Secured Routines: Language-based Construction of Trusted Execution Environments

Trusted Execution Environments (TEEs), such as Intel SGX enclaves, use hardware to ensure the confidentiality and integrity of operations on sensitive data. While the technology is available on many processors, the complexity of its programming model and its performance overhead have limited adoption. TEEs provide a new and valuable hardware functionality that has no obvious analogue in programming languages, which means that developers must manually partition their application into trusted and untrusted components. This paper describes an approach that fully integrates trusted execution into a language. We extend the Go language to allow a programmer to execute a goroutine within an enclave, to use low-overhead channels to communicate between the trusted and untrusted environments, and to rely on a compiler to automatically extract the secure code and data. Our prototype compiler and runtime, GOTEE, is a backward-compatible fork of the Go compiler. The evaluation shows that our compiler-driven code and data partitioning efficiently executes both microbenchmarks and applications. On the former, GOTEE achieves a 5.2×throughput and a 2.3× latency improvement over the Intel SGX SDK. Our case studies, a Go ssh server, the Go tls package, and a secured keystore inspired by the go-ethereum project, demonstrate that minor source-code modifications suffice to provide confidentiality and integrity guarantees with only moderate performance overheads.

Processeur à haut degré de parallélisme basé sur des composantes sérielles

Ralph Hoffmann

Nowaday, the world of processors is still dominated by the RISC architectures, which foundations have been laid down in the 70's. The RISC concept may be summarized by one word : simplicity. With this concept, much simpler architectures are born, in particular from their instruction sets point of view. As a result, these architectures have a more efficient instruction decoding and smaller computing units which in turn provides the ability to have more of these units for the same price, a reduced clock per instruction ratio — a single cycle per instruction ideally — and increased clock frequencies. As time goes by, RISC architectures have shown outstanding performances, on one hand with the spectacular improvements of semiconductor technologies, and on the other hand with the use of large cache memories and with the development of new ways of execution such as speculative execution. Later developments have greatly altered the original spirit of the simplicity of the RISC concept. Current high performance processors are extremely complex and difficult to design. Moreover, semiconductor technologies begin to show serious problems ignored or neglected for a long time. In this thesis, we would like to introduce a new architecture. Two complementary aspects have been taken in consideration : the design of the processor's units (arithmetic operators, control logic, and so on) and the architectural model, the way the processing units are used. The first aspect has been addressed with an unusual and original approach which involves the use of the serial arithmetic principles. Serial arithmetic tends to reduce the hardware cost, enables higher clock rates, and shows interesting properties which will be developped later on. The research of an architectural model is driven by the same wish of simplicity, recurrent in this field, and will inevitably shift the complexity from the processor to the compiler. This simplification relies on two things : first, the way we think of the problem is inspired by the EPIC philosophy (Explicitly Parallel Instruction Computer), the latest offspring of the VLIW model which advocates the delegation of decisions from the hardware to the software. In one sentence, "the compiler decides, the hardware executes". Second, the way we act has been given by the TTA model (Transport Triggered Architecture), the last offspring of the MOVE model which not only removes from the processor the responsability to decide which processing unit to be used for each instruction (it's already the case in a VLIW processor), but also releases the processor from scheduling the data flows. In doing so, the processor is confined to provide a set of computing units, storage units and means of communication, and the compiler decides how to move the data. In this way, a part of the control logic is removed, communication resources may be fine-tuned and the compiler's code-optimization can be enhanced. With the combination of those elements, we wish to get an architecture which exhibits a better computing power/consumption ratio, which is more flexible, easier to developp and to evolve.

EPFL2004

Using Managed Runtime Systems to Tolerate Holes in Wearable Memories

James Richard Larus

New memory technologies, such as phase-change memory (PCM), promise denser and cheaper main memory, and are expected to displace DRAM. However, many of them experience permanent failures far more quickly than DRAM. DRAM mechanisms that handle permanent failures rely on very low failure rates and, if directly applied to PCM, are extremely inefficient: Discarding a page when the first line fails wastes 98% of the memory. This paper proposes low complexity cooperative software and hardware that handle failure rates as high as 50%. Our approach makes error handling transparent to the application by using the memory abstraction offered by managed languages. Once hardware error correction for a memory line is exhausted, rather than discarding the entire page, the hardware communicates the failed line to a failure-aware OS and runtime. The runtime ensures memory allocations never use failed lines and moves data when lines fail during program execution. This paper describes minimal extensions to an Immix mark-region garbage collector, which correctly utilizes pages with failed physical lines by skipping over failures. This paper also proposes hardware support that clusters failed lines at one end of a memory region to reduce fragmentation and improve performance under failures. Contrary to accepted hardware wisdom that advocates for wear-leveling, we show that with software support non-uniform failures delay the impact of memory failure. Together, these mechanisms incur no performance overhead when there are no failures and at failure levels of 10% to 50% suffer only an average overhead of 4% and 12%}, respectively. These results indicate that hardware and software cooperation can greatly extend the life of wearable memories.

ACM2013

Cooperative Shared Memory: Software and Hardware for Scalable Multiprocessors

James Richard Larus, David Wood

We believe the paucity of massively parallel, shared-memory machines follows from the lack of a shared-memory programming performance model that can inform programmers of the cost of operations (so they can avoid expensive ones) and can tell hardware designers which cases are common (so they can build simple hardware to optimize them). Cooperative shared memory, our approach to shared-memory design, addresses this problem. Our initial implementation of cooperative shared memory uses a simple programming model, called Check-In/Check-Out (CICO), in conjunction with even simpler hardware, called Dir1SW. In CICO, programs bracket uses of shared data with a check_in directive terminating the expected use of the data. A cooperative prefetch directive helps hide communication latency. Dir1SW is a minimal directory protocol that adds little complexity to message-passing hardware, but efficiently supports programs written within the CICO model.

ACM1993

Processeur à haut degré de parallélisme basé sur des composantes sérielles

Ralph Hoffmann

EPFL2004