DOI: 10.1145/3620678.3624659
research-article
Open access

Building GPU TEEs using CPU Secure Enclaves with GEVisor

Published: 31 October 2023

Abstract

Trusted execution environments (TEEs) have been proposed to protect GPU computation for machine learning applications operating on sensitive data. However, existing GPU TEE solutions either require CPU and/or GPU hardware modification to realize TEEs for GPUs, which prevents current systems from adopting them, or rely on untrusted system software such as GPU device drivers. In this paper, we propose using CPU secure enclaves, e.g., Intel SGX, to build GPU TEEs without modifications to existing hardware. To tackle the fundamental limitations of these enclaves, such as no support for I/O operations, we design and develop GEVisor, a formally verified security reference monitor software to enable a trusted I/O path between enclaves and GPU without trusting the GPU device driver. GEVisor operates in the Virtual Machine Extension (VMX) root mode, monitors the host system software to prevent unauthorized access to the GPU code and data outside the enclave, and isolates the enclave GPU context from other contexts during GPU computation. We implement and evaluate GEVisor on a commodity machine with an Intel SGX CPU and an NVIDIA Pascal GPU. Our experimental results show that our approach maintains an average overhead of 13.1% for deep learning and 18% for GPU benchmarks compared to native GPU computation while providing GPU TEEs for existing CPU and GPU hardware.


Cited By

  • (2023) Delay-masquerading Technique Upheld StrongBox: A Reinforced Side-Channel Protection. 2023 IEEE 29th International Conference on Parallel and Distributed Systems (ICPADS), 2135-2142. DOI: 10.1109/ICPADS60453.2023.00289. Online publication date: 17-Dec-2023

    Published In

    SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing
    October 2023
    624 pages
    ISBN: 9798400703874
    DOI: 10.1145/3620678

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Confidential Computing
    2. GPU
    3. TEE

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    SoCC '23
    SoCC '23: ACM Symposium on Cloud Computing
    October 30 - November 1, 2023
    Santa Cruz, CA, USA

    Acceptance Rates

    Overall Acceptance Rate 169 of 722 submissions, 23%

    Article Metrics

    • Downloads (Last 12 months): 1,439
    • Downloads (Last 6 weeks): 196
    Reflects downloads up to 20 Nov 2024
