Conference: IEEE International Systems Conference

Using a Shared SGX Enclave in the UNIX PAM Authentication Service


Abstract

Confidentiality in the storage and handling of sensitive data is a central concern in computing security; among the most sensitive data in computer systems are users’ credentials. To ensure the confidentiality and integrity of sensitive data, developers can use a Trusted Execution Environment (TEE). One such TEE is Intel Software Guard Extensions (SGX), which reduces the trusted computing base to a hardware/software concept called an enclave. However, using SGX enclaves usually incurs a performance impact on application execution. In this paper we propose an enclave sharing approach to reduce the performance overhead in scenarios where multiple enclaves handle the same data. To evaluate this approach, we implemented an SGX-secured OS authentication service. Three prototypes were built, considering distinct concerns about security and performance. Results show that this approach can be used in high-demand environments, presenting a small overhead.
