OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil - - PowerPoint PPT Presentation

β–Ά
obfuscuro a commodity
SMART_READER_LITE
LIVE PREVIEW

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil - - PowerPoint PPT Presentation

Mar 06, 2023 183 likes β€’1.35k views

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee (* denotes equal contribution) Program Obfuscation Program Obfuscation Trusted Untrusted (except

slide-1
SLIDE 1

OBFUSCURO: : A Commodity Obfuscation Engine for Intel SGX

Adil Ahmad*, Byunggill Joe*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee

(* denotes equal contribution)

slide-2
SLIDE 2

Program Obfuscation

slide-3
SLIDE 3

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Trusted Untrusted (except the Black box) Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜

slide-4
SLIDE 4

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine Trusted Untrusted (except the Black box) Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜

slide-5
SLIDE 5

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

π‘Έπ’’π’”π’‹π’˜

Trusted Untrusted (except the Black box) Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜

slide-6
SLIDE 6

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

…

Trusted Untrusted (except the Black box) Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜

slide-7
SLIDE 7

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

Untrusted System

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

…

Trusted Untrusted (except the Black box)

Black box

Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜

slide-8
SLIDE 8

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

Untrusted System

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

…

Trusted Untrusted (except the Black box)

Black box

Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜ Receiver’s Goal Disclose the internals

  • f program π‘Έπ’’π’”π’‹π’˜
slide-9
SLIDE 9

Program Obfuscation

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

Untrusted System

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

…

Trusted Untrusted (except the Black box)

Black box

If the black box is β€œsecure”? Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜ Receiver’s Goal Disclose the internals

  • f program π‘Έπ’’π’”π’‹π’˜
slide-10
SLIDE 10

Program Obfuscation

Output

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

Untrusted System

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

… After constant time 𝑼

Trusted Untrusted (except the Black box)

Black box

If the black box is β€œsecure”? Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜ Receiver’s Goal Disclose the internals

  • f program π‘Έπ’’π’”π’‹π’˜
slide-11
SLIDE 11

Program Obfuscation

Output

π‘Έπ’’π’”π’‹π’˜

Encryption Engine

Untrusted System

Observable execution traces

π‘Έπ’’π’”π’‹π’˜

Attacker chooses inputs 𝐽0 𝐽1 𝐽𝑂

…

Ξ¦0 Ξ¦1 Φ𝑂

… After constant time 𝑼

Trusted Untrusted (except the Black box)

Black box

If the black box is β€œsecure”? Sender’s Goal Protect the internals of private program π‘Έπ’’π’”π’‹π’˜ Receiver’s Goal Disclose the internals

  • f program π‘Έπ’’π’”π’‹π’˜

Execution traces should not leak information about π‘Έπ’’π’”π’‹π’˜

slide-12
SLIDE 12

Wait, isn’t that what In Intel SGX does?

3

slide-13
SLIDE 13

Wait, isn’t that what In Intel SGX does?

Program

3

slide-14
SLIDE 14

Wait, isn’t that what In Intel SGX does?

Program Non- Enclave Enclave

3

slide-15
SLIDE 15

Wait, isn’t that what In Intel SGX does?

Program Non- Enclave Enclave Confidentiality and integrity guarantees Trusted execution region

3

slide-16
SLIDE 16

Wait, isn’t that what In Intel SGX does?

Program Non- Enclave Enclave

Operating System

(and other untrusted software)

Restricted by the processor Confidentiality and integrity guarantees Trusted execution region

3

slide-17
SLIDE 17

4

In Intel SGX is not perfect!

slide-18
SLIDE 18

4

Enclave

In Intel SGX is not perfect!

slide-19
SLIDE 19

4

Enclave Memory accessed by the enclave

In Intel SGX is not perfect!

slide-20
SLIDE 20

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Visible traces on untrusted/shared components! Timing

slide-21
SLIDE 21

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Operating System

Visible traces on untrusted/shared components!

Granularity: 4KB (1 page)

Timing

slide-22
SLIDE 22

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Operating System

Visible traces on untrusted/shared components!

Granularity: 4KB (1 page) Granularity: 64B (1 line)

Timing

slide-23
SLIDE 23

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Operating System

Visible traces on untrusted/shared components!

Granularity: 4KB (1 page) Granularity: Jmp address Granularity: 64B (1 line)

Timing

slide-24
SLIDE 24

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Operating System

Visible traces on untrusted/shared components!

Granularity: 4KB (1 page) Granularity: Jmp address Granularity: 64B (1 line)

Timing

Granularity: Execution Time

slide-25
SLIDE 25

4

Enclave Memory accessed by the enclave

Access Frame #

0x1000

Page Table

Paging, Branch-prediction and Cache attacks!

[S&P14, SEC17, ASPLOS18, DIMVA17, WOOT17]

cache-set 0 cache-set 3

CPU Cache

Taken Address

0x1000

Branch Target Buffer

In Intel SGX is not perfect!

Operating System

Visible traces on untrusted/shared components!

Granularity: 4KB (1 page) Granularity: Jmp address Granularity: 64B (1 line)

Timing

Granularity: Execution Time

slide-26
SLIDE 26

Learning fr from existing solutions!

5

slide-27
SLIDE 27

Learning fr from existing solutions!

5

Access patterns attacks!

slide-28
SLIDE 28

Transactional Memory

[NDSS17, SEC17]

Learning fr from existing solutions!

5

Access patterns attacks!

Possible Soln.

Incomplete

slide-29
SLIDE 29

Transactional Memory

[NDSS17, SEC17]

Learning fr from existing solutions!

5

Access patterns attacks!

Possible Soln.

Incomplete ring-0 required

Cache Partitioning

[SEC18]

slide-30
SLIDE 30

Transactional Memory

[NDSS17, SEC17]

Learning fr from existing solutions!

5

Access patterns attacks!

Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-31
SLIDE 31

Transactional Memory

[NDSS17, SEC17]

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels!

Access patterns attacks!

Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-32
SLIDE 32

Transactional Memory

[NDSS17, SEC17]

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels!

Access patterns attacks! Timing attacks!

Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-33
SLIDE 33

Transactional Memory

[NDSS17, SEC17]

RDTSC

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels!

Access patterns attacks! Timing attacks!

OS-controllable

Possible Soln. Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-34
SLIDE 34

Transactional Memory

[NDSS17, SEC17]

RDTSC Network timers

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels!

Access patterns attacks! Timing attacks!

OS-controllable OS-controllable

Possible Soln. Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-35
SLIDE 35

Transactional Memory

[NDSS17, SEC17]

RDTSC Network timers Thread timers

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels!

Access patterns attacks! Timing attacks!

OS-controllable OS-controllable OS-controllable

Possible Soln. Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-36
SLIDE 36

Transactional Memory

[NDSS17, SEC17]

RDTSC Network timers Thread timers

Learning fr from existing solutions!

5

Lesson #1 Ring-3 enclaves cannot hide access patterns through side-channels! Lesson #2 Unreliable timers for SGX enclaves!

Access patterns attacks! Timing attacks!

OS-controllable OS-controllable OS-controllable

Possible Soln. Possible Soln.

Incomplete ring-0 required Insecure

Cache Partitioning

[SEC18]

Address Randomization

[NDSS17]

slide-37
SLIDE 37

Our approach

6

slide-38
SLIDE 38

Our approach

6

  • Indistinguishable enclave program(s)
slide-39
SLIDE 39

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
slide-40
SLIDE 40

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!
slide-41
SLIDE 41

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

# of executions: 0

slide-42
SLIDE 42

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Single data access # of executions: 0

slide-43
SLIDE 43

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access # of executions: 0 1

slide-44
SLIDE 44

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access # of executions: 0 1

slide-45
SLIDE 45

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access # of executions: 0 1 N

slide-46
SLIDE 46

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

# of executions: 0 1 N

slide-47
SLIDE 47

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

Paging Attack: Same page # of executions: 0 1 N

slide-48
SLIDE 48

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

Cache Attack: Same cache-lines Paging Attack: Same page # of executions: 0 1 N

slide-49
SLIDE 49

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

Cache Attack: Same cache-lines Branch Attack: Same branch Paging Attack: Same page # of executions: 0 1 N

slide-50
SLIDE 50

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

Cache Attack: Same cache-lines Branch Attack: Same branch Paging Attack: Same page Timing Attack: Same time to execute N code blocks # of executions: 0 1 N

slide-51
SLIDE 51

Our approach

6

  • Indistinguishable enclave program(s)
  • A code block executed N times on C-Pad, and data block accessed from D-Pad
  • C-Pad and D-Pad are one cache-line (64B) in size!

C-Pad

64B

D-Pad

64B

Branch to the start of C-Pad Single data access

What do the attacks reveal?

Cache Attack: Same cache-lines Branch Attack: Same branch Paging Attack: Same page Timing Attack: Same time to execute N code blocks # of executions: 0 1 N Instead of trying to hide traces,

all enclaves should leak the same traces!

slide-52
SLIDE 52

Let Hermione explain!

7

slide-53
SLIDE 53

Let Hermione explain!

π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ‘

Operating System

7

slide-54
SLIDE 54

Let Hermione explain!

π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ‘

Operating System

Pattern Pattern

Before (Native)

7

slide-55
SLIDE 55

Let Hermione explain!

π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ‘

Operating System

Pattern Pattern

Before (Native)

Obfuscuro

7

slide-56
SLIDE 56

Let Hermione explain!

π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ π‘­π’π’…π’Žπ’ƒπ’˜π’‡πŸ‘

Operating System

Pattern Pattern

Before (Native) After (Obfuscuro)

Obfuscuro

7

slide-57
SLIDE 57

Cool, what’s the challenge?

8

slide-58
SLIDE 58

Cool, what’s the challenge?

8

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad
slide-59
SLIDE 59

Cool, what’s the challenge?

8

C-Pad 64B

Enclave Storage

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad

Foo Bar Main

Translator

D-Pad

64B

slide-60
SLIDE 60

Cool, what’s the challenge?

8

C-Pad 64B

Enclave Storage

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad

Foo Bar Main 56B 78B 67B

Translator

  • C1. Native code is

not in 64B blocks!

D-Pad

64B

slide-61
SLIDE 61

Cool, what’s the challenge?

8

C-Pad 64B

Enclave Storage

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad

Foo Bar Main 56B 78B 67B

Translator

  • C1. Native code is

not in 64B blocks!

  • C2. Access patterns

leaked while copying!

D-Pad

64B

Foo Bar

slide-62
SLIDE 62

Cool, what’s the challenge?

8

C-Pad 64B

Enclave Storage

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad

Foo Bar Main 56B 78B 67B

Translator

  • C1. Native code is

not in 64B blocks!

  • C2. Access patterns

leaked while copying!

Foo jmp jmp Bar jmp

  • C3. Code can have

different branches!

D-Pad

64B

Foo Bar

slide-63
SLIDE 63

Cool, what’s the challenge?

8

C-Pad 64B

Enclave Storage

  • NaΓ―ve solution
  • Use a software-translator to copy all code and data onto C/D-Pad

Foo Bar Main 56B 78B 67B

Translator

  • C1. Native code is

not in 64B blocks!

  • C2. Access patterns

leaked while copying!

Foo jmp jmp Bar jmp

  • C3. Code can have

different branches!

  • C4. Timing issues

not even discussed!

D-Pad

64B

Foo Bar

slide-64
SLIDE 64

Obfuscuro

  • Program obfuscation on Intel SGX
  • All programs should exhibit same patterns irrespective of logic/input.
  • Adapted from Harry Potter spell β€œObscuro” (translation :> Darkness)

9

Code Controller Data Controller

stash

  • pos. map

D-Tree

C-Pad

64B

D-Pad

64B

stash

  • pos. map

ORAM Bank

C-Tree

Code execution model Data access model

slide-65
SLIDE 65

C1. . Enforce code blocks of f identical sizes

10

slide-66
SLIDE 66

C1. . Enforce code blocks of f identical sizes

10

  • Break code blocks into 64 bytes and pad using nop
slide-67
SLIDE 67

C1. . Enforce code blocks of f identical sizes

10

  • Break code blocks into 64 bytes and pad using nop

Foo()

Native

90B

slide-68
SLIDE 68

C1. . Enforce code blocks of f identical sizes

10

  • Break code blocks into 64 bytes and pad using nop

Foo()

Native

Obfuscuro Compiler 90B

slide-69
SLIDE 69

C1. . Enforce code blocks of f identical sizes

10

  • Break code blocks into 64 bytes and pad using nop

Foo()

Native

Obfuscuro Compiler 90B

Foo.1()

Instrumented

64B

NOPs 38 bytes

26 bytes 64B 64 bytes

Foo.2()

Split Foo()

slide-70
SLIDE 70

C1. . Enforce code blocks of f identical sizes

10

  • Break code blocks into 64 bytes and pad using nop

Foo()

Native

Obfuscuro Compiler 90B

Foo.1()

Instrumented

64B

NOPs 38 bytes

26 bytes 64B 64 bytes

Foo.2()

Split Foo()

64B (single cache-line) code blocks can be loaded onto the C-Pad!

slide-71
SLIDE 71

C2. . Securely loading C/D-Pad

11

slide-72
SLIDE 72

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.
slide-73
SLIDE 73

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map
slide-74
SLIDE 74

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

1

Execute old code block

slide-75
SLIDE 75

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block

slide-76
SLIDE 76

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block Retrieve the block using ORAM

3

slide-77
SLIDE 77

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block Retrieve the block using ORAM

3

Instrumented code is located in C-Tree

slide-78
SLIDE 78

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block Update C-Pad with new code block

4

Retrieve the block using ORAM

3

Instrumented code is located in C-Tree

Foo.1

slide-79
SLIDE 79

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block Update C-Pad with new code block

4

Retrieve the block using ORAM

3

Execute new code block

5

Instrumented code is located in C-Tree

Foo.1

slide-80
SLIDE 80

C2. . Securely loading C/D-Pad

11

  • Fetch code and data using Oblivious RAM (ORAM)
  • The code and data is fetched onto C-Pad and D-Pad resp.

ORAM Bank

C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request new code block

2 1

Execute old code block Update C-Pad with new code block

4

Retrieve the block using ORAM

3

Execute new code block

5

Instrumented code is located in C-Tree

Foo.1

Side-channel-resistant ORAM scheme ensures no leakage as C/D-Pad are loaded!

slide-81
SLIDE 81

C3. . Align branches to/from C-Pad

12

slide-82
SLIDE 82

C3. . Align branches to/from C-Pad

12

  • Each instrumented code block has two branches to fixed locations
  • C-Pad οƒ  Code-Controller
  • C-Pad οƒ  Data-Controller
slide-83
SLIDE 83

C3. . Align branches to/from C-Pad

12

  • Each instrumented code block has two branches to fixed locations
  • C-Pad οƒ  Code-Controller
  • C-Pad οƒ  Data-Controller

Code execution model Data access model

C-Pad

jmp jmp Data Controller

stash

  • pos. map

Code Controller

stash

  • pos. map

add sub imul

CPU-bound instructions

slide-84
SLIDE 84

C3. . Align branches to/from C-Pad

12

  • Each instrumented code block has two branches to fixed locations
  • C-Pad οƒ  Code-Controller
  • C-Pad οƒ  Data-Controller

Code execution model Data access model

C-Pad

jmp jmp Data Controller

stash

  • pos. map

Code Controller

stash

  • pos. map
  • Src. A
  • Dst. A

add sub imul

CPU-bound instructions

  • Dst. B
  • Src. B

Fixed

  • Dst. Addr.

Fixed

  • Src. Addr.
slide-85
SLIDE 85

C3. . Align branches to/from C-Pad

12

  • Each instrumented code block has two branches to fixed locations
  • C-Pad οƒ  Code-Controller
  • C-Pad οƒ  Data-Controller

Code execution model Data access model

C-Pad

jmp jmp Data Controller

stash

  • pos. map

Code Controller

stash

  • pos. map
  • Src. A
  • Dst. A

add sub imul

CPU-bound instructions

  • Dst. B
  • Src. B

Fixed

  • Dst. Addr.

Fixed

  • Src. Addr.

C/D-Controller have no conditional branches!

slide-86
SLIDE 86

C3. . Align branches to/from C-Pad

12

  • Each instrumented code block has two branches to fixed locations
  • C-Pad οƒ  Code-Controller
  • C-Pad οƒ  Data-Controller

Code execution model Data access model

C-Pad

jmp jmp Data Controller

stash

  • pos. map

Code Controller

stash

  • pos. map
  • Src. A
  • Dst. A

add sub imul

CPU-bound instructions

  • Dst. B
  • Src. B

Fixed

  • Dst. Addr.

Fixed

  • Src. Addr.

C/D-Controller have no conditional branches!

All Obfuscuro programs execute the same sequence of branches!

slide-87
SLIDE 87

C4. . Ensuring execution time consistency

13

slide-88
SLIDE 88

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks
slide-89
SLIDE 89

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map
slide-90
SLIDE 90

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1

slide-91
SLIDE 91

Contains dummy but indistinguishable code blocks

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1 2

Retrieve the next block

slide-92
SLIDE 92

Contains dummy but indistinguishable code blocks

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1 3 2

Return to C-Pad Retrieve the next block

slide-93
SLIDE 93

Contains dummy but indistinguishable code blocks

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1 3 2 Term

Return to C-Pad Retrieve the next block

After N blocks

slide-94
SLIDE 94

Contains dummy but indistinguishable code blocks

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1 3 2 Term 4

Return to C-Pad Fetches output and exits enclave! Retrieve the next block

After N blocks

slide-95
SLIDE 95

Contains dummy but indistinguishable code blocks

C4. . Ensuring execution time consistency

13

  • The program executes fixed number of code blocks

ORAM Bank C-Tree

C-Pad 64B Code Controller

stash

  • pos. map

Request next code block

1 3 2 Term 4

Return to C-Pad Fetches output and exits enclave! Retrieve the next block

After N blocks

Execute N code blocks to ensure all programs terminate consistently!

slide-96
SLIDE 96

Faster memory store for enclaves

14

slide-97
SLIDE 97

Faster memory store for enclaves

14

  • Use AVX registers as store instead of ”Oblivious” store
slide-98
SLIDE 98

DRAM CPU

Faster memory store for enclaves

AVX registers

14

  • Use AVX registers as store instead of ”Oblivious” store

C-Pad

64B

Code Controller

stash

  • pos. map
slide-99
SLIDE 99

DRAM CPU

Faster memory store for enclaves

DRAM-based store

AVX registers

Have to sequentially access all memory indices

14

  • Use AVX registers as store instead of ”Oblivious” store

C-Pad

64B

Code Controller

stash

  • pos. map
slide-100
SLIDE 100

DRAM CPU

Faster memory store for enclaves

DRAM-based store Register-based store

AVX registers

Have to sequentially access all memory indices Can access individual registers obliviously!

14

  • Use AVX registers as store instead of ”Oblivious” store

C-Pad

64B

Code Controller

stash

  • pos. map
slide-101
SLIDE 101

DRAM CPU

Faster memory store for enclaves

DRAM-based store Register-based store

AVX registers

Have to sequentially access all memory indices Can access individual registers obliviously!

14

  • Use AVX registers as store instead of ”Oblivious” store

C-Pad

64B

Code Controller

stash

  • pos. map

AVX registers can be used as a faster,

  • blivious storage for SGX enclaves!
slide-102
SLIDE 102

Im Implementation

15

slide-103
SLIDE 103

Im Implementation

15

  • LLVM compiler suite (3117 LoC)
  • Breaks all code into similar blocks

(C1)

  • Instrument and align all control and data-flow instructions

(C3)

slide-104
SLIDE 104

Im Implementation

15

  • LLVM compiler suite (3117 LoC)
  • Breaks all code into similar blocks

(C1)

  • Instrument and align all control and data-flow instructions

(C3)

  • Runtime library (2179 LoC)
  • Initializes ORAM trees and performs secure ORAM operations

(C2)

  • Terminate program and fetch output

(C4)

slide-105
SLIDE 105

Im Implementation

15

  • LLVM compiler suite (3117 LoC)
  • Breaks all code into similar blocks

(C1)

  • Instrument and align all control and data-flow instructions

(C3)

  • Runtime library (2179 LoC)
  • Initializes ORAM trees and performs secure ORAM operations

(C2)

  • Terminate program and fetch output

(C4)

  • Intel SGX SDK (25 LoC)
  • Assign memory regions for C/D-Pad

(support)

slide-106
SLIDE 106

Performance Evaluation

16

100 200 300

16 27 68 85 121 231 Overhead (times) Programs

slide-107
SLIDE 107

Performance Evaluation

16

100 200 300

16 27 68 85 121 231 Overhead (times) Programs We ported ~10 simple applications to Obfuscuro!

slide-108
SLIDE 108

Performance Evaluation

16

100 200 300

16 27 68 85 121 231 Overhead (times) Programs Average overhead

  • bserved is 81 times over

native programs! We ported ~10 simple applications to Obfuscuro!

slide-109
SLIDE 109

Performance Evaluation

16

100 200 300

16 27 68 85 121 231 Overhead (times) Programs Average overhead

  • bserved is 81 times over

native programs! The overhead is highly dependent on input size and program type! We ported ~10 simple applications to Obfuscuro!

slide-110
SLIDE 110

Ending Remarks!

17

slide-111
SLIDE 111

Ending Remarks!

17

  • 1. Program obfuscation is a remarkable dream to achieve
slide-112
SLIDE 112

Ending Remarks!

17

  • 1. Program obfuscation is a remarkable dream to achieve
  • 2. Various software/hardware limitations hinder the realization of

program obfuscation on Intel SGX

slide-113
SLIDE 113

Ending Remarks!

17

  • 1. Program obfuscation is a remarkable dream to achieve
  • 2. Various software/hardware limitations hinder the realization of

program obfuscation on Intel SGX

  • 3. Existing solutions have a limited approach towards side-channel

mitigation in Intel SGX

slide-114
SLIDE 114

Ending Remarks!

17

  • 1. Program obfuscation is a remarkable dream to achieve
  • 2. Various software/hardware limitations hinder the realization of

program obfuscation on Intel SGX

  • 3. Existing solutions have a limited approach towards side-channel

mitigation in Intel SGX

  • 4. Obfuscuro is compiler-based scheme which addresses this issue by

ensuring all programs leak same access patterns

Adil Ahmad Contact: ahmad37@purdue.edu

slide-115
SLIDE 115

18

(Translation ~ Thanks!) ;)

slide-116
SLIDE 116

Execution Tim ime Evaluation

19

cycles Code block with instructions

  • f each type

General programs

ORAM access time dominates the time of code block execution!