An experimental evaluation of TEE technology: Benchmarking transparent approaches based on SGX, SEV, and TDX

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-31 DOI:10.1016/j.cose.2025.104457

Luigi Coppolino, Salvatore D’Antonio, Giovanni Mazzeo, Luigi Romano

{"title":"An experimental evaluation of TEE technology: Benchmarking transparent approaches based on SGX, SEV, and TDX","authors":"Luigi Coppolino, Salvatore D’Antonio, Giovanni Mazzeo, Luigi Romano","doi":"10.1016/j.cose.2025.104457","DOIUrl":null,"url":null,"abstract":"<div><div>Protection of data-in-use is a key priority, for which Trusted Execution Environment (TEE) technology has unarguably emerged as a — possibly the most — promising solution. Multiple server-side TEE offerings have been released over the years, exhibiting substantial differences with respect to several aspects. The first comer was Intel SGX, which featured <em>Process-based TEE</em> protection, an efficient yet difficult to use approach. Some SGX limitations were (partially) overcome by runtimes, notably: <em>Gramine</em>, <em>Scone</em>, and <em>Occlum</em>. A major paradigm shift was later brought by AMD SEV, with <em>VM-based TEE</em> protection, which enabled ”lift-and-shift” deployment of legacy applications. This new paradigm has been implemented by Intel only recently, in TDX. While the threat model of the aforementioned TEE solutions has been widely discussed, a thorough performance comparison is still lacking in the literature. This paper provides a comparative evaluation of <em>TDX</em>, <em>SEV</em>, <em>Gramine-SGX</em>, and <em>Occlum-SGX</em>. We study computational overhead and resource usage, under different operational scenarios and using a diverse suite of legacy applications. By doing so, we provide a reliable performance assessment under realistic conditions. We explicitly emphasize that — at the time of writing — TDX was recently released to the public. Thus, the evaluation of TDX is a unique feature of this study.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104457"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001464","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Protection of data-in-use is a key priority, for which Trusted Execution Environment (TEE) technology has unarguably emerged as a — possibly the most — promising solution. Multiple server-side TEE offerings have been released over the years, exhibiting substantial differences with respect to several aspects. The first comer was Intel SGX, which featured Process-based TEE protection, an efficient yet difficult to use approach. Some SGX limitations were (partially) overcome by runtimes, notably: Gramine, Scone, and Occlum. A major paradigm shift was later brought by AMD SEV, with VM-based TEE protection, which enabled ”lift-and-shift” deployment of legacy applications. This new paradigm has been implemented by Intel only recently, in TDX. While the threat model of the aforementioned TEE solutions has been widely discussed, a thorough performance comparison is still lacking in the literature. This paper provides a comparative evaluation of TDX, SEV, Gramine-SGX, and Occlum-SGX. We study computational overhead and resource usage, under different operational scenarios and using a diverse suite of legacy applications. By doing so, we provide a reliable performance assessment under realistic conditions. We explicitly emphasize that — at the time of writing — TDX was recently released to the public. Thus, the evaluation of TDX is a unique feature of this study.

查看原文本刊更多论文

TEE技术的实验评估：基于SGX、SEV和TDX的透明方法的基准测试

保护使用中的数据是一个关键的优先事项，可信执行环境（TEE）技术无可争议地成为一种（可能是最有前途的）解决方案。多年来已经发布了多个服务器端TEE产品，在几个方面表现出了实质性的差异。第一个出现的是英特尔SGX，它的特点是基于进程的TEE保护，这是一种高效但难以使用的方法。一些SGX的限制（部分）被运行时克服，特别是：Gramine， Scone和Occlum。后来AMD SEV带来了一个重大的范式转变，基于vm的TEE保护，使传统应用程序的“提升和转移”部署成为可能。这个新范例最近才由英特尔在TDX中实现。虽然上述TEE解决方案的威胁模型已经被广泛讨论，但文献中仍然缺乏彻底的性能比较。本文对TDX、SEV、Gramine-SGX和Occlum-SGX进行了比较评价。我们在不同的操作场景下研究计算开销和资源使用情况，并使用不同的遗留应用程序套件。通过这样做，我们在现实条件下提供可靠的性能评估。我们明确强调，在撰写本文时，TDX是最近向公众发布的。因此，TDX的评估是本研究的一个独特之处。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.