
ConstMig: Enabling Secure Live Migration of Large Intel SGX-based applications

Sandeep Kumar, Abhisek Panda, Smruti R. Sarangi

TL;DR

This work addresses the challenge of migrating large SGX-based applications securely and with minimal downtime: stop-and-copy incurs long downtimes for large enclaves, pre-copy and post-copy are ruled out by SGX's hardware-enforced restrictions, and hardware-assisted TDX migration suffers from long boot and response times. The authors introduce ConstMig, a two-component design that combines a CRIU-based Migration Manager, which handles the non-secure part of the application, with an SGX-resident library, ConstMigLib, that saves and restores only the enclave's secure memory (its heap) while preserving data integrity and freshness through encryption, integrity checks and fine-grained access tracking. Two complementary mechanisms, a Fault Tracker and an Access Tracker, prevent use-before-restore in the restored enclave. ConstMig is evaluated against MigSGX and, where available, TDX, showing downtime reductions of 77-96% and end-to-end throughput that often matches native once migration completes. For data-center operators this means high availability, low-latency migration and seamless patching of SGX-based services without hardware changes; overall, ConstMig enables scalable, secure live migration for large SGX enclaves and advances the practical deployment of TEEs in the cloud.

Abstract

Cloud service providers are adopting Trusted Execution Environments (TEEs) to provide hardware-guaranteed security to applications running on remote, untrusted data centers. However, migrating such applications still relies on the decade-old stop-and-copy method, which introduces large downtimes. Modern live-migration approaches such as pre-copy and post-copy do not work for TEE-based applications due to hardware-enforced restrictions. We propose ConstMig, a near-zero-downtime live-migration mechanism for large memory-footprint TEE-based applications. ConstMig is fully compatible with containers, virtual machines (VMs), and microVMs. Our prototype, built on Intel SGX, achieves near-zero downtime irrespective of enclave size and requires no additional hardware support. ConstMig reduces total downtime by 77-96% for a suite of SGX applications with multi-gigabyte memory footprints compared to state-of-the-art TEE-based migration solutions such as MigSGX.
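The TL;DR and abstract describe the properties a live-migration path for enclave heap pages has to preserve: pages leave the enclave only encrypted and integrity-protected, a restored page must be fresh (not replayed from an earlier migration) and must be the page it claims to be, and no access may touch a page before it has been restored. The Python model below is added here and is not code from the paper or from ConstMigLib; it shows one way those checks fit together. Each page is bound to a migration epoch and its page index under an encrypt-then-MAC construction (an HMAC-based stand-in for a real AEAD such as AES-GCM), and a destination-side heap treats the first touch of an unrestored page as a fault that fetches and verifies the page before the access proceeds. The page size, keys, heap contents and every function and class name are constructed assumptions.

```python
# Illustrative model of lazy (post-copy-style) restore of enclave heap pages with
# integrity, freshness and use-before-restore checks. Added example, not ConstMig's
# code; names are hypothetical and HMAC encrypt-then-MAC stands in for a real AEAD.
import hashlib
import hmac
import struct

PAGE_SIZE = 64              # constructed toy page size (real EPC pages are 4 KiB)
HDR = struct.Struct(">IQ")  # migration epoch (u32) || page index (u64)
TAG_LEN = 32

def _keystream(key_enc, epoch, index, length):
    """PRF keystream bound to (epoch, page index, block counter); never reused across pages or migrations."""
    out, counter = bytearray(), 0
    while len(out) < length:
        msg = HDR.pack(epoch, index) + struct.pack(">I", counter)
        out += hmac.new(key_enc, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal_page(key_enc, key_mac, epoch, index, plaintext):
    """Source side: encrypt, then MAC header||ciphertext so epoch and index are authenticated with the data."""
    if len(plaintext) != PAGE_SIZE:
        raise ValueError("page must be exactly PAGE_SIZE bytes")
    header = HDR.pack(epoch, index)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_enc, epoch, index, PAGE_SIZE)))
    return header + ct + hmac.new(key_mac, header + ct, hashlib.sha256).digest()

def open_page(key_enc, key_mac, epoch, index, blob):
    """Destination side: verify the tag, then the authenticated epoch (no replay) and index (no substitution)."""
    if len(blob) != HDR.size + PAGE_SIZE + TAG_LEN:
        raise ValueError("malformed page blob")
    header, ct, tag = blob[:HDR.size], blob[HDR.size:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key_mac, header + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    got_epoch, got_index = HDR.unpack(header)
    if got_epoch != epoch:
        raise ValueError(f"stale page: epoch {got_epoch}, expected {epoch}")
    if got_index != index:
        raise ValueError(f"wrong page: index {got_index}, expected {index}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key_enc, epoch, index, PAGE_SIZE)))

class RestoringHeap:
    """Destination heap whose pages arrive lazily: the first touch of an unrestored page
    fetches, verifies and installs it before the access proceeds."""
    def __init__(self, key_enc, key_mac, epoch, n_pages, fetch):
        self.key_enc, self.key_mac, self.epoch = key_enc, key_mac, epoch
        self.fetch = fetch             # fetch(index) -> sealed blob from the source
        self.pages = [None] * n_pages  # None means not yet restored
        self.faults = 0

    def _ensure(self, index):
        if self.pages[index] is None:
            self.faults += 1
            self.pages[index] = bytearray(open_page(
                self.key_enc, self.key_mac, self.epoch, index, self.fetch(index)))

    def read(self, addr, length):
        out = bytearray()
        while length > 0:
            index, off = divmod(addr, PAGE_SIZE)
            self._ensure(index)
            n = min(length, PAGE_SIZE - off)
            out += self.pages[index][off:off + n]
            addr, length = addr + n, length - n
        return bytes(out)

    def write(self, addr, data):
        for i, b in enumerate(data):   # restore first, or a later restore would clobber the write
            index, off = divmod(addr + i, PAGE_SIZE)
            self._ensure(index)
            self.pages[index][off] = b

def _rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False

def demo():
    # Constructed keys and 4-page heap; in SGX the keys would come from an attested key exchange.
    key_enc, key_mac, epoch = b"\x11" * 32, b"\x22" * 32, 7
    src = [bytes([i]) * PAGE_SIZE for i in range(4)]
    store = {i: seal_page(key_enc, key_mac, epoch, i, p) for i, p in enumerate(src)}
    heap = RestoringHeap(key_enc, key_mac, epoch, len(src), store.__getitem__)
    first = heap.read(2 * PAGE_SIZE + 10, 4)        # faults page 2 only
    faults_after_first = heap.faults
    heap.write(5, b"\xff")                          # faults page 0, then patches it
    straddle = heap.read(PAGE_SIZE - 2, 4)          # spans pages 0 and 1
    stale = seal_page(key_enc, key_mac, epoch - 1, 1, src[1])   # blob from an older migration
    tampered = bytearray(store[3])
    tampered[HDR.size] ^= 0x01                                  # one ciphertext bit flipped
    return {
        "first": first, "faults_after_first": faults_after_first,
        "patched": heap.read(5, 1), "straddle": straddle, "faults_total": heap.faults,
        "replay_rejected": _rejected(lambda: open_page(key_enc, key_mac, epoch, 1, stale)),
        "tamper_rejected": _rejected(lambda: open_page(key_enc, key_mac, epoch, 3, bytes(tampered))),
        "swap_rejected": _rejected(lambda: open_page(key_enc, key_mac, epoch, 3, store[0])),
    }

if __name__ == "__main__":
    print(demo())
```

The order of checks in open_page matters: the tag is verified before the header is interpreted, so the epoch and index decisions are made on authenticated values only. Binding the epoch into the header is what turns "integrity" into "freshness": a page sealed during an earlier, aborted migration carries a valid tag but the wrong epoch and is refused. The write path restores the page before patching it, which is the subtle half of use-before-restore: a write to an unrestored page that is later overwritten by the arriving copy would silently lose data.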

Paper Structure (44 sections, 14 figures, 3 tables, 2 algorithms)

Figures (14)

  • Figure 1: ConstMig ensures a near-zero total downtime while migrating an SGX-based application, irrespective of its size. TDX enables hardware-based live migration but has a long boot/response time.
  • Figure 2: Performance of Key-Value with No-SGX, TDX, and SGX for a varying fraction of the allocated data kept in secure memory.
  • Figure 3: For stop-and-copy of large enclaves, the total migration time is dominated by the enclave initialization time on the destination machine and the total transfer time.
  • Figure 4: Pre-copy and post-copy migration mechanisms. The total downtime is independent of the memory footprint. Start, Pause, and Resume indicate the start of migration, and the pausing and resuming of the application, respectively.
  • Figure 5: ConstMig handles the migration of the secure portion of an application. The rest is handled by CRIU.
  • ...and 9 more figures