The Road to Trust: Building Enclaves within Confidential VMs (2402.11438v3)

Published 18 Feb 2024 in cs.CR and cs.AR

Abstract: Integrity is critical for maintaining system security, as it ensures that only genuine software is loaded onto a machine. Although confidential virtual machines (CVMs) run in isolated environments separate from the host, users still face challenges in maintaining control over the integrity of the code running within the trusted execution environments (TEEs). The presence of a sophisticated operating system (OS) makes it possible to dynamically create and execute arbitrary code, leaving user applications within TEEs vulnerable to interference or tampering if the guest OS is compromised. To address this issue, this paper introduces NestedSGX, a framework that leverages virtual machine privilege levels (VMPL), a recent hardware feature available on AMD SEV-SNP, to enable the creation of hardware enclaves within the guest VM. Similar to Intel SGX, NestedSGX treats the guest OS as untrusted, since it may load potentially malicious code, and ensures that only trusted and measured code executed within the enclave can be remotely attested. To protect existing applications seamlessly, NestedSGX aims for compatibility with Intel SGX by simulating SGX leaf functions. We have also ported the SGX SDK and the Occlum library OS to NestedSGX, enabling the use of existing SGX toolchains and applications on the system. Performance evaluations show that context switches in NestedSGX take about 32,000 -- 34,000 cycles, approximately $1.9\times$ -- $2.1\times$ higher than those of Intel SGX. NestedSGX incurs minimal overhead in most real-world applications, with an average overhead below 2% for computation- and memory-intensive workloads and below 15.68% for I/O-intensive workloads.

Authors (9)
  1. Wenhao Wang (74 papers)
  2. Linke Song (2 papers)
  3. Benshan Mei (2 papers)
  4. Shuang Liu (107 papers)
  5. Shijun Zhao (15 papers)
  6. Shoumeng Yan (7 papers)
  7. Dan Meng (32 papers)
  8. Rui Hou (56 papers)
  9. Xiaofeng Wang (310 papers)