Intel® Software Guard Extensions (Intel® SGX) Support for Dynamic Memory Management Inside an Enclave
Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie-Hurd, Carlos Rozas, Intel Corporation
Saeid Mofrad
1 - INTRODUCTION:
SGX: Software Guard Extensions provides the capability to protect specified areas of an application from outside access. The area is called an enclave, and hardware provides confidentiality and integrity for the specified area. SGX allows software developers to build trusted modules inside an application to protect secrets. A software developer specifies the contents of an enclave, and a relying party can confirm that the area is instantiated correctly on a remote machine.
Application development consideration [3]:
MOTIVATION OF SGX-2: THREE SHORTCOMINGS WITH THE SGX1
• First, all enclave memory must be committed at enclave build time. This increases the build time. Committing memory places pressure on the enclave page cache (EPC); the enclave developer must allocate memory for the worst-case memory consumption of any workload. Otherwise, the enclave developer will need to release enclaves designed for different size workloads.
• The second shortcoming is related to the management of access permissions associated with an enclave page. SGX extends the access permission model by associating an additional set of access permissions with each enclave page; these are stored in an SGX structure called the Enclave Page Cache Map (EPCM).
• The last shortcoming is related to library OS support, where secure exception handling and lazy loading of code inside an enclave are important features. SGX-1 didn't record information when a general protection fault or page fault occurs inside an enclave.
• To address these problems, six new instructions and new exception behavior were added to the SGX architecture, known as SGX2.
2 SGX2 CONSIDERATIONS & REQUIREMENTS:
• Manipulating memory and permissions of an enclave must be done with the knowledge and consent of the enclave.
• If enclave code is changed incorrectly or without the knowledge of the enclave, execution should be suspended until the condition is resolved. This enables the enclave to manage its own security.
• The system resource manager (OS or VMM) must be able to manage and allocate the resources as requested, using standard techniques and priorities.
• Manipulation of memory permissions involves both the system permissions and the EPCM permissions. EPCM permissions allow the enclave developer to specify the restrictions and access control for the enclave.
• SGX2 memory management involves a system resource manager (system manager), which manages the system resources,
• and an internal enclave resource manager (internal manager), which manages the enclave memory from inside the enclave.
• The protocol consists of communication between the system manager and the internal manager, as follows:
• The system memory manager: allocating memory -> paging memory -> changing permissions -> changing page types -> managing the page table entry permissions -> initiating EPCM permissions of the enclaves (by calling an instruction).
• The internal manager: starting memory change requests -> verifying that the system manager has processed the requests correctly.
• The internal manager does not have direct access to the page tables and must request the system manager to make changes to page table entry (PTE) permissions.
2.1 SECURITY CONSIDERATIONS
• Must ensure that changes in permission do not affect the security of the enclave.
• When restricting page permissions -> check that the permission restrictions are complete and that the previously cached address translations or cached permissions are removed. SGX2 checks that old permissions are removed from the TLBs.
• SGX1 allows the system memory manager to remove pages from an enclave using the EREMOVE leaf function. However, since the enclave doesn't participate in this process, it doesn't know if the page was removed.
2.2 SOFTWARE CONSIDERATIONS
• The internal memory manager wants to reallocate the memory resources: add a thread; it must allocate Thread Control Structure (TCS) and State Save Area (SSA) pages. Add more memory to the enclave.
• Exception Reporting Inside an Enclave: for Library OS usage. In this case the exception condition should be reported inside the enclave. SGX2 adds several exception conditions to the SSA frame when exiting an enclave. They include page faults (#PF) and general protection violations (#GP).
• Demand Loading of Library Pages: The internal manager must have a mechanism to load the page without allowing access until the copy is complete. SGX2 adds a leaf function to perform the copy securely.
3.1 ENCLAVE MALLOC
• The following is the protocol:
• 1. Memory is requested from the internal manager (the enclave runtime system), which serves it from its internal pool of memory. If the memory pool is low, the internal manager requests the system manager to allocate more memory.
• 2. The system manager allocates virtual address space but does not commit memory, and returns a reference to the virtual address space to the internal manager.
• 3. The enclave internal manager returns a reference to the enclave. When the enclave accesses the newly allocated memory, a page fault is generated, as memory has not been committed.
• 4. The OS page fault handler detects that the virtual address has been allocated but memory has not been committed. The OS commits memory by using EAUG and maps the committed but pending page into the enclave address space. The OS then sends a signal to the enclave internal manager.
• 5. The internal manager receives the signal. The internal manager checks that the virtual address has been committed, then executes EACCEPT, which allows the enclave to access the pending page. The signal handler returns back to the application, which eventually results in the enclave execution resuming.
3.2 ENCLAVE FREE
• The following is an example protocol:
• 1. The enclave releases memory; the internal manager releases the address space back to the OS.
• 2. The system manager executes EMODT on all pages to change the page type to PT_TRIM and to clear the EPCM access permission bits. This begins the process of decommitting memory. The system manager then executes ETRACK on the SECS of the calling enclave and then sends IPIs to the logical processors which may contain TLB mappings to the pages that had been trimmed.
• 3. Once all logical processors have responded to the IPI, control is returned to the internal manager.
• 4. The internal manager verifies that committed memory has been decommitted by executing EACCEPT, which verifies that the pages are trimmed and all stale TLB mappings have been flushed. The internal manager needs to update its tracking information to record that the virtual address has no committed memory.
• 5. The system manager can later reclaim the committed memory by executing EREMOVE on the trimmed pages.
3.3 CHANGING PAGE PERMISSIONS
• If the change in permission is permissive, then the following protocol applies:
• 1. The internal manager runs EMODPE to extend the page permissions in the EPCM.
• 2. The internal manager requests the system manager to extend the page permissions in the page tables.
• If the change in permission is restrictive, then the following protocol applies:
• 1. The internal manager requests that the system manager restrict permissions on a page.
• 2. The system manager executes EMODPR and updates the page table permissions. After permissions have been updated, the system manager executes ETRACK on the SECS of the calling enclave and sends IPIs to all processors that may be executing inside the enclave to flush TLB mappings.
• 3. After all IPIs have been acknowledged, control is returned to the internal manager. The internal manager verifies that the page permissions are restricted and the TLB mappings flushed by executing EACCEPT.
3.4 THREAD CONTROL STRUCTURE ALLOCATION
• 1. The internal manager initializes a regular EPC page with appropriate TCS values. If the enclave memory has not been committed, then the internal manager will need to perform a request to allocate memory as described in section 3.1. Then the internal manager requests that the system manager convert the page to a TCS.
• 2. The system manager executes EMODT to set the page type to PT_TCS and to clear the EPCM access permission bits. The page is also marked modified, which prevents the page from being used as a TCS.
• 3. The system manager then executes ETRACK. The system manager sends IPIs to flush all old mappings to the page and returns control to the internal manager.
• 4. The internal manager executes EACCEPT on the modified TCS page. EACCEPT will verify that the TLB mappings are flushed and perform consistency checks on the TCS page, then clear the modified bit, making the page available to EENTER.
3.5 DYNAMIC LOADING OF MODULES
• SGX2 provides EACCEPTCOPY, which allows the internal manager to atomically initialize the contents and permissions of a page.
• 1. The internal manager indicates to the system manager that a virtual address space is allocated but not committed (same as in 3.1).
• 2. When an enclave attempts to access a page in this virtual address space, a page fault is generated, and the system manager commits memory by executing EAUG and signals the internal manager.
• 3. The internal manager identifies the virtual address as belonging to a module page to be loaded. The system manager may load the contents of the page into regular memory, or the enclave runtime system may need to request that the content be loaded into regular memory.
• 4. The internal manager then copies the contents of the module into private enclave memory. The internal manager should verify the integrity of the contents and apply any required relocations. Finally, the internal manager copies the contents and initializes the permissions using EACCEPTCOPY.
3.6 LIBRARY OS SUPPORT
1. The process begins with an exception generated inside an enclave. The processor records the exception information in the SSA and delivers the exception to the OS exception handler.
2. If the OS cannot handle the exception, the OS signals the LibOS PAL (Platform Adaptation Layer) exception handler.
3. The LibOS PAL executes EENTER to invoke the LibOS exception handler inside the enclave.
4. The LibOS exception handler reads the exception information, then generates an OS-specific exception context, and invokes the application exception handler inside the SGX-enabled LibOS.
4.1 SGX2 ISA, ENCLS LEAF FUNCTIONS, EAUG
• EAUG augments the enclave with a page of EPC memory: it associates that page with an SECS page, updates the linear address and security attributes in the page's EPCM entry, and puts the page in the "Pending" state.
• Two input parameters: a pointer to the destination page in EPC, and a pointer to the enclave's SECS page.
• While in the "Pending" state, the page cannot be accessed by anyone, including the enclave. Only after the enclave approves the page by using ENCLU[EACCEPT] will the page be accessible to the enclave.
ENCLS LEAF FUNCTIONS, EMODT
• EMODT modifies the type of an EPC page and puts the page in the "Modified" state. Allowed page types are PT_TCS and PT_TRIM. The operation receives two input parameters: a pointer to the target page in EPC, and a pointer to the page's new security attributes. While in the "Modified" state, the page cannot be accessed by anyone, including the enclave. Only after the enclave approves the page by using the ENCLU[EACCEPT] leaf function will the page be accessible to the enclave.
ENCLS LEAF FUNCTIONS, EMODPR
• EMODPR: This leaf function restricts the access rights associated with an EPC page of an initialized enclave and puts the page in the "Permission Restriction" state. The operation receives two input parameters: a pointer to the target page in EPC, and a pointer to the page's new security attributes. The operation will fail if it attempts to extend the permissions of the page. While in the "Permission Restriction" state, the page cannot be accessed by anyone, including the enclave. Only after the enclave approves the page by using the ENCLU[EACCEPT] leaf function will the page be accessible to the enclave.
ENCLU LEAF FUNCTIONS, EACCEPT
• This leaf function must be executed from within an enclave. It accepts changes to a page in the running enclave by verifying that the security attributes specified in SECINFO match the page's security attributes in the EPCM. The operation receives two input parameters: a pointer to the target page in EPC, and a pointer to the page's approved new security attributes. After a successful execution of EACCEPT, the page's "Pending", "Modified", or "Permission Restriction" state is cleared and the page becomes accessible to the enclave.
ENCLU LEAF FUNCTIONS, EACCEPTCOPY
• This leaf function must be executed from within an enclave. It copies the contents of an existing EPC page into an uninitialized EPC page that was created by EAUG. The operation receives three input parameters: a pointer to the target page in EPC, a pointer to the page's new security attributes, and a pointer to the page's new content. After a successful execution of EACCEPTCOPY, the page's "Pending" state is cleared and the page becomes accessible to the enclave.
ENCLU LEAF FUNCTIONS, EMODPE
• This leaf function must be executed from within an enclave. It extends the access rights associated with an existing EPC page in the running enclave. The operation receives two input parameters: a pointer to the target page in EPC, and a pointer to the page's new security attributes. The operation will fail if it attempts to restrict the permissions of the page. Since the execution happens from within the enclave, it is trusted and takes effect immediately.
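The protocols of sections 3.1 to 3.5 and the leaf-function semantics of section 4.1 can be captured in one executable model. The following Python is an added example, not code from the paper or from Intel: it simulates the EPCM transition states (Pending, Modified, Permission Restriction), the checks each ENCLS/ENCLU leaf performs as described above, and a simplified ETRACK/IPI shootdown so that EACCEPT refuses a page whose stale translations have not been flushed on every logical processor. The class and function names, the epoch-based TLB model, the RWX bit values, and the SHA-256 integrity check in the module loader are assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass, field

R, W, X = 1, 2, 4                                  # modelled EPCM RWX bits
PT_REG, PT_TCS, PT_TRIM = "PT_REG", "PT_TCS", "PT_TRIM"


@dataclass
class EpcmEntry:
    """One EPCM entry plus the three SGX2 transition states (assumed layout)."""
    page_type: str = PT_REG
    perms: int = R | W
    content: bytes = b""
    pending: bool = False      # set by EAUG, cleared by EACCEPT/EACCEPTCOPY
    modified: bool = False     # set by EMODT, cleared by EACCEPT
    pr: bool = False           # "Permission Restriction": EMODPR -> EACCEPT


@dataclass
class Platform:
    """EPCM keyed by enclave linear address, plus an epoch-based TLB model
    (assumed): ETRACK bumps the epoch, each IPI brings one processor up to
    date, and EACCEPT refuses Modified/PR pages while any processor lags."""
    epcm: dict = field(default_factory=dict)
    epoch: int = 0
    cpu_epoch: dict = field(default_factory=lambda: {0: 0, 1: 0})

    # ---- ENCLS leaves: system manager, outside the enclave ----
    def eaug(self, addr):
        self.epcm[addr] = EpcmEntry(pending=True)  # committed, not yet usable
    def emodt(self, addr, new_type):
        if new_type not in (PT_TCS, PT_TRIM):
            raise ValueError("EMODT: only PT_TCS and PT_TRIM are allowed")
        e = self.epcm[addr]
        e.page_type, e.perms, e.modified = new_type, 0, True
    def emodpr(self, addr, new_perms):
        e = self.epcm[addr]
        if new_perms & ~e.perms:
            raise ValueError("EMODPR: may only restrict permissions")
        e.perms, e.pr = new_perms, True
    def etrack_and_ipi(self, cpus=None):
        """ETRACK on the SECS, then IPIs to the given processors (default: all)."""
        self.epoch += 1
        for cpu in (list(self.cpu_epoch) if cpus is None else cpus):
            self.cpu_epoch[cpu] = self.epoch

    # ---- ENCLU leaves: internal manager, inside the enclave ----
    def accessible(self, addr):
        e = self.epcm.get(addr)
        return e is not None and not (e.pending or e.modified or e.pr)
    def eaccept(self, addr, secinfo):
        """Approve only if SECINFO (type, perms) matches the EPCM and, for
        Modified/PR pages, every processor has flushed stale translations."""
        e = self.epcm[addr]
        if (e.page_type, e.perms) != secinfo:
            raise ValueError("EACCEPT: SECINFO does not match EPCM")
        if (e.modified or e.pr) and min(self.cpu_epoch.values()) < self.epoch:
            raise ValueError("EACCEPT: stale TLB mappings not yet flushed")
        e.pending = e.modified = e.pr = False
    def eacceptcopy(self, addr, secinfo, src):
        e = self.epcm[addr]
        if not e.pending:
            raise ValueError("EACCEPTCOPY: target must be a pending EAUG page")
        e.page_type, e.perms = secinfo
        e.content, e.pending = bytes(src), False   # contents + perms in one step
    def emodpe(self, addr, new_perms):
        e = self.epcm[addr]
        if e.perms & ~new_perms:
            raise ValueError("EMODPE: may only extend permissions")
        e.perms = new_perms                        # trusted, takes effect now


# ---- Protocols of sections 3.1-3.5, as driven by the internal manager ----
def enclave_malloc(p, addr):
    p.eaug(addr)                             # OS #PF handler commits the page
    p.eaccept(addr, (PT_REG, R | W))         # enclave approves the pending page
    return p.accessible(addr)

def enclave_free(p, addr):
    p.emodt(addr, PT_TRIM)                   # start decommit, perms cleared
    p.etrack_and_ipi()
    p.eaccept(addr, (PT_TRIM, 0))            # trim and TLB flush verified
    del p.epcm[addr]                         # OS later reclaims with EREMOVE
    return addr not in p.epcm

def change_permissions(p, addr, new_perms):
    if new_perms & ~p.epcm[addr].perms:      # permissive: EMODPE, no shootdown
        p.emodpe(addr, new_perms)
    else:                                    # restrictive: EMODPR, shootdown, EACCEPT
        p.emodpr(addr, new_perms)
        p.etrack_and_ipi()
        p.eaccept(addr, (PT_REG, new_perms))
    return p.epcm[addr].perms

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def load_module_page(p, addr, module_bytes, expected_sha256):
    p.eaug(addr)                             # fault -> EAUG -> signal to enclave
    if sha256_hex(module_bytes) != expected_sha256:
        return False                         # integrity failed: page stays Pending
    p.eacceptcopy(addr, (PT_REG, R | X), module_bytes)
    return p.accessible(addr)
```

Two behaviours are worth trying against the model: executing EACCEPT after ETRACK but before every processor has acknowledged its IPI raises, which is the check that the security consideration in 2.1 relies on; and a module page whose integrity check fails is left in the Pending state, so the enclave never gains access to unverified content.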
MANAGING PAGE TABLE TRANSLATIONS
ENCLAVE EXCEPTION HANDLING ENHANCEMENTS
• The cause of the AEX is stored in the EXITINFO field in the SSA.
• If the SECS.MISCSELECT.EXINFO bit is set by the enclave writer, the processor saves #PF and #GP information into the EXINFO structure.
4.5 EPCM-INDUCED MEMORY FAULT REPORTING
• A #PF exception is generated. A bit in the Page Fault Error Code (PFEC) indicates that the page fault was due to EPCM access checks. This bit is located at bit position 15 and is called "SGX".
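How the recorded exception information of sections 3.6, 4.4 and 4.5 is consumed inside the enclave, as an added example that is not the paper's or any LibOS's code: it decodes the PFEC using the standard low bits and the "SGX" bit 15 named above, and builds the OS-specific exception context that step 4 of the LibOS flow hands to the application handler. The signal names, the dictionary layout, the `exinfo` tuple shape and the handling of a missing EXINFO record are assumptions.

```python
# x86 exception vectors for #PF and #GP (architectural values)
PF_VECTOR, GP_VECTOR = 14, 13
# Standard PFEC bits: present, write/read, user/supervisor, reserved, instr fetch
PFEC_P, PFEC_WR, PFEC_US, PFEC_RSVD, PFEC_ID = 1, 2, 4, 8, 16
PFEC_SGX = 1 << 15         # bit 15 "SGX": fault caused by EPCM access checks


def decode_pfec(errcd):
    """Turn an EXINFO.ERRCD value into readable flags."""
    return {
        "present": bool(errcd & PFEC_P),
        "write": bool(errcd & PFEC_WR),
        "user": bool(errcd & PFEC_US),
        "reserved_bit": bool(errcd & PFEC_RSVD),
        "instruction_fetch": bool(errcd & PFEC_ID),
        "epcm": bool(errcd & PFEC_SGX),
    }


def libos_exception_context(vector, exinfo):
    """Step 4 of the LibOS flow: read the SSA exception information and build an
    OS-specific context (assumed POSIX-style) for the application handler.
    `exinfo` is (MADDR, ERRCD) when SECS.MISCSELECT.EXINFO was set, else None."""
    if vector == GP_VECTOR:
        return {"signal": "SIGSEGV", "kind": "general-protection", "addr": None}
    if vector != PF_VECTOR:
        return {"signal": None, "kind": "unhandled", "vector": vector}
    if exinfo is None:                # enclave was built without EXINFO
        return {"signal": "SIGSEGV", "kind": "page-fault", "addr": None,
                "note": "set SECS.MISCSELECT.EXINFO to obtain MADDR/ERRCD"}
    maddr, errcd = exinfo
    flags = decode_pfec(errcd)
    # An EPCM-induced fault means the enclave's own page protections (or a
    # Pending/Modified/PR state) blocked the access, not the OS page tables.
    kind = "epcm-access-violation" if flags["epcm"] else "page-fault"
    return {"signal": "SIGSEGV", "kind": kind, "addr": maddr, "flags": flags}
```

The distinction the "SGX" bit gives an in-enclave handler is whether the fault is something the OS could have resolved (an ordinary page-table miss) or a violation of the enclave's own EPCM permissions, which the internal manager must treat as a security event rather than a condition to retry.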
SUMMARY AND RELATED WORK
• The new instructions added to SGX1 provide a better software development environment while maintaining the security of the enclave. The SGX2 instructions enable better protection of proprietary code, which can be loaded and then protected using the EPCM.
• Allow for dynamic memory and threading support.
• Support dynamic allocation of library pages in the library OS environment.
End of Presentation