Marten van Dijk
Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen
Department of Electrical & Computer Engineering
University of Connecticut
CSE 5095 & ECE 4451 & ECE 5451 – Spring 2017
SGX Enclave Life Cycle
Tracking TLB Flushes
Security Guarantees
With the help of:
1. Intel SGX Tutorial (Reference Number: 332680-002) presented at ISCA 2015
2. “Intel SGX Explained”, Victor Costan and Srinivas Devadas, CSAIL MIT
Lecture 3b
• Slide deck extracted from Kamran’s tutorial on SGX and Chenglu’s security analysis of SGX, both presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
Outline
SGX Enclave Life Cycle
Tracking TLB Flushes
SGX Security Properties
Misconceptions about SGX
Interaction with Anti-Virus Software
The Life Cycle of an SGX Enclave
• Overview
• Relevant SGX Instructions
• Example
The Life Cycle of an SGX Enclave
An enclave’s life cycle is all about the allocation of EPC pages.
Following are the major transitions during an SGX enclave’s life cycle:
Creation (ECREATE)
Loading (EADD, EEXTEND)
Initialization (EINIT)
Enter/Exit the Enclave (EENTER/EEXIT)
Teardown (EREMOVE)
Enclave Creation (ECREATE)
Creates a unique instance of an enclave, establishes the linear address range, and serves as the enclave’s root of trust
Enclave mode of operation (32/64)
This information is stored within a Secure Enclaves Control Structure (SECS) generated by ECREATE.
Loading (EADD, EEXTEND)
EADD
Add Regular (REG) or Thread Control Structure (TCS) pages into the enclave
System software is responsible for selecting a free EPC page, its type and attributes, the content of the page, and the enclave to which the page is added.
Initial EPCM entry to indicate type of page (REG, TCS)
Linear address, RWX, associate the page to enclave SECS
EEXTEND
Generates a cryptographic hash of the content of the enclave in 256-byte chunks
EEXTEND is executed 16 times to measure a 4K page
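How the EADD/EEXTEND sequence above builds the enclave measurement, as an added example that is not part of the original slides. It assumes the 64-byte SHA-256 update records documented in Intel's SDM for ECREATE, EADD and EEXTEND; the class, the helper names and the three sample pages are constructed for illustration.

```python
import hashlib
import struct

PAGE_SIZE = 4096
CHUNK = 256                       # bytes covered by one EEXTEND
R, W, X = 0x1, 0x2, 0x4           # SECINFO permission bits
PT_TCS, PT_REG = 1 << 8, 2 << 8   # SECINFO page-type field


class EnclaveMeasurement:
    """Software model of the running MRENCLAVE hash kept in the SECS."""

    def __init__(self, ssa_frame_size, enclave_size):
        self.hash = hashlib.sha256()
        self.eextend_count = 0
        # ECREATE record: tag, SSAFRAMESIZE (u32), SIZE (u64), zero padding
        self.hash.update(struct.pack("<8sIQ44x", b"ECREATE",
                                     ssa_frame_size, enclave_size))

    def eadd(self, offset, secinfo_flags):
        # EADD measures the page's offset, type and permissions, not its bytes
        self.hash.update(struct.pack("<8sQQ40x", b"EADD",
                                     offset, secinfo_flags))

    def eextend(self, offset, chunk):
        if len(chunk) != CHUNK or offset % CHUNK:
            raise ValueError("EEXTEND covers one aligned 256-byte chunk")
        # EEXTEND record (tag, offset), followed by the 256 bytes themselves
        self.hash.update(struct.pack("<8sQ48x", b"EEXTEND", offset))
        self.hash.update(chunk)
        self.eextend_count += 1

    def add_page(self, offset, content, secinfo_flags, measured=True):
        if len(content) != PAGE_SIZE or offset % PAGE_SIZE:
            raise ValueError("pages are 4 KB and 4 KB aligned")
        self.eadd(offset, secinfo_flags)
        if measured:
            for i in range(0, PAGE_SIZE, CHUNK):   # 16 EEXTENDs per page
                self.eextend(offset + i, content[i:i + CHUNK])

    def mrenclave(self):
        # Value that EINIT compares with the measurement in SIGSTRUCT
        return self.hash.copy().digest()


def measure(pages, enclave_size=4 * PAGE_SIZE, ssa_frame_size=1):
    m = EnclaveMeasurement(ssa_frame_size, enclave_size)
    for offset, content, flags, measured in pages:
        m.add_page(offset, content, flags, measured)
    return m


# Constructed sample enclave: code page, data page, unmeasured heap page
CODE = bytes([0x90]) * PAGE_SIZE
DATA = bytes(PAGE_SIZE)
HEAP = bytes(PAGE_SIZE)
SAMPLE_PAGES = [
    (0x0000, CODE, R | X | PT_REG, True),
    (0x1000, DATA, R | W | PT_REG, True),
    (0x2000, HEAP, R | W | PT_REG, False),   # EADD only, never EEXTENDed
]

if __name__ == "__main__":
    m = measure(SAMPLE_PAGES)
    print(m.eextend_count, m.mrenclave().hex())
```

The contents of a page that is added but never EEXTENDed do not influence the measurement, while its offset, type and permissions still do.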
Initialization (EINIT)
Verifies the enclave’s content against the ISV’s signed SIGSTRUCT and initializes the enclave – Mark it ready to be used
Validate SIGSTRUCT is signed using SIGSTRUCT public key
Enclave measurement matches the measurement specified in SIGSTRUCT.
Enclave attributes compatible with SIGSTRUCT
Record sealing identity (sealing authority, product id, SVN) in the SECS
Synchronous Enclave Entry (EENTER)
Check that Thread Control Structure (TCS) is not busy and flush TLB entries for enclave addresses.
Transfer control from outside enclave to pre-determined location inside the enclave
Change the mode of operation to be in enclave mode
Save RSP/RBP for later restore on enclave asynchronous exit
Save XCR0 and replace it with enclave XFRM value
Synchronous Enclave Exit (EEXIT)
Clear enclave mode and TLB entries for enclave addresses.
Transfer control from inside enclave to a location outside the enclave
Mark TCS as not busy
Responsibility to clear register state is on enclave writer!
Teardown (EREMOVE)
EREMOVE deallocates/removes a 4KByte page permanently from the EPC
A page cannot be removed until there is no thread executing code inside this enclave.
A SECS page cannot be removed until all the regular pages of this enclave are removed.
The SECS page is removed at the very last, and this also destroys the Enclave.
Context Switching/Exception Handling
A context switch or exception (e.g. Interrupt) may occur during Enclave’s code execution.
Enclave’s execution context must be stored
General Purpose Registers (GPRs)
Special Registers indicated by Requested-Feature BitMap (RFBM) register
The area used to store an enclave thread’s execution context while a hardware exception is handled is called State Save Area (SSA)
SSA is implemented by special EPC Page(s)
Notice that the saved context (i.e. the SSA) is protected because it resides inside the EPC
[Figure labels: EPC, SECS, SSA FRAME]
The State Save Area (SSA)
State Save Area (SSA) stores the Enclave’s execution context
SSAFRAMESIZE field in SECS defines size of the SSA frame (in pages)
GPRs are saved to GPR area on top of SSA frame
Special Feature Registers are saved into XSAVE area at bottom of SSA frame
XFRM field in SECS controls the size of XSAVE area
ECREATE instruction checks that all areas fit within an SSA frame
[Figure: SSA frame layout, with labels SSAFRAMESIZE, GPR Area, XSAVE Area, Misc., XFRM]
SGX Enclave Life Cycle Example
Tracking TLB Flushes
In order to evict a batch of EPC pages, the OS kernel must first issue EBLOCK instructions targeting them. The OS is also expected to remove the EPC page’s mapping from page tables, but is not trusted to do so.
After all the desired pages have been blocked, the OS kernel must execute an ETRACK instruction, which directs the SGX implementation to keep track of which logical processors have had their TLBs flushed.
If the OS wishes to evict a batch of EPC pages belonging to multiple enclaves, it must issue an ETRACK for each enclave. (Next slides show an example for a single enclave.)
Following the ETRACK instructions, the OS kernel must induce enclave exits on all the logical processors that are executing code inside the enclaves that have been ETRACKed. The SGX design expects that the OS will use IPIs (inter-processor interrupts) to cause AEXs (asynchronous enclave exits) in the logical processors whose TLBs must be flushed.
The EPC page eviction process is completed when the OS executes an EWB instruction for each EPC page to be evicted (see previous lecture).
Tracking TLB Flushes
Tracking TLB flushes is equivalent to verifying that all the logical processors (i.e., all the execution threads within the SGX Enclave) have exited Enclave mode at least once after we start tracking.
When a thread exits enclave mode (EEXIT or AEX), the corresponding enclave addresses in the TLB are flushed.
We rely on the SECS to store variables for tracking.
Tracking TLB Flushes
ECREATE
SECS.tracking = False
SECS.done-tracking = False
SECS.active-threads = 1
SECS.tracked-threads = 0
SECS.lp-mask = [.,.,.,.]
[Figure: 2x2 grid of logical processors: E NE / NE NE]
Tracking TLB Flushes
EBLOCK
Targeting a batch of EPC pages to be swapped out
ETRACK
Start of a TLB tracking cycle
SECS.tracking = True
SECS.done-tracking = False
SECS.active-threads = 4
SECS.tracked-threads = 4
SECS.lp-mask = [0,0,0,0]
[Figure: 2x2 grid of logical processors: E E / E E]
Tracking TLB Flushes
EEXIT
SECS.tracking = True
SECS.done-tracking = False
SECS.active-threads = 3
SECS.tracked-threads = 3
SECS.lp-mask = [1,0,0,0]
[Figure: 2x2 grid of logical processors: NE E / E E]
Tracking TLB Flushes
EENTER
SECS.tracking = True
SECS.done-tracking = False
SECS.active-threads = 4
SECS.tracked-threads = 3
SECS.lp-mask = [1,0,0,0]
[Figure: 2x2 grid of logical processors: E E / E E]
Tracking TLB Flushes
EEXIT / AEX
SECS.tracking = True
SECS.done-tracking = True
SECS.active-threads = 1
SECS.tracked-threads = 0
SECS.lp-mask = [1,1,1,1]
[Figure: 2x2 grid of logical processors: E NE / NE NE]
Tracking TLB Flushes
EWB-VERIFY
SECS.tracking = True
SECS.done-tracking = True
SECS.active-threads = 1
SECS.tracked-threads = 0
SECS.lp-mask = [1,1,1,1]
[Figure: 2x2 grid of logical processors: E NE / NE NE]
Tracking TLB Flushes
EBLOCK
End of a TLB tracking cycle
SECS.tracking = False
SECS.done-tracking = True
SECS.active-threads = 1
SECS.tracked-threads = 0
SECS.lp-mask = [1,1,1,1]
[Figure: 2x2 grid of logical processors: E NE / NE NE]
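The tracking cycle walked through on the preceding slides, as an added executable model that is not part of the original deck and is not Intel's microcode. The field names follow the slides; the rules that EENTER marks the entering LP in lp-mask and that EWB requires both tracking and done-tracking are assumptions chosen to reproduce the slide values, and the page names are constructed.

```python
class TrackedEnclave:
    """Model of the SECS fields used to track TLB flushes for one enclave."""

    def __init__(self, num_lps=4):
        self.tracking = False
        self.done_tracking = False
        self.active_threads = 0
        self.tracked_threads = 0
        self.lp_mask = [0] * num_lps
        self.inside = [False] * num_lps   # model-only: LPs in enclave mode
        self.blocked = set()              # EPC pages marked by EBLOCK

    def eenter(self, lp):
        if self.inside[lp]:
            raise RuntimeError("LP already in enclave mode")
        self.inside[lp] = True
        self.active_threads += 1
        if self.tracking:
            # Assumption: entry flushes this LP's enclave TLB entries, so it
            # cannot hold a stale translation from before ETRACK.
            self.lp_mask[lp] = 1

    def eexit(self, lp):
        """EEXIT or AEX: leave enclave mode, flushing enclave TLB entries."""
        if not self.inside[lp]:
            raise RuntimeError("LP is not in enclave mode")
        self.inside[lp] = False
        self.active_threads -= 1
        if self.tracking and not self.lp_mask[lp]:
            self.lp_mask[lp] = 1
            self.tracked_threads -= 1
            if self.tracked_threads == 0:
                self.done_tracking = True

    def eblock(self, page):
        self.blocked.add(page)
        self.tracking = False             # a new batch needs a new ETRACK

    def etrack(self):
        self.tracking = True
        self.tracked_threads = self.active_threads
        self.done_tracking = self.tracked_threads == 0
        self.lp_mask = [0] * len(self.lp_mask)

    def ewb(self, page):
        """Return True only if the page may be evicted safely."""
        if page not in self.blocked:
            return False
        if not (self.tracking and self.done_tracking):
            return False                  # some LP may still cache the mapping
        self.blocked.discard(page)
        return True

    def state(self):
        return (self.tracking, self.done_tracking, self.active_threads,
                self.tracked_threads, list(self.lp_mask))


def replay_slides():
    """Replay the slide sequence and collect the SECS state after each step."""
    e = TrackedEnclave()
    for lp in range(4):
        e.eenter(lp)
    e.eblock("page-A")
    e.etrack()
    trace = [e.state()]                   # EBLOCK + ETRACK
    e.eexit(0)
    trace.append(e.state())               # EEXIT on LP 0
    e.eenter(0)
    trace.append(e.state())               # LP 0 re-enters
    early = e.ewb("page-A")               # LPs 1..3 have not exited yet
    for lp in (1, 2, 3):
        e.eexit(lp)
    trace.append(e.state())               # EEXIT / AEX on LPs 1..3
    evicted = e.ewb("page-A")
    e.eblock("page-B")
    trace.append(e.state())               # EBLOCK ends the cycle
    return trace, early, evicted, e.ewb("page-B")


if __name__ == "__main__":
    for step in replay_slides()[0]:
        print(step)
```

The early EWB is refused because three logical processors could still hold translations for the blocked page; the same check refuses page-B until a new ETRACK cycle completes.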
Passive Attacks
Address translation used for page swapping
An untrusted page table manager can swap pages using page faults and leak information
Successful practical attacks on SGX! Image inferred even though it was isolated by SGX
“Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems”, IEEE S&P 2015, by Y. Xu, W. Cui, and M. Peinado
Intel’s response (by Matt Hoekstra and Frank McKeen) puts blame on software developers
https://software.intel.com/en-us/blogs/2015/05/19/look-both-ways-and-watch-out-for-side-channels
Other Buffers which Need Flushing?
Processors do branch prediction and store a history of branch selections in a branch history buffer
SGX does not flush this buffer => infer control flow => leaks privacy
Demonstrated in “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing”, eprint Nov 2016, by S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, M. Peinado
EEXIT and AEX should have updated microcode which includes a flush of this buffer
SGX Security Properties
An isolated container whose contents receive special hardware protection. This translates to privacy, integrity and freshness guarantees.
Offers a certificate-based identity system that can be used to migrate secrets between enclaves that have certificates issued by the same authority. More on this when we talk about attestation (next lecture).
Physical Attacks
Lack of publicly available details about the hardware implementation of SGX => some avenues for future exploration
Note recent NDSS’16 paper “OpenSGX: An Open Platform for SGX Research”
Port attack, especially Generic Debug eXternal Connection.
Bus attack, because the data in cache is in plaintext.
Bus tapping attack, because SGX does not hide the memory access patterns.
Cache timing attack.
Intel Management Engine may not be protected. (Will discuss ME in a next lecture.)
Fused seal key. -> May use PUF technology instead (a later lecture)
Power analysis
Privileged Software Attacks
The SGX design prevents malicious software from directly reading or from modifying the EPC pages that store an enclave’s code and data.
This relies on two pillars (isolation principle):
First, the SGX implementation runs in the processor’s microcode, which is effectively a higher privilege level to which system software has no access.
Second, SGX’s microcode is always involved when a CPU transitions between enclave code and non-enclave code, and therefore regulates all interactions between system software and an enclave’s environment
Memory Mapping Attacks
SGX can prevent active attacks by rejecting undesirable address translations before they reach the TLB. Also, it prevents the active attacks using page swapping or stale TLB entries.
Passive address translation attacks can learn the memory access patterns (as discussed when explaining page swapping).
Software Attacks on Peripherals
PCI (Peripheral Component Interconnect) Express attacks are prevented, because the memory controller (MC) rejects any DMA transfer that falls within the Processor Reserved Memory
DRAM attacks (e.g. Rowhammer) are prevented due to MEE.
Firmware attacks (especially, ME’s firmware) are not mentioned in the documents. (ME compromise = DRAM attacks)
SGX does not protect against software side-channel attacks that rely on performance counters (e.g. cache misses, branch predictors).
Cache Timing Attacks
Cache timing attacks are not mentioned in the threat model.
Malicious system software can make it worse:
Control the enclave scheduling
Control address translation
SGX does not prevent this attack, but increases the difficulties: SGX’s enclave entry implementation could flush the core’s private caches.
The Last Level Cache is still vulnerable, because it is shared among all the cores.
Misconceptions about SGX
Remote attestation relies on the Quoting Enclave with special privileges that allows it to access the processor’s attestation key.
This assumes the Enclave is isolated properly, but this is not true (e.g. cache side channel).
Intel suggests that programmers remove data-dependent memory accesses, especially in crypto algorithms.
Misconceptions about SGX
Enclaves Can DOS (Denial-of-service) the System Software
The SGX design provides system software the capability to protect itself from enclaves that engage in CPU hogging and DRAM hogging.
System software needs to reserve at least one Logical Processor (LP) for non-enclave computation.
SGX is tamper-resistant
The chip itself does not prevent physical tampering.
Interaction with Anti-Virus Software
Today’s anti-virus (AV) systems are pattern matchers.
1. A generic loader that is undetectable by AV’s pattern matcher.
2. Load encrypted malicious payload from Internet.
3. Execute malicious code inside the Enclave. (botnets?)
Possible solutions:
recording and filtering the I/O performed by software
Static analysis