Trust More, Serverless
SysTor’2019
Stefan Brenner, June 3rd, 2019
Technische Universität Braunschweig, Institute of Operating Systems and Computer Networks


Introduction Background Design & Implementation Evaluation Conclusion

Cloud Popularity Impacted by Security Issues

  • Increasing popularity of clouds
  • Cloud security challenges → Hinder cloud adoption
  • Vision: Trusted cloud
      – Enables currently impossible use cases
      – Usage of trusted execution technology


Usage of Trusted Execution Technology

  • Creation of a Trusted Execution Environment (TEE)
  • Goal: Small sensitive compartments inside TEE
  • Holistic approach (legacy applications)
      – Large Trusted Computing Base (TCB)
  • Application partitioning (tailored)
      – High porting effort


Software Design: Monolithic ≠ Modern

Modern modular architectures, e.g. micro services, functions
  • Small independent components
  • Clearly defined interfaces
  • Selective scalability
  • Simpler and independent development

Trusted FaaS: Trusted serverless or Function-as-a-Service (FaaS) cloud!


Trust More, Serverless

  • Background
      – Intel SGX
      – Serverless Computing
  • Design & Implementation
  • Evaluation
  • Conclusion


Intel Software Guard Extensions

Intel Software Guard Extensions (SGX)
  • CPU instruction set extension for trusted execution
  • “Secure enclaves” inside user processes
  • Transparent memory encryption (with integrity)
  • Remote Attestation via Intel Attestation Service

[Figure: diagram with the layers Application, Enclave, Privileged System Code and Hardware; arrows labelled "Create Enclave" and "Execute".]


Serverless and FaaS

Evolution of cloud computing
  1. Infrastructure-as-a-Service (IaaS)
  2. Platform-as-a-Service (PaaS)
  3. Function-as-a-Service (FaaS)
      – Single standalone functions → Lambdas
      – Fine-grained accounting, no idle cost
      – Most maintenance done by provider


Secure Serverless Computing Platform Vision

Basic Properties
  • Lambda inside enclave
  • Parallel (competing) Lambda execution
  • Resource efficiency
  • Transparent Lambda attestation

Challenges:
  • Selection of suitable programming language and Lambda library support
  • Design of a secure and efficient Lambda execution platform
  • Transparent remote attestation of Lambdas


Secure Serverless Computing Programming Language & Runtime

  • Native: sandbox?
  • CPython: large TCB
  → JavaScript
      – MuJS: language support
      – Duktape: lean TCB
      – Google V8: high performance

                                  TCB   Isolation        Sharing
  Native       Multiple Enclaves        Process
               Single Enclave           Native Sandbox
  Interpreted  CPython                  Sub Interpr.
  JavaScript   MuJS                     Context
               Duktape                  Context
               Google V8                V8 Isolate

Selected Variants: Pure JavaScript Lambdas on Duktape and Google V8.


Secure Serverless Computing Architecture

JavaScript Runtime in enclave
  • Lightweight JavaScript interpreter: Duktape
  • Additional: Fast but large Google V8
  • Lambdas executed in interpreter sandbox

Secure Lambdas:
  • Signed Lambda bundles
  • Load and verify on demand

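[Figure: Architecture. λ1.js and library1.js, library2.js, library3.js are bundled with Webpack into λ1.js.bdl and signed (λ1.js.bdl.sig); bundles are kept in the λ Store. The Enclave contains Connection Management and the Runtime (JavaScript Interpreter), with one Sandbox each for λ1.js.bdl and λ2.js.bdl and their .sig files. Arrows: Webpack, Sign, Load & Verify, Request.]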
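
The load-and-verify step from the architecture slide, as an added example that is not code from the talk or the project: the platform checks a bundle's signature against the λ-provider's key before evaluating it in its own context, and rejects a bundle changed in the store. The Ed25519 keys, the in-memory store, the Lambda names and the use of Node's vm module in place of a Duktape context or V8 isolate are assumptions.

```javascript
const crypto = require('crypto');
const vm = require('vm');

// Constructed λ-provider key pair. Ed25519 is an assumption; the slides name no algorithm.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// λ-provider side: sign the bundled source, yielding the bundle and its .sig.
function signBundle(source, key) {
  const bundle = Buffer.from(source, 'utf8');
  return { bundle, sig: crypto.sign(null, bundle, key) };
}

// Constructed λ Store: untrusted storage outside the enclave.
const store = new Map([
  ['echo', signBundle('module.exports = (req) => req;', privateKey)],
  ['fib', signBundle(
    'const f = (n) => (n < 2 ? n : f(n - 1) + f(n - 2));' +
    'module.exports = (req) => f(req.n);', privateKey)],
]);

// Platform side: load on demand, verify before evaluating, one context per Lambda.
const loaded = new Map();
function loadLambda(name, trustedKey) {
  if (loaded.has(name)) return loaded.get(name);
  const entry = store.get(name);
  if (!entry) throw new Error(`unknown lambda: ${name}`);
  if (!crypto.verify(null, entry.bundle, trustedKey, entry.sig)) {
    throw new Error(`signature check failed: ${name}`);
  }
  // Fresh context exposing only a module.exports slot. Node's vm stands in for
  // a Duktape context or V8 isolate here; it is not a hardened boundary.
  const context = vm.createContext({ module: { exports: null } });
  vm.runInContext(entry.bundle.toString('utf8'), context, { timeout: 1000 });
  const handler = context.module.exports;
  if (typeof handler !== 'function') throw new Error(`no handler exported: ${name}`);
  loaded.set(name, handler);
  return handler;
}

function handleRequest(name, req) {
  return loadLambda(name, publicKey)(req);
}

// A bundle modified in the store after signing must be rejected at load time.
function loadTampered(name) {
  const { bundle, sig } = store.get(name);
  store.set(`${name}-tampered`, { bundle: Buffer.concat([bundle, Buffer.from('//x')]), sig });
  try {
    loadLambda(`${name}-tampered`, publicKey);
    return 'loaded';
  } catch (err) {
    return err.message;
  }
}
```

Verification happens before any byte of the bundle reaches the interpreter, so a failed check leaves nothing cached and nothing evaluated.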


Secure Serverless Computing Trust Model

How to establish trust in Lambdas?
  1. Signed Lambda is loaded
  2. Attester verifies enclave
  3. Attester verifies Lambda based on its signature
  4. Attester uploads TLS key
⇒ Implicit attestation on every request

[Figure: Trust model. Entities: Cloud Provider (.git) hosting the Enclave with TLS Key, λ1 and λ2; Platform Provider (.git); λ-Provider 1 and λ-Provider 2 (.git each); User 1 and User 2. Arrows: Verify, Build & launch, Request.]
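
The four trust-model steps as an added example, not code from the talk or the project: the TLS key is uploaded only after both the enclave check and the Lambda signature check pass, so a user who reaches the pinned key has implicitly attested the platform. The quote format, the SHA-256 measurement over a platform source string, the Ed25519 keys (one playing the attestation service) and the nonce exchange standing in for a TLS handshake are assumptions; real SGX quotes look different.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Constructed keys: `ias` plays the attestation service, `provider` a λ-provider.
const ias = crypto.generateKeyPairSync('ed25519');
const provider = crypto.generateKeyPairSync('ed25519');
const PLATFORM_SRC = 'platform build A (constructed)';

function signLambda(source) {
  const bundle = Buffer.from(source, 'utf8');
  return { bundle, sig: crypto.sign(null, bundle, provider.privateKey) };
}

// Step 1: an enclave is launched from some platform build with a signed Lambda loaded.
function launchEnclave(platformSrc, lambda) {
  return { measurement: sha256(platformSrc), lambda, tlsKey: null };
}

// Simplified quote: the enclave measurement, vouched for by the attestation service.
function getQuote(enclave) {
  const body = Buffer.from(JSON.stringify({ measurement: enclave.measurement }));
  return { body, sig: crypto.sign(null, body, ias.privateKey) };
}

// Steps 2-4 (attester): verify enclave, verify Lambda, only then upload the TLS key.
function attestAndProvision(enclave) {
  const quote = getQuote(enclave);
  if (!crypto.verify(null, quote.body, ias.publicKey, quote.sig)) {
    throw new Error('quote rejected');
  }
  const claims = JSON.parse(quote.body.toString('utf8'));
  if (claims.measurement !== sha256(PLATFORM_SRC)) {
    throw new Error('unexpected enclave measurement');
  }
  const { bundle, sig } = enclave.lambda;
  if (!crypto.verify(null, bundle, provider.publicKey, sig)) {
    throw new Error('Lambda signature invalid');
  }
  const tls = crypto.generateKeyPairSync('ed25519');
  enclave.tlsKey = tls.privateKey; // exists only inside a verified enclave
  return tls.publicKey;            // the key users pin
}

// User side, standing in for the TLS handshake: only an enclave holding the
// uploaded key can answer, so each successful request implies attestation.
function request(enclave, pinnedKey) {
  if (!enclave.tlsKey) return false;
  const nonce = crypto.randomBytes(16);
  return crypto.verify(null, nonce, pinnedKey, crypto.sign(null, nonce, enclave.tlsKey));
}

// Helper for checking the rejection paths without throwing.
function tryAttest(enclave) {
  try { attestAndProvision(enclave); return 'provisioned'; } catch (err) { return err.message; }
}
```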


Evaluation Methodology and Trusted Computing Base

Methodology
  • Clients issue TLS-encrypted requests to trusted Lambda platform
  • TCB, throughput and enclave memory footprint measurement

Trusted Computing Base
  • Google V8 TCB 7× larger than Duktape

                 Duktape          V8
  Interpreter    185,392   1,308,702
  Environment    214,156  17,193,624
  Platform         1,529       1,002
  Sum            401,077  18,503,328


Secure Serverless Computing Performance

  • Low overhead of secure Duktape (echo)
  • Secure Google V8 almost 16× faster than secure Duktape
  • Secure Google V8 ≈ 50% of baseline
  • Secure Duktape only ≈ 3%

[Figure: Y axis: Requests/s (ticks 1 to 100000); X axis: Scriptname (echo, fibonacci, jpeg, base64, 3dcube); series: Baseline, Duktape, Google V8; bar labels: 556%, 67%, 6.5%, 5.2%, 7.1%.]

(base64 and 3dcube are part of the JetStream JavaScript benchmark suite)


Secure Serverless Computing Memory Footprint

  • No excessive SGX paging due to lean memory footprint
  • Secure Duktape ≈ 38% lower memory footprint than secure Google V8

[Figure: Secure Google V8 memory footprint. Y axis: Working Set Memory (MB), 0 to 180; X axis: Fixed Number of Contexts, 1 to 10; series: echo, fibonacci, jpeg, base64, 3dcube.]


Conclusion

  • Secure Lambda execution platform based on Intel SGX
  • Execution of pure JavaScript Lambda inside SGX enclave
  • Secure Duktape is much slower than secure Google V8
      – …but requires significantly less memory
      – …and comprises a much smaller TCB
  ⇒ A price tag for transparent security in the FaaS cloud!

⇒ This project was funded by Intel in the TFaaS project!
