SgxElide: Enabling Enclave Code Secrecy via Self-Modificationlin.3021/file/CGO18-slides.pdfIntroduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist

SGXELIDE: Enabling Enclave Code Secrecy viaSelf-Modification

Erick Bauman1, Huibo Wang1,Mingwei Zhang2, Zhiqiang Lin1,3

1University of Texas at Dallas2Intel Labs

3The Ohio State University

CGO 2018

Introduction Background and Overview Design and Implementation Evaluation Conclusion

Intel SGX

2 / 23


Intel SGX

Intel SGXProvides secure enclaves

Memory regions isolated from allother codeCannot be accessed by OS orhypervisor

3 / 23


Intel SGX

Intel SGXProvides secure enclavesMemory regions isolated from allother code

Cannot be accessed by OS orhypervisor

3 / 23


Intel SGX

Intel SGXProvides secure enclavesMemory regions isolated from allother codeCannot be accessed by OS orhypervisor

3 / 23


Intel SGX

Hypervisor

Hardware

Operating System

App App App

Trusted

4 / 23


Intel SGX

Hypervisor

Hardware

Operating System

App App App

Trusted

4 / 23


Intel SGX

Client

Disk

Application

Enclave

Code Data

5 / 23


Intel SGX

Client

Enclave

Disk

Application

Enclave

Code Data

Code Data

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

Code Data

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

Code Data

Data Integrity

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

Code Data

Code IntegrityData Integrity

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

CodeSecret Data

Data


5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

CodeSecret Data

Data Secret Data


Data Confidentiality

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

CodeSecret Code

Data Secret Data

?


Data Confidentiality

5 / 23


Intel SGX

Client

Enclave

Disk

AttestApplication

Enclave

Code Data

CodeSecret Code

Data Secret Data

?


Data ConfidentialityCode Confidentiality

5 / 23


Intel SGX

“The enclave file can be disassembled, so the algorithmsused by the enclave developer will not remain secret.”

–SGX SDK Manual

6 / 23


SGXELIDE

DefinitionElide: To leave out or omit

7 / 23


Challenges

Enclaves must be signed and unmodified until initialization

The entire enclave cannot be encryptedAny secrets cannot be stored in the enclaveThere should be minimal toolchain changes

8 / 23


Challenges

Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encrypted

Any secrets cannot be stored in the enclaveThere should be minimal toolchain changes

8 / 23


Challenges

Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encryptedAny secrets cannot be stored in the enclave

There should be minimal toolchain changes

8 / 23


Challenges

Enclaves must be signed and unmodified until initializationThe entire enclave cannot be encryptedAny secrets cannot be stored in the enclaveThere should be minimal toolchain changes

8 / 23


Main Idea

Redact (or sanitize) secrets and restore at runtime

9 / 23


Blacklist vs. Whitelist

Blacklist

User specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes

WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted

10 / 23



BlacklistUser specifies secrets (e.g. annotations)

Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes


10 / 23



BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encrypted

Burden of annotating secrets on developerRisk of mistakes


10 / 23



BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developer

Risk of mistakes


10 / 23



BlacklistUser specifies secrets (e.g. annotations)Minimizes code that must be encryptedBurden of annotating secrets on developerRisk of mistakes


10 / 23




Whitelist

Only specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secretsMore code must be encrypted

10 / 23




WhitelistOnly specify code that must not be redacted

Applicable to any enclaveNo need for developer to mark secretsMore code must be encrypted

10 / 23




WhitelistOnly specify code that must not be redactedApplicable to any enclave

No need for developer to mark secretsMore code must be encrypted

10 / 23




WhitelistOnly specify code that must not be redactedApplicable to any enclaveNo need for developer to mark secrets

More code must be encrypted

10 / 23





10 / 23


Our Solution

Sign sanitized enclave and restore secrets after initializing

Encrypt all nonessential functionsUse remote attestationUse both local and remote storage

11 / 23


Our Solution

Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functions

Use remote attestationUse both local and remote storage

11 / 23


Our Solution

Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functionsUse remote attestation

Use both local and remote storage

11 / 23


Our Solution

Sign sanitized enclave and restore secrets after initializingEncrypt all nonessential functionsUse remote attestationUse both local and remote storage

11 / 23


SGXELIDE Overview

Enclave

Runtime Restorer

Sanitizer

secret.so

dummy.so

secret enclavecode

Compiler,Linker

Compiler,Linker

dummy enclave code

secret.so

sanitized.so

secretdata

Dummy Enclave Code Generation

Normal Enclave Code Generation

Runtime Secret Enclave Code Restoration

12 / 23


Remote vs. Local Data

Secret Data

13 / 23



Secret Data

13 / 23



Secret Key

Secret Data

14 / 23



Secret Key

Secret Data

14 / 23



Secret Key

Secret Data

14 / 23


SGXELIDE Design - Remote Data

Authentication Server

User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

1

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

1

2

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

secretdata

metadata

1

2

3

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

secretdata

metadata

1

2

3

4

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

secretdata

metadata

1

2

3

4

5

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

secretdata

metadata

1

2

3

4

5

6

15 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

secretdata

metadata

sealed secret data

1

2

3

4

5

6

7

15 / 23


SGXELIDE Design - Local Data


User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

encrypted secret data

16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

1


16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

1

2


16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

metadata

1

2

3


16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

metadata

metadata

1

2

3


4

16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

metadata

1

2

35


4

16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

metadata

1

2

35 6


4

16 / 23




User Platform

Application

Enclave

Untrusted Code

FileSystem

secretdata

metadata

metadata

sealed secret data

1

2

35 6

7


4

16 / 23


Benchmarks

Original LOC w/ SGX LOC w/ SGXELIDE TC TC Sanitized SanitizedBenchmarks LOC UC TC UC TC Functions Bytes Functions Bytes

AES 802 472 427 522 540 185 75999 15 3840DES 473 463 372 513 485 179 75455 9 3296Sha1 315 423 251 473 364 179 73791 9 1632Shas 2417 1529 1240 1579 1353 224 80127 54 79682048 413 551 192 601 305 208 76351 38 4448Biniax 3523 3582 193 3632 306 208 76351 38 4448Crackme 48 316 93 366 206 182 73711 12 1536

17 / 23


Sanitization/Restoration Time

Remote Data Local DataSanitize Stand. Restore Stand. Sanitize Stand. Restore Stand.

Benchmarks Time Dev. Time Dev. Time Dev. Time Dev.AES 0.09 0.01 4.06 0.54 0.15 0.01 3.76 0.20DES 0.09 0.01 3.99 0.52 0.14 0.01 3.97 0.75Sha1 0.09 0.01 3.67 0.35 0.14 0.01 3.97 0.98Shas 0.09 0.00 4.06 0.53 0.15 0.01 4.26 0.972048 0.09 0.01 3.78 0.52 0.15 0.01 3.73 0.28Biniax 0.09 0.00 4.44 0.61 0.15 0.01 4.32 0.92Crackme 0.09 0.01 3.53 0.28 0.15 0.00 3.54 0.78

18 / 23


SGXELIDE Overhead - Remote Data

AES DESSha1

ShasCrackme

99%

100%

101%

102%

103%

104%

105%

Rel

ativ

ePe

rform

ance

w/ SGX

w/ SGXELIDE

19 / 23


SGXELIDE Overhead - Local Data

AES DESSha1

ShasCrackme

99%

100%

101%

102%

103%

104%

105%

Rel

ativ

ePe

rform

ance

w/ SGX

w/ SGXELIDE

20 / 23


Discussions

SGXELIDE enclaves are self-modifying!

How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?

Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready

21 / 23


Discussions

SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?

How do we protect vulnerable enclaves?How does this influence side-channel attacks?


21 / 23


Discussions

SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?

How does this influence side-channel attacks?


21 / 23


Discussions

SGXELIDE enclaves are self-modifying!How do we defend against malicious enclaves?How do we protect vulnerable enclaves?How does this influence side-channel attacks?


21 / 23


Discussions


Limitations and future work

Framework not completely transparentWould be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready

21 / 23


Discussions


Limitations and future workFramework not completely transparent

Would be useful to test SGXELIDE with large-scale softwareFramework is proof-of-concept and not production ready

21 / 23


Discussions


Limitations and future workFramework not completely transparentWould be useful to test SGXELIDE with large-scale software

Framework is proof-of-concept and not production ready

21 / 23


Discussions



21 / 23


Conclusion

SGXELIDE

Presented framework for SGX that ensures code confidentialitySanitize enclave and dynamically restore code at runtimeEvaluated SGXELIDE’s performance with SGX benchmarks wedevelopedShowed SGXELIDE has very little overhead with no performancepenalty after restoration

SGXELIDE Sourcegithub.com/utds3lab/sgxelide

22 / 23

github.com/utds3lab/sgxelide


Conclusion

SGXELIDE

Presented framework for SGX that ensures code confidentialitySanitize enclave and dynamically restore code at runtimeEvaluated SGXELIDE’s performance with SGX benchmarks wedevelopedShowed SGXELIDE has very little overhead with no performancepenalty after restoration

SGXELIDE Sourcegithub.com/utds3lab/sgxelide

22 / 23



Thank You

Enclave

Runtime

RestorerSanitizer

secret.so

dummy.so

secret enclavecode

Compiler,

Linker

Compiler,

Linker

dummy enclave code

secret.so

sanitized.so

secretdata

Dummy Enclave Code Generation

Normal Enclave Code Generation

Runtime Secret Enclave Code Restoration

outer enclave inner enclave

metadata

[email protected]/utds3lab/sgxelide

23 / 23


Documents

SgxElide: Enabling Enclave Code Secrecy via Self-Modificationlin.3021/file/CGO18-slides.pdfIntroduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist