
SPM: A Scheme of SGX Process Secure Live Migration

Posted on: 2018-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yu
GTID: 2428330515497940
Subject: Information security
Abstract/Summary:
With the rapid development of cloud computing technology in recent years, a large number of security problems have arisen. How to provide trusted services for cloud tenants in an untrustworthy cloud environment has become a hot topic in academia and industry. Based on the idea of trusted computing, Intel Corporation proposed Software Guard Extension (SGX) in 2013. With this technology, a trusted execution environment (an enclave) can be created in user space. By applying strict memory isolation and access control mechanisms, only code inside the enclave can access resources in the trusted environment; even privileged software cannot access this region. SGX can thus protect the confidentiality and integrity of the code and data in an enclave from malicious attackers.

Meanwhile, to balance load among computing nodes, to improve resource utilization and fault tolerance, and to build a relocatable trusted service in the cloud, it is also necessary to study the live migration of SGX processes. However, little research has been conducted on how to migrate a trusted enclave. By studying traditional process live migration strategies and combining the open source software CRIU with the checkpoint/restore (C/R) mechanism, we designed a C/R strategy for SGX processes. By also utilizing CPU-based attestation and sealing technology, we proposed a secure SGX Process Migration model (SPM) and analyzed it with respect to existing security problems.

Finally, experimental verification showed that our SPM scheme can migrate an SGX process successfully. During the migration, neither the dump nor the communication reveals any sensitive information in enclaves. As for performance overhead, only a millisecond-level loss is introduced, which is negligible.
Keywords/Search Tags: Process migration, Intel SGX, Secure migration, Checkpoint/Restore