opensgx an open platform for
play

OpenSGX: An Open Platform for SGX Research Prerit Jain, Soham Desai, - PowerPoint PPT Presentation

Aug 13, 2022 •518 likes •1.27k views

OpenSGX: An Open Platform for SGX Research Prerit Jain, Soham Desai, Seongmin Kim* , Ming-Wei Shih, JaeHyuk Lee, Changho Choi, Youjung Shin, Taesoo Kim, Brent Byunghoon Kang, Dongsu Han 1 Trusted Execution Environment (TEE) Hardware

  1. OpenSGX: An Open Platform for SGX Research Prerit Jain, Soham Desai, Seongmin Kim* , Ming-Wei Shih, JaeHyuk Lee, Changho Choi, Youjung Shin, Taesoo Kim, Brent Byunghoon Kang, Dongsu Han 1

  2. Trusted Execution Environment (TEE) • Hardware technologies for trusted computing – Isolated execution: integrity of code, confidentiality – To protect application from untrusted platform 2

  3. Trusted Execution Environment (TEE) • Hardware technologies for trusted computing – Isolated execution: integrity of code, confidentiality – To protect application from untrusted platform 3

  4. Trusted Execution Environment (TEE) • Hardware technologies for trusted computing – Isolated execution: integrity of code, confidentiality – To protect application from untrusted platform 4

  5. Trusted Execution Environment (TEE) • Hardware technologies for trusted computing – Isolated execution: integrity of code, confidentiality – To protect application from untrusted platform 5

  6. Trusted Execution Environment (TEE) • Hardware technologies for trusted computing – Isolated execution: integrity of code, confidentiality – To protect application from untrusted platform • Practical limitations of TEEs – Trusted Platform Module (TPM) : Poor performance – ARM TrustZone : Compatibility (only for embedded devices) 6

  7. Intel SGX • An extension of x86 Instruction Set Architecture (ISA) – Offers native performance, Compatibility with x86 – Application keeps its data/code inside the “ enclave ” Enclave Application (untrusted) Operating System (untrusted) Skylake CPU 7

  8. Intel SGX • An extension of x86 Instruction Set Architecture (ISA) – Offers native performance, Compatibility with x86 – Application keeps its data/code inside the “ enclave ” Data Code Enclave Application (untrusted) Operating System (untrusted) Skylake CPU 8

  9. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave EPC Encrypted code/data 9

  10. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave EPC Encrypted code/data Memory Encryption Engine (MEE) 10

  11. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave EPC Encrypted code/data Memory Encryption Engine (MEE) 11

  12. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave Processor Key EPC Encrypted code/data Memory Encryption Engine (MEE) 12

  13. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave Processor Key EPC Encrypted Snooping code/data Memory Encryption Engine (MEE) 13

  14. Intel SGX 101: Isolated Execution • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software Physical Address Memory Space CPU Package Enclave Processor Key EPC Access from Encrypted Snooping OS/VMM code/data Memory Encryption Engine (MEE) 14

  15. Intel SGX 101: Remote attestation • Attest an application on remote platform – Check the integrity of enclave (hash of code/data pages) – Verify whether enclave is running on real SGX CPU – Can establish a “ secure channel ” between enclaves User platform Remote platform 1. Request Application Challenger Enclave Application Enclave 4. Send Ephemeral QUOTE 2. Create REPORT 5. Verify 3. Sign with Quoting Attestation EPID group key Enclave Verification (Create QUOTE) EPID key 15 15

  16. Intel SGX 101: Remote attestation • Attest an application on remote platform – Check the integrity of enclave (hash of code/data pages) – Verify whether enclave is running on real SGX CPU – Can establish a “ secure channel ” between enclaves User platform Remote platform Intel SGX brings new opportunities for 1. Request Application enhancing security of applications Challenger Enclave Application Enclave 4. Send Ephemeral QUOTE 2. Create REPORT 5. Verify 3. Sign with Quoting Attestation EPID group key Enclave Verification (Create QUOTE) EPID key 16 16

  17. SGX Research: Current Status • Pioneering research: Adopting SGX on cloud computing (Haven [OSDI14], VC3 [S&P15]) • Confidentiality verification of SGX program (Moat [CCS15]) • Adopts SGX on networking [HotNets15] 17

  18. SGX Research: Current Status • However, software technologies for SGX lag behind their hardware counterpart SGX CPU and SDK is now available! But.. • Specification for SGX [revision 1 & 2] is not fully available on the SGX hardware (only functionalities in revision 1) • SGX technology has a complex license model 18

  19. OpenSGX: Design Goal • Offers a complete platform for SGX research – To explore software and hardware design space of SGX – To develop and evaluate SGX-enabled applications 19

  20. OpenSGX: Design Goal • Offers a complete platform for SGX research – To explore software and hardware design space of SGX – To develop and evaluate SGX-enabled applications • Fills non-trivial issues on SGX software components – Support for system software and user-level APIs – Familiar programming model and interface – Secure design to defend against potential attack vectors (e.g., Iago attacks) 20

  21. OpenSGX: Design Goal • Offers a complete platform for SGX research – To explore software and hardware design space of SGX – To develop and evaluate SGX-enabled applications • Fills non-trivial issues on SGX software components – Support for system software and user-level APIs – Familiar programming model and interface – Secure design to defend against potential attack vectors (e.g., Iago attacks) • Non goal : security guarantee 21

  22. OpenSGX: Approach • Using userspace emulation of QEMU – Binary translation to support SGX instructions – QEMU helper routine to implement complex instructions Host (single address space) QEMU Entry point EPC Code RIP Lib EPC Binary enclu(){ … Helper routine … … Translation EPC Data asm (“.byte 0x0f ” if(opcode == - Set registers “.byte 0x01 ” … 0x0f01d7) { “.byte 0xd7 ” - Operates “ rax =entry” Stack EPC helper_enclu(); SGX instructions … } EPC } Heap … Enclave Wrapper 22

  23. OpenSGX: Approach • Using userspace emulation of QEMU – Binary translation to support SGX instructions – QEMU helper routine to implement complex instructions Host (single address space) QEMU Entry point EPC Code RIP Lib EPC Binary enclu(){ … Helper routine … … Translation EPC Data asm (“.byte 0x0f ” if(opcode == - Set registers “.byte 0x01 ” … 0x0f01d7) { “.byte 0xd7 ” - Operates “ rax =entry” Stack EPC helper_enclu(); SGX instructions … } EPC } Heap … Enclave Wrapper 23

  24. OpenSGX: Component Overview • Emulated SGX hardware SGX QEMU (HW emulation) 24

  25. OpenSGX: Component Overview • Emulated SGX hardware • OS emulation layer SGX OS Emulation SGX QEMU (HW emulation) 25

  26. OpenSGX: Component Overview • Emulated SGX hardware • OS emulation layer • OpenSGX user library SGX Libraries Trampoline Stub SGX OS Emulation SGX QEMU (HW emulation) 26

  27. OpenSGX: Component Overview • Emulated SGX hardware • OS emulation layer • OpenSGX user library • OpenSGX toolchain SGX Libraries Trampoline Stub SGX OS Emulation OpenSGX toolchain SGX QEMU (HW emulation) 27

  28. OpenSGX: Component Overview • Emulated SGX hardware • Enclave loader • OS emulation layer • OpenSGX user library • OpenSGX toolchain SGX Libraries Enclave Runtime Trampoline loader library Stub SGX OS Emulation OpenSGX toolchain SGX QEMU (HW emulation) 28

  29. OpenSGX: Component Overview • Emulated SGX hardware • Enclave loader • Performance monitor • OS emulation layer • Enclave debugger • OpenSGX user library • OpenSGX toolchain SGX Libraries Enclave Enclave Runtime Debugger Trampoline loader library Stub Performance Monitor SGX OS Emulation OpenSGX toolchain SGX QEMU (HW emulation) 29

  30. OpenSGX: Component Overview • Emulated SGX hardware • Enclave loader • Performance monitor • OS emulation layer • Enclave debugger • OpenSGX user library • OpenSGX toolchain Enclave Program SGX Libraries Enclave Enclave Runtime Debugger Trampoline loader library Stub Performance Monitor SGX OS Emulation OpenSGX toolchain SGX QEMU (HW emulation) 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Open Smart Grid id Pla latform An Open source IoT platform for large infrastructures Why did

Open Smart Grid id Pla latform An Open source IoT platform for large infrastructures Why did

Open Smart Grid id Pla latform An Open source IoT platform for large infrastructures Why did we develop the Open Smart Grid Platform? The Open Smart Grid Platform architecture Use cases: Applications Smart Lighting Application

488 views • 9 slides
open platform, open tools and open data for an open Internet Tiziana Refice (tiziana@google.com)

open platform, open tools and open data for an open Internet Tiziana Refice (tiziana@google.com)

open platform, open tools and open data for an open Internet Tiziana Refice (tiziana@google.com) ISMA 2012 What & who is M-Lab? Measurement Lab (M-Lab) is a collaborative, researcher-driven effort to empower Internet users , researchers ,

483 views • 17 slides
OPEN SCHOOL: An Open E-Learning Platform for Khmer-speaking Users Sokunthearith Makara Learning

OPEN SCHOOL: An Open E-Learning Platform for Khmer-speaking Users Sokunthearith Makara Learning

OPEN SCHOOL: An Open E-Learning Platform for Khmer-speaking Users Sokunthearith Makara Learning Design and Technology Problem Access to quality education Solution Purpose statement: Develop and evaluate the ease of use of an open

1.02k views • 90 slides
Introduction: Open Web Platform and Automotive Philipp Hoschka<ph@w3.org> This project is

Introduction: Open Web Platform and Automotive Philipp Hoschka<ph@w3.org> This project is

Introduction: Open Web Platform and Automotive Philipp Hoschka<ph@w3.org> This project is funded by the European Union through the Seventh Framework Programme (FP7/2010-2012) under grant Webinos Why This Workshop? Motivation: Open

345 views • 13 slides
GlobalSight is an open-source translation management platform that manages the end-to-end

GlobalSight is an open-source translation management platform that manages the end-to-end

GlobalSight is an open-source translation management platform that manages the end-to-end localization process . GlobalSight provides a robust, easy-to- access platform for managing, translating and delivering global content.

72 views • 6 slides
Open Election Data (OED), Electoral Violence Education and Resolution (EVER) Platform OED-EVER

Open Election Data (OED), Electoral Violence Education and Resolution (EVER) Platform OED-EVER

LAM-TECH Consulting Enterprises Open Election Data (OED), Electoral Violence Education and Resolution (EVER) Platform OED-EVER Platform LAMTECH.SL Version 0.3 | Wednesday, 3 rd , December 2018 Introduction What is elec elector oral al

583 views • 44 slides
TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard Contactless App Data Payment MaaS Journey Platform Operator Planner aggregator facilitator Service planner Open data feeds Platform

339 views • 7 slides
The African Open Science Platform ICT Infrastructure in Support of Data Sharing Presented by Ina

The African Open Science Platform ICT Infrastructure in Support of Data Sharing Presented by Ina

The African Open Science Platform ICT Infrastructure in Support of Data Sharing Presented by Ina Smith Project Manager African Open Science Platform Academy of Science of South Africa (ASSAf) WACREN 2018 Conference, 15 March 2018 Data Driven

390 views • 35 slides
Introducing Open Platform for NFV Dirk Kutscher Chief Researcher NEC

Introducing Open Platform for NFV Dirk Kutscher Chief Researcher NEC

Introducing Open Platform for NFV Dirk Kutscher Chief Researcher NEC Laboratories Europe Please direct any questions or comments to info@opnfv.org 1 OPNFV is a carrier- grade, integrated, open source reference

576 views • 13 slides
Introduction of an open-source, multi-material bioprinting platform 3D bioprinting conference -

Introduction of an open-source, multi-material bioprinting platform 3D bioprinting conference -

Introduction of an open-source, multi-material bioprinting platform 3D bioprinting conference - 26 January 2016 - Maastricht Overview www.teamhelloworld.com 1.CANTER at a glance 2.AM in medicine 3.Open issue 4.Why open-source?

690 views • 22 slides
TOWARDS OPEN ORGANIZATIONS V4.2 6/12/18 MISSION A few days; rapid technical guidance; you

TOWARDS OPEN ORGANIZATIONS V4.2 6/12/18 MISSION A few days; rapid technical guidance; you

TOWARDS OPEN ORGANIZATIONS V4.2 6/12/18 MISSION A few days; rapid technical guidance; you handle the Platform. Presans is an open-innovation platform whose mission is to inject Light Speed on-demand expertise into industrial Insights

388 views • 12 slides
Open311 A Platform for a Participatory Civic Infrastructure Toward an open standard 311 is an

Open311 A Platform for a Participatory Civic Infrastructure Toward an open standard 311 is an

Open311 A Platform for a Participatory Civic Infrastructure Toward an open standard 311 is an access point for non-emergency city services Cities support 311 to varying degrees with a wide range of services and methods of access Open Data

311 views • 20 slides
OPAVES An open platform for autonomous vehicle tinkerers Fabien Chouteau Embedded Software

OPAVES An open platform for autonomous vehicle tinkerers Fabien Chouteau Embedded Software

OPAVES An open platform for autonomous vehicle tinkerers Fabien Chouteau Embedded Software Engineer at AdaCore Twitter : @DesChips GitHub : Fabien-Chouteau Hackaday.io: Fabien.C 1 What is this project? Open Platform for Autonomous

482 views • 24 slides
Evaluation of Park Harrison Brown for R244 Park: An Open Platform for Learning- Augmented

Evaluation of Park Harrison Brown for R244 Park: An Open Platform for Learning- Augmented

Adding the packet classification problem Evaluation of Park Harrison Brown for R244 Park: An Open Platform for Learning- Augmented Platform for researchers to experiment with RL 12 systems problems with an easy to use interface

100 views • 9 slides
Towards an Open Mobile Measurement Platform David Choffnes University of Washington Along with

Towards an Open Mobile Measurement Platform David Choffnes University of Washington Along with

Towards an Open Mobile Measurement Platform David Choffnes University of Washington Along with University of Michigan and Google Thursday, February 7, 13 1 Mobile Internet can be terrible Open Platform for Mobile Measurement 2 Thursday,

195 views • 15 slides
The Power of Platform Technology Adapting to change using open, integrated systems 1 Webinar

The Power of Platform Technology Adapting to change using open, integrated systems 1 Webinar

The Power of Platform Technology Adapting to change using open, integrated systems 1 Webinar overview 01. Brief Introduction 02. Current state of Technology in the Construction industry 03. Benefits of Platform technology 04. Key insights

1.27k views • 31 slides
compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall

compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall

compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall 2019. Lecture 16 0 Finish up stochastic block model. Efficient algorithms for SVD/eigendecomposition. Iterative methods: power method,

824 views • 68 slides
Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and anonymity combined lecture Anonymous communications techniques Stephen McCamant

665 views • 10 slides
BIOSKILLS ONE THE TRICUSPID AND MITRAL VALVE COMPARATIVE ANATOMY MARK REISMAN, MD

BIOSKILLS ONE THE TRICUSPID AND MITRAL VALVE COMPARATIVE ANATOMY MARK REISMAN, MD

UW MEDICINE TITLE OR EVENT BIOSKILLS ONE THE TRICUSPID AND MITRAL VALVE COMPARATIVE ANATOMY MARK REISMAN, MD REISMANM@UW.EDU Disclosure Statement of Financial Interest I, Mark Reisman, MD, DO NOT have a financial interest/arrangement or

332 views • 21 slides
GPD a GPD at t COMP COMPASS ASS at C t CERN ERN 1- DVCS CS 2- HEMP HEMP Nicole dHose

GPD a GPD at t COMP COMPASS ASS at C t CERN ERN 1- DVCS CS 2- HEMP HEMP Nicole dHose

GPD a GPD at t COMP COMPASS ASS at C t CERN ERN 1- DVCS CS 2- HEMP HEMP Nicole dHose CEA Universit Paris-Saclay 1 Deeply virtual Compton scattering (DVCS) D. Mueller et al , Fortsch. Phys. 42 (1994) X.D. Ji , PRL 78

588 views • 31 slides
Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X , July 18, 2014 1/32 Outline Introduction Proof Systems Proof Search Proof Formats Proof Production Proof Consumption Applications Conclusions

574 views • 36 slides
Hash-routing Schemes for Information Centric Networking Lorenzo Saino, Ioannis Psaras, George

Hash-routing Schemes for Information Centric Networking Lorenzo Saino, Ioannis Psaras, George

Hash-routing Schemes for Information Centric Networking Lorenzo Saino, Ioannis Psaras, George Pavlou Communications and Information Systems Group Department of Electrical and Electronics Engineering University College London

349 views • 33 slides
Op#mizing DNS Authority Server Placement Ning Kong, Guangqing

Op#mizing DNS Authority Server Placement Ning Kong, Guangqing

Op#mizing DNS Authority Server Placement Ning Kong, Guangqing Deng IETF 90, DNSOP Background DNS system is s#ll in an expanding period Universal

625 views • 16 slides
Parallel 3D-FFTs for multi-core nodes on a mesh communication network Joachim Hein 1,2 , Heike

Parallel 3D-FFTs for multi-core nodes on a mesh communication network Joachim Hein 1,2 , Heike

Parallel 3D-FFTs for multi-core nodes on a mesh communication network Joachim Hein 1,2 , Heike Jagode 3,4 , Ulrich Sigrist 2 , Alan Simpson 1,2 , Arthur Trew 1,2 1 HPCX Consortium 2 EPCC, The University of Edinburgh 3 The University of Tennessee

416 views • 24 slides

More recommend