Hardware Enclaves & Intel SGX (CS261 lecture slides, PowerPoint presentation)



SLIDE 1

Hardware Enclaves & Intel SGX

CS261

SLIDE 2

Hardware Enclaves

  • HW abstractions for distributing trusted execution to untrusted platforms

SLIDE 3

Hardware Enclaves

  • HW abstractions for distributing trusted execution to untrusted platforms

[Figure: sensitive data (e.g., medical records) is handed to a row of untrusted platforms, each copy labelled "Encrypted"; the question is how to compute on it there without exposing the plaintext to the platform]

SLIDE 4

System Threats to Trusted Execution

  • What can go wrong?
    • Side channels (out of scope for Intel SGX)
    • Counterfeit software
    • Injecting rootkits into the OS
    • Privilege escalation
    • Installing a malicious kernel
    • Compromised HW devices
    • Cold-boot attacks

[Figure: a medical system running on top of an untrusted operating system; the user logs in, downloads records from the server and decrypts them on the platform, where every layer listed above can read the plaintext]

SLIDE 5

Threat Model of Hardware Enclaves

[Figure: trusted components are the enclave itself (enclave code and enclave data) and the Intel Attestation Service (IAS); untrusted components are the host process, other processes, other enclaves, the OS and/or hypervisor, and all off-chip devices]

SLIDE 6

Elements of Hardware Enclaves

  • Secure boot: HW-verified measurement of the initial code and data, with execution starting at a fixed first instruction
  • On-chip program isolation
  • Cryptographically protected external memory (confidentiality, integrity and freshness)
  • Execution integrity: no interference from attackers with the enclave's control flow or state
  • Attestation and/or secret sealing

SLIDE 7

Enclave Creation with Intel SGX

  • ECREATE(SECS): create an enclave range, described by the SGX Enclave Control Structure (SECS)
  • EADD(SECS, addr, prot), EEXTEND(SECS, addr): add a page (code, data, or a Thread Control Structure, TCS) to the enclave and extend the measurement with its position, protection and content
  • EINIT(SECS, license): check the resulting measurement against the enclave author's signature (SIGSTRUCT) and the launch token, then initialize the enclave so it can be entered

[Figure: the untrusted OS issues ECREATE, EADD, EEXTEND and EINIT to the CPU on behalf of the process; the enclave region ends up holding the SECS, a TCS, code pages and data pages]
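The creation sequence above is what makes the measurement trustworthy: every EADD and EEXTEND feeds a running hash that the untrusted loader cannot influence other than through what it loads. The following is an added example, not code from the slides or from Intel: a software model of that log. The record tags, 64-byte record size and 256-byte EEXTEND chunks follow the structure the Intel SDM describes, but the padding and field layout are this model's assumptions and the digests are not bit-exact MRENCLAVE values.

```python
# Added example (not from the slides): a simplified model of how EADD/EEXTEND
# build the enclave measurement (MRENCLAVE) as a running SHA-256 over a log of
# metadata and page contents, finalized by EINIT. Record layouts (8-byte tags,
# 64-byte records, 256-byte EEXTEND chunks) follow the Intel SDM's structure;
# padding and exact field layout are this model's assumptions, not hardware.
import hashlib
import struct

PAGE_SIZE = 4096
CHUNK = 256  # EEXTEND measures 256 bytes of a page per instruction

class MeasurementLog:
    """Mimics the SHA-256 state the CPU keeps in the SECS while building."""

    def __init__(self, enclave_size: int, ssa_frame_size: int = 1):
        self._h = hashlib.sha256()
        # ECREATE record: tag, SSA frame size, enclave size, zero-padded to 64 bytes
        rec = b"ECREATE\x00" + struct.pack("<IQ", ssa_frame_size, enclave_size)
        self._h.update(rec.ljust(64, b"\x00"))
        self.finalized = False

    def eadd(self, offset: int, secinfo_flags: int) -> None:
        """EADD: measure the page's position and protection, not its content."""
        assert not self.finalized and offset % PAGE_SIZE == 0
        rec = b"EADD\x00\x00\x00\x00" + struct.pack("<QQ", offset, secinfo_flags)
        self._h.update(rec.ljust(64, b"\x00"))

    def eextend(self, offset: int, data: bytes) -> None:
        """EEXTEND: measure 256 bytes of content at an offset inside the enclave."""
        assert not self.finalized and len(data) == CHUNK and offset % CHUNK == 0
        rec = b"EEXTEND\x00" + struct.pack("<Q", offset)
        self._h.update(rec.ljust(64, b"\x00"))
        for i in range(0, CHUNK, 64):           # four 64-byte hash blocks
            self._h.update(data[i:i + 64])

    def einit(self) -> bytes:
        """EINIT: finalize MRENCLAVE. On hardware this value is compared with
        the author's signed SIGSTRUCT before the enclave may be entered."""
        self.finalized = True
        return self._h.digest()

def build_enclave(pages, enclave_size: int = PAGE_SIZE * 16) -> bytes:
    """pages: list of (offset, flags, content) in the order the untrusted
    loader adds them. Returns the measurement the CPU would compute."""
    log = MeasurementLog(enclave_size)
    for offset, flags, content in pages:
        assert len(content) == PAGE_SIZE
        log.eadd(offset, flags)
        for i in range(0, PAGE_SIZE, CHUNK):
            log.eextend(offset + i, content[i:i + CHUNK])
    return log.einit()

# Constructed sample image: one code page (R+X) and one data page (R+W).
R, W, X = 1, 2, 4
CODE = b"\x48\x31\xc0\xc3" * 1024            # "xor rax,rax; ret", repeated
DATA = b"\x00" * PAGE_SIZE
IMAGE = [(0x0000, R | X, CODE), (0x1000, R | W, DATA)]

def tampered_image():
    """Same image with one code byte flipped: the measurement must differ."""
    code = bytearray(CODE)
    code[100] ^= 0xFF
    return [(0x0000, R | X, bytes(code)), (0x1000, R | W, DATA)]

def reordered_image():
    """Same pages added in the opposite order: the log is sequential, so the
    measurement differs even though the final memory image is identical."""
    return [IMAGE[1], IMAGE[0]]

def relaxed_permissions_image():
    """Same content, but the data page is added writable+executable: EADD
    measures the protection flags, so this also changes the measurement."""
    return [(0x0000, R | X, CODE), (0x1000, R | W | X, DATA)]

if __name__ == "__main__":
    print("MRENCLAVE:", build_enclave(IMAGE).hex())
```

The three variants matter in practice: a verifier that pins a measurement is implicitly pinning the page contents, the order in which the loader added them, and the permissions it requested, so a loader that "helpfully" makes a data page executable produces an enclave the remote party will refuse to trust.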

SLIDE 8

Enclave Enter & Exit

  • EENTER(SECS, TCS): enter at a static enclave address fixed by the TCS
  • EEXIT(addr): exit the enclave to any address in the untrusted process
  • The enclave can accept parameters (e.g., in registers) after entry, and must validate them itself
  • Attackers cannot redirect the enclave's control flow: every entry lands on a TCS-defined entry point

[Figure: EENTER jumps to the fixed entry address in the TCS, where the entry stub validates its arguments (e.g., cmp 0, rax ...) before doing any work; EEXIT returns to the untrusted exit address, where the caller in turn validates the results (cmp 0, rsi ...)]

SLIDE 9

Enclave Isolation

[Figure: the same load x = *(encl_addr) executed in enclave mode and in non-enclave mode; EPC page mappings are controlled by the page table plus the EPC Map (EPCM), which the CPU consults on every access to an EPC page]

Abort page semantics: accesses to EPC pages from outside the enclave never reach the data; reads return a fixed abort value (all ones) and writes are dropped.

SLIDE 10

Memory Encryption Engine

  • EPC pages are encrypted in DRAM
  • The Memory Encryption Engine (MEE) sits at the edge of the CPU package, in front of the Memory Controller (MC)
  • Cache lines are decrypted on cache misses and re-encrypted when written back to DRAM, so plaintext only ever exists inside the CPU package

SLIDE 11

Memory Encryption Engine

[Figure: a run of 64-byte cache lines in the EPC, shown in plaintext at 0x80200000, 0x80200040, 0x80200080, 0x802000c0, 0x80200100, 0x80200140, 0x80200180; each line is stored in DRAM as ciphertext under an authenticated encryption scheme (e.g., AES-GCM) together with a MAC and a per-line counter used as the nonce]

SLIDE 12

EPC Paging

  • EPC pages are limited: at the time of these slides, about 93.5 MB per platform
  • The untrusted OS swaps enclave pages in and out
  • Swapped-out pages are not in the EPC, so they are no longer protected by the MEE; the CPU has to protect them cryptographically before handing them to the OS (EWB/ELDU)

SLIDE 13

EPC Paging

  • EWB: write an EPC page back to a non-EPC page; the CPU encrypts and MACs the page and records its version in a Version Array (VA) page that stays inside the EPC
  • ELDU: load a non-EPC page back into the EPC, verifying the MAC and the VA version entry so that a modified or stale (replayed) page is rejected

[Figure: the process' enclave region maps onto EPC pages in physical memory; EWB moves a page out to ordinary memory as ciphertext with a MAC and a counter (nonce), and ELDU brings it back]
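Both the MEE (cache lines, slide 11) and EWB/ELDU (whole pages, this slide) rely on the same three ingredients: encryption for confidentiality, a MAC for integrity, and a version counter kept in trusted storage for freshness. The following added example, which is not code from the slides or from Intel, models that mechanism in software and exercises the cases the counter exists for: a bit flip in DRAM, a valid ciphertext moved to another address, and replay of an old copy after the enclave has updated the data. HMAC-SHA256 in counter mode stands in for AES (an assumption so the example runs on the standard library); the real MEE uses AES-based encryption with a MAC and an on-die integrity tree over the counters.

```python
# Added example (not from the slides): a software model of the protection the
# MEE gives EPC cache lines in DRAM and that EWB/ELDU give pages swapped out of
# the EPC: encrypt, MAC, and bind a version counter kept in trusted storage so
# that tampering, relocation and replay of stale data are all detected.
# HMAC-SHA256 in counter mode is a constructed stand-in for AES; the real MEE
# uses AES with a MAC and an on-die integrity tree over the counters.
import hashlib
import hmac
import os

LINE = 64          # cache-line granularity protected by the MEE
PAGE = 4096        # page granularity moved by EWB/ELDU

class TrustedMemoryEngine:
    """Everything here models state inside the CPU package: the key and the
    per-address version counters (on-die for the MEE, the VA page for EWB)."""

    def __init__(self, key: bytes):
        self._key = key
        self._versions = {}          # address -> current counter (trusted)

    def _keystream(self, addr: int, ver: int, n: int) -> bytes:
        out, block = b"", 0
        while len(out) < n:
            msg = (b"enc" + addr.to_bytes(8, "little")
                   + ver.to_bytes(8, "little") + block.to_bytes(4, "little"))
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            block += 1
        return out[:n]

    def _mac(self, addr: int, ver: int, ct: bytes) -> bytes:
        # Binding address and version is what defeats relocation and replay.
        msg = b"mac" + addr.to_bytes(8, "little") + ver.to_bytes(8, "little") + ct
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def write_back(self, addr: int, plaintext: bytes):
        """Eviction (MEE) or EWB: bump the counter, encrypt, MAC.
        Returns what lands in untrusted DRAM: (ciphertext, mac)."""
        ver = self._versions.get(addr, 0) + 1
        self._versions[addr] = ver
        ks = self._keystream(addr, ver, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        return ct, self._mac(addr, ver, ct)

    def load(self, addr: int, ct: bytes, mac: bytes) -> bytes:
        """Cache miss (MEE) or ELDU: check the MAC under the *current* counter,
        then decrypt. A stale counter means replayed data -> hardware fault."""
        ver = self._versions[addr]
        if not hmac.compare_digest(mac, self._mac(addr, ver, ct)):
            raise ValueError(f"integrity/freshness check failed at {addr:#x}")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(addr, ver, len(ct))))

def _rejected(mee, addr, ct, mac) -> bool:
    try:
        mee.load(addr, ct, mac)
        return False
    except ValueError:
        return True

def demo() -> dict:
    """Exercise the cases a practitioner cares about, on constructed data."""
    mee = TrustedMemoryEngine(os.urandom(32))
    secret_v1 = b"patient-record-v1".ljust(LINE, b"\x00")
    secret_v2 = b"patient-record-v2".ljust(LINE, b"\x00")
    addr = 0x80200040
    results = {}

    ct1, mac1 = mee.write_back(addr, secret_v1)
    results["roundtrip"] = mee.load(addr, ct1, mac1) == secret_v1
    results["ciphertext_hides_data"] = ct1 != secret_v1

    # 1. Bit flip in DRAM: ciphertext no longer matches its MAC.
    flipped = bytes([ct1[0] ^ 1]) + ct1[1:]
    results["tamper_detected"] = _rejected(mee, addr, flipped, mac1)

    # 2. Relocation: a valid (ct, mac) pair copied onto the neighbouring line.
    other = addr + LINE
    mee.write_back(other, b"\x00" * LINE)
    results["relocation_detected"] = _rejected(mee, other, ct1, mac1)

    # 3. Replay: the enclave updates the line, then the attacker restores the
    #    old ciphertext+MAC. Without the counter this would verify fine.
    ct2, mac2 = mee.write_back(addr, secret_v2)
    results["replay_detected"] = _rejected(mee, addr, ct1, mac1)
    results["fresh_copy_loads"] = mee.load(addr, ct2, mac2) == secret_v2

    # 4. Same mechanism at page granularity (EWB then ELDU), version in the VA.
    page = os.urandom(PAGE)
    pct, pmac = mee.write_back(0x1000, page)
    results["page_roundtrip"] = mee.load(0x1000, pct, pmac) == page
    return results
```

Case 3 is the one that distinguishes an authenticated-encryption scheme from a freshness-protected one: the replayed ciphertext carries a perfectly valid MAC, and only the counter held inside the trust boundary lets the CPU notice that it is looking at an old version of the page.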

SLIDE 14

Execution Integrity

  • Program state lives either in enclave memory or in registers
  • An enclave can be interrupted by:
    • Page faults (paging)
    • Scheduling events
    • Exceptions or signals
  • Interrupt → Asynchronous Exit (AEX)
    • Register values are saved in the State Save Area (SSA) inside enclave memory and scrubbed before control leaves the enclave
  • The OS can only: (1) resume enclave execution (ERESUME), or (2) re-enter the enclave so it can handle the exception itself

SLIDE 15

Attestation

  • Proof that the program runs in a genuine enclave, with a specific measurement
  • Each enclave has a set of unique keys, obtained from the CPU via EGETKEY:
    • Report key: intra-platform (local) attestation
    • Attestation key: inter-platform (remote) attestation
    • Seal key: sealing enclave secrets
    • Other keys: see the Intel SDM
  • Report and seal keys are derived from root secrets fused into the Intel CPU; the attestation key is an Intel EPID group-signature key available only to the Quoting Enclave
  • Remote attestations (quotes) are verified by the Intel Attestation Service (IAS)

SLIDE 16

Attestation Procedure

[Figure: sequence diagram with five parties, IAS, remote entity, enclave, CPU and Quoting Enclave; the enclave-to-Quoting-Enclave part is local attestation, the rest is remote attestation]

  1. The remote entity sends a nonce to the enclave.
  2. Enclave: EREPORT(nonce, MR_Quote) asks the CPU for a report about itself addressed to the Quoting Enclave; the CPU returns the report and a MAC computed with the Quoting Enclave's report key (Report Key_Quote,X).
  3. Quoting Enclave: EGETKEY derives its own report key and verifies the report's MAC (local attestation: the MAC proves the report came from enclave X on this CPU).
  4. Quoting Enclave: EGETKEY retrieves the attestation key (only accessible in the Quoting Enclave) and signs a certificate (quote) over the measurement MR and the nonce.
  5. The certificate (Certificate_MR, nonce) is returned to the remote entity, which forwards it to the IAS.
  6. The IAS verifies the certificate's EPID signature; the remote entity then checks that the nonce and the measurement are the ones it expects.
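Steps 2 and 3 above are the heart of local attestation: the reporting enclave never sees the key that authenticates its report, and the target can obtain that key only because the CPU derives it from the target's own identity. The following added example, not code from the slides or from Intel, models that key derivation and shows why a malicious enclave cannot forge a report claiming an honest measurement. HMAC-SHA256 stands in for the hardware key derivation and for AES-CMAC, and the Report structure is a constructed subset of the real REPORT layout; both are assumptions of this model.

```python
# Added example (not from the slides): a software model of SGX local
# attestation. The CPU derives per-enclave keys from a root secret only it
# holds; EREPORT MACs a report with the *target* enclave's report key, and the
# target recovers that same key via EGETKEY to verify it. HMAC-SHA256 is a
# constructed stand-in for the hardware KDF and for AES-CMAC; the Report
# fields are a subset of the real REPORT structure.
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    mrenclave: bytes     # measurement of the reporting enclave
    mrsigner: bytes      # identity of the reporting enclave's author
    report_data: bytes   # 64 bytes chosen by the enclave, e.g. hash(nonce || pubkey)
    target: bytes        # MRENCLAVE of the enclave this report is addressed to

    def body(self) -> bytes:
        return self.mrenclave + self.mrsigner + self.report_data + self.target

class CPU:
    """Models the processor: the only holder of the root secret."""

    def __init__(self):
        self._root = os.urandom(32)       # fused into the die on real hardware

    def _report_key(self, mrenclave: bytes) -> bytes:
        # The report key is bound to the identity of the enclave that verifies.
        return hmac.new(self._root, b"REPORT_KEY" + mrenclave, hashlib.sha256).digest()

    def ereport(self, caller_mr: bytes, caller_signer: bytes,
                target_mr: bytes, report_data: bytes):
        """EREPORT: describe the *caller* and MAC it with the *target's* report
        key, which the caller itself can never obtain from EGETKEY."""
        rpt = Report(caller_mr, caller_signer, report_data, target_mr)
        mac = hmac.new(self._report_key(target_mr), rpt.body(), hashlib.sha256).digest()
        return rpt, mac

    def egetkey_report(self, caller_mr: bytes) -> bytes:
        """EGETKEY(REPORT_KEY): an enclave can only fetch its *own* report key."""
        return self._report_key(caller_mr)

def measure(code: bytes) -> bytes:
    """Stand-in for the MRENCLAVE build process of the creation slide."""
    return hashlib.sha256(code).digest()

def verify_report(cpu: CPU, verifier_mr: bytes, rpt: Report, mac: bytes) -> bool:
    """What the target (e.g., the Quoting Enclave) does with a received report."""
    if rpt.target != verifier_mr:            # not addressed to us: key would differ
        return False
    key = cpu.egetkey_report(verifier_mr)
    return hmac.compare_digest(mac, hmac.new(key, rpt.body(), hashlib.sha256).digest())

def run_local_attestation() -> dict:
    cpu = CPU()
    app_mr = measure(b"constructed application enclave code")
    app_signer = hashlib.sha256(b"constructed author public key").digest()
    qe_mr = measure(b"constructed quoting enclave code")
    evil_mr = measure(b"constructed malicious enclave code")
    nonce = os.urandom(16)                    # from the remote entity (step 1)
    report_data = hashlib.sha256(nonce).digest().ljust(64, b"\x00")
    out = {}

    # Step 2/3: honest enclave reports to the Quoting Enclave, which verifies.
    rpt, mac = cpu.ereport(app_mr, app_signer, qe_mr, report_data)
    out["genuine_accepted"] = verify_report(cpu, qe_mr, rpt, mac)

    # A third enclave cannot verify a report that was not addressed to it.
    out["wrong_target_rejected"] = not verify_report(cpu, evil_mr, rpt, mac)

    # Forgery: a malicious enclave claims the honest MRENCLAVE, but it can only
    # obtain its *own* report key, so its MAC is wrong for the Quoting Enclave.
    forged = Report(app_mr, app_signer, report_data, qe_mr)
    forged_mac = hmac.new(cpu.egetkey_report(evil_mr), forged.body(), hashlib.sha256).digest()
    out["forgery_rejected"] = not verify_report(cpu, qe_mr, forged, forged_mac)

    # Tampering with the body (e.g., replacing the nonce binding) breaks the MAC.
    stale = Report(app_mr, app_signer, b"\x00" * 64, qe_mr)
    out["tamper_rejected"] = not verify_report(cpu, qe_mr, stale, mac)
    return out
```

The forgery case is the property the whole scheme rests on: the malicious enclave is a legitimate enclave on the same CPU, it can call EREPORT and EGETKEY freely, and it still cannot produce a MAC under the Quoting Enclave's key for a report that lies about MRENCLAVE, because the CPU fills in the caller's real measurement and only ever hands an enclave the key matching its own identity.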

SLIDE 17

Use Cases for Hardware Enclaves

  • Digital Rights Management (DRM)
  • Computation outsourcing, network function virtualization (NFV)
  • Distributed systems, edge computing, blockchains
  • Alternative to homomorphic encryption (HE) or secure multi-party computation (MPC)
  • Protection for antivirus, JIT compilers, etc.
  • Also usable by attackers for concealing attacks, since the OS cannot inspect enclave code or data

SLIDE 18

Questions?

Hardware Enclaves & Intel SGX
