Trusted Execution Environments (TEEs), such as Intel Software Guard eXtensions (SGX), are considered as a promising approach to resolve security challenges in clouds. TEEs protect the confidentiality and integrity of application code and data even against privileged attackers with root and physical access by providing an isolated secure memory area, i.e., enclaves. The security guarantees are provided by the CPU, thus even if system software is compromised, the attacker can never access the enclave's content. While this approach ensures strong security guarantees for applications, it also introduces a considerable runtime overhead in part by the limited availability of protected memory (enclave page cache). Currently, only a limited number of performance measurement tools for TEE-based applications exist and none offer performance monitoring and analysis during runtime. This paper presents TEEMon, the first continuous performance monitoring and analysis tool for TEE-based applications. TEEMon provides not only fine-grained performance metrics during runtime, but also assists the analysis of identifying causes of performance bottlenecks, e.g., excessive system calls. Our approach smoothly integrates with existing open-source tools (e.g., Prometheus or Grafana) towards a holistic monitoring solution, particularly optimized for systems deployed through Docker containers or Kubernetes and offers several dedicated metrics and visualizations. Our evaluation shows that TEEMon's overhead ranges from 5% to 17%.
翻译:信任的执行环境(TEEs),例如 Intel 软件保护 extensions (SGX) 等信任的执行环境(TEEs),被视为解决云层安全挑战的一种很有希望的方法。TEE通过提供一个孤立的安全记忆区,即飞地,保护应用代码和数据,甚至针对有根和物理访问权的特权攻击者,保护应用代码和数据的保密性和完整性;由CPU提供安全保障,因此即使系统软件受损,攻击者也永远无法访问飞地的内容。虽然这种方法确保了对应用程序的有力安全保障,但部分由于受保护记忆(加固页面缓存)有限,它也引入了相当长的运行时间性管理。目前,只有数量有限的基于TEE应用程序的绩效衡量工具,而且没有在运行时提供绩效监测和分析。本文介绍了TEEMon,这是基于TEE的应用的第一个持续的业绩监测和分析工具。TEEMon不仅在运行期间提供精确的性能衡量标准,而且不仅协助分析性能瓶颈的原因,例如,过度的系统呼叫。我们的方法与现有的开放源(例如, Prome ) 或直观模型中的一些系统顺利地结合了现有的最佳监测系统,以展示了我们部署的17 。