SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , - - PowerPoint PPT Presentation
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii , Oleksii Oleksenko , Sergei Arnautov , Bohdan Trach , Pramod Bhatotia * , Pascal Felber , Christof Fetzer TU Dresden, * The University of Edinburgh,
Eurosys 2017
Dmitrii Kuvaiskii †, Oleksii Oleksenko †, Sergei Arnautov †, Bohdan Trach †, Pramod Bhatotia *, Pascal Felber ‡, Christof Fetzer †
† TU Dresden, * The University of Edinburgh, ‡ University of Neuchâtel
Eurosys 2017
Security in the Cloud
1
Eurosys 2017
Security in the Cloud
1
Eurosys 2017
Security in the Cloud
1
➥ Malicious host (e.g., cloud provider) ➥ Software vulnerabilities
Eurosys 2017
Security in the Cloud
Shielded execution (SGX Enclave) Malicious OS
Virtual Address Space
1
➥ Malicious host (e.g., cloud provider) ➥ Software vulnerabilities
Eurosys 2017
Security in the Cloud
Shielded execution (SGX Enclave)
Virtual Address Space
1
➥ Malicious host (e.g., cloud provider) ➥ Software vulnerabilities
Eurosys 2017
Security in the Cloud
Shielded execution (SGX Enclave)
Virtual Address Space
1
Heartbleed Cloudbleed
➥ Malicious host (e.g., cloud provider) ➥ Software vulnerabilities
Eurosys 2017
Protecting against Attacks
2
(malicious host)
Eurosys 2017
Protecting against Attacks
2
(malicious host) (vulnerabilities)
Eurosys 2017
Protecting against Attacks
AddressSanitizer
(software-based)
Intel MPX
(hardware-based)
2
(malicious host) (vulnerabilities)
Eurosys 2017
Protecting against Attacks
2
(malicious host) (vulnerabilities) AddressSanitizer
(software-based)
Intel MPX
(hardware-based)
Eurosys 2017
State-of-the-Art: SQLite example
3
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
3
(malicious host) (vulnerabilities)
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
lower better
3
State-of-the-Art: SQLite example
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
☹ Increased latency of memory accesses Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
Enclave Page Cache (94MB) CPU Cache (8MB) DRAM (64GB)
☹ Increased latency of memory accesses
Physical Address Space
Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
Enclave Page Cache (94MB) CPU Cache (8MB) DRAM (64GB)
☹ Increased latency of memory accesses
MEE encryption (1-12x)
Physical Address Space
Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
Enclave Page Cache (94MB) CPU Cache (8MB) DRAM (64GB)
☹ Increased latency of memory accesses
MEE encryption (1-12x) EPC paging (2-2000x)
Physical Address Space
Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
Constraints of SGX Enclaves
Shielded execution (SGX Enclave)
Virtual Address Space
4
Enclave Page Cache (94MB) CPU Cache (8MB) DRAM (64GB)
☹ Increased latency of memory accesses ☹ Limited enclave memory (4GB)
MEE encryption (1-12x) EPC paging (2-2000x)
4GB Physical Address Space
Why AddressSanitizer and Intel MPX perform poorly under SGX?
Eurosys 2017
State-of-the-Art: Metadata Layout
5
Assumptions of AddressSanitizer and Intel MPX violated in SGX!
Eurosys 2017
State-of-the-Art: Metadata Layout
5
Assumptions of AddressSanitizer and Intel MPX violated in SGX!
red zone
512MB
shadow object
red zone
pointer pointer
Bounds Directory
Bounds Table 1
AddressSanitizer Intel MPX
Eurosys 2017
State-of-the-Art: Metadata Layout
5
☹ Fast accesses to metadata ☹ Almost endless memory Assumptions of AddressSanitizer and Intel MPX violated in SGX!
red zone
512MB
shadow object
red zone
pointer pointer
Bounds Directory
Bounds Table 1
AddressSanitizer Intel MPX
Eurosys 2017
State-of-the-Art: Metadata Layout
5
☹ Fast accesses to metadata ≠ increased latency ☹ Almost endless memory ≠ limited enclave memory Assumptions of AddressSanitizer and Intel MPX violated in SGX!
red zone
512MB
shadow object
red zone
pointer pointer
Bounds Directory
Bounds Table 1
AddressSanitizer Intel MPX
Eurosys 2017
State-of-the-Art: Metadata Layout
5
☹ Fast accesses to metadata ≠ increased latency ☹ Almost endless memory ≠ limited enclave memory Assumptions of AddressSanitizer and Intel MPX violated in SGX!
red zone
512MB
shadow object
red zone
pointer pointer
Bounds Directory
Bounds Table 1
AddressSanitizer Intel MPX
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
SGXBounds: Metadata Layout
6
Memory contraints of SGX dictated design of SGXBounds
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata Memory contraints of SGX dictated design of SGXBounds
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
pointer
31 63
SGXBounds
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
pointer
31 63
SGXBounds
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
pointer UB
31 63
LB
SGXBounds
4B
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
pointer UB
31 63
SGXBounds
4B
– Upper bound (UB) in pointer – Lower bound (LB) per object
LB
Eurosys 2017
SGXBounds: Metadata Layout
6
☺ Increased latency → minimize accesses to metadata ☺ Limited enclave memory → minimize space of metadata Memory contraints of SGX dictated design of SGXBounds
pointer UB
31 63
SGXBounds
4B
– Upper bound (UB) in pointer – Lower bound (LB) per object – Out-of-the-box multithreading (unlike MPX)
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB
☹ Data leak through write(socket, pointer, objlen)
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB
☹ Data leak through write(socket, pointer, objlen)
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB
Bounds-check before each memory access:
LB ≤ pointer ≤ UB
☹ Data leak through write(socket, pointer, objlen) ☺ Protect using effjcient bounds checks
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB embedded in tagged pointer
Bounds-check before each memory access:
LB ≤ pointer ≤ UB
☹ Data leak through write(socket, pointer, objlen) ☺ Protect using effjcient bounds checks
LB
Eurosys 2017
SGXBounds: Detecting Vulnerabilities
7
How SGXBounds detects vulnerabilities like Heartbleed?
pointer UB
SGXBounds password
LB loaded from memory based on UB embedded in tagged pointer
Bounds-check before each memory access:
LB ≤ pointer ≤ UB
☹ Data leak through write(socket, pointer, objlen) ☺ Protect using effjcient bounds checks
LB
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
SGXBounds: Implementation
8
SGXBounds (LLVM pass)
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Shielded app (e.g., SCONE) Source code
8
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Operating System Shielded app (e.g., SCONE) Source code CPU RAM
SGX
8
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Operating System Shielded app (e.g., SCONE) Source code CPU RAM
SGX
Advanced features:
8
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Operating System Shielded app (e.g., SCONE) Source code CPU RAM
SGX
Advanced features:
➥ Tolerating errors with boundless memory ➥ Metadata management support ➥ Compile-time optimizations
8
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Operating System Shielded app (e.g., SCONE) Source code CPU RAM
SGX
Advanced features:
➥ Tolerating errors with boundless memory ➥ Metadata management support ➥ Compile-time optimizations
See paper for details
8
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
➥ Benchmark suites ➥ Case studies ➥ Security
Eurosys 2017
9
Benchmark Suites
Eurosys 2017
9
Benchmark Suites
Eurosys 2017
Benchmark Suites
* some programs failed due to insuffjcient memory
9
Eurosys 2017
Benchmark Suites
* some programs failed due to insuffjcient memory
9
Eurosys 2017
10
Case Studies
Eurosys 2017
Case Studies
10
Eurosys 2017
Case Studies
10
Eurosys 2017
Case Studies ☹ MPX: EPC thrashing on Memcached
10
Eurosys 2017
Case Studies ☹ MPX: EPC thrashing on Memcached ☹ ASan: metadata overload on Nginx
10
Eurosys 2017
Case Studies ☹ MPX: EPC thrashing on Memcached ☹ ASan: metadata overload on Nginx ☺ SGXBounds: no corner cases
10
Eurosys 2017
Security guarantees
11
Eurosys 2017
Security guarantees ☺ RIPE synthetic benchmark:
➥ Similar guarantees as ASan and MPX
11
Eurosys 2017
Security guarantees ☺ RIPE synthetic benchmark:
➥ Similar guarantees as ASan and MPX
☺ Real-world vulnerabilities detected and tolerated:
➥ Memcached denial-of-service ➥ Nginx stack bufger overfmow ➥ Apache Heartbleed
11
Eurosys 2017
– Motivation – Constraints of SGX enclaves – Design of SGXBounds – Implementation of SGXBounds – Evaluation
Eurosys 2017
Conclusion
12
Eurosys 2017
Conclusion
12
➥ Use shielded execution with Intel SGX
Eurosys 2017
Conclusion
12
➥ Use shielded execution with Intel SGX
➥ Use memory defense like ASan and MPX
Eurosys 2017
Conclusion
➥ Use shielded execution with Intel SGX
➥ Use memory defense like ASan and MPX
➥ Their memory assumptions are violated in SGX
12
Eurosys 2017
Conclusion
➥ Use shielded execution with Intel SGX
➥ Use memory defense like ASan and MPX
➥ Their memory assumptions are violated in SGX
12
Eurosys 2017
Conclusion
➥ Use shielded execution with Intel SGX
➥ Use memory defense like ASan and MPX
➥ Their memory assumptions are violated in SGX
12
dmitrii.kuvaiskii@tu-dresden.de https://github.com/tudinfse/sgxbounds
Eurosys 2017
Backup slides
Eurosys 2017
Intel SGX and SCONE
SGX Enclave (legacy app with SCONE) Asynchronous syscalls
Virtual Address Space – V. Costan, S. Devadas. „Intel SGX Explained“. IACR Cryptology ePrint Archive '16 – S. Arnautov et al. „SCONE: Secure linux containers with Intel SGX“. OSDI'16 Application Libraries Network shield FS shield M:N user threading Modifjed Musl C library
SCONE
Eurosys 2017
SGXBounds: Implementation
a = add x, i store 42, a x = specify_bounds(x, x+N) a = add x, i aptr = extract_ptr(a) UB = extract_upper_bound(a) LB = load_lower_bound(UB) if (aptr < LB or aptr >= UB): handle_error(aptr) store 42, a
Native SGXBounds
SGXBounds (LLVM pass)
Operating System Application Source code CPU RAM
SGX
Eurosys 2017
Related Work (SPEC CPU2006 outside of SGX enclave)
Perf Mem Comments
Intel MPX 146% 116% FP/FN for multithreaded AddressSanitizer 38% 292% – BaggyBounds1 70% 12% Not publicly available Low-Fat Pointers2 54% 12% Not publicly available SGXBounds 55% 0% (this work)
1 P. Akritidis et al. „Baggy Bounds Checking: An effjcient and backwards-compatible
defense against out-of-bounds errors“. Usenix Security'09
2 G. Duck et al. „Stack Bounds Protection with Low Fat Pointers“. NDSS'17
Eurosys 2017
SGXBounds: Implementation
SGXBounds (LLVM pass)
Operating System App (in SCONE) Source code CPU RAM
SGX
Instrumentation:
data: lower bound metadata after each allocated object pointers: upper bound metadata in each data pointer code: bounds-check before each memory access
Eurosys 2017
Security guarantees
MPX ASan SGXBounds
RIPE benchmark 2/16 8/16 8/16 Memcached CVE-2011-4971
Nginx CVE-2013-2028
Apache Heartbleed
D detected? T tolerated?
Eurosys 2017
Case Studies: Full Picture
Eurosys 2017
Classes of Defenses against Attacks
CF – control fmow hijack, DO – data-only attack, IL – information leak
Eurosys 2017
SGXBounds and Boundless Memory
UB pointer p LRU cache victim object LB referent object
*(p+offset)
access chunk chunk chunk redirect access
mapping: aligned(p) -> chunk Lower Bound (LB) Upper Bound (UB) 31 63 (p+offset) < LB (p+offset) ≥ UB
bounds
rcx
1 M. Rinard et al. „A dynamic technique for eliminating bufger overfmow vulnerabilities (and
Eurosys 2017
SGXBounds: Outside of Enclaves