Building A Trusted Execution Environment for In-Storage Computing
In-storage computing with modern solid-state drives (SSDs) enables developers to offload programs from the host to the SSD. It has been proven to be an effective approach to alleviating the I/O bottleneck. To facilitate in-storage computing, many frameworks have been proposed. However, few of them c...
Saved in:
Main Authors | , , , , , , , , , |
---|---|
Format | Journal Article |
Language | English |
Published |
12.05.2022
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | In-storage computing with modern solid-state drives (SSDs) enables developers
to offload programs from the host to the SSD. It has been proven to be an
effective approach to alleviating the I/O bottleneck. To facilitate in-storage
computing, many frameworks have been proposed. However, few of them consider
security as the priority for in-storage computing. Specifically, since modern
SSD controllers do not have a trusted execution environment, an offloaded
(malicious) program could steal, modify, and even destroy the data stored in
the SSD. In this paper, we first investigate the attacks that could be
conducted by offloaded in-storage programs. To defend against these attacks, we
build IceClave, a lightweight trusted execution environment for in-storage
computing. IceClave enables security isolation between in-storage programs and
flash management functions. IceClave also achieves security isolation between
in-storage programs and enforces memory encryption and integrity verification
of in-storage DRAM with low overhead. To protect data loaded from flash chips,
IceClave develops a lightweight data encryption/decryption mechanism in flash
controllers. We develop IceClave with a full system simulator and evaluate
IceClave with a variety of data-intensive applications. Compared to
state-of-the-art in-storage computing approaches, IceClave introduces only 7.6%
performance overhead, while enforcing security isolation in the SSD controller
with minimal hardware cost. IceClave still keeps the performance benefit of
in-storage computing by delivering up to 2.31$\times$ better performance than
the conventional host-based trusted computing approach. |
---|---|
DOI: | 10.48550/arxiv.2205.06361 |