Intel®So*wareGuardExtensions(Intel®SGX)SupportforDynamicMemoryManagementInsideanEnclave

FrankMcKeen,IlyaAlexandrovich,IGaiAnaH,DrorCaspi,SimonJohnson,RebekahLeslie-Hurd,CarlosRozasIntelCorporaHon

SaeidMofrad

1-INTRODUCTION:

SGX:So*wareGuardExtensionsprovidesthecapabilitytoprotectspecifiedareasofanapplicaHonfromoutsideaccess.TheareaiscalledanenclaveandhardwareprovidesconfidenHalityandintegrityforthespecifiedarea.SGXallowsso*waredeveloperstobuildtrustedmodulesinsideanapplicaHontoprotectsecrets.Aso*waredeveloperspecifiesthecontentsofanenclaveandarelyingpartycanconfirmthattheareaisinstanHatedcorrectlyonaremotemachine.

ApplicaHondevelopmentconsideraHon:

ApplicaHondevelopmentconsideraHon[3]:

ApplicaHondevelopmentconsideraHon[3]:

ApplicaHondevelopmentconsideraHon[3]:

MOTIVATION OF SGX-2: THREE SHORTCOMINGS WITH THE SGX1

•  Firstallenclavememorymustbecommi2edatenclavebuild4me.Thisincreasesthebuild4me.Commi\ngmemoryplacespressureontheenclavepagecache(EPC),theenclavedevelopermustallocatememoryforworst-casememoryconsumpHonofanyworkload.Otherwise,theenclavedeveloperwillneedtoreleasesenclavesdesignedfordifferentsizeworkloads.

•  Thesecondshortcomingisrelatedtothemanagementofaccesspermissionsassociatedwithanenclavepage.SGXextendstheaccesspermissionmodelbyassociaHnganaddiHonalsetofaccesspermissionswithenclavepagethatarestoredinaSGXstructurecalledtheEnclavePageCacheMap(EPCM)

•  ThelastshortcomingisrelatedtolibraryOSsupportwheresecureexcepHonalhandlingandlazyloadingcodeinsideanenclaveareimportantfeatures.SGX-1didn’thaveinformaHonrecordedwhenageneralprotecHonfaultorpagefaultoccursinsideanenclave

•  Toaddresstheseproblemssixnewinstruc4onsandnewexcep4onbehaviorwereaddedtotheSGXarchitectureknownasSGX2

2 SGX2 CONSIDERATIONS & REQUIREMENTS: •  ManipulaHngmemoryandpermissionsofanenclavemustbedonewiththeknowledgeandconsentoftheenclave.

•  Ifenclavecodeischangedincorrectlyorwithoutknowledgeoftheenclave,execuHonshouldbesuspendedunHlthecondiHonisresolved.Itenablestheenclavetomanageitsownsecurity

•  Thesystemresourcemanager(OSorVMM)mustbeabletomanageandallocatetheresourcesasrequestedusingstandardtechniquesandprioriHes.

•  ManipulaHonofmemorypermissionsinvolvesboththesystempermissionsandtheEPCMpermissions.EPCMpermissionsallowtheenclavedevelopertospecifytherestricHonsandaccesscontrolfortheenclave

•  SGX2memorymanagement->(systemmanager)whichmanagesthesystemresources

•  internalenclaveresourcemanager(internalmanager)whichmanagestheenclavememoryfrominsidetheenclave.

•  AprotocolwhichconsistsofcommunicaHonbetweenthesystemmanagerandaninternalmanageristhis:

•  Thesystemmemorymanager•  allocaHngmemory->pagingmemory->changing

permissions,->changingpagetypes.->managingthepagetableentrypermissions->iniHaHngEPCMpermissionsoftheenclaves(bycallinginstrucHon.)

•  Theinternalmanager•  star4ngmemorychangerequests->verifying

thatthesystemmanagerhasprocessedtherequestscorrectly.

•  Theinternalmanagerdoesnothavedirectaccesstothepagetablesandmustrequestthesystemmanagertomakechangesinpagetableentry(PTE)permissions.

2.1 SECURITY CONSIDERATIONS

•  Mustensurethatchangesinpermissiondonotaffectthesecurityoftheenclave.

•  Whenrestrictpagepermissions->checkpermissionrestric4onsarecompleteandthepreviouscachedaddresstranslaHonsorcachedpermissionsareremoved.SGX2checksoldpermissionsareremovedfromtheTLBs

•  SGX1allowsthesystemmemorymanagertoremovepagesfromanenclaveusingtheEREMOVEleaffuncHon.However,sincetheenclavedoesn’tparHcipateinthisprocessitdoesn’tknowifthepageremoved.

2.2 SOFTWARE CONSIDERATIONS

•  Internalmemorymanagerwantstoreallocatethememoryresources:addathread;mustallocatedasThreadControlStructure(TCS),StateSaveArea(SSA)pages.Addmorememorytoenclave.

•  Excep4onRepor4ngInsideanEnclave:forLibraryOSusage.InthiscasetheexcepHoncondiHonshouldbereportedinsidetheenclave.SGX2addsseveralexcepHoncondiHonstotheSSAframewhenexiHnganenclave.Theyincludepagefaults(#PF)andgeneralprotecHonviolaHons(#GP).

•  DemandLoadingofLibraryPages:TheinternalmanagermusthaveamechanismtoloadthepagewithoutallowingaccessunHlthecopyiscomplete.SGX2addsaleaffuncHontoperformthecopysecurely.

3.1 ENCLAVE MALLOC

•  Thefollowingisprotocol:

•  1.Internalmanagerrequestsmemory->enclaverunHmesystemfromitsinternalpoolofmemory.memorypoollowtheinternalmanager->requeststhesystemmanagertoallocatemorememory.

•  2.Thesystemmanagerallocatesvirtualaddressspacebutdoesnotcommitmemoryand->returnsareferencetothevirtualaddressspacetotheinternalmanager

•  3.Theenclaveinternalmanager->returnsareferencetotheenclave.Whentheenclaveaccessesthenewlyallocatedmemory,->apagefaultisgeneratedasmemoryhasnotbeencommiGed.

•  4.TheOSpagefaulthandlerdetectsthatthevirtualaddresshasbeenallocatedbutmemoryhasnotbeencommiGed.->TheOScommitsmemorybyusingEAUGandmapsthecommiGedbutpendingpageintotheenclaveaddressspace->TheOSthensendsasignaltotheenclaveinternalmanager.

•  5.Theinternalmanagerreceivesthe->TheinternalmanagerchecksthatthevirtualaddresshasbeencommiGed->theinternalmanagerexecutesEACCEPTwhichallowstheenclavetoaccessthependingpage.->ThesignalhandlerreturnsbacktotheapplicaHonwhicheventuallyresultsintheenclaveexecuHonresuming.

3.2 ENCLAVE FREE

•  Thefollowingisanexampleprotocol:

•  1.Theenclavereleasesmemory->internalmanagerreleaseaddressspacebacktotheOS.

•  2.ThesystemmanagerexecutesEMODTonallpages->changethepagetypetoPT_TRIMand->cleartheEPCMaccesspermissionbits.Thisbeginstheprocessofdecommi\ngmemory.ThesystemmanagerthenexecutesETRACKontheSECSofthecallingenclaveandthensendsIPIstologicalprocessorswhichmaycontainTLBmappingstothepagesthathadbeentrimmed.

•  3.OncealllogicalprocessorsrespondedtotheIPI,controlisreturnedtotheinternalmanager.

•  4.TheinternalmanagerverifiesthatcommiGedmemoryhasbeendecommiGedbyexecuHngEACCEPTtoverifythatthepagestrimmedandallstaleTLBmappingshavebeenflushed.TheinternalmanagerneedstoupdateitstrackinginformaHonthatthevirtualaddresshasnocommiGedmemory.

•  5.ThesystemmanagercanlaterreclaimthecommiGedmemorybyexecuHngEREMOVEonthetrimmedpages.

3.3 CHANGING PAGE PERMISSIONS

•  Changeispermissivethenthefollowingprotocol:

•  1.internalmanagerrunsEMODPEtoextendthepagepermissionsintheEPCM.

•  2.Theinternalmanagerrequeststhesystemmanagertoextendpagepermissionsinthepagetables.

•  IfthechangeinpermissionisrestricHvethenthefollowingprotocol:

•  1.Theinternalmanagerrequeststhatthesystemmanagertorestrictpermissionsonapage.

•  2.ThesystemmanagerexecutesEMODPRandupdatespagetablepermissions.A*erpermissionshavebeenupdated,thesystemmanagerexecutesETRACKontheSECSofthecallingenclaveandsendsIPIstoallprocessorsthatmaybeexecuHnginsidetheenclavetoflushTLBmappings.

•  3.A*erallIPIshavebeenacknowledged,controlisreturnedtotheinternalmanager.TheinternalmanagerverifiesthatpagepermissionsrestrictedandTLBmappingsflushedbyexecuHngEACCEPT

3.4 THREAD CONTROL STRUCTURE ALLOCATION

•  1.InternalmanageriniHalizesfromaregularEPCpagewithappropriateTCSvalues.IftheenclavememoryhasnotbeencommiGedtheninternalmanagerwillneedtoperformarequesttoallocatememoryasdescribedinsecHon3.1.,theninternalmanagerrequeststhatthesystemmanagerconvertthepagetoaTCS.

•  2.ThesystemmanagerexecutesEMODTtosetthepagetypetoPT_TCSandtocleartheEPCMaccesspermissionbits.ThepageisalsomarkedmodifiedwhichpreventsthepagefrombeingusedasaTCS.

•  3.ThesystemmanagerthenexecutesETRACK.ThesystemmanagersendsIPIstoflushalloldmappingstothepageandreturnscontroltotheinternalmanager.

•  4.TheinternalmanagerexecutesEACCEPTonthemodifiedTCSpage.EACCEPTwillverifythatTLBmappingsflushedandperformconsistencychecksontheTCSpagethenclearingthemodifiedbitandmakingthepageavailabletoEENTER.

DYNAMIC LOADING OF MODULES

•  SGX2providesEACCEPTCOPYwhichallowstheinternalmanagertoatomicallyiniHalizethecontentsandpermissionofapage.

•  1.theinternalmanagerindicatestothesystemmanagerthatavirtualaddressspaceallocatedbutnotcommiGed(sameasin3.1).

•  2.WhenanenclaveaGemptstoaccessapageinthisvirtualaddress,apagefaultisgeneratedandthesystemmanagercommitsmemorybyexecuHngEAUGandsignalstheinternalmanager.

•  3.TheinternalmanageridenHfiesthevirtualaddressasbelongingtoamodulepagetobeloaded.ThesystemmanagermayloadthecontentsofthepageintoregularmemoryortheenclaverunHmesystemmayneedtorequestthecontentbeloadedintoregularmemory.

•  4.Theinternalmanagerthencopiesthecontentsofthemoduleintoprivateenclavememory.TheinternalmanagershouldverifytheintegrityofthecontentsandapplyanyrequiredrelocaHons.Finally,theinternalmanagercopiesthecontentsandiniHalizespermissionsusingEACCEPTCOPY.

3.6 LIBRARY OS SUPPORT

1.  TheprocessbeginswithanexcepHongeneratedinsideanenclave.TheprocessorrecordsexcepHoninformaHonintheSSAanddeliverstheexcepHontotheOSexcepHonhandler.

2.  IftheOScannothandletheexcepHon,theOSsignalstheLibOSPAL(PlamormAdaptaHonLayer)excepHonhandler.

3.  3.TheLibOSPALexecutesEENTERtoinvoketheLibOSexcepHonhandlerinsidetheenclave.

4.  4.TheLibOSexcepHonhandlerreadstheexcepHoninformaHonthengeneratesanOSspecificexcepHoncontext,andinvokestheapplicaHonexcepHonhandlerinsidetheSGXenabledLibOS.

4.1 SGX2 ISA, ENCLS LEAF FUNCTIONS , EAUG •  EAUGaugmentstheenclavewithapageofEPCmemory->associatesthatpagewithanSECSpage,andupdaHngthelinearaddressandsecurityaGributesinthepage’sEPCM->putsthepagein“Pending”state.

•  twoinputparameters,apointertothedesHnaHonpageinEPC,andapointertotheenclave’sSECSpage.

•  Whilein“Pending”state,thepagecannotbeaccessedbyanyone,includingtheenclave.Onlya*ertheenclaveapprovesthepagebyusingtheENCLU[EACCEPT]thepagebeaccessibletotheenclave.

ENCLS LEAF FUNCTIONS , EMODT

•  EMODTmodifiesthetypeofanEPCpageandputsthepagein“Modified”state.AllowedpagetypesarePT_TCSandPT_TRIM.TheoperaHonreceivestwoinputparameters,apointertothetargetpageinEPC,andapointertothepage’snewsecurityaGributes.Whilein“Modified”state,thepagecannotbeaccessedbyanyone,includingtheenclave.Onlya*ertheenclaveapprovesthepagebyusingtheENCLU[EACCEPT]leaffuncHon,willthepagebeaccessibletotheenclave.

ENCLS LEAF FUNCTIONS , EMODPR

•  EMODPRThisleaffuncHonrestrictstheaccessrightsassociatedwithanEPCpageofaniniHalizedenclaveandputsthepagein“PermissionRestricHon”state.TheoperaHonreceivestwoinputparameters,apointertothetargetpageinEPC,andapointertothepage’snewsecurityaGributes.TheoperaHonwillfailifitaGemptstoextendthepermissionsofthepage.Whilein“PermissionRestricHon”state,thepagecannotbeaccessedbyanyone,includingtheenclave.Onlya*ertheenclaveapprovesthepagebyusingtheENCLU[EACCEPT]leaffuncHon,willthepagebeaccessibletotheenclave.

ENCLU LEAF FUNCTIONS, EACCEPT

•  ThisleaffuncHonmustbeexecutedfromwithinanenclave.ItacceptschangestoapageintherunningenclavebyverifyingthatthesecurityaGributesspecifiedinSECINFOmatchthepage’ssecurityaGributesinEPCM.TheoperaHonreceivestwoinputparameters,apointertothetargetpageinEPC,andapointertothepage’sapprovednewsecurityaGributes.A*erasuccessfulexecuHonofEACCEPTthepage’s“Pending”,“Modified”,or“PermissionRestricHon”stateisclearedandthepagebecomesaccessibletotheenclave.

ENCLU LEAF FUNCTIONS ,EACCEPTCOPY

•  ThisleaffuncHonmustbeexecutedfromwithinanenclave.ItcopiesthecontentsofanexisHngEPCpageintoanuniniHalizedEPCpagethatwascreatedbyEAUG.TheoperaHonreceivesthreeinputparameters,apointertothetargetpageinEPC,apointertothepage’snewsecurityaGributes,andapointertothepage’snewcontent.A*erasuccessfulexecuHonofEACCEPTCOPYthepage’s“Pending”stateisclearedandthepagebecomesaccessiblefortheenclave

ENCLU LEAF FUNCTIONS, EMODPE

•  ThisleaffuncHonmustbeexecutedfromwithinanenclave.ItextendstheaccessrightsassociatedwithanexisHngEPCpageintherunningenclave.TheoperaHonreceivestwoinputparameters,apointertothetargetpageinEPC,andapointertothepage’snewsecurityaGributes.TheoperaHonwillfailifitaGemptstorestrictpermissionsofthepage.SincetheexecuHonhappensfromwithintheenclave,it’strustedandtakeseffectimmediately.

MANAGING PAGE TABLE TRANSLATIONS

ENCLAVE EXCEPTION HANDLING ENHANCEMENTS

•  thecauseoftheAEXisstoredintheEXITINFOfieldintheSSA.

•  IfSECS.MISCSELECT.EXINFObitissetbyenclavewriter,theprocessorsaves#PFand#GPinformaHonintotheEXINFOstructure

4.5 EPCM-INDUCED MEMORY FAULT REPORTING

•  A#PFexcepHonisgenerated•  AbitinthePageFaultErrorCode(PFEC)indicatesthatthepagefaultwasduetoEPCMaccesschecks.ThisbitislocatedatbitposiHon15andcalled“SGX”

SUMMARY AND RELATED WORK

•  NewinstrucHonstotheSGX1providebeGerso*waredevelopmentenvironmentwhilemaintainingthesecurityoftheenclave.TheSGX2instrucHonsenablebeGerprotecHonofproprietarycodewhichcanbeloadedandthenprotectedusingtheEPCM.

•  Allowfordynamicmemoryandthreadingsupport•  SupportdynamicallocaHonoflibrarypagesinthelibraryOSenvironment.

EndofPresenta4on