Docker is the most widely used container platform, which makes it a natural choice for SCONE's implementation. In the future, SCONE may also cooperate with other open container platforms, such as rkt (CoreOS). The SCONE mechanism provides secure containers, each of which consists of a single Linux process protected by an enclave; in every other respect a secure container is indistinguishable from a Docker container (for example, it relies on the shared host operating system kernel to implement system calls).
Creating secure containers, and connecting securely to them, requires building secure images and client-side extensions, which in turn requires integrating secure containers with Docker. SCONE does not require any changes to the Docker Engine or its API; instead, it relies on a wrapper around the original Docker client. A secure SCONE client is also used to create configuration files and to launch containers in an untrusted environment. In summary, SCONE preserves the standard Docker workflow (for example, a developer publishes an image containing their application, and a user can adapt the image by adding extra layers).
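The integration pattern described above (the Docker Engine and its API stay untouched, and a thin wrapper around the stock `docker` client reads a per-container configuration and launches the single-process container) can be illustrated with the following added example. It is not SCONE's own client or configuration format: the configuration schema, image name, environment variable name and device path are assumptions made for this illustration.

```python
"""Hypothetical client-side wrapper illustrating the SCONE integration pattern:
the Docker Engine and its API are unchanged; the wrapper validates a per-container
configuration and builds an ordinary `docker run` command line from it.
Schema, names and paths below are assumptions for this example, not SCONE's own."""
import shlex
import subprocess
from typing import Dict, List

# Constructed sample configuration (assumed schema, not SCONE's format).
SAMPLE_CONFIG = {
    "image": "registry.example/redis-enclave:latest",  # assumed image name
    "entrypoint": "/usr/bin/redis-server",             # the one process run inside the enclave
    "args": ["--port", "6379"],
    "env": {"SCONE_MODE": "hw"},                       # assumed variable name
    "devices": ["/dev/isgx"],                          # assumed SGX device node
}


def validate_config(cfg: Dict) -> None:
    """Reject configurations that would not yield a single-process secure container."""
    if not cfg.get("image"):
        raise ValueError("image is required")
    if not str(cfg.get("entrypoint", "")).startswith("/"):
        raise ValueError("entrypoint must be an absolute path to one executable")
    for key in ("args", "devices"):
        if not isinstance(cfg.get(key, []), list):
            raise ValueError(f"{key} must be a list")


def build_docker_argv(cfg: Dict) -> List[str]:
    """Translate the configuration into an unmodified `docker run` command line.

    Nothing here touches the Engine or its API: every option is a standard
    docker CLI flag, so the resulting container is an ordinary Docker container
    whose single process is started from the configured entrypoint."""
    validate_config(cfg)
    argv = ["docker", "run", "--rm"]
    for dev in cfg.get("devices", []):
        argv += ["--device", dev]
    for name, value in sorted(cfg.get("env", {}).items()):
        argv += ["-e", f"{name}={value}"]
    argv += ["--entrypoint", cfg["entrypoint"], cfg["image"]]
    argv += list(cfg.get("args", []))
    return argv


def launch(cfg: Dict, dry_run: bool = True) -> str:
    """Hand the command to the stock docker client, or just return it (dry run)."""
    argv = build_docker_argv(cfg)
    if not dry_run:
        subprocess.run(argv, check=True)
    return shlex.join(argv)


if __name__ == "__main__":
    # Dry run: show the command the wrapper would pass to the unchanged docker client.
    print(launch(SAMPLE_CONFIG))
```

Because the wrapper only emits standard `docker run` flags, the same image can still be extended with extra layers by a user and run through the plain Docker workflow; the wrapper adds configuration handling on the client side without changing what the Engine sees.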
IV. EVALUATION OF SCONE MECHANISM
SCONE is then evaluated on SGX hardware; the evaluation is divided into the following sections. The first section benchmarks the Redis, NGINX, Memcached and Apache applications and compares their performance under SCONE against alternative approaches. The second section evaluates the performance impact of SCONE's file system shield using a set of micro-benchmarks. The third and last section presents the results of a micro-benchmark on system call overhead.