Dynamic Binary Translation for SGX Enclaves

Enclaves, such as those enabled by Intel SGX, offer a hardware primitive for shielding user-level applications from the OS. While enclaves are useful starting point, code running in enclave requires additional checks whenever control or data is transferred to/from untrusted The enclave-OS interface on however, can be extremely large if we wish to run existing unmodified binaries inside enclaves. This article presents Ratel , dynamic binary translation engine SGX Linux. offers complete interposition ability interpose all executed instructions and monitor interactions with Instruction-level general foundation implementing variety of inline security monitors thefuture. We take principled approach explaining why challenging. draw attention five design decisions that create fundamental trade-offs between performance ensuring interposition, explain how resolve them favor interposition. To illustrate utility framework, present first attempt compatibility software SGX. report over 200 programs tested, including micro-benchmarks real applications, Linux shell utilities. Runtimes two programming languages, namely, Python R, tested standard benchmarks work out-of-the-box without any specialized handling.