CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Size: px

Start display at page:

Download "CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m."

Josephine Small
5 years ago
Views:

2 CLASS AGENDA INTEL SGX OVERVIEW... DEVELOPER TOOLKIT... DEVELOPING FOR INTEL SGX... BREAK FOR LUNCH... PROVISIONING SECRETS... DATA SEALING :00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

3 CLASS LOGISTICS [To be filled out on a site-by-site basis.]

4 INTEL SGX OVERVIEW Introduction Developer Toolkit Developing for SGX Provisioning Secrets Data Sealing

5 WHY USE INTEL SGX? Protect secrets running in your applications Examples of secrets include: Healthcare records Personally identifiable information (PII) Biometric factors and templates Passwords Encryption keys Intellectual property (IP)

6 INTEL SGX ENCLAVES Enclaves are the non-addressable system-memory spaces that Intel SGX creates in order to protect secrets. Only secrets belong in enclaves.

7 INTEL TRUSTED EXECUTION ENVIRONMENT Intel SGX is a per-process application trusted execution environment (TEE) for user-mode code. Isolates memory regions of code and data Reserves part of physical memory (RAM) for enclaves Encrypts the reserved part of main memory (RAM)

HARDWARE REQUIREMENTS Processor must support Intel SGX: Supported by 6th generation Intel processors and later BIOS must support Intel SGX memory reservation

8 HARDWARE REQUIREMENTS Processor must support Intel SGX: Supported by 6th generation Intel processors and later BIOS must support Intel SGX memory reservation Three states of Intel SGX in the BIOS: Enabled Software Enabled Disabled Intel SGX does have simulation mode for writing code on systems that do not support Intel SGX.

9 LOCATIONS OF INTEREST Intel SGX landing zone: software.intel.com/en-us/sgx Intel SGX forum: software.intel.com/en-us/forums/ intel-software-guard-extensions-intel-sgx Request a production license: software.intel.com/ en-us/sgx/commercial-use-license-request Request access to the Intel SGX remote-attestation service:

10 INTEL SGX DEVELOPER TOOLKIT Introduction Developer Toolkit Developing for SGX Provisioning Secrets Data Sealing Developer Toolkit

11 EVALUATION VERSUS PRODUCTION TOOLS Evaluation software development kit (SDK) Dev tool kit and platform software (PSW) are always evaluation. This SDK version is for development. Debug enclaves can be inspected. To build release enclaves, developers need to get a production license from Intel. Production SDK This SDK version contains a legally binding commercial license from Intel. This license supersedes all other licenses. A production key is added to the Intel SGX whitelist. Permission from Intel to ship the PSW with ISV applications comes with this SDK version.

12 INTEL SGX PLATFORM SOFTWARE OVERVIEW PSW extends the Intel SGX hardware and installs the architectural enclaves. Different from developer-created enclaves Platform Services Enclave (PSE) Launch Enclave (LE) Provisioning Certificate Enclave (PCE) Quoting Enclave (QE) PSW loads architectural enclaves to the Enclave Page Cache (EPC). Intel SGX loader is different and separate from the Windows loader. PSW includes drivers to map to memory. PSW loads the Architectural Enclave Service Manager (AESM) service on boot. AESM must be running to launch enclaves. AESM maintains the whitelist of production keys. Intel SGX memory-access restrictions only come with production keys. PSW is not downloadable from Intel by the end user. Packaged with application installers Required for enclaves to run (no exceptions) Enclaves cannot launch without the architectural enclaves Specifically, LE is needed Trusted computing base (TCB) consists of: PSW CPU

13 HANDS-ON LAB 1

14 DEMONSTRATION: DETECTING INTEL SGX SUPPORT 1. Copy folder to your personal computer. 2. The folder contains three binaries: 1. Application with proper Intel SGX detection 2. Application with improper Intel SGX detection 3. Application with no Intel SGX detection 3. Execute the binaries on your personal computers and see the results of each.

15 DEVELOPING FOR INTEL SGX Introduction Developer Toolkit Developing for SGX Provisioning Secrets Data Sealing

16 PARTITIONING YOUR CODE Identify your secrets Identify providers and consumers of the secrets Identify the enclave boundary Tailor the modules for the enclave DEMO

17 HANDS-ON LAB 2

18 EXERCISE: INSERT ECALL CODE INTO SAMPLE APP

19 ADVANCED ENCLAVE INTERFACES Callbacks How to make an OCALL Advanced enclave-definition language (EDL) One example: user_check Default ECALL and OCALL behavior is to pass a copy of the buffer to which a pointer points user_check overrides this and directly passes the pointer through

20 EXERCISE: INSERT OCALL CODE WITH USER_CHECK

21 DEBUGGING INTEL SGX APPLICATIONS A local Windows debugger will not see breakpoints in an enclave. The Intel SGX debugger is a plug-in for Microsoft Visual Studio 2013 (update as support for 2015 is released). Must be the Professional Edition of Visual Studio Debugging plugins are not enabled in the Community Edition. Need to change Working Directory to Solution Directory in Visual Studio.

22 DEMONSTRATION: DEBUGGING THE SAMPLE APP 1. Cannot step into enclave from untrusted code 2. Break point must be in enclave code 3. Can inspect the enclave memory just like any other memory page

23 PROVISIONING SECRETS INTO ENCLAVES Introduction Developer Toolkit Developing for SGX Provisioning Secrets Data Sealing

24 HOW DO SECRETS GET INTO YOUR ENCLAVES Enclaves are simply shared libraries. Dynamic-link libraries Shared objects Open to inspection Do not build secrets (DLLs) in Windows in Linux into the enclave

25 HOW DO SECRETS GET INTO YOUR ENCLAVES (Continued) Secret origination from least to most secure: 1 Keyboard or clipboard Intel SGX can limit, but not eliminate, the attack surface. 3 Data generated by an algorithm within the enclave 2 Provisioning from a trusted service on the system Monotonic counter or trusted time (a clock users cannot manipulate) 4 Data imported from sealed data and local attestation Still better than other encrypted files because the secret is secured by a key that is unique to that system 5 Remote attestation Attested by remote service Session key derived from an enclave

26 HANDS-ON LAB 3

27 LOCAL ATTESTATION Two enclaves on a single system Why use? More efficiently use limited EPC resources Be a better citizen in using shared resources Reduce attack surface Use cases: Two enclaves, one application, and one signer (for example: sample encryption app) Two enclaves, two applications, and one signer (for example: stand-alone password manager and interacting with a browser)

28 EXERCISE: INSERT LOCAL- ATTESTATION CODE

29 REMOTE ATTESTATION Quote Quote Enclave ISV Server Quote Intel

30 DEMONSTRATION: REMOTE ATTESTATION

31 SEALING DATA WITH INTEL SGX Introduction Developer Toolkit Developing for SGX Provisioning Secrets Data Sealing

32 DATA PERSISTENCE FOR ENCLAVES Small piece of protected data saved to memory or disk Reasons for sealing data Primary: Power events Secondary: Enclave needs info from session to session

33 HANDS-ON LAB 4

34 EXERCISE: INSERT OCALLS TO HANDLE DATA SEALING AND UNSEALING

35 COURSE TAKEAWAYS Intel SGX enclaves provide a trusted execution environment. Tools in the Intel SGX SDK do much of the heavy lifting for developers. Developing applications for Intel SGX can require a shift of paradigm. Provisioning secrets securely in Intel SGX is a primary concern. Sealing data in Intel SGX is essential, particularly for power events.

Intel Software Guard Extensions

Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July 12 th 2017 cryptovision Mindshare, Gelsenkirchen Intel SGX Making Headlines Premium Content requiring Intel SGX on PC Intel