Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX
|
|
- Christopher Rose
- 6 years ago
- Views:
Transcription
1 Lecture Secure, and Trustworthy Computing Introduction to Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17
2 Intel Software Guard Extensions () [ckeen et al, Hoekstra et al., Anati et al., HASP 13] Security critical code isolated in enclave Only CPU is trusted Transparent memory encryption 18 new instructions Enclaves cannot harm the system Only unprivileged code (CPU ring3) emory protection Designed for ulti-core systems ulti-threaded execution of enclaves Parallel execution of enclaves and untrusted code Enclaves are interruptible Available in current Intel Core i-6xxx processors (code name Skylake) APP1 APP2 Enclave Security Service Operating System CPU Hardware
3 Enclaves Enclaves are isolated memory regions of code and data One part of physical memory (RA) is reserved for enclaves It is called Enclave Page Cache (EPC) EPC memory is encrypted in the main memory (RA) hardware consists of the CPU-Die only EPC is managed by OS/V RA: Random Access emory OS: Operating System V: Virtual achine onitor (also known as Hypervisor)
4 Instructions and Data Structures 18 Instruction 13 Supervisor Instructions 5 User Instructions 13 Data Structures 8 data structures associated to a certain enclave 3 data structures associated to certain memory page(s) 2 data structures associated to overall resource management
5 emory Access Control Access control in two directions From enclaves to outside Isolating malicious enclaves Enclaves need some means to communicate with the outside world, e.g., their host applications From outside to enclaves Enclave memory must be protected from Applications Privileged software (OS/V) Other enclaves OS: Operating System V: Virtual achine onitor (also known as Hypervisor)
6 AC from enclaves to outside From enclaves to outside emory access has to comply to OS/V segmentation & paging policies Enclaves cannot manipulate those policies, because they can only execute unprivileged instructions inside an enclave Code fetches from inside an enclave to a linear address outside that enclave will result in a fault/exception i.e., the code with the enclave cannot jump outside an enclave AC: emory Access Control V: Virtual achine onitor
7 AC outside to enclaves From outside to enclaves Non-enclave accesses to EPC memory result in an abort Direct jumps from outside to any linear address that maps to an enclave do not enable enclave mode and result in an abort The virtual-to-physical memory mapping of an enclave is fixed at enclave creation time, i.e., the OS cannot manipulate this mapping during the run-time of the enclave A modified mapping could manipulate the behavior of an enclave At every memory access the hardware (U) verifies that the mapping is unchanged AC: emory Access Control EPC: Enclave Page Cache
8 Create Enclave 1 Loader User space Client driver Operating system SK/PK 1. Create App Hardware
9 Create Enclave 1 2 Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK)
10 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader
11 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave
12 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages
13 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App
14 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity
15 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 8 K Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity 8. Generate enclave K key
16 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 K 8 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity 8. Generate enclave K key 9. Protect enclave
17 Enclave Enclave Creation Details Application Encl. Code EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
18 Enclave Enclave Creation Details Application Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
19 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
20 SECS Enclave Enclave Creation Details 3b. copy Application Encl. Code 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
21 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
22 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 5a. EINIT 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC 5b. Update HASH RA U EE CPU # Key ID n n+1 K PK 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure
23 TCS Enclave Enclave Entry and Exit Details Application EENTER(TCS, AEP) Stack AEP ISR EPC list OS U CPU EPC EPC RA EE Lock TCS, start Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure
24 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EEXIT ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure
25 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EPC list ISR OS Interrupt U CPU EPC EPC Save context in Enclave RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure
26 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ERESUE ISR EPC list OS U CPU EPC EPC RA EE Resume Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure
27 Side Channel Attacks Hardware side channels E.g., power consumption, RF radiation Software side channels E.g., cache timing side channel specific side channel: Page fault side channel Controlled-Channel Attacks: Deterministic Side Channels for Operating Systems. Y. Xu, W. Cui and. Peinado. IEEE S&P 15
28 Reading aterial General Information: Programming Reference: / pdf Report:
SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 3b SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees Slide deck extracted from Kamran s tutorial on SGX and Chenglu s security analysis
More informationCIS 4360 Secure Computer Systems SGX
CIS 4360 Secure Computer Systems SGX Professor Qiang Zeng Spring 2017 Some slides are stolen from Intel docs Previous Class UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure
More informationIntel SGX Virtualization
Sean Christopherson Intel Intel SGX Virtualization KVM Forum 2018 Traditional VM Landscape App s secrets accessible by any privileged entity, e.g. VMM and OS App App App or a malicious app that has exploited
More informationLecture Embedded System Security Introduction to Trusted Computing
1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2015 Roadmap: Trusted Computing Motivation Notion of trust
More informationLecture Embedded System Security Introduction to Trusted Computing
1 Lecture Embedded System Security Introduction to Trusted Computing Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Summer Term 2017 Roadmap: Trusted Computing Motivation
More informationControlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado
: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado 2 Goal Protect the data of applications running on remote hardware 3 New tech Trusted Platform Modules
More informationIntroduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017
Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup
More informationIntel Software Guard Extensions
Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July 12 th 2017 cryptovision Mindshare, Gelsenkirchen Intel SGX Making Headlines Premium Content requiring Intel SGX on PC Intel
More informationEmbedded System Security Mobile Hardware Platform Security
1 Embedded System Security Mobile Hardware Platform Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Summer Term 2017 Acknowledgement This slide set
More informationEmbedded System Security Mobile Hardware Platform Security
1 Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Summer Term 2016 Acknowledgement This slide set is based on slides provided by
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationApplications of Attestation:
Lecture Secure, Trusted and Trustworthy Computing : IMA and TNC Prof. Dr. Ing. Ahmad Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2011/2012 1 Roadmap: TC
More informationLecture Embedded System Security Introduction to Trusted Computing
1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Summer Term 2012 Roadmap: Trusted Computing Motivation Notion of trust
More informationTRUSTED COMPUTING TECHNOLOGIES
TRUSTED COMPUTING TECHNOLOGIES TEE = Trusted Execution Environment Mandatory reading Innovative Instructions and Software Model for Isolated Execution, Frank McKeen, Ilya Alexandrovich, Alex Berenzon,
More informationIntel Software Guard Extensions (Intel SGX) SGX2
Intel Software Guard Extensions (Intel SGX) SGX2 Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie- Hurd, Carlos Rozas, Mark Shanahan, Bin (Cedric) Xing June 18,
More informationComputer Architecture Background
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 2b Computer Architecture Background Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering
More informationBUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX
BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE
More informationSanctum: Minimal HW Extensions for Strong SW Isolation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 7a Sanctum: Minimal HW Extensions for Strong SW Isolation Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical &
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17 Roadmap: TPM
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2017/18 Roadmap: TPM
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationRacing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18
Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races CS 563 Young Li 10/31/18 Intel Software Guard extensions (SGX) and Hyper-Threading What is Intel SGX? Set of
More informationOperating System Control Structures
Operating System Control Structures Information about the current status of each process and resource Tables are constructed for each entity the operating system manages 26 Memory Tables Allocation of
More informationCLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.
CLASS AGENDA INTEL SGX OVERVIEW... DEVELOPER TOOLKIT... DEVELOPING FOR INTEL SGX... BREAK FOR LUNCH... PROVISIONING SECRETS... DATA SEALING...... 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00
More informationLecture 4: Mechanism of process execution. Mythili Vutukuru IIT Bombay
Lecture 4: Mechanism of process execution Mythili Vutukuru IIT Bombay Low-level mechanisms How does the OS run a process? How does it handle a system call? How does it context switch from one process to
More informationKomodo: Using Verification to Disentangle Secure-Enclave Hardware from Software
Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon
More informationBinding keys to programs using Intel SGX remote attestation
Binding keys to programs using Intel SGX remote attestation Mark D. Ryan London Crypto Day 22 September 2017 1 Intel SGX Intel SGX is a set of processor instructions which allow one: To set up an enclave
More informationRecommendations for TEEP Support of Intel SGX Technology
Recommendations for TEEP Support of Intel SGX Technology Overview of SGX & Selected TEEP Topics David M. Wheeler david.m.wheeler@intel.com 1 Apologies If you are really interested in the details of SGX
More informationA Comparison Study of Intel SGX and AMD Memory Encryption Technology
A Comparison Study of Intel SGX and AMD Memory Encryption Technology Saeid Mofrad, Fengwei Zhang Shiyong Lu Wayne State University {saeid.mofrad, Fengwei, Shiyong}@wayne.edu Weidong Shi (Larry) University
More informationCSE 153 Design of Operating Systems
CSE 153 Design of Operating Systems Winter 2019 Lecture 4: Processes Administrivia If you have not already, please make sure to enroll in piazza ~20 students have not yet Lab 1: please check the hints
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationELEC 377 Operating Systems. Week 1 Class 2
Operating Systems Week 1 Class 2 Labs vs. Assignments The only work to turn in are the labs. In some of the handouts I refer to the labs as assignments. There are no assignments separate from the labs.
More informationWilliam Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function
William Stallings Computer Organization and Architecture Chapter 11 CPU Structure and Function CPU Structure CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Registers
More informationLecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.
Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow
More informationCOS 318: Operating Systems
COS 318: Operating Systems OS Structures and System Calls Prof. Margaret Martonosi Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall11/cos318/ Outline Protection
More informationCSCE Introduction to Computer Systems Spring 2019
CSCE 313-200 Introduction to Computer Systems Spring 2019 Processes Dmitri Loguinov Texas A&M University January 24, 2019 1 Chapter 3: Roadmap 3.1 What is a process? 3.2 Process states 3.3 Process description
More informationLec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements
Lec 22: Interrupts Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University HW 3 HW4: due this Friday Announcements PA 3 out Nov 14 th Due Nov 25 th (feel free to turn it in early) Demos and
More informationInterrupts & System Calls
Interrupts & System Calls Nima Honarmand Previously on CSE306 Open file hw1.txt App Ok, here s handle App 4 App Libraries Libraries Libraries User System Call Table (350 1200) Supervisor Kernel Hardware
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationScotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage
Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1, Fengwei Zhang 2, and Westley Weimer 1 1 University of Michigan, 2 Wayne State University
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationLeveraging Intel SGX to Create a Nondisclosure Cryptographic library
CS 2530 - Computer and Network Security Project presentation Leveraging Intel SGX to Create a Nondisclosure Cryptographic library Mohammad H Mofrad & Spencer L Gray University of Pittsburgh Thursday, December
More informationTown Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016
Town Crier Authenticated Data Feeds For Smart Contracts CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016 Smart Contract Decentralized App: Programs are executed by all miners who reach consensus
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationCSC 5930/9010 Cloud S & P: Virtualization
CSC 5930/9010 Cloud S & P: Virtualization Professor Henry Carter Fall 2016 Recap Network traffic can be encrypted at different layers depending on application needs TLS: transport layer IPsec: network
More informationCache Side Channel Attacks on Intel SGX
Cache Side Channel Attacks on Intel SGX Princeton University Technical Report CE-L2017-001 January 2017 Zecheng He Ruby B. Lee {zechengh, rblee}@princeton.edu Department of Electrical Engineering Princeton
More informationSecurity of Embedded Systems
Security of Embedded Systems Matthias Schunter, Intel Labs, Ahmad Sadeghi, TU Darmstadt + Teams (F. Brasser, L. Davi, P. Koeberl, S. Schulz, et. al.) 1 2015 Intel Corporation What is an Embedded System?
More informationLecture Embedded System Security Trusted Platform Module
1 Lecture Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Summer Term 2015 Roadmap: TPM Introduction to TPM TPM architecture
More informationCPU Structure and Function. Chapter 12, William Stallings Computer Organization and Architecture 7 th Edition
CPU Structure and Function Chapter 12, William Stallings Computer Organization and Architecture 7 th Edition CPU must: CPU Function Fetch instructions Interpret/decode instructions Fetch data Process data
More informationSCONE: Secure Linux Container Environments with Intel SGX
SCONE: Secure Linux Container Environments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe,
More informationShreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S
Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units
More informationWhat is an Operating System? A Whirlwind Tour of Operating Systems. How did OS evolve? How did OS evolve?
What is an Operating System? A Whirlwind Tour of Operating Systems Trusted software interposed between the hardware and application/utilities to improve efficiency and usability Most computing systems
More informationLocking Down the Processor via the Rowhammer Attack
SGX-BOMB: Locking Down the Processor via the Rowhammer Attack Yeongjin Jang*, Jaehyuk Lee, Sangho Lee, and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the
More informationEE458 - Embedded Systems Exceptions and Interrupts
EE458 - Embedded Systems Exceptions and Interrupts Outline Exceptions Interrupts References RTC: Chapters 10 CUG: Chapters 8, 21, 23 1 Introduction An exception is any event that disrupts the normal execution
More informationThe Security Challenges & Issues From SGX Practice
The Security Challenges & Issues From SGX Practice Xiaoning Li Chief Security Architect Alibaba Cloud 为了无法计算的价值 Agenda Secure Computing Introduction Intel SGX Applications and Challenges Secure Computing
More informationProcess Concepts. CSC400 - Operating Systems. 3. Process Concepts. J. Sumey
CSC400 - Operating Systems 3. Process Concepts J. Sumey Overview Concurrency Processes & Process States Process Accounting Interrupts & Interrupt Processing Interprocess Communication CSC400 - Process
More informationLast 2 Classes: Introduction to Operating Systems & C++ tutorial. Today: OS and Computer Architecture
Last 2 Classes: Introduction to Operating Systems & C++ tutorial User apps OS Virtual machine interface hardware physical machine interface An operating system is the interface between the user and the
More informationEmbedded System Security
http://www.trust.cased.de Assignments for the Course Embedded System Security Prof. Dr.-Ing. Ahmad-Reza Sadeghi Last updated: May 10, 2012 Authors: Sven Bugiel Based on ETISS 10 MobileLab of Kurt Dietrich
More informationHakim Weatherspoon CS 3410 Computer Science Cornell University
Hakim Weatherspoon CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Deniz Altinbuken, Professors Weatherspoon, Bala, Bracy, and Sirer. C practice
More informationCSE 153 Design of Operating Systems
CSE 153 Design of Operating Systems Winter 19 Lecture 3: OS model and Architectural Support Last time/today Historic evolution of Operating Systems (and computing!) Today: We start our journey in exploring
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationCSE 153 Design of Operating Systems Fall 18
CSE 153 Design of Operating Systems Fall 18 Lecture 2: OS model and Architectural Support Last time/today l Historic evolution of Operating Systems (and computing!) l Today: We start our journey in exploring
More informationControlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems
Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationHardware OS & OS- Application interface
CS 4410 Operating Systems Hardware OS & OS- Application interface Summer 2013 Cornell University 1 Today How my device becomes useful for the user? HW-OS interface Device controller Device driver Interrupts
More informationProtection and System Calls. Otto J. Anshus
Protection and System Calls Otto J. Anshus Protection Issues CPU protection Prevent a user from using the CPU for too long Throughput of jobs, and response time to events (incl. user interactive response
More informationCS 326: Operating Systems. Process Execution. Lecture 5
CS 326: Operating Systems Process Execution Lecture 5 Today s Schedule Process Creation Threads Limited Direct Execution Basic Scheduling 2/5/18 CS 326: Operating Systems 2 Today s Schedule Process Creation
More informationComputer Architecture and OS. EECS678 Lecture 2
Computer Architecture and OS EECS678 Lecture 2 1 Recap What is an OS? An intermediary between users and hardware A program that is always running A resource manager Manage resources efficiently and fairly
More informationThe Kernel Abstraction. Chapter 2 OSPP Part I
The Kernel Abstraction Chapter 2 OSPP Part I Kernel The software component that controls the hardware directly, and implements the core privileged OS functions. Modern hardware has features that allow
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Fall 2017 Lecture 21 Main Memory Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 FAQ Why not increase page size
More informationTrusted Virtual Domains: Towards Trustworthy Distributed Services. Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum
Trusted Virtual Domains: Towards Trustworthy Distributed Services Ahmad-Reza Sadeghi System Security Lab Ruhr-Universität Bochum The Main Motivation Trustworthy Distributed Computing Selected Applications..
More informationToday: Protection! Protection!
Today: Protection! Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based Systems Language-Based Protection Lecture 27, page
More informationOPERATING SYSTEM OVERVIEW
OPERATING SYSTEM OVERVIEW Contents Basic hardware elements Interrupts Most I/O devices are much slower than the processor Active waiting cycle (polling) Interrupt request signal Interrupt mechanism An
More informationCOS 318: Operating Systems
COS 318: Operating Systems OS Structures and System Calls Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Outline Protection mechanisms
More informationObliviate: A Data Oblivious File System for Intel SGX. Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee
Obliviate: A Data Oblivious File System for Intel SGX Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee 1 Clouds? The Ultimate Dream? User Clouds 2 Clouds? The Ultimate Dream? User Clouds
More informationEleos: Exit-Less OS Services for SGX Enclaves
Eleos: Exit-Less OS Services for SGX Enclaves Meni Orenbach Marina Minkin Pavel Lifshits Mark Silberstein Accelerated Computing Systems Lab Haifa, Israel What do we do? Improve performance: I/O intensive
More informationKernel Support for Paravirtualized Guest OS
Kernel Support for Paravirtualized Guest OS Shibin(Jack) Xu University of Washington shibix@cs.washington.edu ABSTRACT Flexibility at the Operating System level is one of the most important factors for
More informationOS lpr. www. nfsd gcc emacs ls 1/27/09. Process Management. CS 537 Lecture 3: Processes. Example OS in operation. Why Processes? Simplicity + Speed
Process Management CS 537 Lecture 3: Processes Michael Swift This lecture begins a series of topics on processes, threads, and synchronization Today: processes and process management what are the OS units
More informationInterrupts Peter Rounce
Interrupts Peter Rounce P.Rounce@cs.ucl.ac.uk 22/11/2011 11-GC03 Interrupts 1 INTERRUPTS An interrupt is a signal to the CPU from hardware external to the CPU that indicates than some event has occured,
More informationProcess Scheduling Queues
Process Control Process Scheduling Queues Job queue set of all processes in the system. Ready queue set of all processes residing in main memory, ready and waiting to execute. Device queues set of processes
More informationLecture Secure, Trusted and Trustworthy Computing Trusted Platform Module
1 Lecture Secure, Trusted and Trustworthy Computing Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2015/2016 Roadmap: TPM Introduction
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationIntel s Virtualization Extensions (VT-x) So you want to build a hypervisor?
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey May 13, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey torreyj@ainfosec.com
More informationChapter 12. CPU Structure and Function. Yonsei University
Chapter 12 CPU Structure and Function Contents Processor organization Register organization Instruction cycle Instruction pipelining The Pentium processor The PowerPC processor 12-2 CPU Structures Processor
More informationMain Memory: Address Translation
Main Memory: Address Translation (Chapter 8) CS 4410 Operating Systems Can t We All Just Get Along? Physical Reality: different processes/threads share the same hardware à need to multiplex CPU (temporal)
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,
More informationSecure Set Intersection with Untrusted Hardware Tokens
Secure Set Intersection with Untrusted Hardware Tokens Thomas Schneider Engineering Cryptographic Protocols Group, TU Darmstadt http://encrypto.de joint work with Marc Fischlin (TU Darmstadt) Benny Pinkas
More informationIT 540 Operating Systems ECE519 Advanced Operating Systems
IT 540 Operating Systems ECE519 Advanced Operating Systems Prof. Dr. Hasan Hüseyin BALIK (3 rd Week) (Advanced) Operating Systems 3. Process Description and Control 3. Outline What Is a Process? Process
More informationThe next step in IT security after Snowden
The next step in IT security after Snowden Prof. Dr. (TU NN) Norbert Pohlmann Institute for Internet Security - if(is) Westphalian University of Applied Sciences Gelsenkirchen, Germany www.internet-sicherheit.de
More informationOperating Systems and Interrupts/Exceptions
Operating Systems and Interrupts/Exceptions Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology Code for the lecture is available on the course website under the
More informationArchitectural Support for OS
Architectural Support for OS Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu EEE3052: Introduction to Operating Systems, Fall 2017, Jinkyu Jeong (jinkyu@skku.edu)
More informationJan 20, 2005 Lecture 2: Multiprogramming OS
Jan 20, 2005 Lecture 2: Multiprogramming OS February 17, 2005 1 Review OS mediates between hardware and user software QUIZ: Q: What is the most important function in an OS? A: To support multiprogramming
More informationProcesses. Johan Montelius KTH
Processes Johan Montelius KTH 2017 1 / 47 A process What is a process?... a computation a program i.e. a sequence of operations a set of data structures a set of registers means to interact with other
More informationTraps, Exceptions, System Calls, & Privileged Mode
Traps, Exceptions, System Calls, & Privileged Mode Hakim Weatherspoon CS 3410, Spring 2013 Computer Science Cornell University P&H Chapter 4.9, pages 509 515, appendix B.7 Administrivia: Where are we now
More informationCS 550 Operating Systems Spring Interrupt
CS 550 Operating Systems Spring 2019 Interrupt 1 Revisit -- Process MAX Stack Function Call Arguments, Return Address, Return Values Kernel data segment Kernel text segment Stack fork() exec() Heap Data
More informationSpring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand
Introduction to Virtual Machines Nima Honarmand Virtual Machines & Hypervisors Virtual Machine: an abstraction of a complete compute environment through the combined virtualization of the processor, memory,
More informationLecture Secure, Trusted and Trustworthy Computing Mobile Hardware Platform Security
1 Lecture Secure, Trusted and Trustworthy Computing Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2015/2016 Overview General model for
More informationMicrokernel Construction
Introduction SS2013 Class Goals Provide deeper understanding of OS mechanisms Introduce L4 principles and concepts Make you become enthusiastic L4 hackers Propaganda for OS research at 2 Administration
More informationA process. the stack
A process Processes Johan Montelius What is a process?... a computation KTH 2017 a program i.e. a sequence of operations a set of data structures a set of registers means to interact with other processes
More informationCPU Structure and Function
Computer Architecture Computer Architecture Prof. Dr. Nizamettin AYDIN naydin@yildiz.edu.tr nizamettinaydin@gmail.com http://www.yildiz.edu.tr/~naydin CPU Structure and Function 1 2 CPU Structure Registers
More information