s gx e lide enabling enclave code secrecy via self
play

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification - PowerPoint PPT Presentation

Dec 17, 2023 •339 likes •1.08k views

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 , Mingwei Zhang 2 , Zhiqiang Lin 1 , 3 1 University of Texas at Dallas 2 Intel Labs 3 The Ohio State University CGO 2018 Introduction Background and

  1. S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 , Mingwei Zhang 2 , Zhiqiang Lin 1 , 3 1 University of Texas at Dallas 2 Intel Labs 3 The Ohio State University CGO 2018

  2. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX 2 / 23

  3. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Intel SGX Provides secure enclaves 3 / 23

  4. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Intel SGX Provides secure enclaves Memory regions isolated from all other code 3 / 23

  5. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Intel SGX Provides secure enclaves Memory regions isolated from all other code Cannot be accessed by OS or hypervisor 3 / 23

  6. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX App App App Operating System Hypervisor Hardware Trusted 4 / 23

  7. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX App App App Operating System Hypervisor Hardware Trusted 4 / 23

  8. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Disk Enclave Code Data 5 / 23

  9. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Enclave Code Data Disk Enclave Code Data 5 / 23

  10. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave Code Data Disk Enclave Code Data 5 / 23

  11. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave Code Data Disk Data Integrity Enclave Code Data 5 / 23

  12. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave Code Data Disk Data Integrity Enclave Code Integrity Code Data 5 / 23

  13. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave Secret Code Data Data Disk Data Integrity Enclave Code Integrity Code Data 5 / 23

  14. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave Secret Secret Code Data Data Data Disk Data Integrity Enclave Code Integrity Data Confidentiality Code Data 5 / 23

  15. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave ? Secret Secret Code Data Data Code Disk Data Integrity Enclave Code Integrity Data Confidentiality Code Data 5 / 23

  16. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX Client Application Attest Enclave ? Secret Secret Code Data Data Code Disk Data Integrity Enclave Code Integrity Data Confidentiality Code Data Code Confidentiality 5 / 23

  17. Introduction Background and Overview Design and Implementation Evaluation Conclusion Intel SGX “The enclave file can be disassembled, so the algorithms used by the enclave developer will not remain secret.” –SGX SDK Manual 6 / 23

  18. Introduction Background and Overview Design and Implementation Evaluation Conclusion S GX E LIDE Definition Elide: To leave out or omit 7 / 23

  19. Introduction Background and Overview Design and Implementation Evaluation Conclusion Challenges Enclaves must be signed and unmodified until initialization 8 / 23

  20. Introduction Background and Overview Design and Implementation Evaluation Conclusion Challenges Enclaves must be signed and unmodified until initialization The entire enclave cannot be encrypted 8 / 23

  21. Introduction Background and Overview Design and Implementation Evaluation Conclusion Challenges Enclaves must be signed and unmodified until initialization The entire enclave cannot be encrypted Any secrets cannot be stored in the enclave 8 / 23

  22. Introduction Background and Overview Design and Implementation Evaluation Conclusion Challenges Enclaves must be signed and unmodified until initialization The entire enclave cannot be encrypted Any secrets cannot be stored in the enclave There should be minimal toolchain changes 8 / 23

  23. Introduction Background and Overview Design and Implementation Evaluation Conclusion Main Idea Redact (or sanitize ) secrets and restore at runtime 9 / 23

  24. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist 10 / 23

  25. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) 10 / 23

  26. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted 10 / 23

  27. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer 10 / 23

  28. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes 10 / 23

  29. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes Whitelist 10 / 23

  30. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes Whitelist Only specify code that must not be redacted 10 / 23

  31. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes Whitelist Only specify code that must not be redacted Applicable to any enclave 10 / 23

  32. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes Whitelist Only specify code that must not be redacted Applicable to any enclave No need for developer to mark secrets 10 / 23

  33. Introduction Background and Overview Design and Implementation Evaluation Conclusion Blacklist vs. Whitelist Blacklist User specifies secrets (e.g. annotations) Minimizes code that must be encrypted Burden of annotating secrets on developer Risk of mistakes Whitelist Only specify code that must not be redacted Applicable to any enclave No need for developer to mark secrets More code must be encrypted 10 / 23

  34. Introduction Background and Overview Design and Implementation Evaluation Conclusion Our Solution Sign sanitized enclave and restore secrets after initializing 11 / 23

  35. Introduction Background and Overview Design and Implementation Evaluation Conclusion Our Solution Sign sanitized enclave and restore secrets after initializing Encrypt all nonessential functions 11 / 23

  36. Introduction Background and Overview Design and Implementation Evaluation Conclusion Our Solution Sign sanitized enclave and restore secrets after initializing Encrypt all nonessential functions Use remote attestation 11 / 23

  37. Introduction Background and Overview Design and Implementation Evaluation Conclusion Our Solution Sign sanitized enclave and restore secrets after initializing Encrypt all nonessential functions Use remote attestation Use both local and remote storage 11 / 23

  38. Introduction Background and Overview Design and Implementation Evaluation Conclusion S GX E LIDE Overview dummy Compiler, dummy.so enclave Enclave Linker code sanitized.so Runtime secret.so Dummy Enclave Code Generation Sanitizer secret Restorer data Compiler, secret secret.so enclave Linker code Runtime Secret Enclave Code Restoration Normal Enclave Code Generation 12 / 23

  39. Introduction Background and Overview Design and Implementation Evaluation Conclusion Remote vs. Local Data Secret Data 13 / 23

  40. Introduction Background and Overview Design and Implementation Evaluation Conclusion Remote vs. Local Data Secret Data 13 / 23

  41. Introduction Background and Overview Design and Implementation Evaluation Conclusion Remote vs. Local Data Secret Key Secret Data 14 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
LIDE SLIDES SOLUTION MANUAL AND LIBRARYACCESS50 PDF You will be glad to know that right now lide

LIDE SLIDES SOLUTION MANUAL AND LIBRARYACCESS50 PDF You will be glad to know that right now lide

Reviewed by Lisandro Loggia For your safety and comfort, read carefully e-Books lide slides solution manual and libraryaccess50 PDF this Our Library Download File Free PDF Ebook. Thanks your visit fromlide slides solution manual and libraryaccess50

215 views • 3 slides
Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop (OSEW 2019) Berkeley, July 2019 https://mesatee.org Rust and Keystone Enclave Open-Source Enclave (RISC-V Hardware/Keystone Enclave) :

662 views • 32 slides
T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure users code and data in the cloud

1.07k views • 27 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

619 views • 20 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

1.45k views • 98 slides
Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems

Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems

Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems , Bell Systems Technical Journal, Vol. 28, pp. 656715, 1948. Eli Biham - May 3, 2005 c 54 Shannons Theory of Secrecy Systems (2)

584 views • 14 slides
Session 13 Secrecy, Power, and Anthropology Lecture Points: Anthropology as a Science of

Session 13 Secrecy, Power, and Anthropology Lecture Points: Anthropology as a Science of

Session 13 Secrecy, Power, and Anthropology Lecture Points: Anthropology as a Science of Secrecy Paradigms of Secrecy Max Weber: The Official (Office) Secret Michael Taussig: The Public Secret Franz Boas: The Secret is

296 views • 15 slides
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Lecture 4 Page 1 CS 236 Online Cryptography and Secrecy Pretty obvious Only those knowing the

303 views • 15 slides
Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Open Source Enclave Workshop July 2019 Berkeley, CA Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, Xi Wang University of Washington, Columbia University, Microsoft Research 1

435 views • 14 slides
Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy:

Applied Cryptography Lecture 1 Applied Cryptography Lecture 1 Our first encounter with secrecy: Secret-Sharing Secrecy Secrecy Cryptography is all about controlling access to information Access to learning and/or influencing

2.01k views • 171 slides
Enabling Transparent Asynchronous I/O using Background Threads HPC I/O Synchronous

Enabling Transparent Asynchronous I/O using Background Threads HPC I/O Synchronous

Enabling Transparent Asynchronous I/O using Background Threads HPC I/O Synchronous Code executes in sequence. Computation is blocked by I/O, waste system resources. Asynchronous Code may execute out of order.

351 views • 22 slides
Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew

Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew

Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew Baumann, Microsoft Research Mark Silberstein, Technion Public cloud computing Enclave Enclave Enclave Sensitive data 29-Apr-20 Meni Orenbach,

971 views • 29 slides
Introduction to the Bank Secrecy Act (BSA 101) Presented by Lynn English Lafayette Federal

Introduction to the Bank Secrecy Act (BSA 101) Presented by Lynn English Lafayette Federal

Introduction to the Bank Secrecy Act (BSA 101) Presented by Lynn English Lafayette Federal Credit Union Key Takeaways After this webinar, participants should be able to understand why the Bank Secrecy Act exists Identify the

1.11k views • 51 slides
Return on Equity (ROE) Item Nos: E-7, E-8, E-9, E-10, E-11, E-12, E-24 Meeting Date: June

Return on Equity (ROE) Item Nos: E-7, E-8, E-9, E-10, E-11, E-12, E-24 Meeting Date: June

S lide 1 Return on Equity (ROE) Item Nos: E-7, E-8, E-9, E-10, E-11, E-12, E-24 Meeting Date: June 19, 2014 Good morning, Madame Chairman and Commissioners. S lide 2 E-7 Draft Order on Initial Decision in Docket No. EL11-66-001

565 views • 5 slides
The Ramses Code for Numerical Astrophysics: Toward Full GPU Enabling Claudio Gheller (ETH Zurich

The Ramses Code for Numerical Astrophysics: Toward Full GPU Enabling Claudio Gheller (ETH Zurich

The Ramses Code for Numerical Astrophysics: Toward Full GPU Enabling Claudio Gheller (ETH Zurich - CSCS) Giacomo Rosilho de Souza (EPF Lausanne) Marco Sutti (EPF Lausanne) Romain Teyssier (University of Zurich) Simulations in

371 views • 22 slides
This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert,

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert,

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Drmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy Overview ?!

355 views • 18 slides
Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and

Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and

Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and Engineering, University of California Merced Director, California Advanced Solar Technologies Institute (UC Solar) rwinston@ucmerced.edu

1.63k views • 115 slides
Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its

Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its

Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its 2009-2010 outburst Tao Chen Overview Observation and Data Reduction Results Timing analysis Spectral analysis Connection between

673 views • 23 slides
r t ssr

r t ssr

r t ssr rstr tss t rtt

739 views • 60 slides
Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can Win AdKDD2017 Yeming Shi, Claudia Perlich, Ori Stitelman yshi, claudia, ostitelman@dstillery.com Dstillery, Inc. Outline Introduction

635 views • 17 slides
This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker Malcolm Atkinson School of Informatics School of Computer Science School of Informatics University of Edinburgh University of St Andrews University

443 views • 26 slides
into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL Outlines Introduction

into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL Outlines Introduction

MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense RAJSHAKHAR PAUL Outlines Introduction Motivation Background Threat Model Data Analysis Conclusion Outlines Introduction Motivation

717 views • 32 slides

More recommend