Trusted execution environments (TEEs) give a cost-effective, “lift-and-shift” solution for deploying security-sensitive applications in untrusted clouds. For this, they must support rich, multi-component applications, risking a large trusted computing base inside the TEE. Fine-grained compartmentalisation can increase security through defense-in-depth, but current solutions either run all software components unprotected in the same TEE, lack efficient shared memory support, or isolate application processes using separate TEEs, impacting performance and compatibility.
We describe the Spons & Shields framework (SSF) for Intel SGX TEEs. Spons and Shields are new abstractions that generalise process, library and user/kernel isolation inside the TEE while allowing for efficient memory sharing. For unmodified multi-component applications in a TEE, SSF dynamically creates Spons (one per POSIX process or library) and Shields (to enforce a memory access policy). Applications can be hardened easily, e.g., by using a separate Shield to isolate an SSL library. SSF uses compiler instrumentation to protect Shield boundaries, exploiting MPX instructions if available. We evaluate SSF using a complex application service (NGINX, PHP interpreter and PostgreSQL) and show that its overhead is comparable to process isolation.
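To make the Shield idea concrete, the following C program is an added illustration and not code from the SSF paper or its implementation. It models a Shield memory access policy as a table of ranges, each recording which Shields may read or write it, and an instrumented copy routine that consults the table before touching memory, which is the role the paper assigns to compiler-inserted checks (backed by MPX bounds where available). The Shield ids `SHIELD_APP` and `SHIELD_SSL`, the functions `shield_check` and `shielded_memcpy`, and the three constructed regions (an application heap, SSL key material, and a shared buffer) are all assumptions made for this example; SSF's real data structures and check placement are not described in the abstract.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a Shield memory access policy (not SSF's own code).
 * Each range records which Shields may read or write it. In SSF the check
 * is emitted by the compiler and can use MPX bounds registers; this
 * software-only table stands in for that mechanism. */

enum { SHIELD_APP = 0, SHIELD_SSL = 1 };   /* hypothetical Shield ids */
enum { ACC_READ = 1, ACC_WRITE = 2 };

typedef struct {
    const char *label;
    uintptr_t base;
    size_t len;
    unsigned read_mask;   /* bit i set: Shield i may read  */
    unsigned write_mask;  /* bit i set: Shield i may write */
} range_t;

#define NRANGES 3
static unsigned char app_heap[64];     /* private to the application Shield */
static unsigned char ssl_keys[32];     /* private to the SSL Shield (key material) */
static unsigned char shared_buf[128];  /* shared between both Shields */

static range_t policy[NRANGES];

void policy_init(void) {
    unsigned app = 1u << SHIELD_APP, ssl = 1u << SHIELD_SSL;
    policy[0] = (range_t){"app_heap",   (uintptr_t)app_heap,   sizeof app_heap,   app, app};
    policy[1] = (range_t){"ssl_keys",   (uintptr_t)ssl_keys,   sizeof ssl_keys,   ssl, ssl};
    policy[2] = (range_t){"shared_buf", (uintptr_t)shared_buf, sizeof shared_buf, app | ssl, app | ssl};
}

/* Returns true iff [addr, addr+len) lies entirely within one range that
 * grants `kind` access to `shield`. Accesses that straddle ranges, fall
 * outside every range, or wrap around are denied (fail closed). */
bool shield_check(int shield, const void *addr, size_t len, int kind) {
    uintptr_t a = (uintptr_t)addr;
    if (len == 0 || a + len < a) return false;
    for (int i = 0; i < NRANGES; i++) {
        const range_t *r = &policy[i];
        if (a >= r->base && a + len <= r->base + r->len) {
            unsigned mask = (kind == ACC_WRITE) ? r->write_mask : r->read_mask;
            return (mask >> shield) & 1u;
        }
    }
    return false;
}

/* Instrumented memcpy as a compiler would emit it inside a Shield:
 * the source is checked for read access and the destination for write
 * access before any byte moves. */
bool shielded_memcpy(int shield, void *dst, const void *src, size_t n) {
    if (!shield_check(shield, src, n, ACC_READ) ||
        !shield_check(shield, dst, n, ACC_WRITE))
        return false;
    memcpy(dst, src, n);
    return true;
}

/* Scenario: the application hands a request to the SSL Shield through the
 * shared buffer, and a fault in the application then tries to read key
 * material. Returns how many of the three copies the policy allowed. */
int demo(void) {
    policy_init();
    memset(app_heap, 0x41, sizeof app_heap);
    memset(ssl_keys, 0xAB, sizeof ssl_keys);
    int allowed = 0;
    allowed += shielded_memcpy(SHIELD_APP, shared_buf, app_heap, 16);  /* app -> shared: allowed */
    allowed += shielded_memcpy(SHIELD_SSL, ssl_keys, shared_buf, 16);  /* ssl reads shared: allowed */
    allowed += shielded_memcpy(SHIELD_APP, shared_buf, ssl_keys, 16);  /* app reads keys: denied */
    return allowed;   /* 2 */
}

int main(void) {
    printf("copies allowed by policy: %d of 3\n", demo());
    return 0;
}
```

The policy is deliberately fail-closed: an access that is not fully covered by a single permitted range is rejected, which is the property an instrumented Shield boundary has to guarantee for the "separate Shield for the SSL library" hardening mentioned above to hold.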