HyperEnclave: An Open and Cross-platform Trusted Execution Environment

TL;DR

HyperEnclave introduces an open, cross-platform trusted execution environment leveraging virtualization extensions, enabling secure, flexible enclaves on commodity hardware with minimal performance overhead.

Contribution

It presents HyperEnclave, a novel process-based TEE that operates across platforms without hardware modifications, supporting existing SGX programs and real-world applications.

Findings

Supports real-world privacy-preserving computations

Implements on commodity AMD servers with minimal overhead

Enables running SGX programs with little source code change

Abstract

A number of trusted execution environments (TEEs) have been proposed by both academia and industry. However, most of them require specific hardware or firmware changes and are bound to specific hardware vendors (such as Intel, AMD, ARM, and IBM). In this paper, we propose HyperEnclave, an open and cross-platform process-based TEE that relies on the widely-available virtualization extension to create the isolated execution environment. In particular, HyperEnclave is designed to support the flexible enclave operation modes to fulfill the security and performance demands under various enclave workloads. We provide the enclave SDK to run existing SGX programs on HyperEnclave with little or no source code changes. We have implemented HyperEnclave on commodity AMD servers and deployed the system in a world-leading FinTech company to support real-world privacy-preserving computations. The evaluation on both micro-benchmarks and application benchmarks shows the design of HyperEnclave introduces only a small overhead.