Binary Compatibility For SGX Enclaves

TL;DR

This paper introduces Ratel, a system that achieves binary compatibility for SGX enclaves on Linux by using dynamic binary translation, addressing design restrictions that cause incompatibility with existing software.

Contribution

It is the first to provide a comprehensive binary compatibility solution for SGX enclaves, highlighting the trade-offs involved and evaluating with diverse real-world applications.

Findings

Ratel enables compatibility with over 200 programs including Linux utilities.

Performance trade-offs are evident due to OS-enclave interface mediation.

Design restrictions in SGX impact compatibility, which Ratel aims to mitigate.

Abstract

Enclaves, such as those enabled by Intel SGX, offer a powerful hardware isolation primitive for application partitioning. To become universally usable on future commodity OSes, enclave designs should offer compatibility with existing software. In this paper, we draw attention to 5 design decisions in SGX that create incompatibility with existing software. These represent concrete starting points, we hope, for improvements in future TEEs. Further, while many prior works have offered partial forms of compatibility, we present the first attempt to offer binary compatibility with existing software on SGX. We present Ratel, a system that enables a dynamic binary translation engine inside SGX enclaves on Linux. Through the lens of Ratel, we expose the fundamental trade-offs between performance and complete mediation on the OS-enclave interface, which are rooted in the aforementioned 5 SGX design restrictions. We report on an extensive evaluation of Ratel on over 200 programs, including micro-benchmarks and real applications such as Linux utilities.