Entwicklung eines Tools zur Performanzanalyse von SGX Enklaven.Development of a SGX Enclave Performance Analysis Tool

Introduction

In the last years, a need for secure computing on untrusted host has come up. To achieve this, Intel developed Software Guard Extensions (SGX) [1,2] that allows developers to create secure compartments for their applications, called enclaves. Enclaves are a secure part of applications that can be entered to perform security critical computations while being guarded from an untrusted operating system and attackers by the processor itself. Enclaves operate in completely encrypted memory that only they can access. To ease development of enclaves, Intel released a Software Development Kit (SDK) [0].

Problem statement

Using SGX enclaves in applications incurs a non-negligible performance overhead that can hurt performance. Therefore, enclave code needs to be optimised and the number of enclave transitions should be kept low. However, sometimes the aid of a profiling tool is required to fully grasp why an application is not performing as expected. This is a problem when working with enclaves, as currently no profiling tool for SGX enclaves exists (There exists Intel VTune which claims to be able to analyse enclaves but not in the extend we want to.).

Task description

Based on a previous team project called Synchrolizer [3], a profiling tool for SGX enclaves is to be built. Synchrolizer is able to measure the wait times of synchronisation primitives like mutexes and has to be extended to also be able to show and process SGX specific blocks. In essence, the following (not exhaustive) list shows some of the potential hotspots that need to be profiled by the tool:

• Transitions to and from the enclave (SDK ECalls and OCalls)
• Synchronisation primitives inside enclaves
• Time spent inside the enclave (Grouped by ECalls)
• Time spent outside the enclave (when using an OCall)
• Hotspot analysis of code inside the enclave similar to tools like perf and Intel VTune

A base implementation that tracks E/OCalls already exists, however no integration with Synchrolyzer is done yet.

Prerequisites

• Basic knowledge of Linux systems as we work with SGX exclusively on Linux
• Good knowledge of C/C++