
One System Call Hook to Rule All TEE OSes in the Cloud

Bibliographic Details
Main Authors: Qin, Kailun, Gu, Dawu
Format: Conference Proceeding
Language: English
container_end_page 216
container_start_page 205
creator Qin, Kailun
Gu, Dawu
description Confidential computing has revolutionized how data is protected while in use in the Cloud, using the concept of Trusted Execution Environments (TEEs). Emerging from this paradigm are TEE OSes. They are extensively deployed in production settings, providing isolation protection and allowing legacy code to execute with minimal changes. However, they encounter challenges in cloud environments, particularly in creating compatibility layers, ensuring runtime protection, and efficiently managing TEE boundary transitions. In response, our work proposes to extend TEE OSes through a unified approach centered on system call (syscall) rewriting and interposition. We present xpoline++, a stepwise (++) binary rewriting strategy executed on-the-fly with its trampoline set up at a manageable address (x). This allows for efficient construction of a compatibility layer at the binary syscall level and a seamless transition to custom hook functions. Further, we introduce two syscall interposition extensions, namely xfilter and xswitchless, which respectively reduce the attack surface and improve the efficiency of TEE boundary switching to better serve the needs of cloud applications. Evaluations on a set of real-world workloads confirmed their effectiveness.
doi_str_mv 10.1109/CLOUD62652.2024.00032
format conference_proceeding
identifier EISSN: 2159-6190
ispartof 2024 IEEE 17th International Conference on Cloud Computing (CLOUD), 2024, p.205-216
issn 2159-6190
language eng
recordid cdi_ieee_primary_10643906
source IEEE Xplore All Conference Series
subjects attack surface reduction
binary rewriting
Cloud computing
Codes
confidential containers
Data protection
operating systems
Production
Protection
Runtime
Switches
switchless calls
syscall interposition
trusted execution environment
title One System Call Hook to Rule All TEE OSes in the Cloud