
Hardware Enclaves & Intel SGX (CS261)



  1. Hardware Enclaves & Intel SGX (CS261)

  2. Hardware Enclaves
  • HW abstractions for distributing trusted execution to untrusted platforms

  3. Hardware Enclaves
  • HW abstractions for distributing trusted execution to untrusted platforms
  [Figure: sensitive data (e.g., medical records) is shipped to each untrusted platform in encrypted form]

  4. System Threats to Trusted Execution
  • What can go wrong?
  • Side channels
    • out of scope for Intel SGX
  • Counterfeit software
  • Inject rootkits into OS
  • Privilege escalation
  • Install malicious kernel
  • Compromised HW devices
  • Cold-boot attacks
  [Figure: a medical system downloads data from a server, logs in, and decrypts it on top of the operating system; each layer is a point of attack]

  5. Threat Model of Hardware Enclaves
  [Figure: trusted components are the enclave code, the enclave data and the Intel Attestation Service (IAS); untrusted components are the hosting process, other processes and enclaves, the OS and/or hypervisor, and off-chip devices]

  6. Elements of Hardware Enclaves
  • Secure boot: HW-verified measurement + first instruction
  • On-chip program isolation
  • Cryptographically protected external memory
  • Execution integrity; no interference from attackers
  • Attestation and/or secret sealing

  7. Enclave Creation with Intel SGX
  • ECREATE(SECS): create an enclave range
  • EADD(SECS, addr, prot), EEXTEND(SECS, addr): add a page to the enclave and measure the content
  • EINIT(SECS, license): check & initialize an enclave
  [Figure: the OS issues ECREATE, EADD, EEXTEND and EINIT to the CPU; the enclave inside the process holds SECS, TCS, code and data pages]
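The following is an added example, not part of the slide deck and not Intel's code. It models the measurement side of the four instructions on this slide: ECREATE starts a SHA-256 over the enclave's size, EADD records where each page goes and with what permissions, EEXTEND feeds the page contents in 256-byte chunks, and EINIT compares the resulting MRENCLAVE with the value the enclave author signed. The 64-byte record layout, the class and function names, and the sample pages are assumptions chosen for illustration; only the overall shape (a running hash extended per instruction) follows SGX.

```python
import hashlib
import struct

PAGE_SIZE = 4096
EEXTEND_CHUNK = 256  # EEXTEND measures 256 bytes of a page per invocation


class EnclaveBuilder:
    """Models the MRENCLAVE side of ECREATE / EADD / EEXTEND / EINIT.

    Constructed illustration: every instruction feeds a 64-byte record into a
    running SHA-256, as SGX does, but the exact field layout used here is an
    assumption, not the SDM's byte-for-byte format."""

    def __init__(self, size):
        self.size = size
        self.pages = {}          # enclave offset -> (prot, 4 KiB page content)
        self.h = hashlib.sha256()
        self.initialized = False
        # ECREATE(SECS): the enclave's size is the first thing measured
        self._record(b"ECREATE\x00" + struct.pack("<Q", size))

    def _record(self, fields):
        self.h.update(fields.ljust(64, b"\x00"))

    def eadd(self, offset, prot, content):
        # EADD(SECS, addr, prot): measures *where* the page goes and its
        # permissions, but NOT its content; content is covered only by EEXTEND.
        assert not self.initialized and offset % PAGE_SIZE == 0
        assert offset + PAGE_SIZE <= self.size and len(content) <= PAGE_SIZE
        self.pages[offset] = (prot, content.ljust(PAGE_SIZE, b"\x00"))
        self._record(b"EADD\x00\x00\x00\x00" + struct.pack("<Q", offset) + prot.encode())

    def eextend(self, offset):
        # EEXTEND(SECS, addr): measures the page content in 256-byte chunks
        _, page = self.pages[offset]
        for i in range(0, PAGE_SIZE, EEXTEND_CHUNK):
            self._record(b"EEXTEND\x00" + struct.pack("<Q", offset + i))
            self.h.update(page[i:i + EEXTEND_CHUNK])

    def mrenclave(self):
        return self.h.digest()

    def einit(self, expected_mrenclave):
        # EINIT(SECS, license): the launch check compares the final measurement
        # with the one the enclave author signed (here: expected_mrenclave)
        if self.h.digest() != expected_mrenclave:
            return False
        self.initialized = True
        return True


def build(code, data, measure_data=True):
    """Lay out a two-page enclave: one code page and one data page."""
    b = EnclaveBuilder(2 * PAGE_SIZE)
    b.eadd(0, "r-x", code)
    b.eextend(0)
    b.eadd(PAGE_SIZE, "rw-", data)
    if measure_data:
        b.eextend(PAGE_SIZE)
    return b


# Constructed sample pages (not real enclave code)
CODE = bytes.fromhex("4831c0c3")         # xor rax, rax ; ret
DATA = b"constructed enclave config"


def run_scenarios():
    """Returns (genuine load ok, tampered code rejected, unmeasured data invisible)."""
    expected = build(CODE, DATA).mrenclave()
    loads_ok = build(CODE, DATA).einit(expected)
    # One flipped byte in the code page changes MRENCLAVE, so EINIT rejects it
    tampered_code = bytes([CODE[0] ^ 0x01]) + CODE[1:]
    tampered_rejected = not build(tampered_code, DATA).einit(expected)
    # A page that was EADDed but never EEXTENDed contributes no content to the
    # measurement: two enclaves with different unmeasured data look identical
    unmeasured_same = (build(CODE, DATA, False).mrenclave()
                       == build(CODE, b"different", False).mrenclave())
    return loads_ok, tampered_rejected, unmeasured_same
```

The last scenario is the practitioner's caveat: EADD alone does not measure content, so a loader that skips EEXTEND for a page leaves that page outside the attested identity.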

  8. Enclave Enter & Exit
  • EENTER(SECS, TCS): enter at a static enclave addr
  • EEXIT(addr): exit enclave to any addr
  • Enclave can accept parameters after the entry
  • Attackers cannot interfere control flow unpredictably
  [Figure: the TCS holds the entry addr; enclave code at entry begins "cmp 0, rax …" and the exit path "cmp 0, rsi …" before EEXIT]

  9. Enclave Isolation
  • Page mapping controlled by page table + EPCM
  • Abort page semantic: EPC pages contain all 0s for execution outside the enclave
  [Figure: the same access x = *(encl_addr); in enclave mode reaches the EPC page in physical memory, while in non-enclave mode it hits the abort page]

  10. Memory Encryption Engine
  • EPC pages are encrypted in DRAM
  • Memory Encryption Engine (MEE) sits at the edge of the CPU, connected to the Memory Controller (MC)
  • Cachelines are decrypted on cache misses, and re-encrypted when written back to DRAM

  11. Memory Encryption Engine
  [Figure: plaintext EPC cachelines at 0x80200000, 0x80200040, … 0x80200180 pass through a cipher (e.g., AES-GCM); each line is stored with a MAC and a counter (nonce)]

  12. EPC Paging
  • EPC pages are limited: currently 93.5 MB on each platform
  • Untrusted OS swaps the pages for enclaves
  • Swapped-out pages are not in EPC, so no longer protected by MEE

  13. EPC Paging
  • EWB: copy an EPC page to a non-EPC page
  • ELDU: copy a non-EPC page to an EPC page
  [Figure: on EWB the page leaves the EPC encrypted, with a MAC and a counter (nonce) recorded in a VA page; ELDU reverses the step]
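Slides 10 to 13 share one protection pattern: data that leaves the trusted boundary is encrypted, MACed, and tied to a counter. The block below is an added example, not from the slide deck and not Intel's implementation; it applies that pattern to EWB/ELDU so the two failure modes a defender cares about are visible: a swapped-out page modified by the OS, and an old but genuine copy replayed after a newer version was written back. The SHA-256 based keystream stands in for the AES-GCM style cipher, and the class, method names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 4096


def _keystream(key, nonce, length):
    """Counter-mode keystream built from SHA-256: a constructed stand-in for
    the AES-GCM style cipher the MEE uses, chosen so the example runs offline."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "little")).digest()
        block += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EpcPager:
    """Models EWB / ELDU. The paging key and the version array (VA) stay inside
    the CPU / EPC; only ciphertext, MAC and nonce are handed to the untrusted OS."""

    def __init__(self):
        self.key = os.urandom(32)   # never visible to the OS
        self.epc = {}               # enclave address -> plaintext page (inside EPC)
        self.va = {}                # VA slot: enclave address -> nonce of the current version

    def _mac(self, addr, nonce, ct):
        # MAC binds ciphertext to the enclave address and the nonce (version)
        msg = addr.to_bytes(8, "little") + nonce + ct
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def ewb(self, addr):
        """Evict an EPC page: encrypt, MAC, record its version, return the blob."""
        page = self.epc.pop(addr)
        nonce = os.urandom(12)
        ct = _xor(page, _keystream(self.key, nonce, PAGE_SIZE))
        self.va[addr] = nonce
        return {"addr": addr, "nonce": nonce, "ct": ct, "mac": self._mac(addr, nonce, ct)}

    def eldu(self, blob):
        """Reload a page: accept it only if it is the recorded version and intact."""
        addr = blob["addr"]
        current = self.va.get(addr)
        if current is None or not hmac.compare_digest(current, blob["nonce"]):
            raise PermissionError("ELDU: not the current version (replay or unknown page)")
        if not hmac.compare_digest(blob["mac"], self._mac(addr, blob["nonce"], blob["ct"])):
            raise PermissionError("ELDU: MAC mismatch (page modified outside EPC)")
        del self.va[addr]
        self.epc[addr] = _xor(blob["ct"], _keystream(self.key, blob["nonce"], PAGE_SIZE))
        return self.epc[addr]


def run_scenarios():
    """Returns (honest reload ok, tampering detected, replay detected)."""
    pager = EpcPager()
    addr = 0x7F000000  # constructed enclave address
    original = b"constructed secret page".ljust(PAGE_SIZE, b"\x00")
    pager.epc[addr] = original

    blob = pager.ewb(addr)
    reload_ok = pager.eldu(blob) == original

    # OS flips one ciphertext byte of the swapped-out page
    blob2 = pager.ewb(addr)
    forged = dict(blob2, ct=bytes([blob2["ct"][0] ^ 0xFF]) + blob2["ct"][1:])
    try:
        pager.eldu(forged)
        tamper_detected = False
    except PermissionError:
        tamper_detected = True

    # OS keeps the old (valid) blob2, lets the enclave update the page, then
    # presents blob2 again after a newer version has been written back
    pager.eldu(blob2)
    pager.epc[addr] = b"constructed updated page".ljust(PAGE_SIZE, b"\x00")
    pager.ewb(addr)
    try:
        pager.eldu(blob2)
        replay_detected = False
    except PermissionError:
        replay_detected = True
    return reload_ok, tamper_detected, replay_detected
```

The version check runs before the MAC check on purpose: the MAC alone would accept any page the CPU ever wrote out, so without the on-chip nonce the OS could roll an enclave back to an older state.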

  14. Execution Integrity
  • Program states in either enclave memory or registers
  • Enclave can be interrupted
    • Page faults (Paging)
    • Scheduling events
    • Exceptions or signals
  • Interrupt → Asynchronous Exit (AEX)
  • Register values dumped inside enclave before exit
  • OS can only: (1) resume the enclave execution (2) re-enter enclave for exception handling

  15. Attestation
  • Proof that the program runs in a genuine enclave
  • Each enclave has a set of unique keys
    • Report key – intra-platform (local) attestation
    • Attestation key – inter-platform (remote) attestation
    • Seal key – sealing enclave secrets
    • Other keys – see Intel SDM
  • Generated by a root secret (EPID) hidden in Intel CPU
  • Verified by Intel Attestation Service

  16. Attestation Procedure
  [Figure: message flow between Remote Entity, Enclave, CPU, Quoting Enclave and IAS]
  • Remote Entity → Enclave: Nonce
  • Enclave → CPU: EREPORT(Nonce, MR); CPU returns Report, MAC
  • Enclave → Quoting Enclave: Report
  • Quoting Enclave → CPU: EGETKEY(MR X) → Report Key; verify Report (local attestation)
  • Quoting Enclave → CPU: EGETKEY → Attestation Key (only accessible in Quoting Enclave); produce Quote
  • Quoting Enclave → Remote Entity: Quote
  • Remote Entity → IAS: verify Quote; IAS returns a Certificate over MR, Nonce
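The following is an added example that is not part of the slide deck and not Intel's implementation. It walks through the exchange of slides 15 and 16 with all parties as objects: the CPU derives report keys per enclave measurement and hands the attestation key only to the Quoting Enclave, EREPORT MACs a report under the *target's* report key (local attestation), the Quoting Enclave verifies that report and signs a Quote, and the IAS checks the Quote before the remote entity compares MR and nonce. HMAC is used as a constructed stand-in for both the EGETKEY derivation and the EPID signature; all names, measurements and labels are assumptions for illustration.

```python
import hashlib
import hmac
import os


def _derive(secret, label, *parts):
    """Key derivation from the CPU root secret (constructed stand-in for EGETKEY's KDF)."""
    m = hmac.new(secret, label, hashlib.sha256)
    for p in parts:
        m.update(p)
    return m.digest()


class Cpu:
    """Constructed model of the SGX key hierarchy. The root secret never leaves
    the package; enclaves only ever see keys derived from it for their own MR."""
    QE_MR = hashlib.sha256(b"constructed quoting enclave").digest()

    def __init__(self):
        self.root = os.urandom(32)

    def egetkey_report(self, caller_mr):
        # Report key is specific to the calling enclave's measurement
        return _derive(self.root, b"REPORT_KEY", caller_mr)

    def egetkey_attestation(self, caller_mr):
        # Only the Quoting Enclave can obtain the attestation key
        if caller_mr != Cpu.QE_MR:
            raise PermissionError("EGETKEY: attestation key denied to non-QE enclave")
        return _derive(self.root, b"ATTESTATION_KEY")

    def ereport(self, caller_mr, target_mr, report_data):
        # EREPORT: MAC over (caller MR, report data) under the *target's* report
        # key, so only an enclave with target_mr can verify it (local attestation)
        body = caller_mr + report_data
        return body, hmac.new(self.egetkey_report(target_mr), body, hashlib.sha256).digest()


class QuotingEnclave:
    def __init__(self, cpu):
        self.cpu = cpu

    def quote(self, body, mac):
        key = self.cpu.egetkey_report(Cpu.QE_MR)
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            raise PermissionError("QE: report not produced by this CPU for this QE")
        akey = self.cpu.egetkey_attestation(Cpu.QE_MR)
        # HMAC as a constructed stand-in for the EPID signature over the quote
        return body, hmac.new(akey, body, hashlib.sha256).digest()


class AttestationService:
    """IAS: verifies quotes with the attestation key provisioned for a given CPU."""
    def __init__(self, cpu):
        self.akey = cpu.egetkey_attestation(Cpu.QE_MR)

    def verify(self, body, sig):
        return hmac.compare_digest(sig, hmac.new(self.akey, body, hashlib.sha256).digest())


def remote_attest(cpu, qe, ias, enclave_mr, expected_mr):
    """Remote entity's view: send a nonce, get a quote back, check it."""
    nonce = os.urandom(16)
    body, mac = cpu.ereport(enclave_mr, Cpu.QE_MR, nonce)   # enclave targets the QE
    quote_body, sig = qe.quote(body, mac)
    mr, echoed_nonce = quote_body[:32], quote_body[32:]
    return ias.verify(quote_body, sig) and echoed_nonce == nonce and mr == expected_mr


APP_MR = hashlib.sha256(b"constructed application enclave").digest()
OTHER_MR = hashlib.sha256(b"constructed other enclave").digest()


def run_scenarios():
    """Returns (genuine ok, wrong enclave rejected, mis-targeted report rejected, foreign CPU rejected)."""
    cpu, other_cpu = Cpu(), Cpu()
    qe, ias = QuotingEnclave(cpu), AttestationService(cpu)
    genuine = remote_attest(cpu, qe, ias, APP_MR, APP_MR)
    wrong_code = remote_attest(cpu, qe, ias, OTHER_MR, APP_MR)     # right CPU, wrong enclave
    # Report targeted at OTHER_MR instead of the QE: the QE's report key does not verify it
    body, mac = cpu.ereport(APP_MR, OTHER_MR, b"\x00" * 16)
    try:
        qe.quote(body, mac)
        mis_targeted_rejected = False
    except PermissionError:
        mis_targeted_rejected = True
    # Quote from a different CPU (different root secret) fails at the IAS
    foreign = remote_attest(other_cpu, QuotingEnclave(other_cpu), ias, APP_MR, APP_MR)
    return genuine, wrong_code, mis_targeted_rejected, foreign
```

Each check answers a different question the remote entity needs settled: the IAS signature says "a genuine CPU's Quoting Enclave produced this", the nonce says "and it was produced for this session", and the MR comparison says "by the code I expected". Dropping any one of them leaves a gap the others do not cover.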

  17. Use Cases for Hardware Enclaves
  • Digital Rights Management (DRM)
  • Computation outsourcing, NFV
  • Distributed systems, edge computing, blockchains
  • Alternative to HME or MPC
  • Protection for antivirus, JIT compilers, etc.
  • Used for concealing attacks

  18. Questions?
