TGh: A TEE/GC Hybrid Enabling Confidential FaaS Platforms

TL;DR

This paper introduces TGh, a hybrid TEE/garbled circuits protocol that enhances confidential FaaS platforms by reducing enclave management overhead while maintaining security guarantees.

Contribution

It proposes a novel TEE/GC hybrid protocol that shifts computation outside enclaves to improve performance in confidential FaaS environments.

Findings

Reduces enclave management overhead in FaaS functions

Maintains security guarantees of enclaves

Improves performance for short-running functions

Abstract

Trusted Execution Environments (TEEs) suffer from performance issues when executing certain management instructions, such as creating an enclave, context switching in and out of protected mode, and swapping cached pages. This is especially problematic for short-running, interactive functions in Function-as-a-Service (FaaS) platforms, where existing techniques to address enclave overheads are insufficient. We find FaaS functions can spend more time managing the enclave than executing application instructions. In this work, we propose a TEE/GC hybrid (TGh) protocol to enable confidential FaaS platforms. TGh moves computation out of the enclave onto the untrusted host using garbled circuits (GC), a cryptographic construction for secure function evaluation. Our approach retains the security guarantees of enclaves while avoiding the performance issues associated with enclave management instructions.