UniGuard: Protecting Unikernels using Intel SGX

Title

UniGuard: Protecting Unikernels using Intel SGX

Authors

Ioannis Sfyrakis, Thomas Groß

Abstract

Computations executed in lightweight virtual machines called unikernels have a minimal attack surface and improved performance. However, unikernels are still prone to leaking information to the operating system or to the hypervisor that hosts them. This is attributed to vulnerabilities in privileged software and to malicious insiders operating in cloud infrastructures. Indeed, the deployment of unikernels requires a protection mechanism to ensure that information does not leak from unikernels. In this paper, we present our initial experiments into the use of an approach for creating a Trusted Execution Environment (TEE) in unikernels. We present UniGuard: a security architecture that leverages Intel Software Guard Extensions (SGX) to protect security-sensitive computations inside unikernels. We believe that unikernels are an excellent match for Intel SGX to create a TEE. We implemented our solution on top of the KVM hypervisor and its Intel SGX support. Results show that UniGuard has a comparable 20% overhead when starting an enclave inside a unikernel and 10% when executing ocalls.

Venue

IEEE International Conference on Cloud Engineering 2018 (http://conferences.computer.org/IC2E/2018/)

Place and Date 

Orlando, Florida,  U.S.A, April 17 - 20, 2018.