mptee bringing flexible and efficient memory protection
play

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel - PowerPoint PPT Presentation

Aug 05, 2023 •104 likes •626 views

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu 2 , Yong Qi 1 , Sqiyu Qi 3 1 Xian Jiaotong University, China 2 University of Minnesota, USA 3 Xidian University, China EuroSys'20, April 2730,

  1. MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu 2 , Yong Qi 1 , Sqiyu Qi 3 1 Xi’an Jiaotong University, China 2 University of Minnesota, USA 3 Xidian University, China EuroSys'20, April 27–30, 2020

  2. Intel Software eXecute Guard (SGX) • Hardware-based trusted execution environment • Provide secure region, namely enclave • Enhance Application Security Secure Cloud Services Blockchain Edge Computing Digital Wallet

  3. Two types of SGX Research Applications (to protect data/code) • VC3 [OAKLAND’15] • SCONE [OSDI’16] • JITGuard [CCS’17] • SGXCrypter [ASP-DAC’17] Protection/attack to SGX itself • Page Fault [OAKLAND’15] • SGX-Shield [NDSS’17] • SGXBOUNDS [EUROSYS’17] • Side-channel [OAKLAND’18, SECURITY’17]

  4. Examples and current disadvantages SGXCrypter protects code by unpacking the packed code in enclave. • relies on the OS page table to remove the W perm of unpacked code • is incompatible with the SGX security model SGX-Shield protects SGX code itself through randomization • uses software-based DEP to create an Non-RW boundary(R15) • wastes the R15 register • NRW boundary using a general register can be shifted[security’18]

  5. Two types of SGX Research Applications (to protect data/code) • VC3 [OAKLAND’15] • SCONE [OSDI’16] flexibly and securely enforcing • JITGuard [CCS’17] memory-page permissions • SGXCrypter [ASP-DAC’17] Protection/attack to SGX itself • Page Fault [OAKLAND’15] • SGX-Shield [NDSS’17] • SGXBOUNDS [EUROSYS’17] • Side-channel [OAKLAND’18, SECURITY’17]

  6. Unfortunately, the feature is missing

  7. Unfortunately, the feature is missing Why?

  8. Unfortunately, the feature is missing Why? Security considerations (untrusted os) Permissions are statically decided (sign-verify)

  9. Challenges Limited hardware support Strong adversary

  10. Challenges A software-based solution, significant performance overhead Limited hardware support Strong adversary

  11. Challenges Limited hardware The privileged software (e.g., OS, hypervisor) is untrusted support and SGX programs themselves might be vulnerable Strong adversary

  12. Challenges A hardware-assisted solution Limited hardware support Strong adversary

  13. Challenges A hardware-assisted solution low overhead Limited hardware support Strong adversary

  14. Challenges A hardware-assisted solution low overhead Limited hardware support Strong adversary

  15. MPTEE: memory permission protection Flexible, efficient, and isolated memory permission enforcement for SGX. • Flexible and Efficient Memory-Permission Enforcement • Enforcement Integrity Permission R/W/X enforcement Region Enforcement integrity Code Attack

  16. MPTEE: memory permission protection Flexible, efficient, and isolated memory permission enforcement for SGX. • Flexible and Efficient Memory-Permission Enforcement • Enforcement Integrity Permission R/W/X enforcement Region Enforcement integrity Code Attack

  17. MPTEE: memory permission protection Flexible, efficient, and isolated memory permission enforcement for SGX. • Flexible and Efficient Memory-Permission Enforcement • Enforcement Integrity Permission R/W/X enforcement Region Enforcement integrity Code Attack

  18. Memory-Permission Enforcement Elastic Cross-Region Bound Check(CRBC) Basic idea Use hardware-assisted technique(MPX) to bound-check access

  19. Elastic Cross-Region Bound Check(CRBC) Memory Protection Extension(MPX) • New instructions, bndcu, bndcl, bndmk… • Four dedicated bound registers (BND0 ∼ BND3) bnd0.lb bnd0.ub fun: : ……

  20. Elastic Cross-Region Bound Check(CRBC) Memory Protection Extension(MPX) • New instructions, bndcu, bndcl, bndmk… • Four dedicated bound registers (BND0 ∼ BND3) • More bounds will be stored in a bound table in memory Significant performance overhead (over 60%)

  21. Elastic Cross-Region Bound Check(CRBC) OS kernel region0 env,argv,argc Stack ... .data dynamic RW region1 .bss libraries X .text region2 region3 Heap .data region4 RW .bss program region5 X .text

  22. Elastic Cross-Region Bound Check(CRBC) OS kernel region0 bnd regs UBound LBound env,argv,argc Stack ... Bound Table0 .data dynamic RW region1 Bound Directory .bss libraries X .text region2 Bound Table1 region3 Heap Bound tables .data impose high region4 RW .bss program overhead region5 X .text

  23. Elastic Cross-Region Bound Check(CRBC) How can we use limited number of bound registers to protect multiple memory region access?

  24. Elastic Cross-Region Bound Check(CRBC) Key observation The same permission memory range is continuous in an enclave

  25. Elastic Cross-Region Bound Check(CRBC) Key observation The same permission memory range is continuous in an enclave Because All required libraries must be statically linked in the target enclave program

  26. Elastic Cross-Region Bound Check(CRBC) X .text,.rodata,... Permission change .got,.bss,.data,... ... R Heap Continuous à Non-continuous W Thread context Exceeded the number of MPX registers Enclave memory layout

  27. Elastic Cross-Region Bound Check(CRBC) X .text,.rodata,... .got,.bss,.data,... Remove W ... R Unpack code/randomize code Heap W Thread context Enclave memory layout

  28. Elastic Cross-Region Bound Check(CRBC) X .text,.rodata,... .got,.bss,.data,... W Remove W 3 regions à 5 regions ... R X Unpack code/randomize code Heap W Thread context Enclave memory layout

  29. Elastic Cross-Region Bound Check(CRBC) X .text,.rodata,... .got,.bss,.data,... W Remove W 3 regions à 5 regions ... R X Unpack code/randomize code Heap 4 MPX registers are not enough W Thread context Enclave memory layout

  30. Elastic Cross-Region Bound Check(CRBC) X .text,.rodata,... .got,.bss,.data,... W Remove W We design a new layout ... R X Unpack code/randomize code Heap W Thread context Enclave memory layout

  31. Elastic Cross-Region Bound Check(CRBC) non-permission X .text,.rodata,... X .got,.bss,.data,... .text,.rodata, … (RX) ... R Heap R W W .got,.bss,.data,heap (RW) Thread context Enclave memory layout New memory layout with CRBC

  32. Elastic Cross-Region Bound Check(CRBC) non-permission X .text,.rodata,... X .got,.bss,.data,... .text,.rodata, … (RX) ... R Heap R W W .got,.bss,.data,heap (RW) Thread context Enclave memory layout New memory layout with CRBC

  33. Elastic Cross-Region Bound Check(CRBC) Non-perm. (ImageBase, BND0.LB) non-permission X (BND0.LB, BND2.LB) RX (BND2.LB, BND1.LB) X(BND0) .text,.rodata, … (RX) RWX (BND1.LB, BND0.UB) R(BND2) W(BND1) .got,.bss,.data,heap (RW) RW (BND0.UB, BND1.UB) R (BND1.UB, BND2.UB) New memory layout with CRBC

  34. Elastic Cross-Region Bound Check(CRBC) Non-perm. (ImageBase, BND0.LB) non-permission X (BND0.LB, BND2.LB) RX (BND2.LB, BND1.LB) X(BND0) .text,.rodata, … (RX) Only three registers to offer six regions RWX (BND1.LB, BND0.UB) Continuous after permission change R(BND2) W(BND1) .got,.bss,.data,heap (RW) RW (BND0.UB, BND1.UB) R (BND1.UB, BND2.UB) New memory layout with CRBC

  35. Elastic Cross-Region Bound Check(CRBC) JIT code generator non-permission non-permission Remove W X X Generated code fragment0 Reserved area R R W W

  36. Elastic Cross-Region Bound Check(CRBC) JIT code generator non-permission non-permission Remove W Remove W X X Generated code fragment0 Generated code fragment0 Generated code fragment1 R R W W

  37. Elastic Cross-Region Bound Check(CRBC) JIT code generator non-permission non-permission Remove W Remove W X X Generated code fragment0 Generated code fragment0 Generated code fragment1 R R W W

  38. Elastic Cross-Region Bound Check(CRBC) • Initializing the bounds • Updating the bounds • Permission enforcement using CRBC • Four APIs, mpt_mmap, mpt_mremap, mpt_uunmap, mpt_write • Improving EPC usage • Optimizing CRBC: Adaptive Permission Enforcement More details in the paper

  39. Elastic Cross-Region Bound Check(CRBC) • CRBC leverages MPX to efficiently bound-check multiple regions with different boundary registers. Use only regs , bnd0, bnd1, and bnd2 • Provide six different permission regions • Allow the flexible changes of the ranges of • memory regions at runtime

  40. Elastic Cross-Region Bound Check(CRBC) • CRBC leverages MPX to efficiently bound-check multiple regions with different boundary registers Use only regs , bnd0, bnd1, and bnd2 • Provide six different permission regions • Without using MPX bound Allow the flexible changes of the ranges of • table to avoid the high memory regions at runtime performance overhead

  41. CRBC may be attacked Check-skipping attacks • Control-flow attacks that bypass the bound checks and abuse the permission control Unaligned call without check

  42. CRBC may be attacked Bound-manipulating attacks • Data-flow attacks that manipulate bounds Bndmk is called maliciously

  43. Enforcement Integrity control-data integrity + memory isolation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical Memory Through virtual memory N 2 32 -sized address spaces All isolated by default Uses for memory Make a new process Address

516 views • 22 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code

703 views • 48 slides
Memory Protection ability to avoid unwanted memory accesses management Sharing

Memory Protection ability to avoid unwanted memory accesses management Sharing

Requirements Relocation ability to change process image position Memory Protection ability to avoid unwanted memory accesses management Sharing ability to share memory portions among processes Logical organization

504 views • 15 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
A Flexible and Efficient Presentation-Architecture for Adaptive Hypermedia: Description and

A Flexible and Efficient Presentation-Architecture for Adaptive Hypermedia: Description and

A Flexible and Efficient Presentation-Architecture for Adaptive Hypermedia: Description and Technical Evaluation Carsten Ullrich, Paul Libbrecht, Stefan Winterstein, Martin M uhlenbrock German Research Center for Artificial Intelligence

172 views • 5 slides
Access Downtown Charlottesville, Virginia Bringing People Downtown in an efficient and

Access Downtown Charlottesville, Virginia Bringing People Downtown in an efficient and

Access Downtown Charlottesville, Virginia Bringing People Downtown in an efficient and coordinated manner Prepared by CPC Inc. 3 Ways to Get Downtown Human Power Walking or Biking Public Vehicle CAT, Free Trolley or Taxi Cab

318 views • 29 slides
eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o

eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o

eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o efficient network i/o select/poll/epoll threads switch between async and sync queues/pipes coroutines main subroutine: subroutine(1, 2)

487 views • 23 slides
DSV XPress fast, flexible, efficient and on time Air & Sea DSV XPress From documents to

DSV XPress fast, flexible, efficient and on time Air & Sea DSV XPress From documents to

DSV XPress fast, flexible, efficient and on time Air & Sea DSV XPress From documents to heavy weight cargo we ship it worldwide at express speed. Whether by special courier or direct delivery, with DSV XPress your shipment is

444 views • 11 slides
DIGITAL OLED for Taillighting Most Efficient, Homogeneous, and Flexible Display Technology M.

DIGITAL OLED for Taillighting Most Efficient, Homogeneous, and Flexible Display Technology M.

Light Sources and Sensors DIGITAL OLED for Taillighting Most Efficient, Homogeneous, and Flexible Display Technology M. Kruppa, W. Thomas, Audi AG, Germany Keywords: OLED, Digital OLED, Bendable OLED, Flexible Digital OLED, Display Technol-

313 views • 9 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Adaptive Activation Network and Functional Regularization for Efficient and Flexible Deep

Adaptive Activation Network and Functional Regularization for Efficient and Flexible Deep

Adaptive Activation Network and Functional Regularization for Efficient and Flexible Deep Multi-Task Learning (AAAI-2020) Reading Group Dec. 11, 2019 Suman Saha (postdoc), Computer Vision Lab @ ETH Zurich M o t t i i v v a a t t i

370 views • 23 slides
Flexible, Efficient Abstractions for High Performance Computation on Current and Emerging

Flexible, Efficient Abstractions for High Performance Computation on Current and Emerging

Institute for CLEAN AND SECURE ENERGY THE UNIVERSITY OF UTAH TM Flexible, Efficient Abstractions for High Performance Computation on Current and Emerging Architectures J AMES C. S UTHERLAND Associate Professor - Chemical Engineering M ATT M

141 views • 10 slides
An Efficient and Flexible Approach to Resolution Proof Reduction N. Sharygina Formal

An Efficient and Flexible Approach to Resolution Proof Reduction N. Sharygina Formal

An Efficient and Flexible Approach to Resolution Proof Reduction N. Sharygina Formal Verification and Security Group University of Lugano March 9, 2011 Natasha Sharygina (USI) Flexible Proof Reduction March 9, 2011 1 / 60 Outline 1

1.32k views • 110 slides
Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection Memory Protection We share memory with Segmentation Fault devices, scheduler Preemption Sometimes no preemption Scheduling

377 views • 25 slides
SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides
Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers

Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers

Better tools for content editors Petr ILLEK Morpht Better tools for content editors Modifiers and Looks Petr ILLEK Front-End developer Morpht.com The team 2 years of development Countless iterations and refactoring Murray Vt

514 views • 34 slides
In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB

In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB

In-Database Factorized Learning Dan Olteanu Joint work with M. Schleich, J. Zavodny & FDB Team M. Abo-Khamis, H. Ngo, X. Nguyen http://www.cs.ox.ac.uk/projects/FDB/ Recent Trends in Knowledge Compilation Dagstuhl, Sept 2017 1 / 32 We

646 views • 36 slides
Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability High Performance How to sleep without the server-crash-fear Samstag, 3. November 12 High Availability Samstag, 3. November 12 High Availability

1.01k views • 79 slides
Building Applications Tutorial Session for Trustworthy Data Analysis in the Cloud Andrey Brito

Building Applications Tutorial Session for Trustworthy Data Analysis in the Cloud Andrey Brito

ISSRE 2019 Building Applications Tutorial Session for Trustworthy Data Analysis in the Cloud Andrey Brito Andr Martin Lilia Sampaio Fbio Silva Security-aware data processing Part 1 Why secure data processing? 3 In 2019, companies

1.24k views • 69 slides
Safe Interacting Enclaves for Heterogeneous Protected Module Architectures Sten Verbois 29 June

Safe Interacting Enclaves for Heterogeneous Protected Module Architectures Sten Verbois 29 June

Safe Interacting Enclaves for Heterogeneous Protected Module Architectures Sten Verbois 29 June 2018 Content 1. Motivation 2. Research Goals 3. Aspects of Using Rust 4. Case Study: Attestation server for VulCAN 5. Demo 1 Motivation

499 views • 27 slides
2019 1 STAT373/ Week 10 STAT814_STAT714 Descriptive statistics of the three strata

2019 1 STAT373/ Week 10 STAT814_STAT714 Descriptive statistics of the three strata

STAT373/ Week 10 STAT814_STAT714 Statistical Divisions (SD) NOTE: LGAs (182 of them) are grouped into 12 Statistical Week 10: STRATIFIED SAMPLING Divisions (SDs). These become our strata. SD id SD name Number of LGAs LGA example 5

235 views • 12 slides
and Binary Formats Don Porter CSE 506: Operating Systems Logical Diagram Binary Memory

and Binary Formats Don Porter CSE 506: Operating Systems Logical Diagram Binary Memory

CSE 506: Operating Systems Process Address Spaces and Binary Formats Don Porter CSE 506: Operating Systems Logical Diagram Binary Memory Threads Todays Formats Allocators User Lecture System Calls Kernel RCU File System

851 views • 47 slides

More recommend