This approach involves utilizing the Intel SGX Software Development Kit (SDK) to build an enclaved program. It requires partitioning the application and implementing secure communication mechanisms independently. Developers have full control over the implementation but need to handle all aspects of enclave development themselves.

Library Operating Systems (libOSs) have gained attention as an alternative to virtualization. The concept behind libOSes is that applications don't necessarily require the entire functionality of a host Operating System. Operating Systems act as a middle layer between hardware and applications, facilitating application development. In the context of enclaves, libOSes allow wrapping an existing program with minimal modifications.

LibOSes offer several benefits, including security isolation, host platform compatibility, and migration support. By refactoring a traditional OS kernel into an application library, duplicate functionality and overheads are minimized. This lean approach makes libOSes particularly appealing for cloud virtualization. However, it's important to note that the lack of certain OS functions may limit the applicability of enclaving any type of application.

Normal application stack (left) vs. libOSed application stack (right)

The decision on how much functionality to include within the enclave depends on the chosen libOS. At one extreme, a library OS can pull most of the application-supporting code of the OS into the enclave. At the other extreme, thin "shim" layers wrap an API layer like the system call table. Pulling more code into the enclave increases the Trusted Computing Base (TCB) size but reduces the complexity and attack surface between the enclave and the untrusted OS. Performance implications depend on reducing enclave border crossings and managing the size of the Enclave Page Cache.