Speeding up enclave transitions for IO-intensive applications
Jakob Svenningsson, Nicolae Paladi, Arash Vahidi

TL;DR
This paper introduces SGX-Bundler, a library that reduces transition overhead in Intel SGX enclaves, significantly improving performance for IO-intensive applications like network switching.
Contribution
We propose SGX-Bundler, a novel library that minimizes enclave transition costs, enabling practical use of SGX enclaves for IO-heavy workloads.
Findings
SGX-Bundler reduces transition overhead by up to 50%.
Performance improvements enable real-world IO-intensive applications.
Case study with Open vSwitch demonstrates practical benefits.
Abstract
Process-based confidential computing enclaves such as Intel SGX can be used to protect the confidentiality and integrity of workloads, without the overhead of virtualisation. However, they introduce a notable performance overhead, especially when it comes to transitions in and out of the enclave context. Such overhead makes the use of enclaves impractical for running IO-intensive applications, such as network packet processing or biological sequence analysis. We build on earlier approaches to improve the IO performance of workloads in Intel SGX enclaves and propose the SGX-Bundler library, which helps reduce the cost of both individual single enclave transitions as well as of the total number of enclave transitions in trusted applications running in Intel SGX enclaves. We describe the implementation of the SGX-Bundler library, evaluate its performance and demonstrate its practicality…
Taxonomy
Topics: Software-Defined Networks and 5G · Security and Verification in Computing · Distributed systems and fault tolerance
