SGXBounds Memory Safety for Shielded Execution

Size: px

Start display at page:

Download "SGXBounds Memory Safety for Shielded Execution"

Antonia Lyons
6 years ago
Views:

1 SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh, University of Neuchâtel

2 Security in the Cloud Security is a key barrier to adoption of cloud computing 1

3 Security in the Cloud Security is a key barrier to adoption of cloud computing Attackers compromise confidentiality and integrity 1

4 Security in the Cloud Security is a key barrier to adoption of cloud computing Attackers compromise confidentiality and integrity Malicious host (e.g., cloud provider) Software vulnerabilities 1

5 Security in the Cloud Security is a key barrier to adoption of cloud computing Attackers compromise confidentiality and integrity Malicious host (e.g., cloud provider) Software vulnerabilities Virtual Address Space Shielded execution (SGX Enclave) Malicious OS 1

6 Security in the Cloud Security is a key barrier to adoption of cloud computing Attackers compromise confidentiality and integrity Malicious host (e.g., cloud provider) Software vulnerabilities Virtual Address Space Shielded execution (SGX Enclave) 1

7 Security in the Cloud Security is a key barrier to adoption of cloud computing Attackers compromise confidentiality and integrity Malicious host (e.g., cloud provider) Software vulnerabilities Virtual Address Space Heartbleed Shielded execution (SGX Enclave) Cloudbleed 1

8 Protecting against Attacks SGX Enclave (malicious host) 2

9 Protecting against Attacks SGX Enclave (malicious host) + Memory safety (vulnerabilities) 2

10 Protecting against Attacks SGX Enclave (malicious host) + Memory safety (vulnerabilities) AddressSanitizer (software-based) Intel MPX (hardware-based) 2

11 Protecting against Attacks SGX Enclave (malicious host) + Memory safety (vulnerabilities) AddressSanitizer (software-based) Intel MPX (hardware-based) State-of-the-art memory-safety mechanisms are inefficient! 2

12 State-of-the-Art: SQLite example 3

13 State-of-the-Art: SQLite example lower better 3

14 State-of-the-Art: SQLite example lower better 3

15 State-of-the-Art: SQLite example lower better 3

16 State-of-the-Art: SQLite example lower better 3

17 SGX Enclave (malicious host) + Memory safety (vulnerabilities) How to make it efficient? 3

18 State-of-the-Art: SQLite example lower better 3

19 State-of-the-Art: SQLite example lower better SGXBounds is practical 3

20 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

21 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

22 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Virtual Address Space Shielded execution (SGX Enclave) 4

23 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Increased latency of memory accesses Virtual Address Space Shielded execution (SGX Enclave) 4

24 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Increased latency of memory accesses Physical Address Space Virtual Address Space Shielded execution (SGX Enclave) CPU Cache (8MB) Enclave Page Cache (94MB) DRAM (64GB) 4

25 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Increased latency of memory accesses Physical Address Space Virtual Address Space MEE encryption (1-12x) Shielded execution (SGX Enclave) CPU Cache (8MB) Enclave Page Cache (94MB) DRAM (64GB) 4

26 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Increased latency of memory accesses Physical Address Space Virtual Address Space EPC paging (2-2000x) MEE encryption (1-12x) Shielded execution (SGX Enclave) CPU Cache (8MB) Enclave Page Cache (94MB) DRAM (64GB) 4

27 Constraints of SGX Enclaves Why AddressSanitizer and Intel MPX perform poorly under SGX? Increased latency of memory accesses Limited enclave memory (4GB) Physical Address Space Virtual Address Space EPC paging (2-2000x) 4GB MEE encryption (1-12x) Shielded execution (SGX Enclave) CPU Cache (8MB) Enclave Page Cache (94MB) DRAM (64GB) 4

28 State-of-the-Art: Metadata Layout Assumptions of AddressSanitizer and Intel MPX violated in SGX! 5

29 State-of-the-Art: Metadata Layout Assumptions of AddressSanitizer and Intel MPX violated in SGX! 512MB AddressSanitizer Intel MPX Bounds Table 1 shadow object Bounds Directory red zone object object red zone pointer pointer 5

30 State-of-the-Art: Metadata Layout Assumptions of AddressSanitizer and Intel MPX violated in SGX! Fast accesses to metadata Almost endless memory 512MB AddressSanitizer Intel MPX Bounds Table 1 shadow object Bounds Directory red zone object object red zone pointer pointer 5

31 State-of-the-Art: Metadata Layout Assumptions of AddressSanitizer and Intel MPX violated in SGX! Fast accesses to metadata increased latency Almost endless memory limited enclave memory 512MB AddressSanitizer Intel MPX Bounds Table 1 shadow object Bounds Directory red zone object object red zone pointer pointer 5

32 State-of-the-Art: Metadata Layout Assumptions of AddressSanitizer and Intel MPX violated in SGX! Fast accesses to metadata increased latency Almost endless memory limited enclave memory 512MB AddressSanitizer Intel MPX Bounds Table 1 shadow object Inefficient! Bounds Directory red zone object object red zone pointer pointer 5

33 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

34 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds 6

35 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata 6

36 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata 6

37 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata SGXBounds object pointer 6

38 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata SGXBounds object pointer 6

39 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata LB 4B SGXBounds object 63 UB 31 0 pointer 6

40 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata LB 4B SGXBounds object Upper bound (UB) in pointer Lower bound (LB) per object 63 UB 31 0 pointer 6

41 SGXBounds: Metadata Layout Memory contraints of SGX dictated design of SGXBounds Increased latency minimize accesses to metadata Limited enclave memory minimize space of metadata LB 4B SGXBounds object Upper bound (UB) in pointer Lower bound (LB) per object 63 UB 31 pointer 0 Out-of-the-box multithreading (unlike MPX) 6

42 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? SGXBounds LB object UB pointer 7

43 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? SGXBounds LB password LB object UB pointer 7

44 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? Data leak through write(socket, pointer, objlen) SGXBounds LB password LB object UB pointer 7

45 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? Data leak through write(socket, pointer, objlen) SGXBounds LB password LB object UB pointer 7

46 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? Data leak through write(socket, pointer, objlen) Protect using efficient bounds checks SGXBounds Bounds-check before each memory access: LB pointer UB LB password LB object UB pointer 7

47 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? Data leak through write(socket, pointer, objlen) Protect using efficient bounds checks SGXBounds Bounds-check before each memory access: LB pointer UB LB password embedded in tagged pointer LB object UB pointer 7

48 SGXBounds: Detecting Vulnerabilities How SGXBounds detects vulnerabilities like Heartbleed? Data leak through write(socket, pointer, objlen) Protect using efficient bounds checks SGXBounds Bounds-check before each memory access: LB pointer UB LB password LB embedded in tagged pointer loaded from memory based on UB object UB pointer 7

49 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

50 SGXBounds: Implementation SGXBounds (LLVM pass) 8

51 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Shielded app (e.g., SCONE) 8

52 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Shielded app (e.g., SCONE) Operating System CPU SGX RAM 8

53 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Shielded app (e.g., SCONE) Operating System CPU SGX RAM Advanced features: 8

54 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Shielded app (e.g., SCONE) Operating System CPU SGX RAM Advanced features: Tolerating errors with boundless memory Metadata management support Compile-time optimizations 8

55 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Shielded app (e.g., SCONE) Operating System CPU SGX RAM Advanced features: Tolerating errors with boundless memory Metadata management support Compile-time optimizations See paper for details 8

56 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

57 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation Benchmark suites Case studies Security

58 Benchmark Suites ASan MPX SGXBounds 9

59 Benchmark Suites ASan Phoenix 1.41 MPX 2.27 SGXBounds

60 Benchmark Suites ASan MPX SGXBounds Phoenix PARSEC * 1.20 * some programs failed due to insufficient memory 9

61 Benchmark Suites ASan MPX SGXBounds Phoenix PARSEC * 1.20 SPEC * 1.41 * some programs failed due to insufficient memory 9

62 Case Studies 10

63 Case Studies 10

64 Case Studies 10

65 Case Studies MPX: EPC thrashing on Memcached 10

66 Case Studies MPX: EPC thrashing on Memcached ASan: metadata overload on Nginx 10

67 Case Studies MPX: EPC thrashing on Memcached ASan: metadata overload on Nginx SGXBounds: no corner cases 10

68 Security guarantees 11

69 Security guarantees RIPE synthetic benchmark: Similar guarantees as ASan and MPX 11

70 Security guarantees RIPE synthetic benchmark: Similar guarantees as ASan and MPX Real-world vulnerabilities detected and tolerated: Memcached denial-of-service Nginx stack buffer overflow Apache Heartbleed 11

71 Motivation Constraints of SGX enclaves Design of SGXBounds Implementation of SGXBounds Evaluation

72 Conclusion 12

73 Conclusion Security is barrier to adoption of cloud computing Use shielded execution with Intel SGX 12

74 Conclusion Security is barrier to adoption of cloud computing Use shielded execution with Intel SGX Insufficient to protect against SW vulnerabilities Use memory defense like ASan and MPX 12

75 Conclusion Security is barrier to adoption of cloud computing Use shielded execution with Intel SGX Insufficient to protect against SW vulnerabilities Use memory defense like ASan and MPX ASan and MPX perform poorly in SGX enclaves Their memory assumptions are violated in SGX 12

76 Conclusion Security is barrier to adoption of cloud computing Use shielded execution with Intel SGX Insufficient to protect against SW vulnerabilities Use memory defense like ASan and MPX ASan and MPX perform poorly in SGX enclaves Their memory assumptions are violated in SGX SGXBounds: memory safety for shielded execution 12

77 Conclusion Security is barrier to adoption of cloud computing Use shielded execution with Intel SGX Insufficient to protect against SW vulnerabilities Use memory defense like ASan and MPX ASan and MPX perform poorly in SGX enclaves Their memory assumptions are violated in SGX SGXBounds: memory safety for shielded execution Thank you! 12

78 Backup slides

79 Intel SGX and SCONE Virtual Address Space SCONE Asynchronous syscalls Application Libraries SGX Enclave (legacy app with SCONE) Network shield FS shield M:N user threading Modified Musl C library V. Costan, S. Devadas. Intel SGX Explained. IACR Cryptology eprint Archive '16 S. Arnautov et al. SCONE: Secure linux containers with Intel SGX. OSDI'16

80 SGXBounds: Implementation Source code SGXBounds (LLVM pass) Application Operating System CPU Native a = add x, i store 42, a SGXBounds x = specify_bounds(x, x+n) a = add x, i aptr = extract_ptr(a) UB = extract_upper_bound(a) LB = load_lower_bound(ub) if (aptr < LB or aptr >= UB): handle_error(aptr) store 42, a SGX RAM

81 Related Work (SPEC CPU2006 outside of SGX enclave) Perf Mem Comments 146% 116% FP/FN for multithreaded AddressSanitizer 38% 292% BaggyBounds1 70% 12% Not publicly available Low-Fat Pointers2 54% 12% Not publicly available SGXBounds 55% 0% (this work) Intel MPX 1 P. Akritidis et al. Baggy Bounds Checking: An efficient and backwards-compatible defense against out-of-bounds errors. Usenix Security'09 2 G. Duck et al. Stack Bounds Protection with Low Fat Pointers. NDSS'17

82 SGXBounds: Implementation SGXBounds (LLVM pass) Source code App (in SCONE) Operating System CPU SGX RAM Instrumentation: data: lower bound metadata after each allocated object pointers: upper bound metadata in each data pointer code: bounds-check before each memory access

83 Security guarantees D T detected? tolerated? MPX RIPE benchmark ASan SGXBounds 2/16 8/16 8/16 Memcached CVE D (T) D (T) D (T) Nginx CVE D (T) D (T) D (T) Apache Heartbleed D (T) D (T) D (T)

84 Case Studies: Full Picture

85 Classes of Defenses against Attacks CF control flow hijack, DO data-only attack, IL information leak

86 SGXBounds and Boundless Memory 63 rcx 31 UB 0 pointer p (p+offset) < LB (p+offset) UB out-ofbounds *(p+offset) referent object Lower Bound (LB) LB victim object Upper Bound (UB) mapping: aligned(p) -> chunk out-of-bounds access LRU cache chunk 1 M. chunk chunk redirect access Rinard et al. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). ACSAC'04

87 SGXBounds: Outside of Enclaves

SCONE: Secure Linux Container Environments with Intel SGX

SCONE: Secure Linux Container Environments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe,