This repository contains the software related to our Middleware'19 paper "AccTEE: A WebAssembly-based Two-way Sandbox for Trusted Resource Accounting".
Authors:
Abstract: Remote computation has numerous use cases such as cloud computing, client-side web applications or volunteer computing. Typically, these computations are executed inside a sandboxed environment for two reasons: first, to isolate the execution in order to protect the host environment from unauthorised access, and second to control and restrict resource usage. Often, there is mutual distrust between entities providing the code and the ones executing it, owing to concerns over three potential problems: (i) loss of control over code and data by the providing entity, (ii) uncertainty of the integrity of the execution environment for customers, and (iii) a missing mutually trusted accounting of resource usage.
In this paper we present AccTEE, a two-way sandbox that offers remote computation with resource accounting trusted by consumers and providers. AccTEE leverages two recent technologies: hardware-protected trusted execution environments, and WebAssembly, a novel platform-independent byte-code format. We show how AccTEE uses automated code instrumentation for fine-grained resource accounting while maintaining confidentiality and integrity of code and data. Our evaluation of AccTEE in three scenarios -- volunteer computing, serverless computing, and pay-by-computation for the web -- shows a maximum accounting overhead of 10%.
This code has been tested with the following versions:
- Emscripten SDK: 1.38.16
- Node.js: 10.11.0
- SGX-LKL: Commit 5fb6d120
cd middleware
npm install
For WebAssembly compilation, the Emscripten SDK is needed. Follow the instructions and execute:
source emsdk_env.sh
Build the mainModule by executing
cd middleware/
./build-mainModule.sh
The folder benchmarks contains the following benchmarks:
To build the WASM binaries and instrument them, execute:
cd benchmark/
./build.sh
Additional dependencies might be required for building; please check the log output!
Execution of the benchmark can be done with or without SGX enclaves.
Every benchmark folder contains a script called run.sh. Execute it to run the benchmarks.
For execution inside SGX, clone the SGX-LKL repository. Build and set it up as described.
Replace the invocations of the node binary in the benchmark scripts with invocations of a node instance inside SGX-LKL.
We recommend setting the following environment variable: SGXLKL_HEAP=2048MB