Secure and Efficient Migration of Large Enclaves in a Data Center (2311.06991v4)

Published 13 Nov 2023 in cs.CR

Abstract: Cloud service providers are increasingly adopting Trusted Execution Environments, or TEEs, to provide hardware-guaranteed security to an application executing on remote, untrusted data centers. Often, there is a need to live-migrate such secure applications for load balancing or data center maintenance. Today, state-of-the-art migration methods for TEEs still use the decade-old stop-and-copy-based method, which introduces large downtimes. This is because state-of-the-art live-migration approaches do not work for applications that run on TEEs. We propose a novel method that has a near-zero downtime live-migration mechanism for large memory footprint TEE-based applications. We provide two alternatives: a kernel-based approach and a compiler-based approach. Based on the memory usage, we can prefer one approach over the other. Our method is fully compatible with containers, virtual machines (VMs) and microVMs. Our prototype, built on Intel SGX, a TEE solution from Intel, has a near-zero downtime irrespective of enclave size. Our approach reduces the total downtime by 77-96% for a suite of SGX applications with multi-GB memory footprints compared to state-of-the-art TEE-based migration, MigSGX.
