Clemmys - SYSTOR › 2019 › slides › S3P2 Clemmys Towards Secu… · Clemmys Towards Secure...

ClemmysTowards Secure Remote Execution in FaaS

Bohdan Trach, Oleksii Oleksenko, Franz Gregor,Pramod Bhatotia, Christof Fetzer

ACM SYSTOR 2019

Guest OS

FaaS Paradigm of Cloud Computing

Function Runtime

Host OS

Hypervisor

Function

FaaS Paradigm of Cloud Computing

● Less boilerplate work ☺● Easy autoscaling ☺

Guest OS

Function Runtime

Host OS

Hypervisor

Worker 1

Worker 2

How does FaaS work?

Function A

Function B

Function C

ControllerGateway

Worker 1

Worker 2

How does FaaS work?

Function A

Function B

Function C

Controller

Gateway

Worker 1

Worker 2

How does FaaS work?

Function A

Function B

Function C

ControllerGateway

Worker 1

Worker 2

How does FaaS work?

Function A

Function BControllerGateway

itQX/e8=

Function C

Worker 1

Worker 2

How does FaaS work?

Function A


Secret

Function C

Worker 2

Worker 1

How does FaaS work?

Function A


A(Secret)

Function C

Support for function chaining is an important requirement for serverless computing

Worker 2

Worker 1

How does FaaS work?

Function A

Function BControllerGateway B(A(Secret))

Function C


Worker 2

Worker 1

How does FaaS work?

Function A


C(B(A(Secret))) Function C


Worker 2

Worker 1

How does FaaS work?

Function A


C(B(A(Secret)))

Function C

Worker 2

Worker 1

How does FaaS work?

Function A


IysMdOmldNYL

Function C

Worker 2

Worker 1

Is Faas secure?

Function A


Function C

● Less boilerplate work ☺● Easy autoscaling ☺

Worker 2

Worker 1

Is Faas secure?

Function A


Function C

● Less boilerplate work ☺● Easy autoscaling ☺● Low-trust environment

Worker 2

Worker 1

Why is FaaS insecure?

Function A


Function C

Inspect Network Traffic

Worker 2

Worker 1

Why is FaaS insecure?

Function A


Function C

Inspect Network Traffic

Inspect Process Memory

State-of-the-Art: Computing on Untrusted Systems

● High performance overhead ● Low flexibility

Related Work:● nGraph-HE [IACR 2019/350]● PySyft

Guest OS

Function Runtime

Host OS

Hypervisor

Multiparty ComputationsHomomorphic Encryption

State-of-the-Art: Computing on Untrusted Systems

● Acceptable overhead ☺● Arbitrary workloads ☺

Related Work:● S-FaaS [CoRR abs/1810.06080]

Guest OS

Function Runtime

Host OS

Hypervisor

Intel SGX

What is Intel SGX?

User Application (Untrusted Memory)

Operating System

What is Intel SGX?

● Adds enclave abstraction User Application (Untrusted Memory)

Enclave

Operating System/Hypervisor

What is Intel SGX?

● Adds enclave abstraction○ Encrypted in RAM only


Enclave


Encrypted in RAMUnencrypted in CPU cache

What is Intel SGX?

● Adds enclave abstraction○ Encrypted in RAM only○ Not accessible from outside


Enclave


Read,Write

Read,Write

What is Intel SGX?

● Adds enclave abstraction○ Encrypted in RAM only○ Not accessible from outside○ Developer-specified entry points


Enclave


Call

Enter

Exit

Call

What are the limitations of Intel SGX?

● High overheads for:○ Secure memory paging○ Enclave startup with large heap


Enclave


94MB of HW-encrypted memory available

Why do Intel SGX limitations matter?

Function startup time as an optimization target:

● SAND, SOCK [ATC’18]




Problem for SGXv1 enclaves




Problem for SGXv1 enclaves

● Can be solved with SGXv2

Additional optimizations are worth investigating.

Problem Statement

How to execute a wide range of user functions in FaaS in a trustworthy and efficient manner?

Outline

● Motivation● Design● Evaluation● Summary

What is Clemmys?

SGX Enclave Native Application

Function A


Function C

TLS

Based on Apache OpenWhisk

What is Clemmys?


Function A


Function C

TLS

Key Mgmt Service

Based on Apache OpenWhisk

1. Trustworthy environment for function execution

What is Clemmys?


Function A


Function C

TLS Plaintext Metadata ++ Encrypted Data

Plaintext Metadata +

+ Encrypted Data

Key Mgmt Service

Based on Apache OpenWhisk2. Message format for secure function chaining


What is Clemmys?


Function A


Function C



+ Encrypted Data

Key Mgmt Service



3. Function startup time optimizations (SGXv2)

What is Clemmys?


Function A


Function C



+ Encrypted Data

Key Mgmt Service



3. Function startup time optimizations (SGXv2)

4. Key management and deployment scheme

Components of Clemmys

● Internal encryption ● Function chain verification● Function startup optimizations● Function deployment and key management

How does Clemmys secure communication?

Function A


Function C

TLS TLS TLS

EPC paging → slow!



Function A


Function C

TLS ??? ???



Function A


Function C

TLS ??? ???

Idea: separate controller metadata (plaintext) from function arguments (encrypted)



Function A


Function C

TLS

Idea: separate controller metadata (plaintext) from function arguments (encrypted)

Plaintext Metadata ++ Encrypted Data



● Naive encryption does not preserve function order.

Scale

Detect FeaturesControllerGateway

Report & Log


Why should function chain order be enforced?


Scale


Report & Log



● Naive encryption does not preserve function order.



Scale


Report & Log



● Naive encryption does not preserve function order.● Message format should preclude these attack vector.



Scale


Report & Log



● Naive encryption does not preserve function order.● Message format should preclude these attack vector.



See paper for technical details

Startup Optimizations

1. SGXv1 Enclave Creation

Enclave VM Range

Physical Pages



Enclave VM Range

EPC Size



Enclave VM Range

EPC Size

Paged out!



Enclave VM Range

Enclave .text and .data sectionsMetadata for heap allocator

SGXv2 allows adding pages at runtime



Enclave VM Range

Memory access inside enclave




Enclave VM Range


Page added (augmented) dynamically



1. SGXv2 Enclave Creation2. EPC Batch Augmentation

Enclave VM Range


Page added (augmented) dynamically



Enclave VM Range


Block of N pages augmented at once



Enclave VM Range

Freshly allocated region of heap memory

3. Memory zeroing on deallocation

Need to be explicitly zeroed with SGXv1



Enclave VM Range

Freshly allocated region of heap memory


Guaranteed to be zero-filled with SGXv2



Enclave VM Range


Zero-filled on memory deallocation

How is Clemmys function deployed?

Function A

Function B

Function C

ControllerGateway

Client Palaemon



Function A

Function B

Function C

ControllerGateway

Client Palaemon

● Palaemon - remote attestation and configuration service● Transparent configuration management:

○ Environment variables and command-line arguments


Remote AttestationIntel


Function A

Function B

Function C

ControllerGateway

Client Palaemon

SGX Enclave Native Application Trust Established

Upload configuration(chains, secrets)


Function A

Function B

Function C

ControllerGateway

Client Palaemon



Function A

Function B

Function C

ControllerGateway

Client Palaemon

Upload functions(Docker images)


How is Clemmys function invoked?

Function A

Function B

Function C

ControllerGateway

Client Palaemon



Function A

Function B

Function C

ControllerGateway

Client Palaemon

Remote attestation via Palaemon at launch



Function A

Function B

Function C

ControllerGateway

Client Palaemon



Function A

Function B

Function C

ControllerGateway

Client Palaemon

TLS API Request



Function A

ControllerGateway

Client Palaemon

TLS API Request

Plaintext Metadata ++ Encrypted Data Worker Platform




Function A

ControllerGateway

Client Palaemon

TLS API Request



1. Platform launches the enclave using the plaintext metadata



Function A

ControllerGateway

Client Palaemon

TLS API Request



1. Platform launches the enclave using the plaintext metadata2. Enclave performs remote attestation and configuration with Palaemon




Function A

ControllerGateway

Client Palaemon

TLS API Request

Worker PlatformPlaintext Metadata ++ Encrypted Data

1. Platform launches the enclave using the plaintext metadata2. Enclave performs remote attestation and configuration with Palaemon3. Enclave decrypts and processes the request


Outline

● Motivation● Design● Evaluation● Summary

56

Gateway Overhead

Function A

Function B

Function C

ControllerGateway

Function A

Function B

Function C

ControllerGateway

VS.


Gateway Overhead

lower ➝ better

Gateway Overhead

lower ➝ better

Number of functions running on the worker node

Gateway Overhead

lower ➝ better

Gateway Overhead

Minimal overhead (~1-5%) over native API Gateway

lower ➝ better

Function Overhead

FunctionControllerGateway


VS.


Function Overhead

lower ➝ better

Function Overhead

Minimal overhead over native functions (up to 25%)

lower ➝ better

SGXv2 Optimizations



VS.


SGXv1

SGXv2

SGXv2 Optimizations

Speedup normalized by the SGXv1 function run time

SGXv2 Optimizations

higher ➝ better

SGXv2 Optimizations

● SGXv2 - all optimizations● SGXv2(NB) - no batched augmentation● SGXv2(NB,NO) - no batched augmentation and memory zeroing on deallocation

higher ➝ better

SGXv2 Optimizations

10 times lower latency on Phoenix benchmarks with SGXv210% lower latency from additional optimizations on a few benchmarks

higher ➝ better

Summary

Clemmys is:

- Secure - protects functions using enclave

- Fast - achieves near-native performance

- Flexible - does not restrict workloads

Summary

Clemmys is:

- Secure - protects functions using enclave

- Fast - achieves near-native performance

- Flexible - does not restrict workloads

Thank You for your attention!

[email protected]

Funding

This project was funded by the European Union’s Horizon 2020 program under grant agreement No. 690588 (Selis), and BMBF No. 03ZZ0517A (FastCloud)

Clemmys - SYSTOR › 2019 › slides › S3P2 Clemmys Towards Secu… · Clemmys Towards Secure...

Documents

Transcript of Clemmys - SYSTOR › 2019 › slides › S3P2 Clemmys Towards Secu… · Clemmys Towards Secure...