UniGuard: Protecting Unikernels Using Intel SGX.

Ioannis Sfyrakis, Thomas Gross

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Computations executed in lightweight virtual machines called unikernels have a minimal attack surface and improved performance. However, unikernels are still prone to leaking information to the operating system or to the hypervisor that hosts them. This is attributed to vulnerabilities in privileged software and to malicious insiders operating in cloud infrastructures. Indeed, the deployment of unikernels requires a protection mechanism to ensure that information does not leak from unikernels. In this paper, we present our initial experiments into the use of an approach to creating a Trusted Execution Environment (TEE) in unikernels. We present UniGuard: a security architecture that leverages Intel Software Guard Extensions (SGX) to protect security-sensitive computations inside unikernels. We believe that unikernels are an excellent match for Intel SGX to create a TEE. We implemented our solution on top of the KVM hypervisor and its Intel SGX support. Results show that UniGuard has a comparable 20% overhead when starting an enclave inside a unikernel and 10% when executing ocalls.
Original languageEnglish
Title of host publicationProceedings 2018 IEEE International Conference on Cloud Engineering
Number of pages6
Publication statusPublished - 17 Apr 2018
Externally publishedYes
Event2018 IEEE International Conference on Cloud Engineering - Orlando, United States
Duration: 17 Apr 201820 Apr 2018


Conference2018 IEEE International Conference on Cloud Engineering
Abbreviated titleIC2E 2018
Country/TerritoryUnited States
Internet address

Bibliographical note

DBLP's bibliographic metadata records provided through http://dblp.org/search/publ/api are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.


Dive into the research topics of 'UniGuard: Protecting Unikernels Using Intel SGX.'. Together they form a unique fingerprint.

Cite this