Occlum


Occlum is a memory-safe, multi-process library OS (LibOS) for Intel SGX. As a LibOS, it enables unmodified applications to run on SGX, thus protecting the confidentiality and integrity of user workloads transparently.

Compared to existing LibOSes for SGX, Occlum has the following salient features:

  • Efficient multitasking. The LibOS has complete and efficient multi-process support, including fast process creation, low-cost IPC, and shared OS services (e.g., encrypted file systems).
  • Fault isolation. The crash of one user process cannot crash the LibOS or other user processes, which is good for both security and robustness.
  • Memory safety. The LibOS itself is written in Rust, a memory-safe programming language, and is thus free from most classes of low-level memory bugs.

Why Occlum?

Efficient Multitasking

The primary motivation of Occlum project is to achieve efficient multitasking on LibOSes for SGX.

Multitasking is an important feature for LibOSes (or any OSes in general), but difficult to implement efficiently on SGX. It is important since virtually any non-trivial application demands more than one process. And its difficulty is evident from the fact that existing LibOSes for SGX either do not support multitasking (e.g., Haven and SCONE) or fail to do so efficiently (e.g., Graphene-SGX is nearly 10,000X slower than Linux on spawning new processes).

To realize efficient multitasking, Occlum adopts a novel multi-process-per-enclave approach, which runs all LibOS processes and the LibOS itself inside a single enclave. Running inside a single address space, Occlum's processes enjoy the benefits of fast startup, low-cost inter-process communication (IPC) and shared system services (e.g., encrypted file systems).

Fault Isolation

As there are no hardware isolation mechanisms available inside an enclave, Occlum emulates the traditional OS-enforced inter-process isolation and user-kernel isolation with the Software Fault Isolation (SFI) technique. Specifically, we design a novel SFI scheme called Multi-Domain SFI (MDSFI) that enables Occlum to enforce a process sandbox: no LibOS process can compromise or crash other LibOS processes or the LibOS itself.

Memory Safety

Occlum also improves the memory safety of LibOS-based, SGX-protected applications. The memory safety of C/C++ programs is still an unresolved problem (e.g., the Google syzkaller project found 600+ memory bugs in the Linux kernel), and it is well known that memory-safety bugs are the most common class of security vulnerabilities. Compared to existing LibOSes for SGX, Occlum improves the memory safety of SGX applications in two ways:

  1. User programs are made more resilient to memory-safety vulnerabilities. Thanks to MDSFI, Occlum enforces Data Execution Prevention (DEP) to prevent code injection attacks and Control Flow Integrity (CFI) to mitigate Return-Oriented Programming (ROP) attacks.
  2. The LibOS itself is memory safe. Occlum LibOS is developed in Rust, a memory-safe programming language. This reduces the odds of low-level memory-safety bugs in the LibOS, making it more trustworthy to application developers.
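The two mechanisms named in the Fault Isolation and Memory Safety sections, address-masking SFI for data accesses and an allow-list check for indirect control transfers (coarse-grained CFI), are easier to reason about with a small model. The following Rust program is an added illustration written for this page; it is not Occlum's MDSFI implementation (which is applied by the project's LLVM fork at compile time) and it does not model DEP. Domain sizes, the `Enclave`/`CfiTable` types and the sample functions are assumptions chosen for the demonstration.

```rust
// Added example: a toy model of software fault isolation (SFI) by address
// masking plus a coarse-grained CFI check. Not Occlum's code; the layout
// (4 KiB power-of-two domains, domain 0 standing in for the LibOS) is assumed.

pub const DOMAIN_BITS: u32 = 12;            // assumed: 4 KiB per domain
pub const DOMAIN_SIZE: usize = 1 << DOMAIN_BITS;
pub const NUM_DOMAINS: usize = 4;           // assumed: domain 0 plays the LibOS

/// One shared "enclave address space" holding every domain back to back,
/// mirroring the single-address-space, multi-process-per-enclave layout.
pub struct Enclave {
    mem: Vec<u8>,
}

impl Enclave {
    pub fn new() -> Self {
        Enclave { mem: vec![0u8; DOMAIN_SIZE * NUM_DOMAINS] }
    }

    /// SFI address masking: keep only the in-domain offset bits of whatever
    /// address the untrusted code computed and stamp the caller's domain id
    /// into the high bits. The resulting access can never leave the caller's
    /// own region, so a wild pointer cannot reach another domain or the LibOS.
    pub fn sandbox_addr(domain: usize, addr: usize) -> usize {
        assert!(domain < NUM_DOMAINS);
        (addr & (DOMAIN_SIZE - 1)) | (domain << DOMAIN_BITS)
    }

    /// A store issued on behalf of `domain`; returns where it actually landed.
    pub fn store(&mut self, domain: usize, addr: usize, val: u8) -> usize {
        let a = Self::sandbox_addr(domain, addr);
        self.mem[a] = val;
        a
    }

    pub fn load(&self, addr: usize) -> u8 {
        self.mem[addr]
    }
}

#[derive(Debug, PartialEq)]
pub enum CfiViolation {
    UnknownTarget(usize),
}

/// Coarse-grained CFI: an indirect call site may only transfer to one of the
/// targets registered in its table, identified by index rather than raw address.
pub struct CfiTable {
    allowed: Vec<fn(u8) -> u8>,
}

impl CfiTable {
    pub fn new(allowed: Vec<fn(u8) -> u8>) -> Self {
        CfiTable { allowed }
    }

    /// An attacker who corrupts the "function pointer" (the index) can still
    /// only reach a legitimate target; anything else is reported as a CFI
    /// violation instead of becoming a jump into arbitrary code.
    pub fn indirect_call(&self, target: usize, arg: u8) -> Result<u8, CfiViolation> {
        match self.allowed.get(target) {
            Some(f) => Ok(f(arg)),
            None => Err(CfiViolation::UnknownTarget(target)),
        }
    }
}

fn double(x: u8) -> u8 { x.wrapping_mul(2) }
fn negate(x: u8) -> u8 { !x }

/// Scenario: a process in domain 1 computes a pointer aimed at a LibOS byte
/// (domain 0). Returns (address the store actually landed at, LibOS byte after).
pub fn wild_store_is_confined() -> (usize, u8) {
    let mut enc = Enclave::new();
    enc.store(0, 0x10, 0xAA);             // LibOS writes its own data at 0x10
    let wild = 0x10;                       // attacker in domain 1 aims at it
    let landed = enc.store(1, wild, 0x41); // masked into domain 1 instead
    (landed, enc.load(0x10))
}

fn main() {
    let (landed, libos_byte) = wild_store_is_confined();
    println!("store from domain 1 landed at {:#x}; LibOS byte is still {:#x}", landed, libos_byte);
    let targets: Vec<fn(u8) -> u8> = vec![double, negate];
    let cfi = CfiTable::new(targets);
    println!("{:?}", cfi.indirect_call(1, 0x0F));
    println!("{:?}", cfi.indirect_call(7, 0x0F));
}
```

The model trusts that every store from untrusted code goes through `store`; in a real SFI scheme that guarantee comes from the compiler inserting the masking instructions before each memory access and from verifying that the untrusted code cannot bypass them, which is exactly the part a LibOS must get right for the sandbox to hold.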

How to Build?

Dependencies

Occlum LibOS has several explicit and implicit dependencies: the former must be installed manually, while the latter are downloaded and compiled automatically via the Makefile.

Explicit dependencies are listed below:

  1. enable_rdfsbase kernel module, which enables the rdfsbase instruction and its siblings (wrfsbase, rdgsbase, wrgsbase). See README.md for how to compile and install.
  2. Occlum's fork of Intel SGX SDK. See README.md for how to compile and install.
  3. Occlum's fork of LLVM toolchain. See README.occlum.md for how to compile and install.
  4. Occlum's fork of musl libc. See INSTALL for how to compile and install.
  5. Rust programming language. We have tested with Rust nightly-2019-01-28. Other versions of Rust may or may not work.

Implicit dependencies are managed by Git with .gitmodules and compiled with the Makefile. The most important implicit dependency is Rust SGX SDK. After downloading the Occlum LibOS project, run the following commands to set up the implicit dependencies:

cd path/to/occlum/libos
make submodule

Compile

Then, compile the project and run the tests with the following commands:

cd path/to/occlum/libos
make
make test

What is the Implementation Status?

The current version is only for technical preview, not ready for production use. Yet, even with this early version, we can achieve a speedup of multitasking-related operations by up to three orders of magnitude, thus demonstrating the effectiveness of our multi-process-per-enclave approach.

This project is being actively developed. We now focus on implementing more system calls and hopefully enable real-world applications on Occlum soon.

The roadmap and development plan of Occlum LibOS and its related projects are managed and tracked using organization-wide project boards.

Why the Name?

The project name Occlum stems from the word Occlumency coined in the Harry Potter series by J. K. Rowling. In Harry Potter and the Order of the Phoenix, Occlumency is described as:

The magical defence of the mind against external penetration. An obscure branch of magic, but a highly useful one... Used properly, the power of Occlumency will help shield you from access or influence.

The same thing can be said of Occlum, not for the mind, but for programs:

The magical defence of the program against external penetration. An obscure branch of technology, but a highly useful one... Used properly, the power of Occlum will help shield your program from access or influence.

Of course, Occlum must be run on Intel x86 CPUs with SGX support to do its magic.

Contributors

The creators of Occlum project are

  • Hongliang Tian and Shoumeng Yan from Intel Corporation; and
  • Youren Shen, Yu Chen, and Kang Chen from Tsinghua University.

This project follows the all-contributors specification. Contributions of any kind are welcome! We will publish contributing guidelines and accept pull requests after the project gets more stable.

Thanks go to all these wonderful contributors for this project.

Disclaimer

While Occlum was originally designed by and incubated inside Intel, it is NOT an official Intel product.
