
One System Call Hook to Rule All TEE OSes in the Cloud


Bibliographic Details
Main Authors: Qin, Kailun, Gu, Dawu
Format: Conference Proceeding
Language: English
Description
Summary: Confidential computing has revolutionized in-use data protection in the Cloud through the concept of Trusted Execution Environments (TEEs). Emerging from this paradigm are TEE OSes. They are extensively deployed in production settings, providing isolation protection and allowing legacy code to execute with minimal changes. However, they encounter challenges in cloud environments, particularly in creating compatibility layers, ensuring runtime protection, and efficiently managing TEE boundary transitions. In response, our work proposes to extend TEE OSes through a unified approach centered on system call (syscall) rewriting and interposition. We present xpoline++, a stepwise (++) binary rewriting strategy executed on-the-fly with its trampoline set up at a manageable address (x). This allows for efficient construction of a compatibility layer at the binary syscall level and a seamless transition to custom hook functions. Further, we introduce two syscall interposition extensions, namely xfilter and xswitchless, which respectively reduce the attack surface and improve the efficiency of TEE boundary switching to better serve the needs of cloud applications. Evaluations on a set of real-world workloads confirmed their effectiveness.
ISSN: 2159-6190
DOI: 10.1109/CLOUD62652.2024.00032