
SGXBounds: Memory Safety for Shielded Execution (PowerPoint PPT presentation)

  1. SGXBounds: Memory Safety for Shielded Execution. Dmitrii Kuvaiskii†, Oleksii Oleksenko†, Sergei Arnautov†, Bohdan Trach†, Pramod Bhatotia*, Pascal Felber‡, Christof Fetzer†. †TU Dresden, *The University of Edinburgh, ‡University of Neuchâtel. Eurosys 2017

  2–7. Security in the Cloud
  • Security is a key barrier to adoption of cloud computing
  • Attackers compromise confidentiality and integrity
    ➥ Malicious host (e.g., cloud provider)
    ➥ Software vulnerabilities
  [Figure: virtual address space with shielded execution (SGX Enclave) facing a malicious OS; Heartbleed and Cloudbleed are shown as example software vulnerabilities]

  8–11. Protecting against Attacks
  SGX Enclave (against the malicious host) + Memory safety (against vulnerabilities)
  Memory-safety candidates: AddressSanitizer (software-based), Intel MPX (hardware-based)
  State-of-the-art memory-safety mechanisms are inefficient!

  12–16, 18. State-of-the-Art: SQLite example
  [Figure: overhead chart for the SQLite example, built up across several slides; lower is better]
  17. SGX Enclave (malicious host) + Memory safety (vulnerabilities): How to make it efficient?
  19. State-of-the-Art: SQLite example (lower is better). SGXBounds is practical

  20–21. – Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation

  22–27. Constraints of SGX Enclaves
  Why do AddressSanitizer and Intel MPX perform poorly under SGX?
  ☹ Increased latency of memory accesses
    ➥ MEE encryption (1–12x)
    ➥ EPC paging (2–2000x)
  ☹ Limited enclave memory (4GB)
  [Figure: the virtual address space of the shielded execution (SGX Enclave, 4GB) mapped onto the physical address space: CPU cache (8MB), Enclave Page Cache (94MB), DRAM (64GB)]

  28–32. State-of-the-Art: Metadata Layout
  Assumptions of AddressSanitizer and Intel MPX violated in SGX!
  ☹ Fast accesses to metadata ≠ increased latency
  ☹ Almost endless memory ≠ limited enclave memory
  [Figure: AddressSanitizer layout with a 512MB shadow region and objects surrounded by red zones; Intel MPX layout with a pointer looked up through the Bounds Directory into Bounds Table 1]
  Inefficient!

  33. – Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation Eurosys 2017

  34–41. SGXBounds: Metadata Layout
  Memory constraints of SGX dictated the design of SGXBounds
  ☺ Increased latency → minimize accesses to metadata
  ☺ Limited enclave memory → minimize space of metadata
  SGXBounds:
  – Upper bound (UB) in pointer
  – Lower bound (LB) per object
  – Out-of-the-box multithreading (unlike MPX)
  [Figure: 64-bit pointer with the address in bits 31–0 and UB in bits 63–32; the object carries a 4B LB field]

  42–46. SGXBounds: Detecting Vulnerabilities
  How does SGXBounds detect vulnerabilities like Heartbleed?
  ☹ Data leak through write(socket, pointer, objlen)
  ☺ Protect using efficient bounds checks
  Bounds-check before each memory access: LB ≤ pointer ≤ UB
  [Figure: an object with its pointer and bounds LB, UB; an adjacent object holding a password (with its own LB) lies just past UB]
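The following is an added example, not code from the SGXBounds project or the slides, that models the metadata layout of slides 34–41 (UB in the upper 32 bits of the pointer, one LB per object) and the bounds check of slides 42–46 on a Heartbleed-style over-read. It assumes a toy arena addressed by 32-bit offsets in place of real enclave memory (the slides' 4GB enclave limit is what makes 32-bit addresses sufficient), and it chooses to store the per-object LB in a 4-byte footer located at UB; that footer placement is this model's assumption, and the names sgxb_malloc, sgxb_add, sgxb_check, checked_copy and heartbleed_model are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the SGXBounds pointer/metadata layout (not the project's
 * code). Enclave memory is modelled as one arena addressed by 32-bit offsets, so
 * a "pointer" here is a 64-bit tagged value rather than a host pointer. */
#define ARENA_SIZE (1u << 16)
static uint8_t arena[ARENA_SIZE];
static uint32_t arena_top = 16;          /* offset 0 stays unused: tagged 0 is "null" */

typedef uint64_t sgxb_ptr;               /* bits 31..0: address, bits 63..32: UB */

static uint32_t sgxb_addr(sgxb_ptr p) { return (uint32_t)p; }
static uint32_t sgxb_ub(sgxb_ptr p)   { return (uint32_t)(p >> 32); }
static sgxb_ptr sgxb_make(uint32_t addr, uint32_t ub) {
    return ((uint64_t)ub << 32) | addr;
}

/* Allocate `size` bytes followed by a 4-byte footer holding LB (the object's
 * start). UB is the footer's address (model assumption), so the pointer alone
 * locates both bounds: UB from its high half, LB with one load from arena[UB]. */
sgxb_ptr sgxb_malloc(uint32_t size) {
    uint32_t lb = arena_top, ub = lb + size;
    if (ub + 4 > ARENA_SIZE) return 0;
    memcpy(&arena[ub], &lb, sizeof lb);  /* footer = LB */
    arena_top = ub + 4;
    return sgxb_make(lb, ub);
}

/* Pointer arithmetic keeps the UB tag and changes only the address half. */
sgxb_ptr sgxb_add(sgxb_ptr p, int32_t off) {
    return sgxb_make((uint32_t)((int32_t)sgxb_addr(p) + off), sgxb_ub(p));
}

/* The slides' check "LB <= pointer <= UB", applied to an access of `len` bytes:
 * every byte touched must lie in [LB, UB), since UB itself is the footer. */
bool sgxb_check(sgxb_ptr p, uint32_t len) {
    uint32_t addr = sgxb_addr(p), ub = sgxb_ub(p), lb;
    if (addr > ub) return false;
    memcpy(&lb, &arena[ub], sizeof lb);  /* the one metadata access per check */
    return addr >= lb && len <= ub - addr;
}

/* Instrumented copy: the check runs before the memory access, as the slides
 * describe; a real SGXBounds build would abort here instead of returning 0. */
uint32_t checked_copy(uint8_t *dst, sgxb_ptr src, uint32_t len) {
    if (!sgxb_check(src, len)) return 0;
    memcpy(dst, &arena[sgxb_addr(src)], len);
    return len;
}

/* Heartbleed-style pattern from the slides: write(socket, pointer, objlen) with
 * an objlen larger than the object. Returns how many bytes the checked copy
 * allowed. Constructed data: an 8-byte payload followed in memory by a 16-byte
 * "password" object. */
uint32_t heartbleed_model(uint32_t claimed_len, uint8_t out[64]) {
    sgxb_ptr payload = sgxb_malloc(8);
    sgxb_ptr secret  = sgxb_malloc(16);
    memcpy(&arena[sgxb_addr(payload)], "hb-echo!", 8);
    memcpy(&arena[sgxb_addr(secret)], "hunter2-password", 16);
    return checked_copy(out, payload, claimed_len);
}

int main(void) {
    uint8_t out[64] = {0};
    printf("honest request (8 bytes): copied %u\n", heartbleed_model(8, out));
    printf("over-read request (64 bytes): copied %u\n", heartbleed_model(64, out));
    return 0;
}
```

The design point the model makes concrete is the one the slides draw from the SGX constraints: a check costs one load of the footer and no lookup in a shadow region or bounds table, and the only per-object metadata is the 4-byte LB field, so neither the latency nor the 4GB limit of enclave memory is stressed.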
