ConstMig: Enabling Secure Live Migration of Large Intel SGX-based applications

Cloud service providers are adopting Trusted Execution Environments (TEEs) to provide hardware-guaranteed security to applications running on remote, untrusted data centers. However, migrating such applications still relies on the decade-old stop-and-copy method, which introduces large downtimes. Modern live-migration approaches such as pre-copy and post-copy do not work for TEE-based applications due to hardware-enforced restrictions.We propose ConstMig, a near-zero-downtime live-migration mechanism for large memory-footprint TEE-based applications. ConstMig is fully compatible with containers, virtual machines (VMs), and microVMs. Our prototype, built on Intel SGX, achieves near-zero downtime irrespective of enclave size and requires no additional hardware support. ConstMig reduces total downtime by 77 - 96% for a suite of SGX applications with multi-gigabyte memory footprints compared to state-of-the-art TEE-based migration solutions such as MigSGX.