rust sgx sdk towards memory safety in intel sgx
play

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan - PowerPoint PPT Presentation

Nov 19, 2022 •651 likes •1.17k views

Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei CONTENTS 3 1 2 PART ONE PART TWO PART THREE Why SGX Why Rust Rust SGX SDK PART 1 Why SGX Why SGX War in memory Ring

  1. Rust SGX SDK: Towards Memory Safety in Intel SGX Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei

  2. CONTENTS 3 1 2 PART ONE PART TWO PART THREE Why SGX ? Why Rust ? Rust SGX SDK

  3. PART 1 Why SGX?

  4. Why SGX War in memory • Ring 3 vs Ring 0 • Ring 0 vs Hypervisor (Ring -1) • Hypervisor vs SMM (Ring -2) • SMM vs AMT/ME (Ring -3)

  5. Why SGX War in memory

  6. Why SGX Hardware based trusted execution environment Intel System Management Mode • Intel Management Engine • Trusted Platform Module (TPM) • AMD Platform Security Processor • DRTM (Dynamic Root of Trust for Measurement) • ARM Trustzone • Intel Trusted Execution Technology • Intel SGX •

  7. Why SGX:Memory Encryption Engine Without SGX SGX Enforced Figures are from Intel ISCA'15 SGX Turtorial

  8. Why SGX:Root of Trust • Hardware Enforced Security: MEE • Remote Attestation Support: Build trust with Intel • Data Sealing: Transfer/store data

  9. PART 2 Why Rust?

  10. Why Rust:Rust Programming Language Endorsed by Mozilla, competing with Go and Swift Guarantees memory safety • No data racing • Blazingly fast • Masterpieces in Rust Redox: A Rust Operating System https://www.redox-os.org • The Servo Browser Engine https://servo.org •

  11. Why Rust:Excellent Performance

  12. Why Rust:Strong Checkers • Borrow 、 Ownership 、 Lifetime fn main() { let a = String::from("book"); // a owns "book" let b = a ; // transfer ownership println!("a = {}", a); // Error! a is not owner } • “One writer, or multiple reader” guaranteed by Rust • Keep each variable's ownership 、 lifetime in mind — Fight against borrow checker

  13. PART 3 Rust SGX SDK

  14. SGX Needs Memory Safety Guarantees Intel SGX is designed to protect secret data Private keys • User privacy (health data/personal data etc.) • Raw Blu-ray video stream • DRM enforcement • But, only C/C++ SDK is available. Should be very very very careful when writing SGX enclaves in C/C++ Buffer overflow … Yes! • Unauthorized Return-oriented-programming … Yes! • Mem Access Intel SGX Use-after-free … Yes! • Enclave Data racing … Yes! • Malformed Input Memory bugs are exploitable!

  15. SGX Needs Memory Safety Guarantees Code in Trusted Execution Engine may be vulnerable Memory corruption vulnerability is exploitable • Code needs to be audited • To better protect secrets in SGX, we need memory safety Provide best security guarantees • Provide latest SGX APIs by Intel • Our Solution : Intel SGX + Rust Programming Language • Use Intel SGX for data protection • Develop Intel SGX enclaves in Rust • Develop Intel SGX untrusted components in Rust * • More details in https://github.com/baidu/rust-sgx-sdk

  16. Hybrid Memory-Safe Architecture: Rules-of-thumb Goals Memory safety guarantees • Good functionality • Challenges Intel SGX library is written in C/C++ • Memory safety rule-of-thumb for hybrid memory-safe architecture designing 1. Unsafe components should be appropriately isolated and modularized, and the size should be small (or minimized). 2. Unsafe components should not weaken the safe, especially, public APIs and data structures. 3. Unsafe components should be clearly identified and easily upgraded.

  17. Overview without Rust SGX SDK Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  18. Rust SGX SDK:v0.1.0, v0.2.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  19. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  20. Rust SGX SDK:An Overview

  21. Rust SGX SDK:Hello the world • Untrusted part • Enclave

  22. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  23. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  24. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  25. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  26. Rust SGX SDK:v0.9.0 Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar) EDL File

  27. Rust SGX SDK:Partition Question: Which part of a program should be inside SGX enclave? Decryption/Encryption using private key • Seal data/Unseal data • Analysis on secret data • … • However, most SGX developers are not SGX experts, not experienced in partition an SGX app.

  28. Good and NG Examples node-secureworker, wolfSSL SGX Samples Node-secureworker [GOOD] • In-enclave DukTape Javascript engine • Remote Attestation on bootstrap • Seal all outputs WolfSSL SGX Sample [NG] Tamper the ctx pointer may: • In-enclave SSL connection 1) misguide app • Pass in-enclave pointer as argument 2) cause DOS WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx);

  29. Rust SGX SDK:Partition by SDK Our Goals • Partition basic libraries correctly • Provide an easy-to-use interface • Let developers feel easy in programming Intel SGX enclaves

  30. Rust SGX SDK:Short summary 1. The Memory safety is necessary to Intel SGX enclaves. 2. Rust SGX SDK is valuable and promising Allows to programming Intel SGX Enclaves in Rust. • Intends to build up a hybrid memory-safe architecture with Rust and • Intel SGX libraries. Provides a series of crates (libraries), such as Rust-style std, alloc etc, • and Intel-SGX-style crypto, seal, protected_fs etc. Partitions the basic libraries correctly. •

  31. Challenges What we do?

  32. Intel SGX : Limitations Dynamic loading? NO! Static linking! System call? NO! We need partition! Threading model? Different! Redefine thread/sync! Exception/Signal? New! Reimplement exception/signal! CPUID instruction? NO in SGXv1 RDTSC instruction? NO in SGXv1

  33. Rust SGX SDK : Dependency Rust binaries depends on libc by default (linux-x86_64, dynamic loading) Intel provides static trusted libc (tlibc.a) for Intel SGX enclave SGX features are provided in other static libraries • Rust SGX SDK statically link to Intel SGX libraries

  34. Rust SGX SDK : Partition and Interacting with OS Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar)

  35. Rust SGX SDK : Partition and Interacting with OS Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar) OCALL Feature function

  36. Rust SGX SDK : Partition and Interacting with OS Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar) OCALL Feature function Feature function definition in EDL

  37. Rust SGX SDK : Partition and Interaction with OS Enclave Untrusted ECALL GATE ecall(foo) ECALL GATE ECALL GATE SGX context switch OCALL GATE OCALL GATE OCALL GATE ocall(bar) OCALL Feature function Rust style API Feature function definition in EDL

  38. Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … u_stdout_ocall(&mut result as * mut isize as * mut usize, data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))};

  39. Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … Defined in u_stdout_ocall(&mut result as * mut isize as * mut usize, EDL file data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))};

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me Sofuware developer PhD student in post-quantum cryptography at IAIK 1 Speaker at RustGraz (twitter @RustGraz) What is rust? What is rust?

1.47k views • 82 slides
Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020 Last lecture Ryan told us

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020 Last lecture Ryan told us

Memory Safety in Rust Ryan Eberhardt and Armin Namavari April 7, 2020 Last lecture Ryan told us the bad news about C and C++ This lecture, Im going to tell you how Rust addresses some of those issues Disclaimer: you can still write buggy

490 views • 35 slides
OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system

OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University Rusts rich type system and ownership model guarantee memory-safety and thread-safety enabling you to eliminate many classes of bugs at compile-time. the

1.27k views • 89 slides
LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION JIT page To achieve code execution,

327 views • 32 slides
TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware

TESTING IN RUST A PRIMER IN TESTING AND MOCKING @donald_whyte FOSDEM 2018 ABOUT ME Soware Engineer @ Engineers Gate Real-time trading systems Scalable data infrastructure Python/C++/Rust developer MOTIVATION Rust focuses on memory

1.47k views • 100 slides
Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

http://talks.edunham.net/scale15x Rust 101 E. Dunham @qedunham Intro Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust Improve Rust E. Dunham @qedunham March 5, 2017

865 views • 75 slides
MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel

MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel

MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel Presentations Memory Two levels of memory for KNL Main memory KNL has direct access to all of main memory Similar latency/bandwidth as

507 views • 21 slides
The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You

The Rust Programming Language Ben Goldberg Rust A Programming Language for the Future Thank You Thank you to rust-lang.org for providing content and examples! Overview The sales pitch Use cases The Rust language Other Languages

1.18k views • 63 slides
Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019

Institute of Operating Systems and Computer Networks Themis: An Efficient and Memory-Safe BFT Framework in Rust SERIAL Workshop, December 9, 2019 Signe Rsch, Kai Bleeke, Rdiger Kapitza ruesch@ibr.cs.tu-bs.de Technische Universitt

1.94k views • 32 slides
Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc

Rust: Systems Programming for Everyone Felix Klock ( @pnkfelix ), Mozilla space : next slide; esc : overview; arrows navigate http://bit.ly/1LQM3PS Why ...? Why use Rust? Fast code, low memory footprint Go from bare metal (assembly; C FFI)

1.41k views • 113 slides
Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us

Tremor How Rust killed thousands of cores and TB of memory at Wayfair Agenda A bit about us What is tremor Tremor Script &lt;3 OSS What is Wayfair? Sells rugs (and couches!) Large online retailer for furniture

851 views • 46 slides
Polar Coding for Processes with Memory glu 1 Ido Tal 2 Eren S a so 1 Intel 2 Technion 1 /

Polar Coding for Processes with Memory glu 1 Ido Tal 2 Eren S a so 1 Intel 2 Technion 1 /

Polar Coding for Processes with Memory glu 1 Ido Tal 2 Eren S a so 1 Intel 2 Technion 1 / 17 Well known: polarization occurs for a memoryless process Our setting: a process with memory Mild assumption: ( -mixing, 0 &lt;

570 views • 17 slides
www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29,

www.rust-lang.org An Overview of the Rust Programming Language Jim Royer CIS 352 April 29, 2019 CIS 352 Rust Overview 1 / 1 CIS 352 Rust Overview 2 / 1 References Sample code: Factorial, 1 The Rust Programming Language by S. Klabnik and

589 views • 7 slides
Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit,

Using Rust on RIOT OS Christian M. Ams uss &lt;ca@etonomy.org&gt; 2019-09-05 RIOT Summit, Helsinki Outline The Rust language and ecosystem Rust on embedded systems Rust on RIOT Simple things: functions and variables fn

804 views • 24 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Integration Tests with Super Powers And even more... Alexandre Figura Site Reliability

Integration Tests with Super Powers And even more... Alexandre Figura Site Reliability

Integration Tests with Super Powers And even more... Alexandre Figura Site Reliability Engineer @ SysEleven GmbH A Brillant Masterpiece Irresistibly Entertaining The Python Magazine Edinburgh Times

346 views • 22 slides
Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video

Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video

Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video Games Both CDs and DVDs have replaced cartridges High Definition Movies Blu-Ray replaced DVD Computers Both CDs and DVDs have floppy disks

287 views • 10 slides
Challenges in Con erting the Challenges in Converting the National Crime Victimization Survey to

Challenges in Con erting the Challenges in Converting the National Crime Victimization Survey to

Challenges in Con erting the Challenges in Converting the National Crime Victimization Survey to Blaise Charlie Carter Roberto Picha Technologies Management Office 1 Introduction The National Crime Victimization Survey is one of many

348 views • 24 slides
Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed

Indexed Files : Outline ! Introduction ! Indexed Files ! Full Index Organization ! Indexed Sequential Files ! Multilevel Indexes ! Overflow Management ! Performance Analysis rasitjutrakul Indexed Files Ordered Random access sequential

536 views • 22 slides
Introduction To Java Larry Stead, Instructor lss2168@columbia.edu cell 973-932-3147 Office

Introduction To Java Larry Stead, Instructor lss2168@columbia.edu cell 973-932-3147 Office

Introduction To Java Larry Stead, Instructor lss2168@columbia.edu cell 973-932-3147 Office Hours Monday afternoon, also around Tues and Thurs Pooja Bepin Shah, TA Sunday 4pm office hour Course survey https:/ /www.surveymonkey.com/s/8X5QPGB

733 views • 45 slides
Whats cooking in GStreamer FOSDEM, Brussels 1 February 2014 Tim-Philipp Mller

Whats cooking in GStreamer FOSDEM, Brussels 1 February 2014 Tim-Philipp Mller

Whats cooking in GStreamer FOSDEM, Brussels 1 February 2014 Tim-Philipp Mller &lt;tim@centricular.com&gt; Sebastian Drge &lt;sebastian@centricular.com&gt; Introduction who are we ? what is GStreamer ? What is GStreamer ?

419 views • 26 slides
CS-5630 / CS-6630 Visualization Alexander Lex alex@sci.utah.edu [xkcd] visualization pictures

CS-5630 / CS-6630 Visualization Alexander Lex alex@sci.utah.edu [xkcd] visualization pictures

CS-5630 / CS-6630 Visualization Alexander Lex alex@sci.utah.edu [xkcd] visualization pictures The purpose of computing is insight, not numbers. - Richard Wesley Hamming - Card, Mackinlay, Shneiderman Banana M. acuminata Date P. dactylifera

1.06k views • 81 slides
Information Transmission Chapter 3, image and video OVE EDFORS ELECTRICAL AND INFORMATION

Information Transmission Chapter 3, image and video OVE EDFORS ELECTRICAL AND INFORMATION

Information Transmission Chapter 3, image and video OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY Learning outcomes Understanding raster image formats and what determines quality, video formats and what determines quality, and

1.39k views • 24 slides

More recommend