Precursor: a fast, client-centric and trusted key-value store using RDMA and Intel SGX

Abstract

As offered by the Intel Software Guard Extensions (SGX), trusted execution enables confidentiality and integrity for off-site deployed services. Thereby, securing key-value stores has received particular attention, as they are a building block for many complex applications to speed-up request processing. Initially, the developers' main design challenge has been to address the performance barriers of SGX. Besides, we identified the integration of a SGX-secured key-value store with recent network technologies, especially RDMA, as an essential emerging requirement. RDMA allows fast direct access to remote memory at high bandwidth. As SGX-protected memory cannot be directly accessed over the network, a fast exchange between the main and trusted memory must be enabled. More importantly, SGX-protected services can be expected to be CPU-bound as a result of the vast number of cryptographic operations required to transfer and store data securely. In this paper, we present Precursor, a new key-value store design that utilizes trusted execution to offer confidentiality and integrity while relying on RDMA for low latency and high bandwidth communication. Precursor offloads cryptographic operations to the client-side to prevent a server-side CPU bottleneck and reduces data movement in and out of the trusted execution environment. Our evaluation shows that Precursor achieves up to 6--8.5 times higher throughput when compared against similar SGX-secured key-value store approaches.