# Intel SGX

Mengjia Yan, Fall 2020

Based on slides from the Intel SGX Tutorial

#### **Recap: Process Isolation**

#### **Recap: Secure Boot**

- Static root of trust for measurement (SRTM)
- Defend against replay attacks: freshness
- How does the verifier know the platform's public key? Need a public key infrastructure

6.888 L2 - Secure Processors in Industry

# Intel TXT, AMD PSP, Google Titan

Intel TXT: dynamic root of trust for measurement (DRTM)

from https://www.hotchips.org/hc30/1conf/1.14\_Google\_Titan\_GoogleFinalTitanHotChips2018.pdf

# **Security Vulnerabilities of Using TPM**

- Vulnerable to bus tapping attacks (a discrete TPM talks to the CPU over an exposed bus)
- TPM reset attacks
  - Software, not hardware, reports the hash values to the TPM; if the TPM can be reset while the platform keeps running, software can extend forged measurements
- Bugs in the trusted software (e.g., the SINIT module used by Intel TXT)

Han et al. A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping. USENIX Security'18

Wojtczuk et al. Attacking Intel TXT via SINIT code execution hijacking. 2011

#### So Far .....

(Figure: the trusted part of the stack so far)

# Why Shrink TCB?

- Software bugs
  - SMM-based rootkits
  - Xen: 150K LOC, 40+ vulnerabilities per year
  - Monolithic kernel, e.g., Linux: 17M LOC, 100+ vulnerabilities per year
- Remote computing
  - Remote computer and software stack owned by an untrusted party
  - Examples


# **Secure Remote Computing**

(Figure: which parts of the remote platform's stack are trusted)

#### Arm TrustZone

(Figure from Hua et al. vTZ: Virtualizing ARM TrustZone. USENIX Security'17)

# **Privileged Software Attacks**

- Manipulate everything
- Directly see and modify application code and data
  - $\rightarrow$ Need to encrypt secret data
  - $\rightarrow$ Need to verify integrity (software attestation)
- Mess with
  - Address translation
  - Process initialization and context switch
  - Interrupts, I/Os
  - etc.

#### SGX HW TCB

#### **Intel SGX Security Mechanisms**

#### **SGX Access Control**

- Assume software attestation is done
- Can have multiple enclaves

(Figure: Virtual Address Space (Programmer's View))

6.888 L3 - Intel SGX

# **SGX Memory Organization**

- Keep page mapping metadata in the PRM (Processor Reserved Memory)
- MMU performs extra checks on every access to enclave memory

(Figure: Physical Address Space (limited by DRAM size))

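The extra checks are what stop a malicious OS from turning its control of the page tables against the enclave. The following toy model is added for this page and is not Intel's implementation: hardware records per-EPC-page metadata (owning enclave, expected virtual address, permissions) at EADD and consults it on every enclave-mode access, so that remapping a virtual page to another enclave's page, or to a different page of the same enclave, faults. `Mmu`, `EpcmEntry`, the fault strings and the check order are this example's own simplifications.

```python
"""Toy model of the extra checks the MMU performs on accesses to SGX enclave memory.
Added illustration for this page, not Intel's implementation: the EPCM fields,
the fault strings and the check order are simplified."""
from dataclasses import dataclass
from typing import Dict, Optional

PAGE = 4096


@dataclass
class EpcmEntry:
    """Per-EPC-page metadata kept in the PRM (Enclave Page Cache Map)."""
    valid: bool        # page currently in use
    enclave_id: int    # owning enclave (stands in for the SECS identity)
    vpage: int         # virtual page the enclave expects, recorded at EADD
    r: bool
    w: bool
    x: bool


class Mmu:
    def __init__(self, epc_base: int, epc_pages: int):
        self.epc_base = epc_base
        self.epc_end = epc_base + epc_pages * PAGE
        self.epcm: Dict[int, EpcmEntry] = {}   # physical page number -> entry
        self.page_table: Dict[int, int] = {}   # virtual page -> physical page, OS-controlled

    def eadd(self, enclave_id: int, vaddr: int, paddr: int, perms: str) -> None:
        """Hardware records ownership, expected virtual address and permissions."""
        self.epcm[paddr // PAGE] = EpcmEntry(True, enclave_id, vaddr // PAGE,
                                             "r" in perms, "w" in perms, "x" in perms)

    def access(self, cur_enclave: Optional[int], vaddr: int,
               write: bool = False, execute: bool = False) -> str:
        """cur_enclave is None outside enclave mode. Returns 'ok' or the reason for a fault."""
        ppage = self.page_table.get(vaddr // PAGE)
        if ppage is None:
            return "page-fault"
        if not (self.epc_base <= ppage * PAGE < self.epc_end):
            return "ok"                      # ordinary DRAM: only the OS page table applies
        if cur_enclave is None:
            return "abort-page"              # non-enclave software cannot touch EPC contents
        entry = self.epcm.get(ppage)
        if entry is None or not entry.valid:
            return "fault: unused EPC page"
        if entry.enclave_id != cur_enclave:
            return "fault: page belongs to another enclave"
        if entry.vpage != vaddr // PAGE:
            return "fault: OS mapped the page at a different virtual address"
        if write and not entry.w:
            return "fault: not writable"
        if execute and not entry.x:
            return "fault: not executable"
        if not (write or execute) and not entry.r:
            return "fault: not readable"
        return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenario: enclave 1 owns a code and a data page, enclave 2 owns one page."""
    mmu = Mmu(epc_base=0x8000_0000, epc_pages=4)
    epc = [0x8000_0000 + i * PAGE for i in range(4)]
    for vaddr, paddr in [(0x10000, epc[0]), (0x11000, epc[1]), (0x20000, epc[2])]:
        mmu.page_table[vaddr // PAGE] = paddr // PAGE        # benign OS mappings
    mmu.eadd(1, 0x10000, epc[0], "rx")   # enclave 1 code
    mmu.eadd(1, 0x11000, epc[1], "rw")   # enclave 1 data
    mmu.eadd(2, 0x20000, epc[2], "rw")   # enclave 2 data
    out = {}
    out["enclave 1 reads its data"] = mmu.access(1, 0x11000)
    out["enclave 1 writes its code"] = mmu.access(1, 0x10000, write=True)
    out["OS reads enclave 1 data"] = mmu.access(None, 0x11000)
    mmu.page_table[0x11000 // PAGE] = epc[2] // PAGE        # malicious OS: point at enclave 2's page
    out["OS maps enclave 2's page into enclave 1"] = mmu.access(1, 0x11000)
    mmu.page_table[0x11000 // PAGE] = epc[0] // PAGE        # malicious OS: swap enclave 1's own pages
    out["OS swaps enclave 1's pages"] = mmu.access(1, 0x11000)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:45s} -> {v}")
```

The last two cases are the ones an ordinary MMU cannot catch: the OS owns the page table, so only metadata written by hardware at EADD and stored in memory the OS cannot write (the PRM) can tell a legitimate mapping from a remapped one.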
## So far .....

- Once the enclave is initialized correctly, it can be isolated from system software using
  - Hardware access control (supported by MMU)
  - Hardware support for secure context switch
- How to ensure the initialization is correct?
  - Software Attestation (similar to secure boot)

(Figure: enclave build sequence. The BIOS sets up the PRM region in the physical address space; ECREATE creates the enclave; then, for every page, EADD adds it and EEXTEND measures it.)

#### **Enclave Measurement**

- Hardware generates a cryptographic log of the build process
  - Code, data, stack, and heap contents
  - Location of each page within the enclave
  - Security attributes (e.g., page permissions) and enclave capabilities
- Enclave identity (MRENCLAVE) is a 256-bit digest of the log that represents the enclave



## **Enclave Initialization**

- Add page (EADD)
- Measure (EEXTEND)
- Init (EINIT)
  - Finalize measurement
- Active (EENTER)
  - Switch to enclave mode




#### **Enclave Attestation and Sealing**

- HW-based attestation provides evidence that "this is the right application executing on an authentic platform" (approach similar to secure boot attestation)

#### **Protect Memory**



# **Confidentiality Protection with Encryption**

- Secret key is stored inside chip
- For freshness, encrypt with nonce (counter)
- {nonce, ciphertext} per cache block are stored externally in DRAM



### **Integrity Protection with Hash**

- For each cache line: {ciphertext + nonce + hash}
- Where do the nonces and hashes live?
  - On chip: storage grows with the amount of protected memory  $\rightarrow$  high on-chip storage requirement
  - Off chip: the attacker can roll a line back to an old {ciphertext, nonce, hash} triple, and at ~64 bits per block the metadata is itself a large overhead  $\rightarrow$  high off-chip storage requirement
- General solution:
  - Integrity tree (Merkle tree)

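To make the problem concrete, here is an added Python model (not code from the lecture) of the naive scheme in which each line's {ciphertext, nonce, hash} triple lives in untrusted DRAM and only the key stays on chip. A keyed hash catches a flipped bit and catches a line copied to another address, but an attacker who restores an old, self-consistent triple is not detected: that replay is what forces either on-chip storage of the metadata or an integrity tree whose root is on chip. The SHA-256 keystream stands in for a block cipher in counter mode; `Dram`, `MemoryEncryptionEngine` and the sample lines are this example's own.

```python
"""Toy model of per-cache-line confidentiality + integrity metadata, {ciphertext, nonce, hash},
kept entirely in untrusted DRAM with only the key on chip. Added illustration for this page.
The SHA-256-based keystream stands in for a block cipher in counter mode; do not reuse it as one."""
import hashlib
import hmac
import os

LINE = 64                           # cache line size in bytes
KEY = os.urandom(32)                # on-chip secret; never leaves the processor


def keystream(addr: int, nonce: int) -> bytes:
    """Counter-mode pad bound to the line address and its per-line write counter."""
    seed = KEY + addr.to_bytes(8, "little") + nonce.to_bytes(8, "little")
    return hashlib.sha256(seed).digest() * 2        # 64 bytes, one per line byte


def line_hash(addr: int, nonce: int, ct: bytes) -> bytes:
    """Keyed hash (MAC) over address, nonce and ciphertext. An unkeyed hash stored off chip
    could simply be recomputed by the attacker, so the on-chip key must be involved."""
    msg = addr.to_bytes(8, "little") + nonce.to_bytes(8, "little") + ct
    return hmac.new(KEY, msg, "sha256").digest()[:8]     # ~64 bits per block, as on the slide


class Dram(dict):
    """Untrusted off-chip memory: addr -> (ciphertext, nonce, hash). The attacker may read,
    rewrite or restore any entry."""


class MemoryEncryptionEngine:
    def __init__(self, dram: Dram):
        self.dram = dram

    def write(self, addr: int, plaintext: bytes) -> None:
        assert len(plaintext) == LINE
        prev_nonce = self.dram[addr][1] if addr in self.dram else 0
        nonce = prev_nonce + 1                           # fresh counter per write
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(addr, nonce)))
        self.dram[addr] = (ct, nonce, line_hash(addr, nonce, ct))

    def read(self, addr: int) -> bytes:
        ct, nonce, tag = self.dram[addr]
        if not hmac.compare_digest(tag, line_hash(addr, nonce, ct)):
            raise ValueError(f"integrity failure at {addr:#x}")
        return bytes(c ^ k for c, k in zip(ct, keystream(addr, nonce)))


def _fails(mee: MemoryEncryptionEngine, addr: int) -> bool:
    try:
        mee.read(addr)
        return False
    except ValueError:
        return True


def demo() -> dict:
    dram = Dram()
    mee = MemoryEncryptionEngine(dram)
    addr, other = 0x1000, 0x2000
    mee.write(addr, b"balance=100".ljust(LINE, b"\0"))   # constructed sample line
    stale = dram[addr]                                   # attacker snapshots the whole triple
    mee.write(addr, b"balance=000".ljust(LINE, b"\0"))
    out = {}
    out["rewrite of the line gives a new ciphertext"] = stale[0] != dram[addr][0]
    # 1) flipping a ciphertext bit: caught, the hash no longer matches
    ct, nonce, tag = dram[addr]
    dram[addr] = (bytes([ct[0] ^ 1]) + ct[1:], nonce, tag)
    out["bit flip detected"] = _fails(mee, addr)
    # 2) moving a line to another address: caught, the hash is bound to the address
    dram[other] = stale
    out["splice to other address detected"] = _fails(mee, other)
    # 3) rolling the line back to the stale triple: NOT caught; the triple is self-consistent
    dram[addr] = stale
    out["replay of stale triple accepted"] = mee.read(addr).rstrip(b"\0") == b"balance=100"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:45s} {v}")
```

Keeping the counter on chip per line would close the replay, but that is exactly the on-chip storage cost the slide rules out; the integrity tree that follows gets freshness for all lines out of a single on-chip root.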
# **Operations on Merkle Tree**

- Only need to store the root node on chip
- How to verify block B1?
- Write to block B3?
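Added Python example, not from the slides, answering both questions. To verify B1: hash it, combine the result with its log2(n) sibling hashes fetched from DRAM up to the root, and compare with the root kept on chip. To write B3: verify the old path first, write the block, recompute the leaf and the nodes along its path, and store the new root on chip. The example also shows a replayed old B3 being rejected, because the old path no longer hashes to the current on-chip root. The block and node layout and the names (`IntegrityTree`, `leaf_hash`) are the example's own; only the root being on chip is taken from the slide.

```python
"""Integrity (Merkle) tree over untrusted DRAM blocks with only the root kept on chip.
Added illustration for this page of the two operations the slide asks about: verifying a
block and writing a block. Block and node layout are this example's own."""
import hashlib
from typing import List


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(idx: int, data: bytes) -> bytes:
    return H(b"leaf", idx.to_bytes(4, "little"), data)     # index binds a block to its slot


class IntegrityTree:
    def __init__(self, blocks: List[bytes]):
        n = len(blocks)
        assert n and n & (n - 1) == 0, "power-of-two block count keeps the example short"
        self.n = n
        self.dram = list(blocks)                 # untrusted: data blocks B0..B(n-1)
        # untrusted: tree nodes as a heap array, nodes[1] = root, leaves at nodes[n..2n-1]
        self.nodes = [b""] * (2 * n)
        for i, b in enumerate(self.dram):
            self.nodes[n + i] = leaf_hash(i, b)
        for i in range(n - 1, 0, -1):
            self.nodes[i] = H(b"node", self.nodes[2 * i], self.nodes[2 * i + 1])
        self.root_on_chip = self.nodes[1]        # the ONLY trusted storage

    def siblings(self, idx: int) -> List[bytes]:
        """The log2(n) sibling hashes fetched from DRAM to verify block idx."""
        node, sibs = self.n + idx, []
        while node > 1:
            sibs.append(self.nodes[node ^ 1])
            node //= 2
        return sibs

    def read(self, idx: int) -> bytes:
        """Verify B_idx: hash it, combine with siblings up to the root, compare with on-chip root."""
        data = self.dram[idx]
        node, h = self.n + idx, leaf_hash(idx, data)
        for s in self.siblings(idx):
            h = H(b"node", h, s) if node % 2 == 0 else H(b"node", s, h)
            node //= 2
        if h != self.root_on_chip:
            raise ValueError(f"integrity failure on B{idx}")
        return data

    def write(self, idx: int, data: bytes) -> int:
        """Write B_idx: verify the current path first, then recompute hashes up to the root.
        Returns the number of hashes recomputed (1 leaf + log2(n) internal nodes)."""
        self.read(idx)                           # never build a new root on unverified siblings
        self.dram[idx] = data
        node = self.n + idx
        self.nodes[node] = leaf_hash(idx, data)
        recomputed = 1
        while node > 1:
            node //= 2
            self.nodes[node] = H(b"node", self.nodes[2 * node], self.nodes[2 * node + 1])
            recomputed += 1
        self.root_on_chip = self.nodes[1]        # update the trusted root last
        return recomputed


def _fails(tree: IntegrityTree, idx: int) -> bool:
    try:
        tree.read(idx)
        return False
    except ValueError:
        return True


def demo() -> dict:
    blocks = [f"B{i}".encode().ljust(64, b"\0") for i in range(8)]   # constructed data
    t = IntegrityTree(blocks)
    out = {"verify B1": t.read(1) == blocks[1]}
    old_root, old_b3_leaf = t.root_on_chip, t.nodes[t.n + 3]
    out["write B3 touches leaf + log2(8) nodes"] = t.write(3, b"B3-new".ljust(64, b"\0")) == 4
    out["root changed by the write"] = t.root_on_chip != old_root
    out["B3 reads back after write"] = t.read(3).startswith(b"B3-new")
    # attacker restores the old B3 together with its old (self-consistent) leaf hash
    t.dram[3], t.nodes[t.n + 3] = blocks[3], old_b3_leaf
    out["replay of old B3 detected"] = _fails(t, 3)
    t.dram[1] = b"evil".ljust(64, b"\0")         # plain tampering with an untouched block
    out["tamper with B1 detected"] = _fails(t, 1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40s} {v}")
```

Verification costs log2(n) hashes and log2(n) sibling fetches per read, and a write costs the same again; the tree nodes themselves can live off chip because any change to them also changes the recomputed root, which is compared against the one value the attacker cannot touch.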



# Next Lecture: Side Channel Introduction