Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intel® Software Guard Extensions (Intel® SGX)

Published byMoris Ward Modified over 8 years ago

Similar presentations

Presentation on theme: "Intel® Software Guard Extensions (Intel® SGX)"— Presentation transcript:

1 Intel® Software Guard Extensions (Intel® SGX)
Dror Caspi Intel April 21, 2015 * Based on a presentation by Frank McKeen, Intel Labs Copyright © 2015 Intel Corporation. All rights reserved.

2 Legal Disclaimers The comments and statements are mine and not necessarily Intel’s Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer. No computer system can be absolutely secure. 

3 Outline Problem Statement Attack Surface and Overview
Programming environment System programming view Day in the life of an enclave SGX Access Control & Off Chip protections Attestation and Sealing Developing with SGX Summary

4 The Basic Issue: Why Aren’t Compute Devices Trustworthy?
Protected Mode (rings) protects OS from apps … App App Malicious App X X X Info Attack Bad Code Bad Code OK Privileged Code Privileged Code attack Rings worked well before the internet Platform owner and app developers were aligned Code was not downloaded from unknown sources Need additional protection from unknown sources which are not aligned with the platform owner on program behavior … and apps from each other … … UNTIL a malicious app exploits a flaw to gain full privileges and then tampers with the OS or other apps Apps not protected from privileged code attacks

5 Scalable security within mainstream environment
Reduced attack surface with SGX Application gains ability to defend its own secrets Smallest attack surface (app + processor) Malware that subverts OS/VMM, BIOS, Drivers etc. cannot steal app secrets Familiar development/debug Single application environment Build on existing ecosystem expertise Familiar deployment model Platform integration not a bottleneck to deployment of trusted apps Attack surface with Enclaves Attack surface today App Proxy App Proxy App Proxy X X OS VMM (Hypervisor) Hardware Reference talk on applications for development environment Attack Surface Scalable security within mainstream environment

6 SGX Programming Environment
Trusted execution environment embedded in a process OS With its own code and data Enclave Code Provide Confidentiality Enclave Data Provide integrity Enclave Enclave With controlled entry points App Data TCS (*n) TCS (*n) Supporting multiple threads TCS (*n) App Code With full access to app memory User Process Enclave 6

7 SGX High-level HW/SW Picture
Enclave Enclave Instructions EEXIT EGETKEY EREPORT EENTER ERESUME Application Environment SGX User Runtime SGX User Runtime Instructions ECREATE EADD EEXTEND EINIT EBLOCK ETRACK EWB ELD EPA EREMOVE Privileged Environment SGX Module Page Tables Platform Exposed Hardware Hdw Data Structure Hardware EPC EPCM Runtime Application OS Data structure 7 7

8 Life Cycle of An Enclave
Build Life Cycle of An Enclave Virtual Addr Space Physical Addr Space System Memory Plaintext Code/Data Load Code/Data Plaintext Code/Data Code/Data Code/Data Code/Data Code/Data MRENCLAVE MRENCLAVE Update PTE Enclave Page Cache (EPC) EPCM ECREATE (Range) ECREATE (Range) Invalid EADD (Copy Page) EADD (Copy Page) EEXTEND EEXTEND Plaintext Code/Data Plaintext Code/Data Valid,ID, LA Invalid EINIT EINIT Plaintext Code/Data Valid,ID, LA Invalid EENTER EENTER Plaintext Code/Data EEXIT EEXIT EREMOVE EREMOVE SECS Invalid Valid,SECS 8

9 Traditional IA Page Table Replace Address With Abort
SGX Access Control Non-Enclave Access Linear Address Physical Address Traditional IA Page Table Checks Enclave Access? No Address in EPC? Enclave Access Yes Yes Address in EPC? Replace Address With Abort Page No No Yes Signal Fault Check EPCM Checks Pass ? Yes Allow Memory Access No

10 Protection vs. Memory Snooping Attacks
Non-Enclave Access CPU Package CPU Package Security perimeter is the CPU package boundary Data and code unencrypted inside CPU package Data and code outside CPU package is encrypted and/or integrity checked External memory reads and bus snoops see only encrypted data System Memory Cores Cache Jco3lks937weu0cwejpoi9987v80we Snoop AMEX: Snoop

11 Outline Problem Statement Attack Surface and Overview
Programming environment System programming view Day in the life of an enclave SGX Access Control & Off Chip protections Attestation and Sealing Developing with SGX Summary

12 The Challenge: Provisioning Secrets to the Enclave
An enclave is in the clear before instantiation Sections of code and data could be encrypted, but their decryption key can’t be pre-installed Secrets come from outside the enclave Keys Passwords Sensitive data The enclave must be able to convince a 3rd party that it’s trustworthy and can be provisioned with the secrets Subsequent runs should be able to use the secrets that have already been provisioned

13 Trustworthiness A service provider should vet the enclave’s Trusted Computing Base (TCB) before it should trust it and provide secrets to it The enclave’s software The CPU’s hardware & firmware Intel® SGX provides the means for an enclave to securely prove to a 3rd party: What software is running inside the enclave Which execution environment the enclave is running at Which Sealing Identity will be used by the enclave What’s the CPU’s security level

14 Attestation: Software TCB
When building an enclave, Intel® SGX generates a cryptographic log of all the build activities Content: Code, Data, Stack, Heap Location of each page within the enclave Security flags being used MRENCLAVE (“Enclave Identity”) is a 256-bit digest of the log Represents the enclave’s software TCB A software TCB verifier should: Securely obtain the enclave’s software TCB Securely obtain the expected enclave’s software TCB Compare the two values

15 Local Attestation “Local attestation”: The process by which one enclave attests its TCB to another enclave on the same platform Using Intel® SGX’s EREPORT and EGETKEY instructions EREPORT generates a cryptographic REPORT that binds MRENCLAVE to the target enclave’s REPORT KEY EGETKEY provides the REPORT KEY to verify the REPORT TCB component Attestation CPU Firmware & hardware Symmetric - CPU REPORT KEY Software MRENCLAVE

16 Local Attestation - Flow
Processor Client Application Client Application Reporting Enclave Verifying Enclave MRENCLAVE REPORT MAC EGETKEY EREPORT MRENCLAVE Verifying enclave sends its MRENCLAVE to reporting enclave Reporting enclave creates a cryptographic REPORT that includes its MRENCLAVE Verifying enclave obtains its REPORT key and verifies the authenticity of the REPORT

17 Remote Attestation “Remote attestation”: The process by which one enclave attests its TCB to another entity outside of the platform Intel® SGX Extends Local attestation by allowing a Quoting Enclave (QE) to use Intel® EPID to create a QUOTE out of a REPORT Intel® EPID is a group signature scheme TCB component Attestation CPU Firmware & hardware Asymmetric - Intel® EPID Software MRENCLAVE

18 Remote Attestation - Flow
Platform Remote Platform Verifying Application Enclave QUOTE REPORT Quoting Enclave MRENCLAVE EPID MAC Verifying enclave becomes the Quoting Enclave (QE). After verifying the REPORT the, QE signs the REPORT with the EPID private key and converts it into a QUOTE Remote platform verifies the QUOTE with the EPID public key and verifies MRENCLAVE against the expected value

19 Sealing Authority Every enclave has an Enclave Certificate (SIGSTRUCT) which is signed by a Sealing Authority Typically the enclave writer SIGSTRUCT includes: Enclave’s Identity (represented by MRENCLAVE) Sealing Authority’s public key (represented by MRSIGNER) EINIT verifies the signature over SIGSTRUCT prior to enclave initialization

20 Sealing “Sealing”: Cryptographically protecting data when it leaves the enclave. Enclaves use EGETKEY to retrieve an enclave, platform persistent key and encrypts the data EGETKEY uses a combination of enclave attributes and platform unique key to generate keys Enclave Sealing Authority Enclave Product ID Enclave Product Security Version Number (SVN)

21 Example: Secure Transaction
Remote Platform Client Application 1 Enclave QE EPID 2 3 4 Enclave built & measured against ISV’s signed certificate Enclave calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) REPORT & user data sent to Quoting Enclave who signs the REPORT with an EPID private key QUOTE sent to server & verified Ephemeral key used to create a trusted channel between enclave and remote server Secret provisioned to enclave Enclave calls EGETKEY to obtain the SEAL KEY Secret is encrypted using SEAL KEY & stored for future use

22 Example: Secure Transaction
Remote Platform Client Application 1 Enclave QE 5 Authenticated Channel EPID 2 4 3 Enclave built & measured against ISV’s signed certificate Enclave calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) REPORT & user data sent to Quoting Enclave who signs the REPORT with an EPID private key QUOTE sent to server & verified Ephemeral key used to create a trusted channel between enclave and remote server Secret provisioned to enclave Enclave calls EGETKEY to obtain the SEAL KEY Secret is encrypted using SEAL KEY & stored for future use

23 Authenticated Channel
Example: Secure Transaction Remote Platform Client Application 1 Enclave 5 6 Authenticated Channel 5 4 2 3 Enclave built & measured against ISV’s signed certificate Enclave calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) REPORT & user data sent to Quoting Enclave who signs the REPORT with an EPID private key QUOTE sent to server & verified Ephemeral key used to create a trusted channel between enclave and remote server Secret provisioned to enclave Enclave calls EGETKEY to obtain the SEAL KEY Secret is encrypted using SEAL KEY & stored for future use

24 Authenticated Channel
Example: Secure Transaction Remote Platform Client Application 1 Enclave 5 Authenticated Channel 5 7 4 2 6 3 Enclave built & measured against ISV’s signed certificate Enclave calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) REPORT & user data sent to Quoting Enclave who signs the REPORT with an EPID private key QUOTE sent to server & verified Ephemeral key used to create a trusted channel between enclave and remote server Secret provisioned to enclave Enclave calls EGETKEY to obtain the SEAL KEY Secret is encrypted using SEAL KEY & stored for future use 8

25 Intel® SGX Software Development
SGX SDK Tools Trusted Application Software Developer decides which components should execute within an enclave Development Environment allows the Developer to quickly develop enclave enabled binaries Including support for common software libraries, exporting interfaces, and support for provisioning Windows DLL / Enclave App Code Processing Component SGX SDK Libraries Glue Code Glue Code SGX SDK Libraries Processing Component Architectural Enclaves Architectural Enclaves Architectural Enclaves Intel SGX enabled CPU

26 SGX Technical Summary Provides any application the ability to keep a secret Provide capability using new processor instructions Application can support multiple enclaves Provides integrity and confidentiality Resists hardware attacks Prevent software access, including privileged software and SMM Applications run within OS environment Low learning curve for application developers Open to all developers Resources managed by system software How do you sell a minimum TCB? Provide provable/dependable integrity & confidentiality

27 Links Intel’s SGX Page (Programming Reference, white papers & blogs): Joint research poster session: Public Cloud Paper using SGX2: HASP Workshop: ISCA 2015 Tutorial:

28 Thank You

29 Backup

30 SGX Paging Introduction
Requirement: Remove an EPC page and place into unprotected memory. Later restore it. Page must maintain same security properties (confidentiality, anti- replay, and integrity) when restored Instructions: EWB: Evict EPC page to main memory with cryptographic protections ELDB/ELDU: Load page from main memory to EPC with cryptographic protections EPA: Allocate an EPC page for holding versions EBLOCK: Declare an EPC page ready for eviction ETRACK: Ensure address translations have been cleared

31 Page-out Example EWB Parameters: EWB Operation
BUILD Page-out Example EWB EPC System Memory EWB Parameters: Pointer to EPC page that needs to be paged out Pointer to empty version slot Pointers outside EPC location EWB Operation Remove page from the EPC Populate version slot Write encrypted version to outside Write meta-data, PCMD All pages, including SECS and Version Array can be paged out SECS Enclave Page VER VA Page Enclave Page Encrypted Page PCMD Enclave Page

32 Page-in Example ELD Parameters: ELD Operation Encrypted page
BUILD Page-in Example ELD EPC System Memory ELD Parameters: Encrypted page Free EPC page SECS (for an enclave page) Populated version slot ELD Operation Verify and decrypt the page using version Populate the EPC slot Make back-pointer connection (if applicable) Free-up version slot SECS Enclave Page VA Page VER Encrypted Page Free Enclave Page Enclave Page MD Enclave Page

Download ppt "Intel® Software Guard Extensions (Intel® SGX)"

Similar presentations

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
1 Hardware Support for Isolation Krste Asanovic U.C. Berkeley MURI “DHOSA” Site Visit April 28, 2011.

1 Hardware Support for Isolation Krste Asanovic U.C. Berkeley MURI “DHOSA” Site Visit April 28, 2011.
Vpn-info.com.

Vpn-info.com.
Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,
1 SECURE-PARTIAL RECONFIGURATION OF FPGAs MSc.Fisnik KRAJA Computer Engineering Department, Faculty Of Information Technology, Polytechnic University of.

1 SECURE-PARTIAL RECONFIGURATION OF FPGAs MSc.Fisnik KRAJA Computer Engineering Department, Faculty Of Information Technology, Polytechnic University of.
Implementing an Untrusted Operating System on Trusted Hardware.

Implementing an Untrusted Operating System on Trusted Hardware.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI 2014. Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.

Shielding Applications from an Untrusted Cloud Andrew Baumann, Marcus Peinado, and Galen Hunt. OSDI Fall 2014 Presenter: Kun Sun, Ph.D. Most slides.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
Government Online – White Paper Companion – Copyright © 2007 Credentica Inc. All Rights Reserved. This presentation is animated. Press the “space bar”

Government Online – White Paper Companion – Copyright © 2007 Credentica Inc. All Rights Reserved. This presentation is animated. Press the “space bar”
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Chapter 12 File Management Systems

Chapter 12 File Management Systems
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Similar presentations

Ads by Google