Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

Transcription

1 Lecture Secure, and Trustworthy Computing Introduction to Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17

2 Intel Software Guard Extensions () [ckeen et al, Hoekstra et al., Anati et al., HASP 13] Security critical code isolated in enclave Only CPU is trusted Transparent memory encryption 18 new instructions Enclaves cannot harm the system Only unprivileged code (CPU ring3) emory protection Designed for ulti-core systems ulti-threaded execution of enclaves Parallel execution of enclaves and untrusted code Enclaves are interruptible Available in current Intel Core i-6xxx processors (code name Skylake) APP1 APP2 Enclave Security Service Operating System CPU Hardware

3 Enclaves Enclaves are isolated memory regions of code and data One part of physical memory (RA) is reserved for enclaves It is called Enclave Page Cache (EPC) EPC memory is encrypted in the main memory (RA) hardware consists of the CPU-Die only EPC is managed by OS/V RA: Random Access emory OS: Operating System V: Virtual achine onitor (also known as Hypervisor)

4 Instructions and Data Structures 18 Instruction 13 Supervisor Instructions 5 User Instructions 13 Data Structures 8 data structures associated to a certain enclave 3 data structures associated to certain memory page(s) 2 data structures associated to overall resource management

5 emory Access Control Access control in two directions From enclaves to outside Isolating malicious enclaves Enclaves need some means to communicate with the outside world, e.g., their host applications From outside to enclaves Enclave memory must be protected from Applications Privileged software (OS/V) Other enclaves OS: Operating System V: Virtual achine onitor (also known as Hypervisor)

6 AC from enclaves to outside From enclaves to outside emory access has to comply to OS/V segmentation & paging policies Enclaves cannot manipulate those policies, because they can only execute unprivileged instructions inside an enclave Code fetches from inside an enclave to a linear address outside that enclave will result in a fault/exception i.e., the code with the enclave cannot jump outside an enclave AC: emory Access Control V: Virtual achine onitor

7 AC outside to enclaves From outside to enclaves Non-enclave accesses to EPC memory result in an abort Direct jumps from outside to any linear address that maps to an enclave do not enable enclave mode and result in an abort The virtual-to-physical memory mapping of an enclave is fixed at enclave creation time, i.e., the OS cannot manipulate this mapping during the run-time of the enclave A modified mapping could manipulate the behavior of an enclave At every memory access the hardware (U) verifies that the mapping is unchanged AC: emory Access Control EPC: Enclave Page Cache

8 Create Enclave 1 Loader User space Client driver Operating system SK/PK 1. Create App Hardware

9 Create Enclave 1 2 Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK)

10 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader

11 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave

12 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages

13 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App

14 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity

15 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 8 K Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity 8. Generate enclave K key

16 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 K 8 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity 8. Generate enclave K key 9. Protect enclave

17 Enclave Enclave Creation Details Application Encl. Code EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

18 Enclave Enclave Creation Details Application Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

19 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

20 SECS Enclave Enclave Creation Details 3b. copy Application Encl. Code 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

21 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

22 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 5a. EINIT 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC 5b. Update HASH RA U EE CPU # Key ID n n+1 K PK 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure

23 TCS Enclave Enclave Entry and Exit Details Application EENTER(TCS, AEP) Stack AEP ISR EPC list OS U CPU EPC EPC RA EE Lock TCS, start Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure

24 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EEXIT ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure

25 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EPC list ISR OS Interrupt U CPU EPC EPC Save context in Enclave RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure

26 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ERESUE ISR EPC list OS U CPU EPC EPC RA EE Resume Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure

27 Side Channel Attacks Hardware side channels E.g., power consumption, RF radiation Software side channels E.g., cache timing side channel specific side channel: Page fault side channel Controlled-Channel Attacks: Deterministic Side Channels for Operating Systems. Y. Xu, W. Cui and. Peinado. IEEE S&P 15

28 Reading aterial General Information: Programming Reference: / pdf Report: