SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Similar documents
Sanctum: Minimal HW Extensions for Strong SW Isolation

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Crypto Background & Concepts SGX Software Attestation

Computer Architecture Background

Intel Software Guard Extensions (Intel SGX)

Intel SGX Virtualization

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Binding keys to programs using Intel SGX remote attestation

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Locking Down the Processor via the Rowhammer Attack

Hardware Enclave Attacks CS261

Intel Software Guard Extensions (Intel SGX) SGX2

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

Cache Side Channel Attacks on Intel SGX

CIS 4360 Secure Computer Systems SGX

Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen. Department of Electrical & Computer Engineering University of Connecticut

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Last 2 Classes: Introduction to Operating Systems & C++ tutorial. Today: OS and Computer Architecture

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Intel So*ware Guard Extensions (Intel SGX) Support for Dynamic Memory Management Inside an Enclave

Recommendations for TEEP Support of Intel SGX Technology

Refresher: Applied Cryptography

Intel 64 and IA-32 Architectures Software Developer s Manual

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Side Channels and Runtime Encryption Solutions with Intel SGX

OS Security IV: Virtualization and Trusted Computing

Software Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Efficient Memory Integrity Verification and Encryption for Secure Processors

SGXBounds Memory Safety for Shielded Execution

Operating Systems CMPSCI 377 Spring Mark Corner University of Massachusetts Amherst

CSAIL. Computer Science and Artificial Intelligence Laboratory. Massachusetts Institute of Technology

Intel Software Guard Extensions (Intel SGX) Developer Guide

TRUSTED COMPUTING TECHNOLOGIES

Intel Software Guard Extensions

SGX memory oversubscription

Micro-Architectural Attacks and Countermeasures

Sealing and Attestation in Intel Software Guard Extensions (SGX)

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

T-SGX: Eradicating Controlled-Channel

Trusted Computing and O/S Security

Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Intel Analysis of Speculative Execution Side Channels

Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtual Memory. Daniel Sanchez Computer Science & Artificial Intelligence Lab M.I.T. November 15, MIT Fall 2018 L20-1

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing

Obliviate: A Data Oblivious File System for Intel SGX. Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee

Hakim Weatherspoon CS 3410 Computer Science Cornell University

Influential OS Research Security. Michael Raitza

Operating System Security

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data

Anne Bracy CS 3410 Computer Science Cornell University

Anne Bracy CS 3410 Computer Science Cornell University

Malware Guard Extension: Using SGX to Conceal Cache Attacks

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

CPS 510 final exam, 4/27/2015

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Virtual Memory. Daniel Sanchez Computer Science & Artificial Intelligence Lab M.I.T. April 12, 2018 L16-1

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

CSE 120 Principles of Operating Systems

Trustzone Security IP for IoT

When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

A Developer's Guide to Security on Cortex-M based MCUs

Side-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Overshadow: Retrofitting Protection in Commodity Operating Systems

Eleos: Exit-Less OS Services for SGX Enclaves

EXTERNALLY VERIFIABLE CODE EXECUTION

SimpleSim: A Single-Core System Simulator

SafeBricks: Shielding Network Functions in the Cloud

Dawn Song

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

arxiv: v2 [cs.cr] 30 Aug 2017

Task Based Programming Revisited Real Time Operating Systems

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing

Operating System Support


6.857 L17. Secure Processors. Srini Devadas

Connecting Securely to the Cloud

IT 540 Operating Systems ECE519 Advanced Operating Systems

Architectural Support for Operating Systems

Comp 204: Computer Systems and Their Implementation. Lecture 18: Devices

Last class: Today: Course administration OS definition, some history. Background on Computer Architecture

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races

AEGIS Secure Processor

0x1A Great Papers in Computer Security

HY225 Lecture 12: DRAM and Virtual Memory

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

HaTCh: State-of-the-Art in Hardware Trojan Detection

Transcription:

CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 3b SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees Slide deck extracted from Kamran s tutorial on SGX and Chenglu s security analysis of SGX, both presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering University of Connecticut With the help of: 1. Intel SGX Tutorial (Reference Number: 332680-002) presented at ISCA 2015 2. Intel SGX Explained, Victor Costan and Srinivas Devadas, CSAIL MIT

Outline SGX Enclave Life Cycle Tracking TLB Flushes SGX Security Properties Misconceptions about SGX Interaction with Anti-Virus Software 2

The Life Cycle of an SGX Enclave Overview Relevant SGX Instructions Example 3

The Life Cycle of an SGX Enclave An enclave s life cycle is all about the allocation of EPC pages. Following are the major transitions during an SGX enclave s life cycle: Creation (ECREATE) Loading (EADD, EEXTEND) Initialization (EINIT) Enter/Exit the Enclave (EENTER/EEXIT) Teardown (EREMOVE) 4

Enclave Creation (ECREATE) Creates a unique instance of an enclave, establishes the linear address range, and serves as the enclave s root of trust Enclave mode of operation (32/64) This information is stored within a Secure Enclaves Control Structure (SECS) generated by ECREATE. 5

Loading (EADD, EEXTEND) EADD Add Regular (REG) or Thread Control Structure (TCS) pages into the enclave System software responsible for selecting free EPC page, type, and attributes, content of the page and the enclave to which the page added to. Initial EPCM entry to indicate type of page (REG, TCS) Linear address, RWX, associate the page to enclave SECS EEXTEND Generates a cryptographic hash of the content of the enclave in 256Byte chunks EEXTEND 16 times for measuring a 4K page 6

Initialization (EINIT) Verifies the enclave s content against the ISV s signed SIGSTRUCT and initializes the enclave Mark it ready to be used Validate SIGSTRUCT is signed using SIGSTRUCT public key Enclave measurement matches the measurement specified in SIGSTRUCT. Enclave attributes compatible with SIGSTRUCT Record sealing identity (sealing authority, product id, SVN) in the SECS 7

Synchronous Enclave Entry (EENTER) Check that Thread Control Structure (TCS) is not busy and flush TLB entries for enclave addresses. Transfer control from outside enclave to pre-determined location inside the enclave Change the mode of operation to be in enclave mode Save RSP/RBP for later restore on enclave asynchronous exit Save XCR0 and replace it with enclave XFRM value 8

Synchronous Enclave Exit (EEXIT) Clear enclave mode and TLB entries for enclave addresses. Transfer control from inside enclave to a location outside the enclave Mark TCS as not busy Responsibility to clear register state is on enclave writer! 9

Teardown (EREMOVE) EREMOVE deallocates/removes a 4KByte page permanently from the EPC A page cannot be removed until there is no thread executing code inside this enclave. A SECS page cannot be removed until all the regular pages of this enclave are removed. The SECS page is removed at the very last, and this also destroys the Enclave. 10

Context Switching/Exception Handling A context switch or exception (e.g. Interrupt) may occur during Enclave s code execution. Enclave s execution context must be stored General Purpose Registers (GPRs) Special Registers indicated by Requested-Feature BitMap (RFBM) register The area used to store an enclave thread s execution context while a hardware exception is handled is called State Save Area (SSA) SSA is implemented by special EPC Page(s) Notice that the saved context (i.e. SSA) is protected being inside the EPC EPC SECS SSA FRAME 11

The State Save Area (SSA) State Save Area (SSA) stores the Enclave s execution context SSAFRAMESIZE field in SECS defines size of the SSA frame (in pages) GPRs are saved to GPR area on top of SSA frame Special Feature Registers are saved into XSAVE area at bottom of SSA frame XFRM field in SECS controls the size of XSAVE area ECREATE instruction checks that all areas fit within an SSA frame EPC SECS SSAFRAMESIZE XFRM GPR Area SSA FRAME Misc. XSAVE Area 12

SGX Enclave Life Cycle Example 13

SGX Enclave Life Cycle Example 14

SGX Enclave Life Cycle Example 15

SGX Enclave Life Cycle Example 16

SGX Enclave Life Cycle Example 17

SGX Enclave Life Cycle Example 18

SGX Enclave Life Cycle Example 19

SGX Enclave Life Cycle Example 20

SGX Enclave Life Cycle Example 21

SGX Enclave Life Cycle Example 22

SGX Enclave Life Cycle Example 23

SGX Enclave Life Cycle Example 24

SGX Enclave Life Cycle Example 25

SGX Enclave Life Cycle Example 26

SGX Enclave Life Cycle Example 27

Outline SGX Enclave Life Cycle Tracking TLB Flushes SGX Security Properties Misconceptions about SGX Interaction with Anti-Virus Software 28

Tracking TLB Flushes In order to evict a batch of EPC pages, the OS kernel must first issue EBLOCK instructions targeting them. The OS is also expected to remove the EPC page s mapping from page tables, but is not trusted to do so. After all the desired pages have been blocked, the OS kernel must execute an ETRACK instruction, which directs the SGX implementation to keep track of which logical processors have had their TLBs flushed. If the OS wishes to evict a batch of EPC pages belonging to multiple enclaves, it must issue an ETRACK for each enclave. (Next slides show an example for a single enclave.) Following the ETRACK instructions, the OS kernel must induce enclave exits on all the logical processors that are executing code inside the enclaves that have been ETRACKed. The SGX design expects that the OS will use IPIs (interrupt processor instructions) to cause AEXs (asynchronous enclave exits) in the logical processors whose TLBs must be flushed. The EPC page eviction process is completed when the OS executes an EWB instruction for each EPC page to be evicted (see previous lecture). 29

Tracking TLB Flushes Tracking TLB flushes is equivalent to verifying that all the logical processors (i.e., all the execution threads within the SGX Enclave) have exited Enclave mode at least once after we start tracking. When a thread exits enclave mode (EEXIT or AES), the corresponding enclave address in the TLB are flushed. We rely on the SECS to store variables for tracking. 30

Tracking TLB Flushes ECREATE SECS.tracking = False SECS.done-tracking = False SECS.active-threads = 1 SECS.tracked-threads = 0 SECS.lp-mask = [.,.,.,.] E NE NE NE 31

Tracking TLB Flushes EBLOCK Targeting a batch of EPC pages to be swapped out ETRACK Start of a TLB tracking cycle SECS.tracking = True SECS.done-tracking = False SECS.active-threads = 4 SECS.tracked-threads = 4 SECS.lp-mask = [0,0,0,0] E E E E 32

Tracking TLB Flushes EEXIT SECS.tracking = True SECS.done-tracking = False SECS.active-threads = 3 SECS.tracked-threads = 3 SECS.lp-mask = [1,0,0,0] NE E E E 33

Tracking TLB Flushes EENTER SECS.tracking = True SECS.done-tracking = False SECS.active-threads = 4 SECS.tracked-threads = 3 SECS.lp-mask = [1,0,0,0] E E E E 34

Tracking TLB Flushes EEXIT / AES SECS.tracking = True SECS.done-tracking = True SECS.active-threads = 1 SECS.tracked-threads = 0 SECS.lp-mask = [1,1,1,1] E NE NE NE 35

Tracking TLB Flushes EWB-VERIFY SECS.tracking = True SECS.done-tracking = True SECS.active-threads = 1 SECS.tracked-threads = 0 SECS.lp-mask = [1,1,1,1] E NE NE NE 36

Tracking TLB Flushes EBLOCK End of a TLB tracking cycle SECS.tracking = False SECS.done-tracking = True SECS.active-threads = 1 SECS.tracked-threads = 0 SECS.lp-mask = [1,1,1,1] E NE NE NE 37

Passive Attacks Address translation used for page swapping An untrusted page table manager can swap pages using page faults and leak information Successful practical attacks on SGX! Image inferred even though it was isolated by SGX Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems, IEEE S&P 2015, by Y. Xu, W. Cui, and M. Peinado Intel s response (by Matt Hoekstra and Frank McKeen) puts blame on software developers https://software.intel.com/enus/blogs/2015/05/19/look-both-ways-andwatch-out-for-side-channels 38

Other Buffers which Need Flushing? Processors do branch prediction and store a history of branch selections in a branch history buffer SGX does not flush this buffer Infer control flow Leaks privacy Demonstrated Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing, eprint Nov 2016, by S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, M. Peinado EEXIT and EAS should have updated microcode which includes a flush of this buffer 39

Outline SGX Enclave Life Cycle Tracking TLB Flushes SGX Security Properties Misconceptions about SGX Interaction with Anti-Virus Software 40

SGX Security Properties An isolated container whose contents receive special hardware protection. This translates to privacy, integrity and freshness guarantees. Offers a certificate-based identity system that can be used to migrate secrets between enclaves that have certificates issued by the same authority. More on this when we talk about attestation (next lecture). 41

Physical Attacks Lack of publicly available details about the hardware implementation of SGX => some avenues for future exploration Note recent NDSS 16 paper OpenSGX: An Open Platform for SGX Research Port attack, especially Generic Debug external Connection. Bus attack, because the data in cache is in plaintext. Bus tapping attack, because SGX does not hide the memory access patterns. Cache timing attack. Intel Management Engine may not be protected. (Will discuss ME in a next lecture.) Fused seal key. -> May use PUF technology instead (a later lecture) Power analysis 42

Privileged Software Attacks The SGX design prevents malicious software from directly reading or from modifying the EPC pages that store an enclave s code and data. This relies on two pillars (isolation principle): First, the SGX implementation runs in the processor s microcode, which is effectively a higher privilege level to which system software has no access. Second, SGX s microcode is always involved when a CPU transitions between enclave code and non-enclave code, and therefore regulates all interactions between system software and an enclave s environment 43

Memory Mapping Attacks SGX can prevent active attacks by rejecting undesirable address translations before they reach the TLB. Also, it prevents the active attacks using page swapping or stale TLB entries. Passive address translation attacks can learn the memory access patterns (as discussed when explaining page swapping). 44

Software Attacks on Peripherals PCI (Peripheral Controller Interface) Express attacks are prevented, because MC rejects any DMA transfer that falls within the Processor Reserved Memory DRAM attacks (e.g. Rowhammer) are prevented due to MEE. Firmware attacks (especially, ME s firmware) are not mentioned in the documents. (ME compromise = DRAM attacks) SGX does not protect against software sidechannel attacks that rely on performance counters (e.g. cache misses, branch predictors). 45

Cache Timing Attacks Cache timing attacks are not mentioned in the threat model. A malicious system software can make it worse. Control the enclave scheduling Control address translation SGX does not prevent this attack, but increases the difficulties: SGX s enclave entry implementation could flush the core s private caches. The Last Level Cache is still vulnerable, because it is shared among all the cores. 46

Misconceptions about SGX Remote attestation relies on the Quoting Enclave with special privileges that allows it to access the processor s attestation key. This assumes the Enclave is isolated properly, but this is not true (e.g. cache side channel). Intel suggests the programmer to remove data dependent memory access, especially for crypto algorithms. 47

Misconceptions about SGX Enclaves Can DOS (Denial-of-service) the System Software The SGX design provides system software the capability to protect itself from enclaves that engage in CPU hogging and DRAM hogging. System software needs to reserve at least one Logical Processor (LP) for non-enclave computation. SGX is tamper-resistant The chip itself does not prevent physical tampering. 48

Interaction with Anti-Virus Software Today s anti-virus (AV) systems are pattern matchers. 1. A generic loader that is undetectable by AV s pattern matcher. 2. Load encrypted malicious payload from Internet. 3. Execute malicious code inside the Enclave. (botnets?) Possible solutions: recording and filtering the I/O performed by software Static analysis 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback