Autarky: Closing controlled channels with self-paging enclaves Meni - - PowerPoint PPT Presentation

autarky closing controlled channels with self paging
SMART_READER_LITE
LIVE PREVIEW

Autarky: Closing controlled channels with self-paging enclaves Meni - - PowerPoint PPT Presentation

Jul 12, 2023 662 likes •974 views

Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew Baumann, Microsoft Research Mark Silberstein, Technion Public cloud computing Enclave Enclave Enclave Sensitive data 29-Apr-20 Meni Orenbach,

slide-1
SLIDE 1

Autarky: Closing controlled channels with self-paging enclaves

Meni Orenbach, Technion Andrew Baumann, Microsoft Research Mark Silberstein, Technion

slide-2
SLIDE 2

Public cloud computing

Sensitive data Enclave Enclave Enclave

2 29-Apr-20 Meni Orenbach, EuroSys 2020

slide-3
SLIDE 3

Intel SGX

  • Isolated user-mode environment
  • Commodity CPUs
  • Small trusted computing base
  • CPU
  • Enclave’s code and data
  • Confidentiality
  • Integrity

Operating System

Enclave Enclave Enclave

3 29-Apr-20 Meni Orenbach, EuroSys 2020

slide-4
SLIDE 4

Page fault side-channel attack

4 29-Apr-20 Meni Orenbach, EuroSys 2020

Original Recovered

Xu, Y., Cui, W. and Peinado, M., 2015. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems.

  • OS-level attacker
  • Induces page faults
  • Tracks faulted address
  • Infer secrets content that depends
  • n page access patterns
  • Control-dependent accesses
  • Data-dependent accesses

Controlled-Channel Attacks:

slide-5
SLIDE 5

Controlled-channel attack

5 29-Apr-20 Meni Orenbach, EuroSys 2020

  • Precursor to other attacks
  • Foreshadow [Usenix Security’18]
  • Sgxspectre [arXiv’18]
  • LVI [IEEE S&P’20]
  • Microscope [ISCA’19]
  • Zombieload [CCS’19]

Why?

  • Attacker controls the channel
  • Precise
  • No noise
slide-6
SLIDE 6

Agenda

Background Controlled-Channel Attack Self-Paging Enclaves Evaluation

slide-7
SLIDE 7

SGX virtual memory protection

  • SGX validates the OS does not insert spurious mappings
  • SGX does not validate the prescence of expected mappings

SGX Reverse page table

7 29-Apr-20 Meni Orenbach, EuroSys 2020

Page table (maintained by OS) VA PA 10000 f0000 PA VA f0000 10000 (Inaccessible by OS)

slide-8
SLIDE 8

The missing component

29-Apr-20 Meni Orenbach, EuroSys 2020 8

SGX Reverse page table

?

Active mapping attacks defense Side-channel attacks defense Validate mapping Validate presence of expected mappings

slide-9
SLIDE 9

Implication: Controlled channel attack

9 29-Apr-20 Meni Orenbach, EuroSys 2020

Application code

for (i=0;i<key_len;i++) if (key[i] == 1) mul(msg); Page fault

  • n 0x5000

Enclave

Operating System

SGX Reverse page table resolve fault Resume PF addr: 0x5000 VA PA P 5000 f0000 2000 e0000

Branch in page 0x5000

1 Page fault

  • n 0x2000

PF addr: 0x2000

Function in page 0x2000 I know that key[i]=1

slide-10
SLIDE 10

Existing Software Mitigations

  • Detect attack due to high frequency of exceptions
  • Restrict demand-paging
  • False positive occurrence
  • Provably obfuscate all memory accesses
  • Orders of magnitude performance impact

29-Apr-20 Meni Orenbach, EuroSys 2020 10

[1] Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. T-SGX: eradicating controlled-channel attacks against enclave programs. In NDSS’2017. [2] Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. Varys: Protecting SGX enclaves from practical side-channel attacks. In USENIX ATC’2018. [3] Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, and Yinqian Zhang. Detecting privileged side-channel attacks in shielded execution with Déjá Vu. In Asia CCS’2017. [4] Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. ZeroTrace: Oblivious memory primitives from Intel SGX. In NDSS’2018.

Software mitigations are limited

slide-11
SLIDE 11

Existing Hardware Mitigations

  • Private enclave page tables

29-Apr-20 Meni Orenbach, EuroSys 2020 11

Enclave modify

[1] Victor Costan, Ilia A. Lebedev, and Srinivas Devadas. Sanctum: Minimal hardware extensions for strong software isolation. In USENIX Security’2016. [2] Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song, and Krste Asanović. Keystone: A framework for architecting TEEs. In Eurosys’2020. [3] Shaizeen Aga and Satish Narayanasamy. InvisiPage: Oblivious demand paging for secure enclaves. In ISCA ’19

Requires major changes to SGX internals since SGX is entangled with the x86 architecture

slide-12
SLIDE 12

Our solution: Autarky

  • Minimal extension to SGX OS-hardware interface
  • Backward-compatible with SGX
  • Validate presence of expected mappings

29-Apr-20 Meni Orenbach, EuroSys 2020 12

SGX Reverse page table

Autarky

Active mapping attacks defense Side-channel attacks defense

slide-13
SLIDE 13

Agenda

Background Controlled-Channel Attack Self-Paging Enclaves Evaluation

slide-14
SLIDE 14

Give enclave power to control all page faults Enclave-OS cooperative paging Hide fault information from the OS Enclave can enforce its own paging policy

Design principles

Force the OS to call the enclave on every page fault Force the OS to call the enclave on every page fault Secure demand-paging Secure demand-paging

slide-15
SLIDE 15

Part of Library OS, SDK, etc.

Design overview

Legacy application Enclave Autarky runtime Operating System

Autarky paging module

Cooperative paging

Paging mechanism Paging policy Attack detection

slide-16
SLIDE 16

Self-Paging Enclaves

Application code

mov %rax, 0(10000) Page fault 0x0

Enclave

Operating System

Resume PF addr: 0x10000 VA PA P 10000 f0000 SGX Reverse page table

slide-17
SLIDE 17

Self-Paging Enclaves

Application code

mov %rax, 0(10000) Page fault 0x0

Enclave

Operating System

Resume PF addr: 0x10000

Custom paging policy

Self-paging fault handler

Enter page fault handler Exit Resume VA Present 10000 1

Secure tracking

VA PA P 10000 f0000

Attack detected!

SGX Reverse page table

slide-18
SLIDE 18

Enclave can protect against spurious page faults

Original attack required millions of page faults. Removing control is a huge improvement

slide-19
SLIDE 19

Support for legitimate page faults

Application code

mov %rax, 0(10000)

Enclave

Operating System

PF addr: 0x10000

Custom paging policy

Self-paging fault handler

Fetch(10000) VA Present 10000

Secure tracking

Fetch(10000)

Naïve paging policy leaks

Page fault 0x0

Naïve paging policy leaks

SGX Reverse page table

slide-20
SLIDE 20

Paging policy: part of the enclave’s runtime Control the leakage

slide-21
SLIDE 21

Agenda

Background Controlled-Channel Attack Self-Paging Enclaves Paging policies Evaluation

slide-22
SLIDE 22

Rate-limiting policy

  • Used by state-of-the-art

software mitigations

  • Put a limit on the rate
  • f exceptions
  • Low security guarantees

Enclave controls paging policy Limit only page faults Unmodified binaries Enforced by architecture Low

  • verhead

[1] Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. T-SGX: eradicating controlled-channel attacks against enclave programs. In NDSS’2017. [2] Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. Varys: Protecting SGX enclaves from practical side-channel attacks. In USENIX ATC’2018. [3] Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, and Yinqian Zhang. Detecting privileged side-channel attacks in shielded execution with Déjá Vu. In Asia CCS’2017.

slide-23
SLIDE 23

ORAM policy

  • Provably obfuscates distribution of memory accesses
  • Prior solutions show substantial performance cost
  • Autarky is order-of-magnitude faster and makes it practical
  • Invoke ORAM only for paging

23

See paper for more details

[1] Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. ZeroTrace: Oblivious memory primitives from Intel SGX. In NDSS’2018. [2] Meni Orenbach, Yan Michalevsky, Christof Fetzer, and Mark Silberstein. CoSMIX: A compiler-based system for secure memory instrumentation and execution in enclaves. In Usenix ATC’2019.

slide-24
SLIDE 24

Enclave pages

Novel page clusters policy

Some applications do not need oblivious paging across all pages Page clusters: cooperative paging for all pages in the cluster Actual faulted address is hidden from the OS Actual page access is not leaked A B C

Upon page fault: Fetch all pages belonging to cluster C

C B

Non-sensitive page

24 29-Apr-20 Meni Orenbach, EuroSys 2020

slide-25
SLIDE 25

Page clusters policy use cases

English Hebrew Greek Spelling Server Attacker learns victim access to a dictionary. Not which word queried word, language

25 29-Apr-20 Meni Orenbach, EuroSys 2020

Similarly for libraries: Attacker learns library access, not which function executed.

slide-26
SLIDE 26
  • SGX1 and SGX2 cooperative paging mechanisms
  • Eliminate accessed, dirty bit leakage
  • Practical optimizations
  • Remove extra enclave crossing on page faults
  • Remove all enclave crossings on page faults

More details

slide-27
SLIDE 27

Agenda

Background Controlled-Channel Attack Self-Paging Enclaves Evaluation

slide-28
SLIDE 28

Memcached stores > 2x available memory Issuing random 1KB GET requests

28 29-Apr-20 Meni Orenbach, EuroSys 2020

Throughput increases due to less paging 30% slower due to enclave crossing overhead Just 7% slower Throughput decreases as each page fault fetches 10 pages ORAM only 60% slower compared to insecure baseline ORAM has better cache utilization than page clusters

slide-29
SLIDE 29

Conclusion

  • Autarky mitigates the controlled-channel attack
  • Practical modifications to the architecture
  • Runtime with a secure paging policy
  • Maintains backward compatibility
  • Operating system
  • Demand-paging
  • Attack is not unique to SGX enclaves
  • Retrofit Autarky for other enclave environments!

29 29-Apr-20 Meni Orenbach, EuroSys 2020

Thank you!