Efficient Enclave Communication through Shared Memory: A case study of Intel SGX enabled Open vSwitch

This is a Master's thesis from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Jakob Svenningsson; [2019]

Abstract: Open vSwitch is a virtual network switch commonly used to forward network packets between virtual machines. The switch routes network packets based on a set of flow rules stored in its flow tables. Open vSwitch does not provide confidentiality or integrity protection of its flow tables; therefore, an attacker can exploit software vulnerabilities in Open vSwitch to gain access to the host machine and observe or modify installed flow rules. Medina [1] brought integrity and confidentiality guarantees to the flow tables of Open vSwitch, even in the presence of untrusted privileged software, by confining them inside an Intel SGX enclave. However, using an enclave to protect the flow tables has significantly reduced the performance of Open vSwitch. This thesis investigates how and to what extent the performance overhead introduced by Intel SGX in Open vSwitch can be reduced. The method consisted of the development of a general-purpose communication library for Intel SGX enclaves, and two optimized SGX-enabled Open vSwitch prototypes. The library enables efficient communication between the enclave and the untrusted application through shared memory-based techniques. Integrating the communication library in Open vSwitch, combined with other optimization techniques, resulted in two optimized prototypes that were evaluated on a set of common Open vSwitch use cases. The results of this thesis show that it is possible to reduce the overhead introduced by Intel SGX in Open vSwitch by several orders of magnitude, depending on the use case and optimization technique, without compromising its security guarantees.
