Intel SGX
Mengjia Yan, Fall 2020
Based on slides of the Intel SGX Tutorial
Recap: Address Translation
6.888 L3 - Intel SGX 2
[Figure: the per-process page table maps 4KB pages of the virtual address space (programmer's view) to 4KB frames of the physical address space (limited by DRAM size); VA → PA.]
Recap: Address Translation
[Figure: the same per-process page-table mapping, VA → PA in 4KB pages, with a virtual page that has no physical frame behind it.]
System software handles the "page fault".
Recap: Process Isolation
[Figure: Process 1 and Process 2 each have their own page table, so their 4KB virtual pages map to separate 4KB physical frames; VA → PA.]
Page De-duplication and Copy-on-write
[Figure: Process 1 and Process 2 page tables; two virtual pages with identical content map to a single shared 4KB physical frame marked CoW.]
If two pages have the same content, use page de-duplication to reduce memory footprint.
Page De-duplication and Copy-on-write
[Figure: after a write to the shared CoW frame, the 4KB page is copied and the writer's page-table entry is changed to point at the copied frame.]
Upon write access, copy the page and change the mapping.
Recap: Secure Boot
• Static root of trust for measurement (SRTM)
• Measurements are compared to expected values locally or submitted to a remote attestor.
[Figure: measured boot chain TPM + firmware → Boot Loader → OS kernel; at each link: 1. Measure (hash), 2. Report (extend), 3. load.]
PCR: platform configuration register
Software Attestation
• Defend against replay attack: Freshness
6.888 L2 - Secure Processors in Industry 8
[Figure: the Verifier sends a nonce to the Processor Chip (w/ BIOS, OS, Apps); the TPM signs {Measurement List + nonce} with Kpri; the Verifier checks the signature with Kpub.]
How to know this key belongs to a specific TPM?
Software Attestation
• Need public key infrastructure
[Figure: the Chip Manufactory holds the Root Key (RKpri, RKpub) and works as Certificate Agent: it signs the Attestation Identity Key (AIKpub) with RKpri and sends AIKpri to the TPM using a secure communication protocol. The TPM signs {Measurement List + nonce} with AIKpri; the Verifier checks the signature with AIKpub and the AIK certificate with RKpub.]
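The two attestation slides above describe one protocol: the verifier picks a nonce, the TPM signs the measurement list together with that nonce under its AIK, and the manufactory's root key certifies the AIK. The following is an added teaching model of that exchange, not code from the lecture or from any TPM or TSS implementation. It assumes a textbook RSA signature on fixed Mersenne primes as a stand-in for the real signature scheme (constructed, insecure, chosen only so the flow runs offline with the standard library), SHA-256 for measurements, and a verifier that keeps the set of nonces it has issued so that a replayed quote and an uncertified AIK are both rejected.

```python
"""Toy model of the TPM quote protocol on the slides: the Verifier sends a
nonce, the TPM signs {measurement list, nonce} with AIKpri, and the Verifier
checks the signature with AIKpub, which the chip manufactory has certified
with its root key. Added teaching example, not taken from the lecture or from
any TPM implementation. Textbook RSA on fixed Mersenne primes stands in for a
real signature scheme; it is NOT secure and only shows the message flow."""
import hashlib
import os
from dataclasses import dataclass

# ---- toy signature scheme (constructed, insecure, for the flow only) ----
def toy_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest_mod(n, message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def toy_sign(priv, message):
    n, d = priv
    return pow(_digest_mod(n, message), d, n)

def toy_verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod(n, message)

def encode_pub(pub):
    n, e = pub
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")

# ---- chip manufactory: root key, acts as certificate agent for AIKs ----
ROOT_PUB, ROOT_PRI = toy_keypair(2**61 - 1, 2**89 - 1)

def certify_aik(aik_pub):
    return toy_sign(ROOT_PRI, encode_pub(aik_pub))   # AIKpub signed with RKpri

@dataclass
class Quote:
    measurements: list   # measurement list: hex digests in boot order
    nonce: bytes
    aik_pub: tuple
    aik_cert: int
    signature: int

class TPM:
    def __init__(self, aik_pub, aik_pri, aik_cert):
        # AIKpri is assumed delivered by the manufactory over a secure channel
        self.aik_pub, self._aik_pri, self.aik_cert = aik_pub, aik_pri, aik_cert
        self.measurements = []

    def extend(self, component):
        self.measurements.append(hashlib.sha256(component).hexdigest())

    def quote(self, nonce):
        msg = b"".join(bytes.fromhex(m) for m in self.measurements) + nonce
        return Quote(list(self.measurements), nonce, self.aik_pub,
                     self.aik_cert, toy_sign(self._aik_pri, msg))

class Verifier:
    def __init__(self, expected):
        self.expected = expected      # known-good measurement list
        self._outstanding = set()     # nonces issued and not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def check(self, q):
        if q.nonce not in self._outstanding:          # freshness: defeats replay
            return "reject: stale nonce (replay)"
        if not toy_verify(ROOT_PUB, encode_pub(q.aik_pub), q.aik_cert):
            return "reject: AIK not certified by manufactory"
        msg = b"".join(bytes.fromhex(m) for m in q.measurements) + q.nonce
        if not toy_verify(q.aik_pub, msg, q.signature):
            return "reject: bad signature"
        self._outstanding.discard(q.nonce)            # a nonce is single use
        return "accept" if q.measurements == self.expected else "reject: unexpected measurements"

def run_demo():
    boot = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]    # constructed boot chain
    verifier = Verifier([hashlib.sha256(c).hexdigest() for c in boot])
    aik_pub, aik_pri = toy_keypair(2**31 - 1, 2**107 - 1)
    tpm = TPM(aik_pub, aik_pri, certify_aik(aik_pub))
    for c in boot:
        tpm.extend(c)
    results = {}
    q = tpm.quote(verifier.challenge())
    results["genuine"] = verifier.check(q)
    results["replayed"] = verifier.check(q)          # same quote submitted again
    rogue_pub, rogue_pri = toy_keypair(2**31 - 1, 2**89 - 1)   # self-certified key, not from the manufactory
    rogue = TPM(rogue_pub, rogue_pri, toy_sign(rogue_pri, encode_pub(rogue_pub)))
    for c in boot:
        rogue.extend(c)
    results["rogue_aik"] = verifier.check(rogue.quote(verifier.challenge()))
    tampered = TPM(aik_pub, aik_pri, certify_aik(aik_pub))
    for c in [b"firmware-v1", b"bootloader-v1", b"kernel-rootkit"]:
        tampered.extend(c)
    results["tampered_boot"] = verifier.check(tampered.quote(verifier.challenge()))
    return results
```

`run_demo()` walks the four verdicts the slides care about: a genuine quote is accepted, the same quote resubmitted is rejected because its nonce is no longer outstanding, a quote under a key the manufactory never certified is rejected before its measurements are even looked at, and a correctly signed quote with the wrong kernel measurement is rejected last.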
Intel TXT, AMD PSP, Google Titan
• Intel TXT: dynamic root of trust for measurement
[Figure from https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf]
Security Vulnerabilities of Using TPM
• Vulnerable to bus tapping attacks
• TPM reset attacks
• SW reports hash values
• Bugs in the trusted software
[Figure: the measured boot chain TPM + firmware → Boot Loader → OS kernel (1. Measure (hash), 2. Report (extend), 3. load), with the "Measure" step highlighted.]
Han et al. A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping. USENIX Security '18
Wojtczuk et al. Attacking Intel TXT via SINIT code execution hijacking. 2011
So Far ……
[Figure: the trusted software stack so far. Left: App (Ring 3) / Guest OS (Ring 0) / Hypervisor (Ring -1) / SMM firmware (Ring -2) / Hardware, with everything marked Trusted. Right: App (Ring 3) / Host OS (Ring 0) / Hardware, plus SMM.]
The trend: shrink TCB. Why?
Why Shrink TCB?
• Software bugs
  • SMM-based rootkits
  • Xen: 150K LOC, 40+ vulnerabilities per year
  • Monolithic kernel, e.g., Linux: 17M LOC, 100+ vulnerabilities per year
• Remote computing
  • Remote computer and software stack owned by an untrusted party
  • Examples
[Figure: the privilege-ring stack App (Ring 3) / Guest OS (Ring 0) / Hypervisor (Ring -1) / SMM (Ring -2) / Hardware.]
Shrink HW TCB?
Secure Remote Computing
• Example: Video processing
[Figure: a Remote Computer managed by an untrusted infrastructure provider runs a container with trusted software; the Software Provider supplies the software, the Data Owner sends in private data and receives the private result.]
Shrink Trusted Computing Base (TCB)
[Figure: the privilege-ring stack App (Ring 3) / Guest OS (Ring 0) / Hypervisor (Ring -1) / SMM (Ring -2) / Hardware drawn four times: the full stack; AMD SEV; Intel SGX, where the trusted part is the enclave inside the App plus the Hardware; and Arm TrustZone.]
Arm TrustZone
[Figure from Hua et al. vTZ: Virtualizing ARM TrustZone. Usenix '17]
• Recommended not to keep secret data in DRAM, but that is only a recommendation.
• Cache is dynamically partitioned by tagging each cache line with a security bit.
Privileged Software Attacks
• Manipulate everything
• Directly see and modify application code and data → Need to encrypt secret data → Need to verify integrity (software attestation)
• Mess up with
  • Address translation
  • Process initialization and context switch
  • Interrupts, I/Os
  • etc.
[Figure: the privilege-ring stack App (Ring 3) / Guest OS (Ring 0) / Hypervisor (Ring -1) / SMM (Ring -2) / Hardware, with the Intel SGX enclave inside the App.]
Enclave High-level View
• Goal: A protected environment that contains the code and data of a security-sensitive computation.
[Figure: the privilege-ring stack with the Enclave drawn inside the App; its memory lives in Processor Reserved Memory (PRM), isolated from the rest of the stack.]
Problem: How to handle address translation, context switch, etc.?
SGX HW TCB
[Figure: two Processor Chips (sockets), each with cores (L1/L2), LLC, Memory Management Unit (MMU) and Integrated Memory Controller, connected over the System Bus (logically) to Memory (DRAM), other I/O devices and a non-volatile storage device; the hardware TCB is the processor chip.]
Low impact on chip's HW design
Intel SGX Security Mechanisms
[Figure: three mechanisms: Isolation (the Enclave inside the App, its memory in Processor Reserved Memory (PRM)), Attestation, and DRAM Protection (between the Integrated Memory Controller on the processor chip and Memory (DRAM)).]
SGX Access Control
• Assume software attestation is done
• Can have multiple enclaves
[Figure: App 1, App 2 and App 3, each with its own Enclave 1/2/3; all enclave pages live in Processor Reserved Memory (PRM).]
Performance issues.
PRM size is 128MB in SGX V1.0. All enclaves loaded at the same time cannot exceed about 90MB.
Enclave Address Translation
[Figure: the Enclave Linear Range (ELRANGE) in the virtual address space is mapped, 4KB page by 4KB page, through the per-process page table to frames inside Processor Reserved Memory (PRM).]
This is what we want. But the OS is not trustable.
Malicious Address Translation
[Figure: the untrusted page table maps a non-enclave virtual page to a 4KB frame inside the PRM.]
if (PA belongs to PRM) {
    check whether in enclave mode
    if (NOT enclave access) {
        return a value 0xfffff
    }
}
Easy to implement in MMU
Malicious Address Translation
[Figure: the untrusted page table maps an enclave virtual page inside ELRANGE to a 4KB frame outside the PRM.]
if (in enclave mode) {
    compare PA with PRM range
    if (NOT in PRM) {
        # Signal Fault
    }
}
Also easy to implement in MMU
Malicious Address Translation
[Figure: the untrusted page table maps an enclave virtual page inside ELRANGE to a 4KB frame in the PRM that belongs to a different enclave.]
How to block such attacks?
SGX Memory Organization
• Keep page mapping metadata in PRM
• MMU performs extra checks
[Figure: the Processor Reserved Memory (PRM) region inside the physical address space, in 4KB pages, holding:]
• Enclave pages (code, data)
• Metadata per enclave
  • enclave page mapping information, enclave thread context information, etc.
Enclave Page Mapping Information
[Figure: ELRANGE pages mapped through the page table to PRM frames; the Enclave Page Cache Mapping (EPCM), stored in the PRM, records {PA, VA, Enclave ID} for each frame.]
if (PA belongs to PRM) {
    compare VA in EPCM
    if (NOT match) {
        # Signal Fault
    }
}
Enclave Page Mapping Information
[Figure: the same ELRANGE → PRM mapping with the EPCM entries {PA, VA, Enclave ID}, stored in the PRM.]
Problem: pages are allocated and selected by system software.
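The three "Malicious Address Translation" slides and the EPCM slide describe checks the MMU performs on top of the page table the OS provides. The following is an added software model of those checks, not code from the lecture or from Intel: the page table is a plain dict that the (untrusted) OS fills in, the EPCM is a second table that only EADD writes, and the addresses, the PRM size and the abort-page value are constructed. It replays each of the three attacks from the slides plus one more (the OS swapping two pages of the same enclave), which the VA field in the EPCM catches.

```python
"""Software model of the MMU checks from the slides: non-enclave reads of PRM
get the abort-page value, an ELRANGE address that resolves outside PRM faults,
and an ELRANGE address that resolves into PRM must match the EPCM entry
{PA, VA, Enclave ID}. Added example, not from the lecture or from Intel; the
page table is a dict owned by the untrusted OS, and addresses, PRM size and
the abort value are constructed."""
PAGE = 0x1000
PRM_BASE, PRM_SIZE = 0x8000_0000, 0x0800_0000   # constructed: 128MB PRM
ABORT_PAGE_VALUE = 0xFFFF_FFFF                  # the slide writes this as 0xfffff

def page_of(addr):
    return addr & ~(PAGE - 1)

def in_prm(pa):
    return PRM_BASE <= pa < PRM_BASE + PRM_SIZE

class AccessFault(Exception):
    pass

class EPCM:
    """Enclave Page Cache Map, kept inside PRM where system software cannot
    edit it. In this model only EADD writes entries."""
    def __init__(self):
        self._entries = {}            # PRM page -> (enclave VA page, enclave id)

    def eadd(self, pa, va, enclave_id):
        self._entries[page_of(pa)] = (page_of(va), enclave_id)

    def lookup(self, pa):
        return self._entries.get(page_of(pa))

class MMU:
    def __init__(self, epcm, page_table, memory):
        self.epcm = epcm
        self.page_table = page_table  # VA page -> PA page, chosen by the untrusted OS
        self.memory = memory          # PA page -> contents (physical memory model)
        self.mode = None              # None = non-enclave; else (enclave id, (elrange lo, hi))

    def translate(self, va):
        try:
            return self.page_table[page_of(va)] | (va & (PAGE - 1))
        except KeyError:
            raise AccessFault("page fault")   # system software handles it

    def load(self, va):
        pa = self.translate(va)
        in_elrange = self.mode is not None and self.mode[1][0] <= va < self.mode[1][1]
        if not in_elrange:
            # check 1: anything that is not an enclave access to its own ELRANGE
            # reads PRM as the abort page, never as enclave data
            return ABORT_PAGE_VALUE if in_prm(pa) else self.memory[page_of(pa)]
        # check 2: an ELRANGE address must resolve inside PRM
        if not in_prm(pa):
            raise AccessFault("ELRANGE page mapped outside PRM")
        # check 3: the EPCM entry for that PRM page must name this VA and this enclave
        if self.epcm.lookup(pa) != (page_of(va), self.mode[0]):
            raise AccessFault("EPCM mismatch")
        return self.memory[page_of(pa)]

def run_scenarios():
    """Constructed layout: enclave 1 owns two PRM pages, enclave 2 owns one."""
    epcm = EPCM()
    epcm.eadd(PRM_BASE + 0x0000, 0x1000_0000, enclave_id=1)
    epcm.eadd(PRM_BASE + 0x1000, 0x1000_1000, enclave_id=1)
    epcm.eadd(PRM_BASE + 0x2000, 0x1000_0000, enclave_id=2)   # same VA, other enclave
    memory = {PRM_BASE: "enclave1 page A", PRM_BASE + 0x1000: "enclave1 page B",
              PRM_BASE + 0x2000: "enclave2 page", 0x2000_0000: "ordinary page"}
    enclave1 = (1, (0x1000_0000, 0x1000_2000))

    def attempt(mode, page_table, va):
        mmu = MMU(epcm, page_table, memory)
        mmu.mode = mode
        try:
            return mmu.load(va)
        except AccessFault as fault:
            return f"fault: {fault}"

    return {
        "honest_mapping": attempt(enclave1, {0x1000_0000: PRM_BASE}, 0x1000_0000),
        "ordinary_read": attempt(None, {0x1000: 0x2000_0000}, 0x1000),
        # OS maps one of its own pages onto a PRM frame and reads it
        "os_reads_prm": attempt(None, {0x1000: PRM_BASE}, 0x1000),
        # OS points an ELRANGE page at ordinary DRAM
        "elrange_outside_prm": attempt(enclave1, {0x1000_0000: 0x2000_0000}, 0x1000_0000),
        # OS points enclave 1's page at a frame that belongs to enclave 2
        "other_enclave_page": attempt(enclave1, {0x1000_0000: PRM_BASE + 0x2000}, 0x1000_0000),
        # OS swaps two of enclave 1's own frames: the VA recorded in the EPCM differs
        "own_pages_swapped": attempt(enclave1, {0x1000_0000: PRM_BASE + 0x1000}, 0x1000_0000),
    }
```

The order of the checks matters: the PRM-range test is cheap and catches the first two attacks, while the EPCM lookup is what distinguishes "a PRM frame" from "this enclave's frame for this virtual address", which is why the metadata must live somewhere the OS cannot write.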
So far ……
• Once the enclave is initialized correctly, it can be isolated from system software using
  • Hardware access control (supported by MMU)
  • Hardware support for secure context switch
• How to ensure the initialization is correct?
  • Software Attestation (similar to secure boot)
Enclave Initialization
• BIOS sets up the PRM region
[Figure: the PRM carved out of the Physical Address Space.]
Enclave Initialization
• Enclave creation (ECREATE)
[Figure: ECREATE places Enclave 1 metadata in the PRM and defines ELRANGE in the Virtual Address Space.]
Enclave Initialization
• Add page (EADD)
• Measure (EEXTEND)
[Figure: plaintext Code/Data is copied from the untrusted virtual address space into an enclave page in the PRM, inside ELRANGE, next to the Enclave 1 metadata; the mapping information is updated in the EPCM.]
Enclave Measurement
• Hardware generates a cryptographic log of the build process
  • Code, data, stack, and heap contents
  • Location of each page within the enclave
  • Security attributes (e.g., page permissions) and enclave capabilities
• Enclave identity (MRENCLAVE) is a 256-bit digest of the log that represents the enclave
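To make the measurement slide concrete, here is an added model of the build log that produces MRENCLAVE; it is not code from the lecture or from Intel, and the record layout (the byte strings fed to SHA-256 for ECREATE, EADD and EEXTEND) is constructed rather than the real SGX log format. It shows what the digest is sensitive to (page content, page location, page permissions, the order of EADDs) and what it is not (a page added with EADD but never measured with EEXTEND), and that nothing can be added to the log after EINIT.

```python
"""Model of how the enclave identity MRENCLAVE is produced: ECREATE opens a
log, each EADD records where a page sits in ELRANGE and its attributes, each
EEXTEND records 256 bytes of page content, and EINIT closes the log and emits
its 256-bit digest. Added example, not from the lecture or from Intel; the
record layout is constructed and does not reproduce the real SGX log format."""
import hashlib

PAGE = 4096
CHUNK = 256   # EEXTEND measures one 256-byte chunk per call

class EnclaveBuilder:
    def __init__(self, elrange_base, elrange_size):
        self._log = hashlib.sha256()                  # running digest of the build log
        self.finalized = False
        self._log.update(b"ECREATE" + elrange_base.to_bytes(8, "big")
                         + elrange_size.to_bytes(8, "big"))

    def eadd(self, page_offset, content, perms, measure=True):
        """EADD copies a plaintext page into PRM and logs its location and
        attributes; measure=True then issues EEXTEND for each chunk of content."""
        if self.finalized:
            raise RuntimeError("EINIT already done: no further measurement possible")
        assert len(content) == PAGE and page_offset % PAGE == 0
        self._log.update(b"EADD" + page_offset.to_bytes(8, "big") + perms.encode())
        if measure:
            for off in range(0, PAGE, CHUNK):
                self._log.update(b"EEXTEND" + (page_offset + off).to_bytes(8, "big")
                                 + content[off:off + CHUNK])

    def einit(self):
        self.finalized = True
        return self._log.hexdigest()                  # MRENCLAVE: 256-bit digest of the log

def build(pages):
    """pages: list of (offset within ELRANGE, content, permissions, measured?)."""
    builder = EnclaveBuilder(0x1000_0000, 3 * PAGE)
    for page_offset, content, perms, measure in pages:
        builder.eadd(page_offset, content, perms, measure)
    return builder.einit()

def measurement_cases():
    code = b"\x90" * PAGE                             # constructed code page
    data = b"config-v1".ljust(PAGE, b"\0")            # constructed initialized data page
    heap = bytes(PAGE)                                # heap page: added but not measured
    base = [(0, code, "r-x", True), (PAGE, data, "rw-", True), (2 * PAGE, heap, "rw-", False)]
    ref = build(base)
    return {
        "reproducible": build(base) == ref,
        "content_change_detected":
            build([(0, code[:-1] + b"\xcc", "r-x", True)] + base[1:]) != ref,
        "location_change_detected":
            build([(PAGE, code, "r-x", True), (0, data, "rw-", True), base[2]]) != ref,
        "permission_change_detected":
            build([(0, code, "rwx", True)] + base[1:]) != ref,
        "unmeasured_heap_ignored":
            build(base[:2] + [(2 * PAGE, b"\xff" * PAGE, "rw-", False)]) == ref,
    }

def eadd_after_einit_rejected():
    builder = EnclaveBuilder(0x1000_0000, PAGE)
    builder.einit()
    try:
        builder.eadd(0, bytes(PAGE), "rw-")
        return False
    except RuntimeError:
        return True
```

The last case is the point of the "No measurement after EINIT" note on the next slide: MRENCLAVE describes the enclave's initial state only, so anything the enclave does to its own memory at run time is outside what attestation can vouch for.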
Enclave Initialization
• Add page (EADD)
• Measure (EEXTEND)
• Init (EINIT)
  • Finalize measurement
• Activate (EENTER)
  • Switch to enclave mode
[Figure: plaintext Code/Data copied into an enclave page in the PRM inside ELRANGE, next to the Enclave 1 metadata; mapping information updated in the EPCM.]
Problem: No measurement after EINIT
Enclave Attestation and Sealing
• HW-based attestation provides evidence that "this is the right application executing on an authentic platform" (approach similar to secure boot attestation)
[Figure: EREPORT; a HW-signed blob that includes enclave identity information; a trusted communication channel.]
Protect Memory
[Figure: two Processor Chips (sockets), each with cores (L1/L2), LLC and an Integrated Memory Controller, connected over the System Bus (logically) to Memory (DRAM), other I/O devices and a non-volatile storage device; DRAM and the bus sit outside the chip.]
Confidentiality Protection with Encryption
• Secret key is stored inside chip
• For freshness, encrypt with nonce (counter)
• {nonce, ciphertext} per cache block are stored externally in DRAM
Integrity Protection with Hash
• For each cache line: {ciphertext + nonce + hash}
• Problem:
  • Need to store hashes or nonces on-chip → high on-chip storage requirement
  • Too much storage requirement (~64 bits / block) → high off-chip storage requirement
• General solution:
  • Integrity Tree (Merkle tree)
Otherwise?
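The confidentiality and integrity slides above describe one per-block scheme: a chip-resident key, a fresh counter as the nonce for every write, and {nonce, ciphertext, hash} stored off-chip. The block below is an added model of that scheme, not code from the lecture or from Intel's memory encryption engine. It assumes HMAC-SHA256 as a stand-in for both the AES-based keystream and the block hash (so that it runs offline with the standard library), a 64-byte cache line, and the "first design" in which the expected counter of every protected block is kept on chip; that table is exactly the on-chip storage cost the slide points out.

```python
"""Model of per-cache-block confidentiality and integrity protection from the
slides: the key stays on chip, every write uses a fresh counter as nonce, and
{nonce, ciphertext, hash} for each block live in untrusted DRAM. Added example,
not from the lecture or from Intel's memory encryption engine; HMAC-SHA256 is a
stand-in for the AES keystream and the block hash, and the on-chip counter
table is the first design whose storage cost the slides point out."""
import hashlib
import hmac
import os

BLOCK = 64   # one cache line

class IntegrityError(Exception):
    pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class UntrustedDRAM:
    """Off-chip storage: an attacker on the bus can read, rewrite or roll back cells."""
    def __init__(self):
        self.cells = {}   # addr -> (counter, ciphertext, tag)

class MemoryEncryptionEngine:
    def __init__(self, dram):
        self.dram = dram
        self._key = os.urandom(32)     # secret key stored inside the chip
        self._counter = {}             # on-chip: expected counter per protected block

    def _keystream(self, addr, counter):
        hdr = addr.to_bytes(8, "big") + counter.to_bytes(8, "big")
        return b"".join(hmac.new(self._key, b"ks" + hdr + bytes([i]), hashlib.sha256).digest()
                        for i in range(BLOCK // 32))

    def _tag(self, addr, counter, ct):
        hdr = addr.to_bytes(8, "big") + counter.to_bytes(8, "big")
        return hmac.new(self._key, b"mac" + hdr + ct, hashlib.sha256).digest()[:8]  # ~64 bits per block

    def write(self, addr, plaintext):
        assert len(plaintext) == BLOCK
        counter = self._counter.get(addr, 0) + 1       # fresh nonce, never reused for this addr
        ct = _xor(plaintext, self._keystream(addr, counter))
        self.dram.cells[addr] = (counter, ct, self._tag(addr, counter, ct))
        self._counter[addr] = counter

    def read(self, addr):
        counter, ct, tag = self.dram.cells[addr]
        if not hmac.compare_digest(tag, self._tag(addr, counter, ct)):
            raise IntegrityError("hash mismatch: block modified")
        if counter != self._counter.get(addr):
            raise IntegrityError("stale nonce: block replayed")
        return _xor(ct, self._keystream(addr, counter))

def _read_outcome(mee, addr):
    try:
        mee.read(addr)
        return "accepted"
    except IntegrityError as err:
        return str(err)

def run_attacks():
    dram = UntrustedDRAM()
    mee = MemoryEncryptionEngine(dram)
    addr = 0x1000
    v1 = b"balance=100".ljust(BLOCK, b"\0")            # constructed plaintext
    mee.write(addr, v1)
    cell_first = dram.cells[addr]                     # attacker snapshots the bus traffic
    mee.write(addr, v1)                               # same plaintext written again
    cell_second = dram.cells[addr]
    mee.write(addr, b"balance=050".ljust(BLOCK, b"\0"))
    cell_current = dram.cells[addr]
    out = {
        "plain_hidden": b"balance" not in cell_current[1],
        "same_plaintext_differs": cell_first[1] != cell_second[1],   # counter changes the keystream
        "read_ok": mee.read(addr).rstrip(b"\0") == b"balance=050",
    }
    dram.cells[addr] = cell_first                     # roll the cell back to an older, validly-tagged value
    out["replay"] = _read_outcome(mee, addr)
    counter, ct, tag = cell_current
    dram.cells[addr] = (counter, bytes([ct[0] ^ 1]) + ct[1:], tag)   # flip one ciphertext bit
    out["bitflip"] = _read_outcome(mee, addr)
    out["on_chip_counters"] = len(mee._counter)       # one entry per protected block
    return out
```

Note that the rolled-back cell carries a tag that is still valid for its own counter, so the hash alone cannot detect the replay; only the on-chip copy of the expected counter does, and keeping one such counter per block is what does not scale and leads to the integrity tree.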
Operations on Merkle Tree
• Only need to store the root node on chip
• How to verify block B1?
• Write to block B3?
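Both questions on the Merkle-tree slide, verifying block B1 and writing block B3, are answered by the added example below; it is not code from the lecture or from any SGX implementation. It assumes an 8-block memory with 64-byte blocks, SHA-256 for leaves and inner nodes, all hashes and blocks stored in untrusted DRAM, and only the root register kept on chip. It also shows the step the slide leaves implicit: a write must re-verify the old path before reusing the sibling hashes to compute the new root, otherwise a tampered sibling would be folded into the trusted root.

```python
"""Integrity tree (Merkle tree) over per-block hashes, with only the root held
on chip. Added example, not from the lecture or from any SGX implementation;
it shows verifying block B1 against the on-chip root using the sibling hashes
stored in DRAM, and writing block B3, which re-verifies the old path and then
recomputes it up to a new root. The 8-block memory is constructed."""
import hashlib

class IntegrityError(Exception):
    pass

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(index, block):
    return H(b"leaf", index.to_bytes(4, "big"), block)

class IntegrityTree:
    def __init__(self, blocks):
        n = len(blocks)
        assert n and n & (n - 1) == 0, "constructed example uses a power-of-two block count"
        self.n = n
        self.blocks = list(blocks)              # data blocks, in DRAM
        self.nodes = [b""] * (2 * n)            # heap layout: nodes[1] = root, leaves at n..2n-1; in DRAM
        for i, blk in enumerate(blocks):
            self.nodes[n + i] = leaf_hash(i, blk)
        for i in range(n - 1, 0, -1):
            self.nodes[i] = H(b"node", self.nodes[2 * i], self.nodes[2 * i + 1])
        self.on_chip_root = self.nodes[1]       # the only trusted state

    def _walk(self, index, leaf, update=False):
        """Recompute hashes from the leaf to the root using the sibling hashes in
        DRAM; with update=True the recomputed values are written back on the path."""
        i, h = self.n + index, leaf
        if update:
            self.nodes[i] = h
        while i > 1:
            sibling = self.nodes[i ^ 1]
            h = H(b"node", h, sibling) if i % 2 == 0 else H(b"node", sibling, h)
            i //= 2
            if update:
                self.nodes[i] = h
        return h

    def verify(self, index):
        """Read of block B_index: log2(n) sibling hashes are read and the result
        is compared with the on-chip root."""
        if self._walk(index, leaf_hash(index, self.blocks[index])) != self.on_chip_root:
            raise IntegrityError(f"block {index} or its path does not match the on-chip root")
        return self.blocks[index]

    def write(self, index, new_block):
        self.verify(index)                      # siblings on the path must be authentic before reuse
        self.blocks[index] = new_block
        self.on_chip_root = self._walk(index, leaf_hash(index, new_block), update=True)

    def siblings_needed(self):
        return self.n.bit_length() - 1          # log2(n) hashes per verification

def rollback_everything(tree, index, old_block):
    """Attacker with full DRAM access restores an old block and recomputes every
    DRAM node on its path so the stored tree is self-consistent; only the
    on-chip root disagrees."""
    tree.blocks[index] = old_block
    tree._walk(index, leaf_hash(index, old_block), update=True)

def _verify_outcome(tree, index):
    try:
        tree.verify(index)
        return "accepted"
    except IntegrityError:
        return "rejected"

def run_tree_demo():
    blocks = [bytes([i]) * 64 for i in range(8)]   # constructed B0..B7
    tree = IntegrityTree(blocks)
    out = {"verify_b1": tree.verify(1) == blocks[1],
           "siblings_needed": tree.siblings_needed()}
    old_b3 = blocks[3]
    tree.write(3, b"B3-new".ljust(64, b"\0"))
    out["b3_after_write"] = tree.verify(3)[:6]
    out["root_changed"] = tree.on_chip_root != IntegrityTree(blocks).on_chip_root
    tree.blocks[5] = bytes(64)                      # silent modification of B5 in DRAM
    out["tamper_detected"] = _verify_outcome(tree, 5)
    tree.blocks[5] = blocks[5]
    rollback_everything(tree, 3, old_b3)            # consistent rollback of B3 in DRAM
    out["rollback_detected"] = _verify_outcome(tree, 3)
    return out
```

Compared with the per-block counter table of the previous slides, the on-chip state here is one 32-byte root regardless of the number of blocks; the cost moves to the log2(n) extra hash reads per access, which is the trade-off the integrity tree makes.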
Next Lecture: Side Channel Introduction