IceClave: A Trusted Execution Environment for In-Storage Computing

by   Luyi Kang, et al.

In-storage computing with modern solid-state drives (SSDs) enables developers to offload programs from the host to the SSD. It has been proven to be an effective approach to alleviate the I/O bottleneck. To facilitate in-storage computing, many frameworks have been proposed. However, few of them treat the in-storage security as the first citizen. Specifically, since modern SSD controllers do not have a trusted execution environment, an offloaded (malicious) program could steal, modify, and even destroy the data stored in the SSD. In this paper, we first investigate the attacks that could be conducted by offloaded in-storage programs. To defend against these attacks, we build a lightweight trusted execution environment, named IceClave for in-storage computing. IceClave enables security isolation between in-storage programs and flash management functions that include flash address translation, data access control, and garbage collection, with TrustZone extensions. IceClave also achieves security isolation between in-storage programs by enforcing memory integrity verification of in-storage DRAM with low overhead. To protect data loaded from flash chips, IceClave develops a lightweight data encryption/decryption mechanism in flash controllers. We develop IceClave with a full system simulator. We evaluate IceClave with a variety of data-intensive applications such as databases. Compared to state-of-the-art in-storage computing approaches, IceClave introduces only 7.6 enforcing security isolation in the SSD controller with minimal hardware cost. IceClave still keeps the performance benefit of in-storage computing by delivering up to 2.31× better performance than the conventional host-based trusted computing approach.


page 1

page 2

page 3

page 4


Building A Trusted Execution Environment for In-Storage Computing

In-storage computing with modern solid-state drives (SSDs) enables devel...

Towards a Trusted Execution Environment via Reconfigurable FPGA

Trusted Execution Environments (TEEs) are used to protect sensitive data...

SGX-LKL: Securing the Host OS Interface for Trusted Execution

Hardware support for trusted execution in modern CPUs enables tenants to...

LeaFTL: A Learning-Based Flash Translation Layer for Solid-State Drives

In modern solid-state drives (SSDs), the indexing of flash pages is a cr...

Safe and Efficient Remote Application Code Execution on Disaggregated NVM Storage with eBPF

With rapid improvements in NVM storage devices, the performance bottlene...

MOAT: Towards Safe BPF Kernel Extension

The Linux kernel makes considerable use of Berkeley Packet Filter (BPF) ...

RSSD: Defend against Ransomware with Hardware-Isolated Network-Storage Codesign and Post-Attack Analysis

Encryption ransomware has become a notorious malware. It encrypts user d...

Please sign up or login with your details

Forgot password? Click here to reset