Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
SGXELIDE: Enabling Enclave Code Secrecy viaSelf-Modification
Erick Bauman1, Huibo Wang1,Mingwei Zhang2, Zhiqiang Lin1,3
1University of Texas at Dallas2Intel Labs
3The Ohio State University
CGO 2018
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
2 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Intel SGXProvides secure enclaves
Memory regions isolated from allother codeCannot be accessed by OS orhypervisor
3 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Intel SGXProvides secure enclavesMemory regions isolated from allother code
Cannot be accessed by OS orhypervisor
3 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Intel SGXProvides secure enclavesMemory regions isolated from allother codeCannot be accessed by OS orhypervisor
3 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Hypervisor
Hardware
Operating System
App App App
Trusted
4 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Hypervisor
Hardware
Operating System
App App App
Trusted
4 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Disk
Application
Enclave
Code Data
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
Application
Enclave
Code Data
Code Data
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
Code Data
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
Code Data
Data Integrity
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
Code Data
Code IntegrityData Integrity
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
CodeSecret Data
Data
Code IntegrityData Integrity
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
CodeSecret Data
Data Secret Data
Code IntegrityData Integrity
Data Confidentiality
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
CodeSecret Code
Data Secret Data
?
Code IntegrityData Integrity
Data Confidentiality
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
Client
Enclave
Disk
AttestApplication
Enclave
Code Data
CodeSecret Code
Data Secret Data
?
Code IntegrityData Integrity
Data ConfidentialityCode Confidentiality
5 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Intel SGX
“The enclave file can be disassembled, so the algorithmsused by the enclave developer will not remain secret.”
–SGX SDK Manual
6 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE
DefinitionElide: To leave out or omit
7 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Challenges
Enclaves must be signed and unmodified until initialization
The entire enclave cannot be encryptedAny secrets cannot be stored in the enclaveThere should be minimal toolchain changes
8 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Challenges
Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encrypted
Any secrets cannot be stored in the enclaveThere should be minimal toolchain changes
8 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Challenges
Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encryptedAny secrets cannot be stored in the enclave
There should be minimal toolchain changes
8 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Challenges
Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encryptedAny secrets cannot be stored in the enclaveThere should be minimal toolchain changes
8 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Main Idea
Redact (or sanitize) secrets and restore at runtime
9 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
Blacklist
User specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)
Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encrypted
Burden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developer
Risk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
Whitelist
Only specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redacted
Applicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclave
No need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secrets
More code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Blacklist vs. Whitelist
BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes
WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted
10 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Our Solution
Sign sanitized enclave and restore secrets after initializing
Encrypt all nonessential functionsUse remote attestationUse both local and remote storage
11 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Our Solution
Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functions
Use remote attestationUse both local and remote storage
11 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Our Solution
Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functionsUse remote attestation
Use both local and remote storage
11 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Our Solution
Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functionsUse remote attestationUse both local and remote storage
11 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Overview
Enclave
Runtime Restorer
Sanitizer
secret.so
dummy.so
secret enclavecode
Compiler,Linker
Compiler,Linker
dummy enclave code
secret.so
sanitized.so
secretdata
Dummy Enclave Code Generation
Normal Enclave Code Generation
Runtime Secret Enclave Code Restoration
12 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Remote vs. Local Data
Secret Data
13 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Remote vs. Local Data
Secret Data
13 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Remote vs. Local Data
Secret Key
Secret Data
14 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Remote vs. Local Data
Secret Key
Secret Data
14 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Remote vs. Local Data
Secret Key
Secret Data
14 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
1
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
1
2
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
secretdata
metadata
1
2
3
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
secretdata
metadata
1
2
3
4
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
secretdata
metadata
1
2
3
4
5
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
secretdata
metadata
1
2
3
4
5
6
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Remote Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
secretdata
metadata
sealed secret data
1
2
3
4
5
6
7
15 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
encrypted secret data
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
1
encrypted secret data
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
1
2
encrypted secret data
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
metadata
1
2
3
encrypted secret data
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
metadata
metadata
1
2
3
encrypted secret data
4
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
metadata
1
2
35
encrypted secret data
4
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
metadata
1
2
35 6
encrypted secret data
4
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Design - Local Data
Authentication Server
User Platform
Application
Enclave
Untrusted Code
FileSystem
secretdata
metadata
metadata
sealed secret data
1
2
35 6
7
encrypted secret data
4
16 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Benchmarks
Original LOC w/ SGX LOC w/ SGXELIDE TC TC Sanitized SanitizedBenchmarks LOC UC TC UC TC Functions Bytes Functions Bytes
AES 802 472 427 522 540 185 75999 15 3840DES 473 463 372 513 485 179 75455 9 3296Sha1 315 423 251 473 364 179 73791 9 1632Shas 2417 1529 1240 1579 1353 224 80127 54 79682048 413 551 192 601 305 208 76351 38 4448Biniax 3523 3582 193 3632 306 208 76351 38 4448Crackme 48 316 93 366 206 182 73711 12 1536
17 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Sanitization/Restoration Time
Remote Data Local DataSanitize Stand. Restore Stand. Sanitize Stand. Restore Stand.
Benchmarks Time Dev. Time Dev. Time Dev. Time Dev.AES 0.09 0.01 4.06 0.54 0.15 0.01 3.76 0.20DES 0.09 0.01 3.99 0.52 0.14 0.01 3.97 0.75Sha1 0.09 0.01 3.67 0.35 0.14 0.01 3.97 0.98Shas 0.09 0.00 4.06 0.53 0.15 0.01 4.26 0.972048 0.09 0.01 3.78 0.52 0.15 0.01 3.73 0.28Biniax 0.09 0.00 4.44 0.61 0.15 0.01 4.32 0.92Crackme 0.09 0.01 3.53 0.28 0.15 0.00 3.54 0.78
18 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Overhead - Remote Data
AES DESSha1
ShasCrackme
99%
100%
101%
102%
103%
104%
105%
Rel
ativ
ePe
rform
ance
w/ SGX
w/ SGXELIDE
19 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
SGXELIDE Overhead - Local Data
AES DESSha1
ShasCrackme
99%
100%
101%
102%
103%
104%
105%
Rel
ativ
ePe
rform
ance
w/ SGX
w/ SGXELIDE
20 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!
How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?
How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?
How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future work
Framework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparent
Would be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale software
Framework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Discussions
SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?
Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready
21 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Conclusion
SGXELIDE
Presented framework for SGX that ensures code confidentialitySanitize enclave and dynamically restore code at runtimeEvaluated SGXELIDE’s performance with SGX benchmarks wedevelopedShowed SGXELIDE has very little overhead with no performancepenalty after restoration
SGXELIDE Sourcegithub.com/utds3lab/sgxelide
22 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Conclusion
SGXELIDE
Presented framework for SGX that ensures code confidentialitySanitize enclave and dynamically restore code at runtimeEvaluated SGXELIDE’s performance with SGX benchmarks wedevelopedShowed SGXELIDE has very little overhead with no performancepenalty after restoration
SGXELIDE Sourcegithub.com/utds3lab/sgxelide
22 / 23
Introduction Background and Overview Design and Implementation Evaluation Conclusion
Thank You
Enclave
Runtime
RestorerSanitizer
secret.so
dummy.so
secret enclavecode
Compiler,
Linker
Compiler,
Linker
dummy enclave code
secret.so
sanitized.so
secretdata
Dummy Enclave Code Generation
Normal Enclave Code Generation
Runtime Secret Enclave Code Restoration
outer enclave inner enclave
metadata
[email protected]/utds3lab/sgxelide
23 / 23