A comparative analysis of emerging approaches for securing java software with Intel SGX

Intel SGX enables developers to protect security critical parts of their application code and data even from privileged software. This type of protection is needed in all cases where applications run on untrusted infrastructures, including public clouds. Since a significant fraction of current applications is written in Java, the research strand on how to fully unleash the potential of SGX in Java is flourishing, and multiple techniques have been proposed. In this paper, we review such techniques, and select the most promising ones – namely SCONE, SGX-LKL, and SGX-JNI Bridge – for an experimental comparison with respect to effort, security, and performance. We use a benchmark application from a real-world case study based on microservices – possibly the most prominent software architecture for current applications – and built on the widely adopted Vert.x development framework. We focus on specific microservices characterized by three different profiles in terms of resource usage – I/O-, CPU-, and Memory-intensive – and assess the trade-offs of the three aforementioned techniques for SGX integration. The results of the analysis can be used as a reference by practitioners willing to identify the best approach for integrating SGX in their Java applications, based on priorities of their particular context.