System for Intel SGX Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq - - PowerPoint PPT Presentation

system for intel sgx
SMART_READER_LITE
LIVE PREVIEW

System for Intel SGX Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq - - PowerPoint PPT Presentation

Nov 27, 2023 46 likes •1.06k views

Obliviate: A Data Oblivious File System for Intel SGX Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee 1 Clouds? The Ultimate Dream? User Clouds 2 Clouds? The Ultimate Dream? User Clouds 2 Clouds? The Ultimate

slide-1
SLIDE 1

Obliviate: A Data Oblivious File System for Intel SGX

Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee

1

slide-2
SLIDE 2

Clouds? The Ultimate Dream?

Clouds User

2

slide-3
SLIDE 3

Clouds? The Ultimate Dream?

Clouds User

2

slide-4
SLIDE 4

Clouds? The Ultimate Dream?

Clouds User Hmm, SGX?? 

2

slide-5
SLIDE 5

Clouds? The Ultimate Dream?

Clouds User Hmm, SGX?? 

2

slide-6
SLIDE 6

Clouds? The Ultimate Dream?

Clouds User Hmm, SGX?? 

2

slide-7
SLIDE 7

Clouds? The Ultimate Dream?

Clouds User Hmm, SGX??  Thanks, SGX?! ☺

2

slide-8
SLIDE 8

Clouds? The Ultimate Dream?

Clouds User Hmm, SGX??  Thanks, SGX?! ☺

2

The real world is a bit more complicated!

slide-9
SLIDE 9

The sorcery behind SGX

Program’s Address Space

3

slide-10
SLIDE 10

The sorcery behind SGX

Program’s Address Space Non- Enclave Enclave

3

Confidentiality and integrity- protected T rusted execution region

slide-11
SLIDE 11

The sorcery behind SGX

Program’s Address Space Non- Enclave Enclave System Components Restricted by the processor

3

Confidentiality and integrity- protected T rusted execution region

slide-12
SLIDE 12

Possible SGX File Systems

Disk

4

slide-13
SLIDE 13

Possible SGX File Systems

Disk

Enclaves are ring-3

4

slide-14
SLIDE 14

Possible SGX File Systems

Disk

Enclaves are ring-3 Rely on OS for ring-0 ops Operating System

4

slide-15
SLIDE 15

Possible SGX File Systems

Disk

Enclaves are ring-3

1.

  • pen(“a.txt”);

2. read(2, 0x1000, 4096); 3. ….

Rely on OS for ring-0 ops Operating System

4

slide-16
SLIDE 16

Possible SGX File Systems

Disk

Enclaves are ring-3

1.

  • pen(“a.txt”);

2. read(2, 0x1000, 4096); 3. ….

Rely on OS for ring-0 ops Operating System Allow OS to handle file buffer (native)

4

slide-17
SLIDE 17

Possible SGX File Systems

Disk

Enclaves are ring-3

1.

  • pen(“a.txt”);

2. read(2, 0x1000, 4096); 3. ….

Rely on OS for ring-0 ops Operating System Allow OS to handle file buffer (native) Buffer the file within the enclave (in-memory)

4

slide-18
SLIDE 18

Side-channel attacks against in-memory FS

Operating System Enclave

Page table attacks against SGX

[S&P14, SEC17] Cache attacks against SGX [DIMVA17, WOOT17, EuroSec17]

5

Data.txt

slide-19
SLIDE 19

Side-channel attacks against in-memory FS

Access Frame #

0x1000 0x1001 0x1002 0x1003 0x1004

Page T able

Operating System Enclave Accessed by the enclave

Page table attacks against SGX

[S&P14, SEC17] Cache attacks against SGX [DIMVA17, WOOT17, EuroSec17]

5

Data.txt

slide-20
SLIDE 20

Side-channel attacks against in-memory FS

Access Frame #

0x1000 0x1001 0x1002 0x1003 0x1004

Page T able

Operating System Enclave Accessed by the enclave

1 0x1000 1 0x1003

Page table attacks against SGX

[S&P14, SEC17] Cache attacks against SGX [DIMVA17, WOOT17, EuroSec17]

5

Data.txt

slide-21
SLIDE 21

Side-channel attacks against in-memory FS

Access Frame #

0x1000 0x1001 0x1002 0x1003 0x1004

Page T able

Operating System Enclave Accessed by the enclave

1 0x1000 1 0x1003

Page table attacks against SGX

[S&P14, SEC17] cache-set 0 cache-set 1 cache-set 2 cache-set 3

Cache

Cache attacks against SGX [DIMVA17, WOOT17, EuroSec17]

5

Data.txt

slide-22
SLIDE 22

Side-channel attacks against in-memory FS

Access Frame #

0x1000 0x1001 0x1002 0x1003 0x1004

Page T able

Operating System Enclave Accessed by the enclave

1 0x1000 1 0x1003

Page table attacks against SGX

[S&P14, SEC17] cache-set 0 cache-set 1 cache-set 2 cache-set 3

Cache

cache-set 0 cache-set 3 Cache attacks against SGX [DIMVA17, WOOT17, EuroSec17]

5

Data.txt

slide-23
SLIDE 23

Case Study: Attacking SQlite

Doctor Cloud

6

slide-24
SLIDE 24

Case Study: Attacking SQlite

Doctor Doctor attempts to access a patient’s history Cloud

6

slide-25
SLIDE 25

Case Study: Attacking SQlite

Query1: Bob’s heart history Doctor Doctor attempts to access a patient’s history Cloud

6

Query2: Alice’s heart history

slide-26
SLIDE 26

Case Study: Attacking SQlite

Query1: Bob’s heart history Doctor SGX-protected SQLite Doctor attempts to access a patient’s history Cloud

6

Query2: Alice’s heart history

slide-27
SLIDE 27

Case Study: Attacking SQlite

Name Lungs Condition Heart condition

Query1: Bob’s heart history Doctor SGX-protected SQLite Doctor attempts to access a patient’s history Cloud

6

Query2: Alice’s heart history

slide-28
SLIDE 28

What the attacker sees?

med.db

Name

Bob

Lung Condition

Heart condition

… … …

Alice

Eve

… … …

slide-29
SLIDE 29

What the attacker sees?

med.db

Query1: Bob’s heart history

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

slide-30
SLIDE 30

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

slide-31
SLIDE 31

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Page T able Attack

Time Address

slide-32
SLIDE 32

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Page T able Attack Query1

Time Address

slide-33
SLIDE 33

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Alice

Page T able Attack

Time Address

Query2: Alice’s heart history

slide-34
SLIDE 34

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768); 1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,40960);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Alice

Page T able Attack

Time Address

Query2: Alice’s heart history

slide-35
SLIDE 35

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768); 1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,40960);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Alice

Page T able Attack

Time Address

Query2 Query2: Alice’s heart history

slide-36
SLIDE 36

What the attacker sees?

med.db

Query1: Bob’s heart history

1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,32768); 1.

  • pen(”med.db”

, ..); 2. pread64(…,4096,0); 3. pread64(…,4096,4096); 4. pread64(…,4096,40960);

Syscall Snooping Attack

Name

Bob

Lung Condition

Heart condition

… … …

Bob

Alice

Eve

… … …

Alice

Page T able Attack

Time Address

Query2 Query2: Alice’s heart history

Predictable access patterns in file operations leak sensitive information!

slide-37
SLIDE 37

What should we do?

8

slide-38
SLIDE 38

What should we do?

Masking individual memory side-channels is risky

8

slide-39
SLIDE 39

What should we do?

Masking individual memory side-channels is risky Memory side-channels rely on predictable access patterns

8

slide-40
SLIDE 40

What should we do?

Masking individual memory side-channels is risky Memory side-channels rely on predictable access patterns How to provide strong protection despite memory traces?

8

slide-41
SLIDE 41

What should we do?

Masking individual memory side-channels is risky Memory side-channels rely on predictable access patterns How to provide strong protection despite memory traces?

8

Oblivious RAM is one possible solution to this problem

slide-42
SLIDE 42

Oblivious RAM

User Clouds

B D E C F A

User’s goal:

Securely access data stored in the cloud

Attacker’s goal:

Figure out what data-block is being accessed

9

slide-43
SLIDE 43

Path ORAM

Improved variant of Oblivious RAM [Stephanov et. al, CCS12]

d d C A B d D

Server

A 00 B 01 C 10 D 11

Position Map

Client

Stash

stores position

  • f block

stores acquired blocks holds encrypted real blocks and dummy blocks

ORAM T ree

1 1 1

d

dummy

A

real

Legend

10

slide-44
SLIDE 44

11

slide-45
SLIDE 45

11

slide-46
SLIDE 46

OBLIVIA TE!

11

slide-47
SLIDE 47

OBLIVIA TE!

11

slide-48
SLIDE 48

Obliviate: memory charm against the OS ☺

Obliviate

Filesystem Enclave Application Enclave

Disk

12

slide-49
SLIDE 49

Obliviate: memory charm against the OS ☺

Obliviate

Filesystem Enclave Application Enclave

Disk

12

(Init) load all files into ORAM T ree(s)

ORAM Trees

C A B D

slide-50
SLIDE 50

Obliviate: memory charm against the OS ☺

T rusted Proxy

  • 1. FS Syscall

Interceptor

Obliviate

Filesystem Enclave Application Enclave

Disk

12

ORAM Trees

C A B D

slide-51
SLIDE 51

Obliviate: memory charm against the OS ☺

T rusted Proxy

Obliviate

  • 2. Encrypted

Channel

Filesystem Enclave Application Enclave

Disk

12

ORAM Trees

C A B D

slide-52
SLIDE 52

Obliviate: memory charm against the OS ☺

T rusted Proxy

Obliviate

Filesystem Enclave Application Enclave

Disk

12

ORAM Trees

C A B D

  • 3. Data Oblivious

Metadata Handling

slide-53
SLIDE 53

Obliviate: memory charm against the OS ☺

T rusted Proxy

Obliviate

Filesystem Enclave Application Enclave

Disk

12

ORAM Trees

C A B D

  • 4. Asynchronous

ORAM Operation

slide-54
SLIDE 54

Obliviate: memory charm against the OS ☺

T rusted Proxy

Obliviate

Filesystem Enclave Application Enclave

Disk

  • 5. Extended

Secure Region

12

ORAM Trees

C A B D

slide-55
SLIDE 55

Decoupling file system support

Disk

Application Enclaves Obliviate

13

slide-56
SLIDE 56

Decoupling file system support

Disk

Application Enclaves Obliviate

Pass all FS syscalls using encrypted channel

13

slide-57
SLIDE 57

Decoupling file system support

Allow Obliviate to worry about securing file access

Disk

Application Enclaves Obliviate

Pass all FS syscalls using encrypted channel

13

slide-58
SLIDE 58

Decoupling file system support

Allow Obliviate to worry about securing file access

Disk

Application Enclaves Obliviate

Pass all FS syscalls using encrypted channel

13

Separation of functions facilitates development!

slide-59
SLIDE 59

Legacy application support

Application

14

slide-60
SLIDE 60

Legacy application support

Intercept FS syscalls and encrypt

T rusted Proxy

Application

14

slide-61
SLIDE 61

Legacy application support

Intercept FS syscalls and encrypt

T rusted Proxy

Exit-less message queue

(SCONE [OSDI16], ELEOS [EuroSys17]) Application

Oblivate

Disk

14

slide-62
SLIDE 62

Legacy application support

Intercept FS syscalls and encrypt

T rusted Proxy

Exit-less message queue

(SCONE [OSDI16], ELEOS [EuroSys17]) Application

Oblivate

Disk

14

No changes from the app developer!

slide-63
SLIDE 63

Securing ORAM

Obliviate

Disk

15

Application

slide-64
SLIDE 64

Securing ORAM

Obliviate

Disk

Position Map Stash

ORAM client

15

Need to store metadata in enclave

Application

slide-65
SLIDE 65

Securing ORAM

Obliviate

Disk

Position Map Stash

ORAM client

Obliviate’s enclave is not side-channel free

15

Application

slide-66
SLIDE 66

Securing ORAM

Position Map

Obliviate

Disk

Position Map Stash

ORAM client

15

Application

slide-67
SLIDE 67

Securing ORAM

Position Map

Load from index

Obliviate

Disk

Position Map Stash

ORAM client

15

Application

slide-68
SLIDE 68

Securing ORAM

Position Map

Access Frame #

0x1000 0x1001 0x1002 0x1003

Page T able

cache-set 0 cache-set 1 cache-set 2

cache-set 3

Last-Level Cache

1 0x1003

Obliviate

Disk

Position Map Stash

ORAM client

15

Application

slide-69
SLIDE 69

Securing ORAM

Position Map

Use Conditional Move (CMOV)

Access Frame #

0x1000 0x1001 0x1002 0x1003

Page T able

cache-set 0 cache-set 1 cache-set 2

cache-set 3

Last-Level Cache

1 0x1003

Obliviate

Disk

Position Map Stash

ORAM client

15

Application

slide-70
SLIDE 70

Securing ORAM

Position Map

Use Conditional Move (CMOV)

Access Frame #

0x1000 0x1001 0x1002 0x1003

Page T able

cache-set 0 cache-set 1 cache-set 2

cache-set 3

Last-Level Cache

cache-set 0 cache-set 1 cache-set 2

1 0x1003 1 0x1000 1 0x1001 1 0x1002

Obliviate

Disk

Position Map Stash

ORAM client

15

Application

slide-71
SLIDE 71

Securing ORAM

Position Map

Use Conditional Move (CMOV)

Access Frame #

0x1000 0x1001 0x1002 0x1003

Page T able

cache-set 0 cache-set 1 cache-set 2

cache-set 3

Last-Level Cache

cache-set 0 cache-set 1 cache-set 2

1 0x1003 1 0x1000 1 0x1001 1 0x1002

Obliviate

Disk

Position Map Stash

ORAM client

15

The attacker cannot distinguish CMOV from MOV

Application

slide-72
SLIDE 72

Securing ORAM

Position Map

Use Conditional Move (CMOV)

Access Frame #

0x1000 0x1001 0x1002 0x1003

Page T able

cache-set 0 cache-set 1 cache-set 2

cache-set 3

Last-Level Cache

cache-set 0 cache-set 1 cache-set 2

1 0x1003 1 0x1000 1 0x1001 1 0x1002

Obliviate

Disk

Position Map Stash

ORAM client

15

The attacker cannot distinguish CMOV from MOV

Application

Side-channel resistant ORAM implementation!

slide-73
SLIDE 73

Extending Enclave Memory

16

Obliviate Disk

slide-74
SLIDE 74

Extending Enclave Memory

16

EPC Physical Memory Program

Obliviate Disk

Large enclaves degrade performance

slide-75
SLIDE 75

Extending Enclave Memory

Metadata (small) inside enclave ORAM Trees (large) outside enclave

16

EPC Physical Memory Program

Obliviate Disk

Encrypted ORAM Trees

C A B D

Position Map Stash

ORAM Client

Large enclaves degrade performance

slide-76
SLIDE 76

Extending Enclave Memory

Metadata (small) inside enclave ORAM Trees (large) outside enclave

16

EPC Physical Memory Program

Obliviate Disk

Encrypted ORAM Trees

C A B D

Position Map Stash

ORAM Client

Large enclaves degrade performance

Encrypted ORAM trees outside enclave!

slide-77
SLIDE 77

Leveraging asynchronicity

Communication Thread Operation Thread

Obliviate

17

Disk

Encrypted ORAM Trees

C A B D

Application

slide-78
SLIDE 78

Leveraging asynchronicity

Communication Thread Operation Thread

Obliviate

17

Disk

Encrypted ORAM Trees

C A B D

Application

(a) read(1, 0x18289, 4096)

slide-79
SLIDE 79

Leveraging asynchronicity

Communication Thread Operation Thread

Obliviate

17

Disk

Encrypted ORAM Trees

C A B D

(b) Read(A)

Application

(a) read(1, 0x18289, 4096)

slide-80
SLIDE 80

Leveraging asynchronicity

Communication Thread Operation Thread

Obliviate

17

(c) Reply to the request

Disk

Encrypted ORAM Trees

C A B D

(c) Write-back(A) (b) Read(A)

Application

(a) read(1, 0x18289, 4096)

slide-81
SLIDE 81

Leveraging asynchronicity

Communication Thread Operation Thread

Obliviate

17

(c) Reply to the request

Disk

Encrypted ORAM Trees

C A B D

(c) Write-back(A) (b) Read(A)

Application

(a) read(1, 0x18289, 4096)

Perform Asynchronous ORAM write-back!

slide-82
SLIDE 82

Implementation

1. Obliviate runs using Intel SGX SDK Library 2. Graphene-SGX integration to run “heavyweight” applications, e.g., SQLite and Lighttpd

18

slide-83
SLIDE 83

Performance Evaluation

Evaluated filesystems:

  • 1. Native Filesystem (Non-SGX)
  • 2. In-memory Filesystem (SGX, based on Graphene-SGX)
  • 3. Obliviate (SGX, based on Intel SGX SDK)

19

slide-84
SLIDE 84

Iozone Benchmarks

a) Sequential Reads (Bytes/sec) b) Sequential Writes (Bytes/sec)

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

20

slide-85
SLIDE 85

Iozone Benchmarks

a) Sequential Reads (Bytes/sec) b) Sequential Writes (Bytes/sec)

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

2-3x overhead over the in-memory FS

20

slide-86
SLIDE 86

Iozone Benchmarks

a) Sequential Reads (Bytes/sec) b) Sequential Writes (Bytes/sec) In-memory FS exerts a lot of pressure on EPC

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

2-3x overhead over the in-memory FS

20

slide-87
SLIDE 87

Iozone Benchmarks

a) Sequential Reads (Bytes/sec) b) Sequential Writes (Bytes/sec) Comparable performance for smaller file sizes In-memory FS exerts a lot of pressure on EPC

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

1 10 100 1000 10000 100000 1000000 10000000

2M 128M 512M 1G

Native FS In-memory FS Obliviate

2-3x overhead over the in-memory FS

20

slide-88
SLIDE 88

Macro-Benchmarks

a) SQLite Response Times (milli-sec) b) Lighttpd Throughput (Req/s)

100 1000 10000

1K 16K 128K 1M

In-memory FS Obliviate

500 1000 1500 2000 2500

INSERT SELECT

In-memory FS Obliviate

21

slide-89
SLIDE 89

Macro-Benchmarks

a) SQLite Response Times (milli-sec) b) Lighttpd Throughput (Req/s) ~2x overhead over in-memory FS

100 1000 10000

1K 16K 128K 1M

In-memory FS Obliviate

500 1000 1500 2000 2500

INSERT SELECT

In-memory FS Obliviate

21

slide-90
SLIDE 90

Conclusion

22

slide-91
SLIDE 91

Conclusion

  • 1. All existing SGX filesystems are vulnerable to side-channels

22

slide-92
SLIDE 92

Conclusion

  • 1. All existing SGX filesystems are vulnerable to side-channels
  • 2. File system operations can leak sensitive information about program

execution.

22

slide-93
SLIDE 93

Conclusion

  • 1. All existing SGX filesystems are vulnerable to side-channels
  • 2. File system operations can leak sensitive information about program

execution.

  • 3. Obliviate provides theoretically-strong defense against side-

channels.

22

slide-94
SLIDE 94

Conclusion

  • 1. All existing SGX filesystems are vulnerable to side-channels
  • 2. File system operations can leak sensitive information about program

execution.

  • 3. Obliviate provides theoretically-strong defense against side-

channels.

22

Opensource: https://github.com/adilahmad17/Obliviate Contact: ahmad37@purdue.edu

slide-95
SLIDE 95

Thanks! Merci! Shukriya!

23

slide-96
SLIDE 96

Extra Slides

24

slide-97
SLIDE 97

Securing file system

25

slide-98
SLIDE 98

Securing file system

c a b d

25

slide-99
SLIDE 99

Securing file system

c a b d

Single ORAM Tree protects file offset

25

slide-100
SLIDE 100

Securing file system

c a b d c a b d c a b d c a b d c a b d c a b d c a b d

Hierarchical ORAM Trees can protect files Single ORAM Tree protects file offset

25

slide-101
SLIDE 101

Securing file system

c a b d c a b d c a b d c a b d c a b d c a b d c a b d

Hierarchical ORAM Trees can protect files Single ORAM Tree protects file offset

Protect both file and file offset!

25