SGX-based LibOS中系统调用转发机制研究

刘西蒙; 黄应康; 刘维杰; 范倍汐; 章恬; 张杰

doi:10.11959/j.issn.1000-436x.2024214

您当前的位置：

首页 >

文章列表页 >

SGX-based LibOS中系统调用转发机制研究

学术论文 | 更新时间：2025-01-08

- SGX-based LibOS中系统调用转发机制研究
- Research on system call forwarding mechanism of SGX-based LibOS
- 通信学报 2024年45卷第Z1期页码：31-40
- 作者机构：
  
  1.福州大学计算机与大数据学院/软件学院，福建福州 350108
  2.南开大学密码网络空间安全学院，天津 300350
  3.数据与智能系统安全教育部重点实验室，天津 300350
  4.山西师范大学数学与计算机科学学院，山西太原 030031
- 作者简介：
  
  [ "刘西蒙（1988- ），男，陕西西安人，博士，福州大学教授、博士生导师，主要研究方向为密码学、人工智能安全。" ]
  [ "黄应康（2000- ），男，江西上饶人，福州大学硕士生，主要研究方向为系统安全、可信计算。" ]
  [ "刘维杰（1991- ），男，湖北武汉人，博士，南开大学副教授、硕士生导师，主要研究方向为系统安全、可信计算环境和二进制程序分析，weijieliu@nankai.edu.cn。" ]
  范倍汐（2000- ），女，四川眉山人，山西师范大学硕士生，主要研究方向为容器安全、漏洞挖掘。
  [ "章恬（2001- ），女，江西上饶人，福州大学硕士生，主要研究方向为云原生安全、漏洞挖掘。" ]
  [ "张杰（1996- ），女，山东临沂人，山西师范大学硕士生，主要研究方向为系统安全、容器安全。" ]
- 基金信息：
  
  国家自然科学基金资助项目;The National Natural Science Foundation of China(62072109);福建省自然科学基金资助项目(2021J06013)
- DOI：10.11959/j.issn.1000-436x.2024214
  中图分类号： N92
- 收稿日期：2024-10-06，
  
  纸质出版日期：2024-10-25
- 稿件说明：
移动端阅览
刘西蒙,黄应康,刘维杰等.SGX-based LibOS中系统调用转发机制研究[J].通信学报,2024,45(Z1):31-40.

LIU Ximeng,HUANG Yingkang,LIU Weijie,et al.Research on system call forwarding mechanism of SGX-based LibOS[J].Journal on Communications,2024,45(Z1):31-40.
刘西蒙,黄应康,刘维杰等.SGX-based LibOS中系统调用转发机制研究[J].通信学报,2024,45(Z1):31-40. DOI： 10.11959/j.issn.1000-436x.2024214.

LIU Ximeng,HUANG Yingkang,LIU Weijie,et al.Research on system call forwarding mechanism of SGX-based LibOS[J].Journal on Communications,2024,45(Z1):31-40. DOI： 10.11959/j.issn.1000-436x.2024214.

摘要

SGX-based LibOS允许现有的未经修改的应用程序在SGX Enclave中运行。然而，不同的SGX-based LibOS在架构设计、系统调用模拟以及系统调用转发机制上存在差异，增加了用户使用门槛，并使得调试程序错误变得棘手。为了应对这些问题，提出了系统调用动态测试框架，对各种SGX-based LibOS进行了测试，追踪了系统调用在LibOS中的执行状况，并比较了其在Linux宿主机上的运行差异。同时，分析了实验结果，深入探讨了不同基于SGX的LibOS中系统调用转发机制的差异，总结了它们对Linux功能的模拟情况以及编程语言运行时的支持状态，并指出了该领域的不足和待改进之处。

Abstract

SGX-based LibOS are designed to run unmodified applications within SGX Enclave

but differences in their architecture

system call simulation

and system call forwarding can make them difficult to use and debug. To overcome these challenges

a dynamic testing framework was introduced that traced system calls and verified their behaviors in various SGX-based LibOS. This framework compared the execution of system calls within the LibOS to their execution on regular Linux hosts

analyzing the differences in call forwarding mechanisms

Linux feature replication

and runtime support for programming languages. The study aims to highlight where improvements are needed and hopefully provides guidance for future research in this area.

关键词

Keywords

references

李凤华 , 李晖 , 贾焰 , 等 . 隐私计算研究范畴及发展趋势 [J ] . 通信学报 , 2016 , 37 ( 4 ): 1 - 11 .

LI F H , LI H , JIA Y , et al . Privacy computing: concept, connotation and its research trend [J ] . Journal on Communications , 2016 , 37 ( 4 ): 1 - 11 .

Intel Corporation . Intel software guard extensions (Intel SGX) [R ] . 2019 .

AMD . AMD SEV-SNP: strengthening VM isolation with integrity protection and more white paper [R ] . 2020 .

PINTO S , SANTOS N . Demystifying arm TrustZone [J ] . ACM Computing Surveys , 2019 , 51 ( 6 ): 1 - 36 .

董春涛 , 沈晴霓 , 罗武 , 等 . SGX应用支持技术研究进展 [J ] . 软件学报 , 2021 , 32 ( 1 ): 137 - 166 .

DONG C T , SHEN Q N , LUO W , et al . Research progress of SGX application supporting techniques [J ] . Journal of Software , 2021 , 32 ( 1 ): 137 - 166 .

ZHANG F , CECCHETTI E , CROMAN K , et al . Town crier: an authenticated data feed for smart contracts [C ] // Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security . New York : ACM Press , 2016 : 270 - 282 .

汤凌韬 , 陈左宁 , 张鲁飞 , 等 . 联邦学习中的隐私问题研究进展 [J ] . 软件学报 , 2023 , 34 ( 1 ): 197 - 229 .

TANG L T , CHEN Z N , ZHANG L F , et al . Research progress of privacy issues in federated learning [J ] . Journal of Software , 2023 , 34 ( 1 ): 197 - 229 .

Enarx . Confidential computing with Webassembly [R ] . 2021 .

AHMAD A , KIM J , SEO J , et al . CHANCEL: efficient multi-client isolation under adversarial programs [C ] // Proceedings 2021 Network and Distributed System Security Symposium . Reston : Internet Society , 2021 : 1 - 18 .

LIU W J , CHEN H B , WANG X F , et al . Understanding TEE containers, easy to use? hard to trust [J ] . arXivPreprint , arXiv: 2109.01923 , 2021 .

PORTER D E , BOYD-WICKIZER S , HOWELL J , et al . Rethinking the library OS from the top down [C ] // Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems . New York : ACM Press , 2011 : 291 - 304 .

PRIEBE C , MUTHUKUMARAN D , LIND J , et al . SGX-LKL: securing the host OS interface for trusted execution [J ] . arXiv Preprint , arXiv: 1908.11143 , 2019 .

TSAI C C , PORTER D E , VIJ M . Graphene-SGX: a practical library OS for unmodified applications on SGX [C ] // 2017 USENIX Annual Technical Conference (USENIX ATC 17) . Berkeley : USENIX Association , 2017 : 645 - 658 .

Gramine . The gramine project [R ] . 2024 .

SHEN Y R , TIAN H L , CHEN Y , et al . Occlum: secure and efficient multitasking inside a single enclave of intel SGX [C ] // Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems . New York : ACM , 2020 : 955 - 970 .

Occlum . Occlum team [R ] . 2024

Mystikos . Deis Labs [R ] . 2024

TIAN H L , ZHANG Q , YAN S M , et al . Switchless calls made practical in intel SGX [C ] // Proceedings of the 3rd Workshop on System Software for Trusted Execution . New York : ACM Press , 2018 : 22 - 27 .

ORENBACH M , LIFSHITS P , MINKIN M , et al . Eleos: ExitLess OS services for SGX enclaves [C ] // Proceedings of the Twelfth European Conference on Computer Systems . New York : ACM Press , 2017 : 238 - 253 .

SONG K T , OU S Q . A client-server architecture for object volume measurement on a conveyor belt [C ] // 2019 12th Asian Control Conference (ASCC) . Piscataway : IEEE Press , 2019 : 901 - 906 .

LARSON P . Testing linux with the linux test project [C ] // Proceedings of the Ottawa Linux Symposium . Piscataway : IEEE Press , 2002 : 265 - 273 .

Linux . Linux test project [R ] . 2024 .

TSAI C C , JAIN B , ABDUL N A , et al . A study of modern linux API usage and compatibility: what to support when you’re supporting [C ] // Proceedings of the Eleventh European Conference on Computer Systems . New York : ACM Press , 2016 : 1 - 16 .

AHMAD A , KIM K , SARFARAZ M I , et al . OBLIVIATE: a data oblivious filesystem for intel SGX [C ] // Proceedings 2018 Network and Distributed System Security Symposium . Reston : Internet Society , 2018 : 1 - 15 .

Github . Jinzhao-disk [R ] . 2024 .

Github . Mlsdisk [R ] . 2024 .

浏览量

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

基于SGX的虚拟机动态迁移安全增强方法

Android智能终端安全综述

基于层次隐马尔科夫模型和变长语义模式的入侵检测方法