Preprint Open Access

SCONE: Secure Linux Containers with Intel SGX

Arnautov, Sergei; Trach, Bohdan; Gregor, Franz; Knauth, Thomas; Martin, Andrè; Priebe, Christian; Muthukumaran, Divya; O'Keeffe, Dan; Stillwell, Mark; Goltzsche, David; Eyers, David; Kapitza, Rüdiger; Pietzuch, Peter; Fetzer, Christof


JSON-LD (schema.org) Export

{
  "description": "<p>In multi-tenant environments, Linux containers managed by Docker or Kubernetes have a lower resource footprint, faster startup times, and higher I/O performance compared to virtual machines (VMs) on\u00a0hypervisors. Yet their weaker isolation guarantees, enforced through software kernel mechanisms,\u00a0make it easier for attackers to compromise the confidentiality and integrity of application data within containers.</p>\n\n<p>We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead: SCONE offers a secure\u00a0C\u00a0standard\u00a0library interface that transparently encrypts/decrypts I/O data; to reduce the performance impact of\u00a0thread synchronization and system calls within SGX enclaves, SCONE supports user-level threading and\u00a0asynchronous system calls. Our evaluation shows that it protects unmodified applications with SGX,\u00a0achieving 0.6\u00d7 \u2013 1.2\u00d7 of native throughput.</p>", 
  "license": "http://creativecommons.org/licenses/by/4.0/legalcode", 
  "creator": [
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Arnautov, Sergei"
    }, 
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Trach, Bohdan"
    }, 
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Gregor, Franz"
    }, 
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Knauth, Thomas"
    }, 
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Martin, Andr\u00e8"
    }, 
    {
      "affiliation": "Imperial College London", 
      "@type": "Person", 
      "name": "Priebe, Christian"
    }, 
    {
      "affiliation": "Imperial College London", 
      "@type": "Person", 
      "name": "Muthukumaran, Divya"
    }, 
    {
      "affiliation": "Imperial College London", 
      "@type": "Person", 
      "name": "O'Keeffe, Dan"
    }, 
    {
      "affiliation": "Imperial College London", 
      "@type": "Person", 
      "name": "Stillwell, Mark"
    }, 
    {
      "affiliation": "TU Braunschweig", 
      "@type": "Person", 
      "name": "Goltzsche, David"
    }, 
    {
      "affiliation": "University of Otago", 
      "@type": "Person", 
      "name": "Eyers, David"
    }, 
    {
      "affiliation": "TU Braunschweig", 
      "@type": "Person", 
      "name": "Kapitza, R\u00fcdiger"
    }, 
    {
      "affiliation": "Imperial College London", 
      "@type": "Person", 
      "name": "Pietzuch, Peter"
    }, 
    {
      "affiliation": "TU Dresden", 
      "@type": "Person", 
      "name": "Fetzer, Christof"
    }
  ], 
  "url": "https://zenodo.org/record/163059", 
  "image": "https://zenodo.org/static/img/logos/zenodo-gradient-round.svg", 
  "datePublished": "2016-11-02", 
  "headline": "SCONE: Secure Linux Containers with Intel SGX", 
  "@context": "https://schema.org/", 
  "identifier": "https://doi.org/10.5281/zenodo.163059", 
  "@id": "https://doi.org/10.5281/zenodo.163059", 
  "@type": "ScholarlyArticle", 
  "name": "SCONE: Secure Linux Containers with Intel SGX"
}