2024-06-30

COMURICE: Closing Source Code Leakage in Cloud-Based Compiling via Enclave

Summary

Cloud-native software development is now mainstream: end users offload work to cloud services to free local computing resources for other intensive tasks, and compiling is one of the essential services they rely on. Compiling-on-the-cloud services such as CloudCompiling or CityCloud require the user to upload their source code for online compilation. However, current online compiling services can neither protect the privacy of the users' source code nor prove the integrity of the whole compiling process. To fill this gap, we designed COMURICE, a user-transparent, secure compiling service that employs a trusted execution environment (TEE) to block all attempts at code or data theft during the compiling procedure. COMURICE leverages the hardware security features of the TEE to protect the compiling process from malicious access and modification, while encrypting the communication channel to protect the integrity and privacy of the source code. The challenges in realizing COMURICE lie in porting a fully functional compiler such as GCC or LLVM and in designing an efficient compiling service that minimizes the performance overhead of confidential computing. The compiling process consists of several routines: pre-processing, compiling/obfuscation, and linking. This division of routines requires multiple enclaves to run simultaneously. In our experiments, we compare COMURICE's compiling service with nativeLLVM, SCONELLVM, and GrapheneLLVM. From a performance perspective, COMURICE pays a fair cost for security: a project compiled with COMURICE generally suffers 1–2 times more performance loss than nativeLLVM. Compared with other confidential compiling techniques such as GrapheneLLVM or SCONELLVM, COMURICE is up to 20 times faster when compiling the same projects.

Conference Paper

IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)

Date published

2024-06-30

Date last modified

2024-08-29