Toward an SGX-Friendly Java Runtime

Hardware enclaves assist in constructing a trusted execution environment (TEE) to store private code and data and thus become an appealing solution to enhance applications' security. Nevertheless, state-of-the-art enclave implementations like Intel Software Guard Extensions (SGX) have severe performance issues and hinder the deployment of more complicated applications, especially those written in high-level languages like Java. To reduce the performance overhead, prior work has partitioned applications or rebuilt lightweight language runtimes, but they either require manual labor from developers or fail to provide full-fledged support for existing applications. This work instead provides SAJ, a runtime built upon a full-fledged Java virtual machine (JVM) and thus requires no modifications to applications. SAJ first analyzes the performance of vanilla JVMs running in enclaves and finds that the memory management overhead and boot phase are culprits for performance slowdown. For memory management, SAJ introduces SGX-aware heap layout and garbage collector, which reduces both GC and application execution time. As for the boot phase, SAJ introduces an address-conscious launching mechanism to improve the boot performance. The evaluation under representative Java applications shows that SAJ can reduce the overall GC pause time, application time, and boot time by 2.93x, 2.58x, and 2.73x on average, respectively.