Preprint Open Access

SCONE: Secure Linux Containers with Intel SGX

Arnautov, Sergei; Trach, Bohdan; Gregor, Franz; Knauth, Thomas; Martin, Andrè; Priebe, Christian; Muthukumaran, Divya; O'Keeffe, Dan; Stillwell, Mark; Goltzsche, David; Eyers, David; Kapitza, Rüdiger; Pietzuch, Peter; Fetzer, Christof


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam##2200000uu#4500</leader>
  <controlfield tag="005">20170908072616.0</controlfield>
  <controlfield tag="001">163059</controlfield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Trach, Bohdan</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Gregor, Franz</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Knauth, Thomas</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Martin, Andrè</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Imperial College London</subfield>
    <subfield code="a">Priebe, Christian</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Imperial College London</subfield>
    <subfield code="a">Muthukumaran, Divya</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Imperial College London</subfield>
    <subfield code="a">O'Keeffe, Dan</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Imperial College London</subfield>
    <subfield code="a">Stillwell, Mark</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Braunschweig</subfield>
    <subfield code="a">Goltzsche, David</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">University of Otago</subfield>
    <subfield code="a">Eyers, David</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Braunschweig</subfield>
    <subfield code="a">Kapitza, Rüdiger</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Imperial College London</subfield>
    <subfield code="a">Pietzuch, Peter</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Fetzer, Christof</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">384436</subfield>
    <subfield code="z">md5:6815ddc1287870ab7541abd7b9957bda</subfield>
    <subfield code="u">https://zenodo.org/record/163059/files/osdi2016scone-preprint.pdf</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2016-11-02</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="p">user-ecfunded</subfield>
    <subfield code="o">oai:zenodo.org:163059</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">TU Dresden</subfield>
    <subfield code="a">Arnautov, Sergei</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">SCONE: Secure Linux Containers with Intel SGX</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-ecfunded</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">645011</subfield>
    <subfield code="a">Secure Enclaves for REactive Cloud Applications</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">690111</subfield>
    <subfield code="a">Secure Big Data Processing in Untrusted Clouds</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">http://creativecommons.org/licenses/by/4.0/legalcode</subfield>
    <subfield code="a">Creative Commons Attribution 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;In multi-tenant environments, Linux containers managed by Docker or Kubernetes have a lower resource footprint, faster startup times, and higher I/O performance compared to virtual machines (VMs) on hypervisors. Yet their weaker isolation guarantees, enforced through software kernel mechanisms, make it easier for attackers to compromise the confidentiality and integrity of application data within containers.&lt;/p&gt;

&lt;p&gt;We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead: SCONE offers a secure C standard library interface that transparently encrypts/decrypts I/O data; to reduce the performance impact of thread synchronization and system calls within SGX enclaves, SCONE supports user-level threading and asynchronous system calls. Our evaluation shows that it protects unmodified applications with SGX, achieving 0.6× – 1.2× of native throughput.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.163059</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">preprint</subfield>
  </datafield>
</record>
37
23
views
downloads
All versions This version
Views 3737
Downloads 2323
Data volume 8.8 MB8.8 MB
Unique views 3737
Unique downloads 2222

Share

Cite as