
Hardware Enclaves & Intel SGX (CS261) - PowerPoint PPT Presentation



  1. Hardware Enclaves & Intel SGX (CS261)

  2. Hardware Enclaves
     • HW abstractions for distributing trusted execution to untrusted platforms

  3. Hardware Enclaves
     • HW abstractions for distributing trusted execution to untrusted platforms
     Figure: sensitive data (e.g., medical records) stays encrypted while it is distributed to the untrusted platforms.

  4. System Threats to Trusted Execution
     • What can go wrong?
       • Side channels (out of scope for Intel SGX)
       • Counterfeit software
       • Inject rootkits into the OS
       • Privilege escalation
       • Install a malicious kernel
       • Compromised HW devices
       • Cold-boot attacks
     Figure: a medical-system login downloads data from a server; the data is decrypted on the platform, on top of the operating system.

  5. Threat Model of Hardware Enclaves
     Figure: trusted components are the enclave code and enclave data; untrusted components are the enclosing process, other processes, the OS and/or hypervisor, and off-chip devices; the Intel Attestation Service (IAS) is shown as the external verifier.

  6. Elements of Hardware Enclaves
     • Secure boot: HW-verified measurement + first instruction
     • On-chip program isolation
     • Cryptographically protected external memory
     • Execution integrity: no interference from attackers
     • Attestation and/or secret sealing

  7. Enclave Creation with Intel SGX
     • ECREATE(SECS): create an enclave range
     • EADD(SECS, addr, prot), EEXTEND(SECS, addr): add a page to the enclave and measure its content
     • EINIT(SECS, license): check and initialize the enclave
     Figure: the OS issues ECREATE, EADD, EEXTEND and EINIT to the CPU to build the enclave (SECS, TCS, code and data pages) inside the process.

  8. Enclave Enter & Exit
     • EENTER(SECS, TCS): enter at a static enclave address
     • EEXIT(addr): exit the enclave to any address
     • The enclave can accept parameters after the entry
     • Attackers cannot interfere with control flow unpredictably
     Figure: the TCS fixes the entry address; the enclave code is labelled entry: (cmp 0, rax; ...) and exit: (cmp 0, rsi; ...; EEXIT).

  9. Enclave Isolation
     Figure: a process executes x = *(encl_addr); in non-enclave mode and in enclave mode; the page mapping to physical memory (the EPC) is controlled by the page table plus the EPCM.
     • Abort page semantic: EPC pages contain all 0s for execution outside the enclave

  10. Memory Encryption Engine
     • EPC pages are encrypted in DRAM
     • The Memory Encryption Engine (MEE) sits at the edge of the CPU, connected to the Memory Controller (MC)
     • Cachelines are decrypted on cache misses and re-encrypted when written back to DRAM

  11. Memory Encryption Engine
     Figure: plaintext EPC cachelines (0x80200000, 0x80200040, ..., 0x80200180, one per 64 bytes) pass through the cipher (e.g., AES-GCM) with a counter as the nonce, producing the encrypted line plus a MAC.

  12. EPC Paging
     • EPC pages are limited: currently 93.5 MB on each platform
     • The untrusted OS swaps the pages for enclaves
     • Swapped-out pages are not in the EPC, so they are no longer protected by the MEE

  13. EPC Paging
     • EWB: copy an EPC page to a non-EPC page
     • ELDU: copy a non-EPC page to an EPC page
     Figure: EWB moves an enclave page from the EPC to regular physical memory, encrypting it under a counter (nonce) recorded in the VA and attaching a MAC; ELDU moves it back.

  14. Execution Integrity
     • Program state lives in either enclave memory or registers
     • The enclave can be interrupted by:
       • Page faults (paging)
       • Scheduling events
       • Exceptions or signals
     • Interrupt → Asynchronous Exit (AEX)
       • Register values are saved inside the enclave before exit
       • The OS can only: (1) resume the enclave execution, (2) re-enter the enclave for exception handling

  15. Attestation
     • Proof that the program runs in a genuine enclave
     • Each enclave has a set of unique keys:
       • Report key: intra-platform (local) attestation
       • Attestation key: inter-platform (remote) attestation
       • Seal key: sealing enclave secrets
       • Other keys: see the Intel SDM
     • Generated from a root secret (EPID) hidden in the Intel CPU
     • Verified by the Intel Attestation Service

  16. Attestation Procedure
     Figure (participants: CPU, Enclave, Quoting Enclave, Remote Entity, IAS):
       1. The remote entity sends a Nonce to the enclave.
       2. The enclave executes EREPORT(Nonce, MR_Quote); the CPU returns a Report with its MAC.
       3. The quoting enclave obtains the report key via EGETKEY(MR_X) and verifies the Report (local attestation).
       4. The quoting enclave obtains the attestation key via EGETKEY (accessible only in the quoting enclave) and produces the Quote over MR and Nonce.
       5. The remote entity forwards the Quote to the IAS, which verifies the attestation and returns a Certificate over MR and Nonce.
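The local-attestation step of the procedure above, as an added Python simulation (not code from the slides or from Intel's SDK): HMAC-SHA256 stands in for the CPU's MAC, and the root secret, enclave contents and nonce are constructed values. It shows why the report key is derived per target enclave: only the target can verify the report, and a report whose measurement is rewritten by the untrusted OS fails the check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the root secret fused into the CPU (assumption, not a real key).
ROOT_SECRET = b"constructed-cpu-root-secret"

def measure(enclave_pages: bytes) -> bytes:
    """MRENCLAVE stand-in: hash of the enclave contents that EADD/EEXTEND accumulate."""
    return hashlib.sha256(enclave_pages).digest()

def egetkey(key_name: bytes, mr_enclave: bytes) -> bytes:
    """EGETKEY stand-in: a key bound to the root secret and one enclave identity."""
    return hmac.new(ROOT_SECRET, key_name + mr_enclave, hashlib.sha256).digest()

@dataclass(frozen=True)
class Report:
    mr_enclave: bytes   # identity of the enclave that produced the report
    report_data: bytes  # caller-chosen data, here the verifier's nonce
    mac: bytes          # keyed with the *target* enclave's report key

def ereport(own_mr: bytes, target_mr: bytes, report_data: bytes) -> Report:
    """EREPORT stand-in: the CPU MACs (own identity, data) under the target's report key."""
    key = egetkey(b"REPORT", target_mr)
    mac = hmac.new(key, own_mr + report_data, hashlib.sha256).digest()
    return Report(own_mr, report_data, mac)

def verify_report(verifier_mr: bytes, report: Report) -> bool:
    """Run inside the target enclave, which can only derive its own report key."""
    key = egetkey(b"REPORT", verifier_mr)
    expected = hmac.new(key, report.mr_enclave + report.report_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report.mac)

def local_attestation_demo() -> dict:
    app_mr = measure(b"app enclave code + data")      # constructed enclave contents
    qe_mr = measure(b"quoting enclave code + data")
    other_mr = measure(b"unrelated enclave")
    nonce = b"constructed-nonce-0001"                 # sent by the remote entity
    # 1. The app enclave targets the quoting enclave: EREPORT(nonce, MR_QE).
    report = ereport(app_mr, qe_mr, nonce)
    # 2. The quoting enclave recomputes the MAC with its own report key.
    genuine = verify_report(qe_mr, report) and report.report_data == nonce
    # 3. A report whose MR was rewritten in transit (the OS is untrusted) fails.
    forged = Report(other_mr, report.report_data, report.mac)
    # 4. A report is bound to its target: another enclave cannot verify it.
    return {
        "genuine": genuine,
        "forged_mr_rejected": not verify_report(qe_mr, forged),
        "wrong_target_rejected": not verify_report(other_mr, report),
    }
```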

  17. Use Cases for Hardware Enclaves
     • Digital Rights Management (DRM)
     • Computation outsourcing, NFV
     • Distributed systems, edge computing, blockchains
     • Alternative to HME or MPC
     • Protection for antivirus, JIT compilers, etc.
     • Used for concealing attacks

  18. Questions? Hardware Enclaves & Intel SGX
