CCS’17 Tutorial: SGX Shielding Frameworks and Development Tools Chia-Che Tsai Stony Brook University / UC Berkeley
CCS’17 Tutorial:SGX Shielding Frameworks and
Development Tools
Chia-Che TsaiStony Brook University / UC Berkeley
Legal Notices & Disclaimer
• This presentation contains the general insights and opinions of Intel Corporation (“Intel”). The information in this presentation is provided for information only and is not to be relied upon for any other purpose than educational. Use at your own risk! Intel makes no representations or warranties regarding the accuracy or completeness of the information in this presentation. Intel accepts no duty to update this presentation based on more current information. Intel is not liable for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of the information in this presentation.
• Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.
• No computer system can be absolutely secure.
• No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
• Intel, the Intel Core, and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
• *Other names and brands may be claimed as the property of others.
• © 2017 Intel Corporation.
CCS'17 Tutorial: SGX Security and Privacy 2
Developing a SGX Application
• SDK model: build your own SGX applications
• Porting an existing application
• Limitation 1: needs a signed, static image
• Limitation 2: virtualized ISA (no CPUID/RDTSC)
• Limitation 3: no trusted OS services
• Requires defenses against untrusted OSes
CCS'17 Tutorial: SGX Security and Privacy 3
Choose Porting Strategy
• How much OS functionality is needed?
• Little (e.g., crypto functions) SDK
• Medium (e.g., microservices) Shielding layers
• Heavy (e.g., language runtimes) Library OSes
• Always ensure a secure enclave interface
• Performance is a critical factor
CCS'17 Tutorial: SGX Security and Privacy 4
Topics
• Porting challenges and OS attack vectors
• Library OS: Graphene-SGX
• System interface shield layers: SCONE, Panoply
• Dynamic page management on SGX2
• Exit-less enclaves with Eleos
CCS'17 Tutorial: SGX Security and Privacy 5
For Each Framework
• What are the target applications?
• What are the key concepts?
• What to expect? How to use?
• Where to obtain the software?
CCS'17 Tutorial: SGX Security and Privacy 6
SGX Porting Challenges
• Satisfying enclave requirements
• Defending against untrusted OS services
• Improving performance factors
CCS'17 Tutorial: SGX Security and Privacy 7
SGX Application Requirements
CCS'17 Tutorial: SGX Security and Privacy 8
UntrustedOS
Untrusted App
SGX instructions(ECREATE,EINIT)
“Enclave”
Signed App
Sensitive Data
Completelyisolatedfrom OS
Initial image,security measurement
SGX Application Requirements
CCS'17 Tutorial: SGX Security and Privacy 9
1. Static initial image
2. No system calls
3. Check for untrusted inputs
Most Linux applications:(1) Dynamic linked(2) Built-in syscall usageUntrusted
OS
Untrusted App
“Enclave”
Signed App
Sensitive Data
Porting a Legacy Application
CCS'17 Tutorial: SGX Security and Privacy 10
Apache Web Server
libc
mod_auth
mod_mime
mod_ssl
modules
libcrypt
libpcre
libxml2
libraries
lipreadlibm
libsgx
2. Bypassing instructions(CPUID/RDTSC)
1. Statically linkingall binaries
read() clone()
Exit enclave
read()/clone()
3. Exiting enclave for system calls
Security Challenge!
SGX Porting Challenges
• Satisfying enclave requirements
• Defending against untrusted OS services
• Improving performance factors
CCS'17 Tutorial: SGX Security and Privacy 11
Attack Vectors from Untrusted OS
CCS'17 Tutorial: SGX Security and Privacy 12
Apache Web Server
Untrusted Linux
Iago Attacks[Checkoway, ASPLOS 13]
read()
read()
Exit enclave
Untrusted Host OS
failed to correctly check syscall results
Manipulate results to attack enclavedata, size
Iago Attacks In A Nutshell
• Semantic attacks by manipulating syscall results
• Application-specific
• Bugs that do not exist on a trusted OS
CCS'17 Tutorial: SGX Security and Privacy 13
Iago Attack Example:SSL Random Generator Seed
CCS'17 Tutorial: SGX Security and Privacy 14
int ssl_rand_seed(…){
…if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
struct {time_t t;pid_t pid;
} my_seed;
l = sizeof(my_seed);RAND_seed((unsigned char *)&my_seed, l);
}
my_seed.t = time(NULL);my_seed.pid = getpid();
mod_ssl (Apache)
OS can give the same pid and time
SGX Shielding Frameworks
• Several work address the problem of SGX porting
• (1) Defenses against Iago attacks
• (2) Performance optimization
• (3) Compatibility features (e.g., cross compilers)
• Two approaches:
• (1) Library OSes
• (2) Shielding layers
CCS'17 Tutorial: SGX Security and Privacy 15
Key Factors
• Shielding mechanisms (especially Iago attacks)
• Attack surface
• Trusted computing base (TCB)
• OS functionality
CCS'17 Tutorial: SGX Security and Privacy 16
Library OSes
• OS components in enclave
• Define small enclave interface
with security in mind
• Example:
Haven [OSDI’14]
Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 17
Untrusted Host OS
LibOS
Application
Libraries
System API
Enclave Interface
Shielding Layers
• Shielding each API
• Avoid library OS overheads
• Small TCB
• Example: SCONE, Panoply
CCS'17 Tutorial: SGX Security and Privacy 18
Untrusted Host OS
Shim
Application
Libraries
System API
Comparison
CCS'17 Tutorial: SGX Security and Privacy 19
Approach Library OS Shielding Layers
Enclave interface
Fixed interfaces(regardless of libOS
functionality)
Equals the system APIneeded by the application
Graphene-SGX SCONE Panoply
Trusted Computing Base
CCS'17 Tutorial: SGX Security and Privacy 20
The choice of Libc is the highest-order bits
LibOS/Shielding
Layer53 kLoC 97 kLoC 10kLoC
Libc optionGLIBC
(1.1 MLoC)MUSL
(88 kLoC)No Libc
in enclave
Graphene-SGX SCONE Panoply
SGX Porting Challenges
• Satisfying enclave requirements
• Defending against untrusted OS services
• Improving performance factors
CCS'17 Tutorial: SGX Security and Privacy 21
Performance Factors
• Enclave creation time
• Correlated with enclave memory size (1GB requires ~3s)
• Memory access overheads
• LLC misses up to 10X
• EPC paging: 128MB shared among all enclaves40,000 cycles for page-out and page-in
• Enclave exits
• 7,000~8,000 cycles for exit and re-enter
CCS'17 Tutorial: SGX Security and Privacy 22
Performance improvement
• Enclave creation time: EDMM on SGX2
• Dynamically adding pages at run time
• Reduce explicit & implicit exits: Eleos
• Completely exit-less enclaves
• Pinning EPC pages with software-based paging
CCS'17 Tutorial: SGX Security and Privacy 23
Topics
• Porting challenges and OS attack vectors
• Library OS: Graphene-SGX
• System interface shields: SCONE, Panoply
• EDMM on SGX2
• Exit-less enclaves with Eleos
CCS'17 Tutorial: SGX Security and Privacy 24
Graphene-SGX:A LibOS for Unmodified Applications
• Servers, Command-line, Runtimes:
Apache, NGINX, GCC, R, Python, OpenJDK, etc
• Multi-process APIs: fork, exec, IPC, etc
• Not perfect, but a quick, practical porting option
CCS'17 Tutorial: SGX Security and Privacy 25
The Graphene LibOS Project [Eurosys14]
• Open library OS for reusing Linux applications
(github.com/oscarlab/graphene)
• Inspired by Drawbridge [ASPLOS11]
and Haven [OSDI14]
• Under active development
CCS'17 Tutorial: SGX Security and Privacy 26
Unmodified Application
Process Process
LibOS LibOS
145 system calls (still growing)
Easy to port to new OS/platform
Applications in Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 27
UntrustedOS
1. Static initial image
2. No system calls
3. Check for untrusted inputs
Graphene Loader
$ SGX=1 ./pal_loader httpd [args]
Applications in Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 28
UntrustedOS
Graphene LibOS
Modified GLIBC
Application Libraries
ApplicationLibraries
Modified GLIBCManifest
Graphene-SGXSigning Tool
Enclavemeasurement
Manifest
1. Static initial image
2. No system calls
3. Check for untrusted inputs
✓
Trusted Host
Applications in Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 29
UntrustedOS
Graphene LibOS
Modified GLIBC
Application Libraries
Linux system calls
Enclave Interface (28 calls)
Manifest
1. Static initial image
2. No system calls
3. Check for untrusted inputs
System callsredirected
into library OS
✓
✓
Fixed interface to check
Checking Enclave Interface
• Reduce enclave interface to 28 calls
• Design defense for each call
• Define explicit semantics knowing exactly what/how to check
• Crypto techniques
• Examples:
• Accessing integrity-sensitive files (binaries / configs)
• Process creation (see paper)
CCS'17 Tutorial: SGX Security and Privacy 30
Ex: File Integrity Check
• Ask for exact file
content
• Verify by checksums
CCS'17 Tutorial: SGX Security and Privacy 31
UntrustedOS
LibOS
Enclave Interfaces
GLIBC
Application Libraries
read mmap dlopen
FileMap(file,off,size)
FileChunk
Check-sums
Manifest
Linux system calls
Checking All 28 Enclave Calls
Examples # Result Explanation
(1) Reading a file(2) Inter-proc
coordination18
FullyChecked
(1) File checksums(2) CPU attestation + crypto:
inter-proc TLS connection
CCS'17 Tutorial: SGX Security and Privacy 32
Yielding a thread 6 Benign Do not take any input
(1) Polling(2) File attributes
4 Unchecked May cause DoS; Future work
Apache (5 Procs w/ IPC Semaphore)
CCS'17 Tutorial: SGX Security and Privacy 33
0
2
4
6
0 2 4 6 8 10 12
Ave
rage
Re
spo
nse
Ti
me
(S)
Throughput (k.req/S)
Linux
30%loss
Graphene:little impact (~5%)on top throughput
Graphene-SGX:Impact by enclave exits & checking OS inputs
R Benchmarks
CCS'17 Tutorial: SGX Security and Privacy 34
Ove
rhe
ad t
o L
inu
x
Workloads
Linux Graphene (without SGX) Graphene-SGX
10x
0%
~1xoverhead
Graphene-SGX:Memory-intensive workloads
are expensive
Graphene-SGX Features
• Current features
• Use GLIBC by default; can use MUSL if acceptable
• A wide range of servers, command-lines, language runtimes tested
• Static binary support
• Limitations: cannot support shared memory
CCS'17 Tutorial: SGX Security and Privacy 35
Demo: GCC on Graphene-SGX
• Multi-process: gcccc1collect2ld
• Turn on DEBUG=1
• Attack: Try to modify the GCC binary
CCS'17 Tutorial: SGX Security and Privacy 36
Demo: GCC on Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 37
GSC: Graphene Secure Container
• Docker images enclaves
• Dockerfilesmanifests
• Graphene-SGX runs in container
• Mutual isolation betweenOS and application
CCS'17 Tutorial: SGX Security and Privacy 38
DockerEngine
Hardware
VMM
OS
Docker Container
Application
Libraries
Graphene-SGX
Enclave
BootStrapper
GSC: Graphene Secure Container
CCS'17 Tutorial: SGX Security and Privacy 39
DockerEngine
Hardware
VMM
OS
Docker Container
Application
Libraries
Graphene-SGX
Enclave
BootStrapper
DockerImage
GSC Engine (GSCE)
Conversion
Libraries
Application Developer
GSC Image
Libraries
Graphene-SGX
BootStrapper
Application
Application
Demo: Graphene-SGX Container
CCS'17 Tutorial: SGX Security and Privacy 40
CCS'17 Tutorial: SGX Security and Privacy 41
Availability
• Open-source at
http://github.com/oscarlab/graphene
• Currently under GPLv3, switching to LGPL soon
• Contact:
• https://graphene-libraryos.slack.com (contact me for invitation)
CCS'17 Tutorial: SGX Security and Privacy 42
SCONE: A Lightweight Layer for SGX
• An enhanced C library with file and network shields
• Strictly requires no library OS
• Optimized syscall performance for enclaves
CCS'17 Tutorial: SGX Security and Privacy 43
SCONE Architecture
CCS'17 Tutorial: SGX Security and Privacy 44
SCONE C library (based on MUSL)
Asynchronous system calls
M:N threading
Network shield File system shield
Libraries
Application
SCONE module Intel SGX driver
Container (cgroups)
Inside enclave(trusted)
Host OS kernel(untrusted)
SCONE Architecture
• Network and FS shields:
encrypting and authenticating
network and file contents
• MUSL: small TCB (88KLoC)
• Asynchronous system calls:
avoid enclave exits
• SCONE module (optional):
improve performance
CCS'17 Tutorial: SGX Security and Privacy 45
SCONE C library (based on MUSL)
Asynchronous system calls
M:N threading
Network shield File system shield
Libraries
Application
SCONE module Intel SGX driver
Container (cgroups)
System Call Overheads
CCS'17 Tutorial: SGX Security and Privacy 46
1
10
100
1,000
10,000
100,000
1 2 4 8
syst
em
cal
l fre
qu
en
cy
(10
00
s/se
con
d)
Threads
synchronousenclave exits
native
• pwrite() with 32 byte buffer• 4 cores with hyper threading
Asynchronous System Calls
CCS'17 Tutorial: SGX Security and Privacy 47
1
10
100
1,000
10,000
100,000
1 2 3 4 5 6 7 8
Syst
em
cal
l fre
qu
en
cy
(10
00
s/se
con
d)
Threads
async
sync
nativeasync with 1 threadachieves 80%
Apache Throughput
CCS'17 Tutorial: SGX Security and Privacy 48
0
1
2
3
4
0 15,000 30,000 45,000 60,000
Late
ncy
(se
con
ds)
Throughput (requests / second)
nativeasyncsync
Memcached Throughput
CCS'17 Tutorial: SGX Security and Privacy 49
0
0.75
1.5
2.25
3
3.75
0 75000 150000 225000 300000
Late
ncy
(m
s)
Throughput (operations / second)
glibc + stunnel asyncsync
inline encryption has less overhead than TLS proxy
• YCSB workload A (50/50)• Data fits into EPC
SCONE Language Support
• Cross compiler for several languages
• C and C++
• GO
• Rust
• Python
• PHP
• Java (partial support, still work in progress)
CCS'17 Tutorial: SGX Security and Privacy 50
Demo: SCONE Cross Compiler
CCS'17 Tutorial: SGX Security and Privacy 51
SCONE Features
• Current SCONE features
• Support static and dynamic linking
• Unmodified binaries must be position independent (built with –fPIC)
• Compatible with MUSL
• No multi-processing (fork / execve)
CCS'17 Tutorial: SGX Security and Privacy 52
SCONE Docker Integration
• SCONE supports (extended) Docker compose files
• Transparent attestation of services
• Transparent configurations
• Unmodified Docker Engine
• Docker engine runs outside enclave
CCS'17 Tutorial: SGX Security and Privacy 53
Availability
• Commercially available via SCONTAIN
• Acquire the software: www.scontain.com
• Contact: [email protected]
CCS'17 Tutorial: SGX Security and Privacy 54
Panoply: POSIX API with Small TCB
• A POSIX library without Libc in enclave
• Placing applications and libraries into separate
enclaves
• 10kLoC TCB in Panoply shim library
CCS'17 Tutorial: SGX Security and Privacy 55
Panoply Architecture
CCS'17 Tutorial: SGX Security and Privacy 56
Panoply expels GLIBC outside of the enclave
Enclave-bound Logic
Panoply Shim Lib Trusted SGX Lib
GLIBCNon-enclave
LogicUntrusted
SGX Lib
Linux User-level Process
Inside enclave(Trusted)
Outside enclave(Untrusted)
“Micron”
Panoply Architecture
• Micron can be an application or a library
• Multi-enclave collaboration:
CCS'17 Tutorial: SGX Security and Privacy 57
Web Server SSL Library
Operating System
Micron Generation
CCS'17 Tutorial: SGX Security and Privacy 58
Panoply cross-compiler
(1) Compilerinstrumentation (2) Creating enclaves
E1
E2
Add calls to Panoply API
Adding flow checks
Source code
Annotations
IntelSDK
PanoplyShim
Enclave-bound code
Panoplyapplication
Ap
E1
E3
E2
Attacks on Multi-Enclave Applications
CCS'17 Tutorial: SGX Security and Privacy 59
SSL LibraryEnclave
WebserverEnclave
session_t session;certificate_credentials_t xcred;
/* Specify callback function*/
/* Initialize TLS session */init (&session, TLS_CLIENT);
certificate_set_verify_function (...);
Set SSL Callback
OS
[SSL Lib]
Securing Multi-Enclave Applications
CCS'17 Tutorial: SGX Security and Privacy 60
Enclave 2Enclave 1
OS
Enclave Identity
Call Ack
Pair-wise Nonce
Attack Defenses
Spoofing Sender / Receiver Authentication
Replay Message Freshness
Silent Drops Reliable Delivery
Performance Overview
CCS'17 Tutorial: SGX Security and Privacy 61
App PanoplyEmpty
enclaveOverhead
OpenSSL 3.16 2.79 13%
H2O 8.79 6.56 34%
FreeTDS 8.74 8.60 1%
Tor 6.72 4.54 48%
Panoply Features
• Currently support 254 POSIX API
• 91 guarantee to preserve API semantics
• Multi-process: fork and exec
CCS'17 Tutorial: SGX Security and Privacy 62
Availability
• Open-source at
https://shwetasshinde24.github.io/Panoply/
• Apache 2.0 License
• Contact: [email protected]
CCS'17 Tutorial: SGX Security and Privacy 63
EDMM:Enclave Dynamic Memory Mgmt
• Current SGX: fixed enclave memory and threads
• SGX2: adding pages at run time
• Reduce initial enclave memory size
• Dynamic thread creation
• Dynamic page protection (for dynamic loading / JIT)
• Supported in future Graphene-SGX
CCS'17 Tutorial: SGX Security and Privacy 64
Current SGX Limitations
• For integrity, each enclave
has a static memory layout
• Signed by users
• Initialized at loading time
• Reserved heap for malloc()
• # TCS = # Threads
CCS'17 Tutorial: SGX Security and Privacy 65
Enclave
App data
App code
Enclavecode
Enclavedata
SECS
TCS (*n)TCS (*n)TCS (*n)
Preservedheap
EDMM on SGX2
• Adding and protecting
enclave pages at run time
• Page adding semantics:
• Normal or TCS pages
• Must be zeroed
• “Approved” by enclave
CCS'17 Tutorial: SGX Security and Privacy 66
Enclave
App data
App code
Enclavecode
Enclavedata
SECS
TCS (*n)TCS (*n)TCS (*n)
New page
EDMM Support in Graphene-SGX
• Compatibility and performance features
• Largely reduce startup time
• Dynamic thread creation
• Protect pages after finishing dynamic loading
• Support mprotect()
CCS'17 Tutorial: SGX Security and Privacy 67
Demo: Graphene-SGX with EDMM
CCS'17 Tutorial: SGX Security and Privacy 68
CCS'17 Tutorial: SGX Security and Privacy 69
Availability
• SGX2 release date expected in 1~2 years
• EDMM support will be open-sourced as part of
Graphene
• http://github.com/oscarlab/graphene
CCS'17 Tutorial: SGX Security and Privacy 70
Eleos: Exit-less Enclaves
• Avoids enclave exits and EPC paging
• Combined w/ SDK: Generating RPC-based interface
• Software-based paging: SUVM
CCS'17 Tutorial: SGX Security and Privacy 71
Direct Enclave Costs
• Enclave enter / exit: vs System call:
3,300 / 3,800 cycles 250 cycles
• LLC misses: 5.6~9.5 X
• EPC paging: 40,000 cycles for evict and page-in
CCS'17 Tutorial: SGX Security and Privacy 72
Indirect Cost: LLC Pollution
CCS'17 Tutorial: SGX Security and Privacy 73
LLC pollution causes up to 2X slowdown
0
0.5
1
1.5
2
2.5
1 32,768 65,546 131,072 262,144 524,288
Slo
wd
ow
n f
acto
r
Number of keys per request
KVS serverwith batched requests
Indirect Cost: TLB Pollution
CCS'17 Tutorial: SGX Security and Privacy 74
TLB Flushes at every exits cause up to 6X slowdown
0123456
1 2 4 8 16 32
Slo
wd
ow
n f
acto
r
Number of keys per request
Open addressing Separate chainingKVS server with different collision resolution:
(insensitive to TLB flushes)
RPC-based Enclave Interfaces
CCS'17 Tutorial: SGX Security and Privacy
75
Inside enclave (Trusted)Outside enclave (Untrusted)
EnclaveSoftware
“Client”
RPCThread Pool
“Server”
RPC Queue
untrusted_call()
Spinlock
Pass request
Execute
Unlock
SUVM: Secure User-Space Paging
CCS'17 Tutorial: SGX Security and Privacy 76
Eleos keeps EPC footprint static, to avoid fault-based exits
s_ptr<int> p = suvm_malloc(1024);…
SoftwareAddress Translation
Page table
*p = 1;
Swap out
Encrypted
Enclavememory
(Decrypted)
Fault Handler
Demo: Memcached on Native SGX
CCS'17 Tutorial: SGX Security and Privacy 77
Demo: Memcached with Eleos (RPC)
CCS'17 Tutorial: SGX Security and Privacy 78
Demo:Memcached with Eleos (RPC+SUVM)
CCS'17 Tutorial: SGX Security and Privacy 79
Memcached Performance
CCS'17 Tutorial: SGX Security and Privacy 80
PRC improves 23%, RPC+SUVM improves 51%
134.9165.3
203.0
0
50
100
150
200
250
Native SGX Eleos RPC EleosRPC+SUVM
Ban
dw
idth
(M
/s)
Availability
• Open-source available at:
http://github.com/acsl-technion/eleos
• Contact: [email protected]
CCS'17 Tutorial: SGX Security and Privacy 81
Acknowledgement
Assistance from the following individuals:
• Christof Fetzer (TU Dresden)
• Li Lei (Intel Labs)
• Meni Orenbach (Technion)
• Donald E. Porter (UNC at Chapel Hill / Fortanix)
• Shweta Shinde (Natl. Univ. of Singapore)
• Mark Silberstein (Technion)
• Mona Vij (Intel Labs)
CCS'17 Tutorial: SGX Security and Privacy 82