A framework for application partitioning using trusted execution environments. (23rd April 2017)
- Record Type:
- Journal Article
- Title:
- A framework for application partitioning using trusted execution environments. (23rd April 2017)
- Main Title:
- A framework for application partitioning using trusted execution environments
- Authors:
- Atamli‐Reineh, Ahmad
Paverd, Andrew
Petracca, Giuseppe
Martin, Andrew
- Other Names:
- Abawajy, Jemal H. (guest editor)
Islam, Rafiqul (guest editor)
Hodon, Michal (guest editor)
Fouchal, Hacene (guest editor)
- Abstract:
- The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes. To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse-grained partitioning, in which the whole application is included in a single TEE, through to ultra-fine partitioning, in which each piece of security-sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application specific, we establish application-independent relationships between the types we have defined. Because these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely used software packages, the Apache Web server and the OpenSSL library. In each case study, we provide four high-level partitioning schemes, one for each of the types in our framework. We also systematically review the related work on hardware-enforced partitioning by categorising previous research efforts according to our framework. Copyright © 2017 John Wiley & Sons, Ltd.
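Illustration added by the editor, not code from the paper, from Apache or from OpenSSL: a plain-Python stand-in for the ultra-fine end of the spectrum described in the abstract, in which only a signing key and the handful of operations on it sit inside a TEE while request parsing and I/O stay in the untrusted host. Nothing here is SGX; the closure in `create_enclave` only models where the boundary falls (the key is generated inside and the host is handed nothing but an ECALL table). The names (`create_enclave`, `UntrustedHost`, `compromised_host_attempts`, the `allowed_prefix` policy) and the sample request are constructed for this example. It also shows the caveat a practitioner should expect from such a partition: the host never learns the key, but a compromised host can still drive the enclave as a signing oracle unless some policy is moved inside next to the key.

```python
"""Simulated TEE boundary for a fine-grained signing-key partition.

Editor's illustration; not SGX and not the paper's code. The closure in
create_enclave() only models where the boundary falls: key material is
created inside and never returned, and the host holds nothing but ECALLs.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed sample request for the untrusted host; not taken from the paper.
SAMPLE_REQUEST = b"GET /account/balance"


def create_enclave(allowed_prefix: bytes) -> Dict[str, Callable]:
    """Trusted side. Returns only the ECALL table; the key stays in the closure.

    allowed_prefix is a (hypothetical) policy kept next to the key: the enclave
    refuses to sign anything outside that domain. An empty prefix disables it.
    """
    key = os.urandom(32)          # generated inside; never crosses the boundary
    sign_count = [0]              # audit counter the host cannot reset

    def ecall_sign(message: bytes) -> Optional[bytes]:
        if not message.startswith(allowed_prefix):
            return None           # policy enforced where the host cannot bypass it
        sign_count[0] += 1
        return hmac.new(key, message, hashlib.sha256).digest()

    def ecall_verify(message: bytes, tag: bytes) -> bool:
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def ecall_sign_count() -> int:
        return sign_count[0]

    return {"sign": ecall_sign, "verify": ecall_verify, "count": ecall_sign_count}


class UntrustedHost:
    """Everything outside the TEE: I/O, request parsing, marshalling to ECALLs.

    In the fine-grained scheme the host sees every request in the clear; the
    partition protects the key, not the application's data.
    """

    def __init__(self, ecalls: Dict[str, Callable]) -> None:
        self.ecalls = ecalls

    def handle(self, raw_request: bytes) -> Optional[bytes]:
        # Parsing is untrusted code: a bug here compromises the host process,
        # but the attack surface it adds is kept out of the enclave.
        method, _, path = raw_request.partition(b" ")
        if method != b"GET" or not path:
            return None
        return self.ecalls["sign"](b"GET " + path)


def compromised_host_attempts(ecalls: Dict[str, Callable]) -> Tuple[bool, bool]:
    """Attacker fully controls the host process. Returns (got_key, got_oracle_sig).

    The ECALL table is all the host ever holds, so got_key is always False;
    whether the attacker can obtain a signature on a message of their choosing
    depends on the policy placed inside the enclave.
    """
    got_key = "key" in ecalls
    tag = ecalls["sign"](b"TRANSFER 1000000 to attacker")
    return got_key, tag is not None


if __name__ == "__main__":
    enclave = create_enclave(allowed_prefix=b"GET ")
    host = UntrustedHost(enclave)
    tag = host.handle(SAMPLE_REQUEST)
    print("signed:", tag.hex())
    print("compromised host, policy inside TEE:", compromised_host_attempts(enclave))
    print("compromised host, no policy:", compromised_host_attempts(create_enclave(b"")))
```

Running it with `allowed_prefix=b"GET "` gives `(False, False)` for the compromised host, while `create_enclave(b"")` gives `(False, True)`: the key is equally safe in both, but in the second the enclave is a free signing oracle. Which checks travel into the TEE with the key, and therefore how much code and attack surface the enclave interface carries, is exactly the granularity decision the framework in the abstract is meant to organise.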
- Is Part Of:
- Concurrency and computation. Volume 29:Number 23(2017)
- Journal:
- Concurrency and computation
- Issue:
- Volume 29:Number 23(2017)
- Issue Display:
- Volume 29, Issue 23 (2017)
- Year:
- 2017
- Volume:
- 29
- Issue:
- 23
- Issue Sort Value:
- 2017-0029-0023-0000
- Page Start:
- n/a
- Page End:
- n/a
- Publication Date:
- 2017-04-23
- Subjects:
- SGX -- software vulnerabilities -- hardware security -- trusted execution environment
Parallel processing (Electronic computers) -- Periodicals
Parallel computers -- Periodicals
004.35
- Journal URLs:
- http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/cpe.4130
- Languages:
- English
- ISSNs:
- 1532-0626
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3405.622000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 5425.xml