof Fetzer},
title = {Varys: Protecting {SGX} Enclaves from Practical Side-Channel Attacks},
booktitle = {2018 {USENIX} Annual Technical Conference ({USENIX} {ATC} 18)},
year = {2018},
isbn = {978-1-931971-44-7},
address = {Boston, MA},
pages = {227--240},
url = {https://www.usenix.org/conference/atc18/presentation/oleksenko},
publisher = {{USENIX} Association},
}


## SGX-PySpark: Secure Distributed Data Analytics, WWW2019

• Authors: Do Le Quoc, Franz Gregor, Jatinder Singh, and Christof Fetzer. 2019. SGX-PySpark: Secure Distributed Data Analytics. In The World Wide Web Conference (WWW '19), Ling Liu and Ryen White (Eds.). ACM, New York, NY, USA, 3564-3563.
• Abstract: Data analytics is central to modern online services, particularly those data-driven. Often this entails the processing of large-scale datasets which may contain private, personal and sensitive information relating to individuals and organisations. Particular challenges arise where cloud is used to store and process the sensitive data. In such settings, security and privacy concerns become paramount, as the cloud provider is trusted to guarantee the security of the services they offer, including data confidentiality. Therefore, the issue this work tackles is “How to securely perform data analytics in a public cloud?”

To assist this question, we design and implement SGX-PySpark- a secure distributed data analytics system which relies on a trusted execution environment (TEE) such as Intel SGX to provide strong security guarantees. To build SGX-PySpark, we integrate PySpark - a widely used framework for data analytics in industry to support a wide range of queries, with SCONE - a shielded execution framework using Intel SGX.

Bibtex

    @inproceedings{LeQuoc:2019:SSD:3308558.3314129,
author = {Le Quoc, Do and Gregor, Franz and Singh, Jatinder and Fetzer, Christof},
title = {SGX-PySpark: Secure Distributed Data Analytics},
booktitle = {The World Wide Web Conference},
series = {WWW '19},
year = {2019},
isbn = {978-1-4503-6674-8},
location = {San Francisco, CA, USA},
pages = {3564--3563},
numpages = {0},
url = {http://doi.acm.org/10.1145/3308558.3314129},
doi = {10.1145/3308558.3314129},
acmid = {3314129},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {Confidential computing, data analytics, distributed system, security},
}


## Clemmys: towards secure remote execution in FaaS, SYSTOR '19

• Authors: Bohdan Trach, Oleksii Oleksenko, Franz Gregor, Pramod Bhatotia, Christof Fetzer

• Abstract: We introduce Clemmys, a security-first serverless platform that ensures confidentiality and integrity of users' functions and data as they are processed on untrusted cloud premises, while keeping the cost of protection low. We provide a design for hardening FaaS platforms with Intel SGX---a hardware-based shielded execution technology. We explain the protocol that our system uses to ensure confidentiality and integrity of data, and integrity of function chains. To overcome performance and latency issues that are inherent in SGX applications, we apply several SGX-specific optimizations to the runtime system: we use SGXv2 to speed up the enclave startup and perform batch EPC augmentation. To evaluate our approach, we implement our design over Apache Open-Whisk, a popular serverless platform. Lastly, we show that Clemmys achieved same throughput and similar latency as native Apache OpenWhisk, while allowing it to withstand several new attack vectors.

• Conference: SYSTOR '19: Proceedings of the 12th ACM International Conference on Systems and StorageMay 2019 Pages 44–54, https://doi.org/10.1145/3319647.3325835

Bibtext

    @inproceedings{10.1145/3319647.3325835,
author = {Trach, Bohdan and Oleksenko, Oleksii and Gregor, Franz and Bhatotia, Pramod and Fetzer, Christof},
title = {Clemmys: Towards Secure Remote Execution in FaaS},
year = {2019},
isbn = {9781450367493},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3319647.3325835},
doi = {10.1145/3319647.3325835},
abstract = {We introduce Clemmys, a security-first serverless platform that ensures confidentiality and integrity of users' functions and data as they are processed on untrusted cloud premises, while keeping the cost of protection low. We provide a design for hardening FaaS platforms with Intel SGX---a hardware-based shielded execution technology. We explain the protocol that our system uses to ensure confidentiality and integrity of data, and integrity of function chains. To overcome performance and latency issues that are inherent in SGX applications, we apply several SGX-specific optimizations to the runtime system: we use SGXv2 to speed up the enclave startup and perform batch EPC augmentation. To evaluate our approach, we implement our design over Apache Open-Whisk, a popular serverless platform. Lastly, we show that Clemmys achieved same throughput and similar latency as native Apache OpenWhisk, while allowing it to withstand several new attack vectors.},
booktitle = {Proceedings of the 12th ACM International Conference on Systems and Storage},
pages = {44–54},
numpages = {11},
location = {Haifa, Israel},
series = {SYSTOR '19}
}


## Trust Management as a Service: Enabling Trusted Execution in the Face of Byzantine Stakeholders, DSN2020

• Authors: Gregor, F., W. Ozga, S. Vaucher, R. Pires, D. Le Quoc, S. Arnautov, A. Martin, V. Schiavoni, P. Felber, and C. Fetzer

• Abstract: Trust is arguably the most important challenge for critical services both deployed as well as accessed remotely over the network. These systems are exposed to a wide diversity of threats, ranging from bugs to exploits, active attacks, rogue operators, or simply careless administrators. To protect such applications, one needs to guarantee that they are properly configured and securely provisioned with the "secrets" (e.g., encryption keys) necessary to preserve not only the confidentiality, integrity and freshness of their data but also their code. Furthermore, these secrets should not be kept under the control of a single stakeholder—which might be compromised and would represent a single point of failure—and they must be protected across software versions in the sense that attackers cannot get access to them via malicious updates. Traditional approaches for solving these challenges often use ad hoc techniques and ultimately rely on a hardware security module (HSM) as root of trust. We propose a more powerful and generic approach to trust management that instead relies on trusted execution environments (TEEs) and a set of stakeholders as root of trust. Our system, PALÆMON, can operate as a managed service deployed in an untrusted environment, i.e., one can delegate its operations to an untrusted cloud provider with the guarantee that data will remain confidential despite not trusting any individual human (even with root access) nor system software. PALÆMON addresses in a secure, efficient and cost-effective way five main challenges faced when developing trusted networked applications and services. Our evaluation on a range of benchmarks and real applications shows that PALÆMON performs efficiently and can protect secrets of services without any change to their source code.

• Conference: 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2020)

Bibtex

    @INPROCEEDINGS{9153433,
author={F. {Gregor} and W. {Ozga} and S. {Vaucher} and R. {Pires} and D. {Le Quoc} and S. {Arnautov} and A. {Martin} and V. {Schiavoni} and P. {Felber} and C. {Fetzer}},
booktitle={2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)},
title={Trust Management as a Service: Enabling Trusted Execution in the Face of Byzantine Stakeholders},
year={2020},
volume={},
number={},
pages={502-514},}


## T-Lease: A Trusted Lease Primitive for Distributed Systems, SOCC2020

• Authors: B. Trach, R. Faqeh, O. Oleksenko, W. Ozga, P. Bhatotia, C. Fetzer

• Abstract: A lease is an important primitive for building distributed protocols, and it is ubiquitously employed in distributed systems. However, the scope of the classic lease abstraction is restricted to the trusted computing infrastructure. Unfortunately, this important primitive cannot be employed in the untrusted computing infrastructure because the trusted execution environments (TEEs) do not provide a trusted time source. In the untrusted environment, an adversary can easily manipulate the system clock to violate the correctness properties of lease-based systems.

We tackle this problem by introducing em trusted lease---a lease that maintains its correctness properties even in the presence of a clock-manipulating attacker. To achieve these properties, we follow a "trust but verify" approach for an untrusted timer, and transform it into a trusted timing primitive by leveraging two hardware-assisted ISA extensions (Intel TSX and SGX) available in commodity CPUs. We provide a design and implementation of trusted lease in a system called T-Lease---the first trusted lease system that achieves high security, performance, and precision. For the application developers, T-Lease exposes an easy-to-use generic APIs that facilitate its usage to build a wide range of distributed protocols.

• Conference: 2020 ACM Symposium on Cloud Computing

Bibtext

    @inproceedings{10.1145/3419111.3421273,
author = {Trach, Bohdan and Faqeh, Rasha and Oleksenko, Oleksii and Ozga, Wojciech and Bhatotia, Pramod and Fetzer, Christof},
title = {T-Lease: A Trusted Lease Primitive for Distributed Systems},
year = {2020},
isbn = {9781450381376},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3419111.3421273},
doi = {10.1145/3419111.3421273},
abstract = {A lease is an important primitive for building distributed protocols, and it is ubiquitously employed in distributed systems. However, the scope of the classic lease abstraction is restricted to the trusted computing infrastructure. Unfortunately, this important primitive cannot be employed in the untrusted computing infrastructure because the trusted execution environments (TEEs) do not provide a trusted time source. In the untrusted environment, an adversary can easily manipulate the system clock to violate the correctness properties of lease-based systems.We tackle this problem by introducing trusted lease---a lease that maintains its correctness properties even in the presence of a clock-manipulating attacker. To achieve these properties, we follow a "trust but verify" approach for an untrusted timer, and transform it into a trusted timing primitive by leveraging two hardware-assisted ISA extensions (Intel TSX and SGX) available in commodity CPUs. We provide a design and implementation of trusted lease in a system called T-Lease---the first trusted lease system that achieves high security, performance, and precision. For the application developers, T-Lease exposes an easy-to-use generic APIs that facilitate its usage to build a wide range of distributed protocols.},
booktitle = {Proceedings of the 11th ACM Symposium on Cloud Computing},
pages = {387–400},
numpages = {14},
location = {Virtual Event, USA},
series = {SoCC '20}
}


## A practical approach for updating an integrity-enforced OS, Middleware 2020

• Authors: W. Ozga, D. Le Quoc, C. Fetzer

• Abstract: Trusted computing defines how to securely measure, store, and verify the integrity of software controlling a computer. One of the major challenge that makes them hard to be applied in practice is the issue of software updates. Specifically, an operating system update causes the integrity violation because it changes the well-known initial state trusted by remote verifiers, such as integrity monitoring systems. Consequently, the integrity monitoring of remote computers becomes unreliable due to the high amount of false positives.

We address this problem by adding an extra level of indirection between the operating system and software repositories. We propose a trusted software repository (TSR), a secure proxy framework that overcomes the shortcomings of previous approaches by sanitizing software packages. Sanitization consists of modifying unsafe installation scripts and adding digital signatures in a way the software packages can be installed in the operating system without violating its integrity. TSR leverages shielded execution, i.e., Intel SGX, to achieve strong confidentiality and integrity guarantees of the sanitization process.

Moreover, TSR is transparent to package managers, and requires no changes in the software packages building and distributing processes. Our evaluation shows that running TSR inside Intel SGX is practical; since it induces only ∼ 1.18× performance overhead during package sanitization compared to the native execution without using Intel SGX. Also, TSR supports 99.76% of packages available in the main and community repositories of Alpine Linux while increasing the total repository size by 3.6%.

• Conference: ACM/IFIP Middleware 2020

Bibtext

    @inproceedings{10.1145/3423211.3425674,
author = {Ozga, Wojciech and Quoc, Do Le and Fetzer, Christof},
title = {A Practical Approach for Updating an Integrity-Enforced Operating System},
year = {2020},
isbn = {9781450381536},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3423211.3425674},
doi = {10.1145/3423211.3425674},
abstract = {Trusted computing defines how to securely measure, store, and verify the integrity of software controlling a computer. One of the major challenge that make them hard to be applied in practice is the issue with software updates. Specifically, an operating system update causes the integrity violation because it changes the well-known initial state trusted by remote verifiers, such as integrity monitoring systems. Consequently, the integrity monitoring of remote computers becomes unreliable due to the high amount of false positives.We address this problem by adding an extra level of indirection between the operating system and software repositories. We propose a trusted software repository (TSR), a secure proxy that overcomes the shortcomings of previous approaches by sanitizing software packages. Sanitization consists of modifying unsafe installation scripts and adding digital signatures in a way software packages can be installed in the operating system without violating its integrity. TSR leverages shielded execution, i.e., Intel SGX, to achieve confidentiality and integrity guarantees of the sanitization process.TSR is transparent to package managers, and requires no changes in the software packages building and distributing processes. Our evaluation shows that running TSR inside SGX is practical; since it induces only ~ 1.18\texttimes{} performance overhead during package sanitization compared to the native execution without SGX. TSR supports 99.76% of packages available in the main and community repositories of Alpine Linux while increasing the total repository size by 3.6%.},
booktitle = {Proceedings of the 21st International Middleware Conference},
pages = {311–325},
numpages = {15},
keywords = {intel software guard extensions, integrity measurement architecture (IMA), trusted computing, software updates},
location = {Delft, Netherlands},
series = {Middleware '20}
}


## secureTF: A Secure TensorFlow Framework, Middleware 2020

• Authors: D. Le Quoc, F. Gregor, R. Kunkel, S. Arnautov, P. Bhatotia, C. Fetzer

• Abstract: Data-driven intelligent applications in modern online services have become ubiquitous. These applications are usually hosted in the untrusted cloud computing infrastructure. This poses significant security risks since these applications rely on applying machine learning algorithms on large datasets which may contain private and sensitive information.

To tackle this challenge, we designed and implemented secureTF, a generic and secure machine learning framework based on Tensorflow. secureTF enables secure execution of unmodified TensorFlow applications on the untrusted cloud computing infrastructure. secureTF is built from ground-up based on the security properties provided by Trusted Execution Environments (TEEs). However, it extends the trust of a volatile memory region (or secure enclave) provided by the single node TEE to secure a distributed computing infrastructure required for supporting unmodified stateful machine learning applications running in the cloud.

The paper reports on our experiences about the system design choices and the system deployment in production use-cases. We conclude with the lessons learned based on the limitations of our commercially available platform and discuss open research problems for the future work.

• Conference: ACM/IFIP Middleware 2020

Bibtext

    @inproceedings{10.1145/3423211.3425687,
author = {Quoc, Do Le and Gregor, Franz and Arnautov, Sergei and Kunkel, Roland and Bhatotia, Pramod and Fetzer, Christof},
title = {SecureTF: A Secure TensorFlow Framework},
year = {2020},
isbn = {9781450381536},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3423211.3425687},
doi = {10.1145/3423211.3425687},
abstract = {Data-driven intelligent applications in modern online services have become ubiquitous. These applications are usually hosted in the untrusted cloud computing infrastructure. This poses significant security risks since these applications rely on applying machine learning algorithms on large datasets which may contain private and sensitive information.To tackle this challenge, we designed secureTF, a distributed secure machine learning framework based on Tensorflow for the untrusted cloud infrastructure. secureTF is a generic platform to support unmodified TensorFlow applications, while providing end-to-end security for the input data, ML model, and application code. secureTF is built from ground-up based on the security properties provided by Trusted Execution Environments (TEEs). However, it extends the trust of a volatile memory region (or secure enclave) provided by the single node TEE to secure a distributed infrastructure required for supporting unmodified stateful machine learning applications running in the cloud.The paper reports on our experiences about the system design choices and the system deployment in production use-cases. We conclude with the lessons learned based on the limitations of our commercially available platform, and discuss open research problems for the future work.},
booktitle = {Proceedings of the 21st International Middleware Conference},
pages = {44–59},
numpages = {16},
keywords = {tensorflow, intel software guard extensions (Intel SGX), confidential computing, secure machine learning},
location = {Delft, Netherlands},
series = {Middleware '20}
}


## TEEMon: A continuous performance monitoring framework for TEEs, Middleware 2020

• Authors: R. Krahn, D. Le Quoc, D. Dragoti, F. Gregor, V. Schiavoni, C. Souza, P. Felber, A. Brito, C. Fetzer

• Abstract: Trusted Execution Environments (TEEs), such as Intel Software Guard eXtensions (SGX), are considered as a promising approach to resolve security challenges in clouds. TEEs protect the confidentiality and integrity of application code and data even against privileged attackers with root and physical access by providing an isolated secure memory area, i.e., enclaves. The security guarantees are provided by the CPU, thus even if system software is compromised, the attacker can never access the enclave’s content. While this approach ensures strong security guarantees for applications, it also introduces a considerable runtime overhead in part by the limited availability of protected memory (enclave page cache). Currently, only a limited number of performance measurement tools for TEE-based applications exist and none offer performance monitoring and analysis during runtime.

This paper presents TEEMon, the first continuous performance monitoring and analysis tool for TEE-based applications. TEEMon provides not only fine-grained performance metrics during runtime, but also assists the analysis of identifying causes of performance bottlenecks, e.g., excessive system calls. Our approach smoothly integrates with existing open-source tools (e.g., Prometheus or Grafana) towards a holistic monitoring solution, particularly optimized for systems deployed through Docker containers or Kubernetes and offers several dedicated metrics and visualizations. Our evaluation shows that TEEMon’s overhead ranges from 5% to 17%.

• Conference: ACM/IFIP Middleware 2020

Bibtext

    @inproceedings{10.1145/3423211.3425677,
author = {Krahn, Robert and Dragoti, Donald and Gregor, Franz and Quoc, Do Le and Schiavoni, Valerio and Felber, Pascal and Souza, Clenimar and Brito, Andrey and Fetzer, Christof},
title = {TEEMon: A Continuous Performance Monitoring Framework for TEEs},
year = {2020},
isbn = {9781450381536},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3423211.3425677},
doi = {10.1145/3423211.3425677},
abstract = {Trusted Execution Environments (TEEs), such as Intel Software Guard eXtensions (SGX), are considered as a promising approach to resolve security challenges in clouds. TEEs protect the confidentiality and integrity of application code and data even against privileged attackers with root and physical access by providing an isolated secure memory area, i.e., enclaves. The security guarantees are provided by the CPU, thus even if system software is compromised, the attacker can never access the enclave's content. While this approach ensures strong security guarantees for applications, it also introduces a considerable runtime overhead in part by the limited availability of protected memory (enclave page cache). Currently, only a limited number of performance measurement tools for TEE-based applications exist and none offer performance monitoring and analysis during runtime.This paper presents TEEMon, the first continuous performance monitoring and analysis tool for TEE-based applications. TEEMon provides not only fine-grained performance metrics during runtime, but also assists the analysis of identifying causes of performance bottlenecks, e.g., excessive system calls. Our approach smoothly integrates with existing open-source tools (e.g., Prometheus or Grafana) towards a holistic monitoring solution, particularly optimized for systems deployed through Docker containers or Kubernetes and offers several dedicated metrics and visualizations. Our evaluation shows that TEEMon's overhead ranges from 5% to 17%.},
booktitle = {Proceedings of the 21st International Middleware Conference},
pages = {178–192},
numpages = {15},
keywords = {Computerized monitoring, Performance monitoring, Trusted Execution Environments},
location = {Delft, Netherlands},
series = {Middleware '20}
}


## Towards Formalization of Enhanced Privacy ID (EPID)-based Remote Attestation in Intel SGX, DSD 2020

• Authors: Sardar, Muhammad Usama and Quoc, Do Le and Fetzer, Christof

• Conference: 2020 23rd Euromicro Conference on Digital System Design (DSD)

Bibtext

    @inproceedings{Sardar2020EPID,
author = {Sardar, Muhammad Usama and Quoc, Do Le and Fetzer, Christof},
booktitle = {2020 23rd Euromicro Conference on Digital System Design (DSD)},
doi = {10.1109/DSD51259.2020.00099},
isbn = {978-1-7281-9535-3},
month = {aug},
pages = {604--607},
publisher = {IEEE},
title = {{Towards Formalization of Enhanced Privacy ID (EPID)-based Remote Attestation in Intel SGX}},
url = {https://ieeexplore.ieee.org/document/9217791/},
year = {2020}
}


## Formal Foundations for Intel SGX Data Center Attestation Primitives, Formal Methods and Software Engineering, 2020

• Authors: Sardar, Muhammad Usama and Faqeh, Rasha and Fetzer, Christof

• Conference: Formal Methods and Software Engineering, 2020

Bibtext

    @incollection{Sardar2020DCAP,
author = {Sardar, Muhammad Usama and Faqeh, Rasha and Fetzer, Christof},
booktitle = {Formal Methods and Software Engineering},
doi = {10.1007/978-3-030-63406-3_16},
editor = {Lin, Shang-Wei and Hou, Zhe and Mahoney, Brendan},
isbn = {978-3-030-63405-6},
keywords = {Data center attestation primitives,Data centers,Formal verification,Intel SGX,Remote attestation,Trusted execution environment,data center attestation,data centers,formal verification,intel sgx,remote attestation,trusted execution environment},
pages = {268--283},
publisher = {Springer International Publishing},
series = {Lecture Notes in Computer Science},
title = {{Formal Foundations for Intel SGX Data Center Attestation Primitives}},
volume = {12531},
year = {2020}
}


## SpecFuzz: Bringing Spectre-type vulnerabilities to the surface, Usenix Security 2020

• Authors: Oleksii Oleksenko, Bohdan Trach, Mark Silberstein, Christof Fetzer

• Abstract: SpecFuzz is the first tool that enables dynamic testing for speculative execution vulnerabilities (e.g., Spectre). The key is a novel concept of speculation exposure: The program is instrumented to simulate speculative execution in software by forcefully executing the code paths that could be triggered due to mispredictions, thereby making the speculative memory accesses visible to integrity checkers (e.g., AddressSanitizer). Combined with the conventional fuzzing techniques, speculation exposure enables more precise identification of potential vulnerabilities compared to state-of-the-art static analyzers.

Our prototype for detecting Spectre V1 vulnerabilities successfully identifies all known variations of Spectre V1 and decreases the mitigation overheads across the evaluated applications, reducing the amount of instrumented branches by up to 77% given a sufficient test coverage.

• Media: html, paper, slides, video

• Conference: Usenix Security 2020

Bibtext

    @inproceedings {251530,
author = {Oleksii Oleksenko and Bohdan Trach and Mark Silberstein and Christof Fetzer},
title = {SpecFuzz: Bringing Spectre-type vulnerabilities to the surface},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1481--1498},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/oleksenko},
publisher = {{USENIX} Association},
month = aug,
}


## SGXTuner: Performance Enhancement of Intel SGX Applications via Stochastic Optimization, IEEE Transactions on Dependable and Secure Computing, 2021

• Authors: G. Mazzeo, S. Arnautov, C. Fetzer, and L. Romano

• Abstract: Intel SGX has started to be widely adopted. Cloud providers (Microsoft Azure, IBM Cloud, Alibaba Cloud) are offering new solutions, implementing data-in-use protection via SGX. A major challenge faced by both academia and industry is providing transparent SGX support to legacy applications. The approach with the highest consensus is linking the target software with SGX-extended libc libraries. Unfortunately, the increased security entails a dramatic performance penalty, which is mainly due to the intrinsic overhead of context switches, and the limited size of protected memory. Performance optimization is non-trivial since it depends on key parameters whose manual tuning is a very long process. We present the architecture of an automated tool, called SGXTuner, which is able to find the best setting of SGX-extended libc library parameters, by iteratively adjusting such parameters based on continuous monitoring of performance data. The tool is to a large extent algorithm agnostic. We decided to base the current implementation on a particular type of stochastic optimization algorithm, specifically Simulated Annealing. A massive experimental campaign was conducted on a relevant case study. Three client-server applications Memcached, Redis, and Apache were compiled with SCONE's sgx-musl and tuned for best performance. Results demonstrate the effectiveness of SGXTuner.

Bibtext

    @ARTICLE{9372883,
author={G. {Mazzeo} and S. {Arnautov} and C. {Fetzer} and L. {Romano}},
journal={IEEE Transactions on Dependable and Secure Computing},
title={SGXTuner: Performance Enhancement of Intel SGX Applications via Stochastic Optimization},
year={2021},
volume={},
number={},
pages={1-1},
doi={10.1109/TDSC.2021.3064391}}


## Perun: Confidential Multi-Stakeholder Machine Learning Framework with Hardware Acceleration Support, DBSec'21

• Authors: Wojciech Ozga, Do Le Quoc, Christof Fetzer
• Abstract: Confidential multi-stakeholder machine learning (ML) allows multiple parties to perform collaborative data analytics while not revealing their intellectual property, such as ML source code, model, or datasets. State-of-the-art solutions based on homomorphic encryption incur a large performance overhead. Hardware-based solutions, such as trusted execution environments (TEEs), significantly improve the performance in inference computations but still suffer from low performance in training computations, e.g., deep neural networks model training, because of limited availability of protected memory and lack of GPU support.

To address this problem, we designed and implemented Perun, a framework for confidential multi-stakeholder machine learning that allows users to make a trade-off between security and performance. Perun executes ML training on hardware accelerators (e.g., GPU) while providing security guarantees using trusted computing technologies, such as trusted platform module and integrity measurement architecture. Less compute-intensive workloads, such as inference, execute only inside TEE, thus at a lower trusted computing base. The evaluation shows that during the ML training on CIFAR-10 and real-world medical datasets, Perun achieved a 161x to 1560x speedup compared to a pure TEE-based approach.

• Conference: DBSec'21

Bibtext

    @ARTICLE{Perun2021,
author={Wojciech Ozga and  Do Le Quoc and Christof Fetzer},
booktitle={CONFERENCE ON DATA AND APPLICATIONS SECURITY AND PRIVACY (DBSec'21)},
title={Perun: Confidential Multi-Stakeholder Machine Learning Framework with Hardware Acceleration Support},
year={2021}
}


## ADAM-CS: Advanced Asynchronous Monotonic Counter Service, DSN'21

• Authors: Franz Gregor (TU Dresden; scontain GmbH), Robert Krahn (TU Dresden), Cong Lian (TU Dresden), André Martin (TU Dresden), Pascal Felber (University of Neuchatel), Valerio Schiavoni (University of Neuchatel), Christof Fetzer (TU Dresden; scontain GmbH)

• Abstract: Abstract—Trusted Execution Environments (TEEs) offer the technological breakthrough to allow several applications to be deployed and executed over untrusted public cloud environments. Although TEEs (e.g., Intel SGX, ARM TrustZone, AMD SEV) provide several mechanisms to ensure confidentiality and in- tegrity of data and code, they do not offer freshness out of the box, a critical aspect yet often overlooked, for instance, to protect against rollback attacks. Monotonic counters are a popular way to detect rollbacks, as their counter values cannot be decremented. However, counter increments are slow (i.e., 10th of milliseconds), making their use impractical for distributed services and applications processing thousands of transactions simultaneously, for which an order of magnitude improvement is needed.

ADAM-CS is an asynchronous monotonic counter service to protect such high-traffic applications against rollback attacks. Leveraging a set of distributed monotonic counters and specific algorithms, ADAM-CS minimizes the maximum vulnerability window (MVW), i.e., the time in which an adversary could successfully rollback an application state/transactions at any point in time. Thanks to its asynchronous nature, ADAM-CS supports thousands of increments per second without introducing additional latency in the transactions performed by applications. Our measurements indicate that MVW is at most 10 ms (i.e., too short to launch a rollback attack in a practical scenario) while supporting a throughput of more than 21K requests/s when using eight counters.

• Conference: DSN'21

Bibtext

    @ARTICLE{AdamCS2021,
author={Franz Gregor and Robert Krahn and Cong Lian and André Martin and Pascal Felber and Valerio Schiavoni and Christof Fetzer},
booktitle={Dependable Systems and Networks (DSN 2021)},
year={2021}
}


## Extended Abstract / Keynote: Formal Foundations for SCONE attestation and Intel SGX Data Center Attestation Primitives, PaveTrust'21

• Authors: Muhammad Usama Sardar and Christof Fetzer

• Abstract One of the essential features of confidential computing is the ability to attest to an application remotely. Remote attestation ensures that the right code is running in the correct environment. We need to ensure that all components that an adversary might use to impact the integrity, confidentiality, and consistency of an application are attested. Which components need to be attested is defined with the help of a policy. Verification of the policy is performed with the help of an attestation engine. Since remote attestation bootstraps the trust in remote applications, any vulnerability in the attestation mechanism can therefore impact the security of an application. Moreover, mistakes in the attestation policy can result in data, code, and secrets being vulnerable. Our work focuses on 1) how we can verify the attestation mechanisms and 2) how to verify the policy to ensure that data, code, and secrets are always protected.\end{abstract}

• Workshop: PaveTrust'21

• Media: extended abstract

• Presentation:

## Keynote: Building safety-critical applications executing in hostile environments, LADC2021

This presentation is an invited keynote to LADC2021. The talk addresses the problem of how one can build safety- and mission-critical applications that need to execute in hostile environments like edge clouds. Consider that we want to execute some critical automotive functions in the edge cloud and ensure that we can trust the results of these functions. The talk focuses on various challenges that we need to address to be able to make this happen in practice.

• Authors: Christof Fetzer

• Presentation:

## CHORS: Hardening High-Assurance Security Systems with Trusted Computing, SAC2022

• Authors: Wojciech Ozga, Rasha Faqeh, Do Le Quoc, Franz Gregor, Silvio Dragone and Christof Fetzer

• Date: April 2022