MPTEE: Bringing Flexible and Efficient Memory Protection to Intel - - PowerPoint PPT Presentation

mptee bringing flexible and efficient memory protection
SMART_READER_LITE
LIVE PREVIEW

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel - - PowerPoint PPT Presentation

Aug 05, 2023 104 likes •630 views

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu 2 , Yong Qi 1 , Sqiyu Qi 3 1 Xian Jiaotong University, China 2 University of Minnesota, USA 3 Xidian University, China EuroSys'20, April 2730,

slide-1
SLIDE 1

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX

Wenjia Zhao1,2, Kangjie Lu2, Yong Qi1, Sqiyu Qi3

1Xi’an Jiaotong University, China 2University of Minnesota, USA 3Xidian University, China

EuroSys'20, April 27–30, 2020

slide-2
SLIDE 2

Intel Software eXecute Guard (SGX)

  • Hardware-based trusted execution environment
  • Provide secure region, namely enclave
  • Enhance Application Security

Digital Wallet Blockchain Edge Computing Secure Cloud Services

slide-3
SLIDE 3

Two types of SGX Research

Applications (to protect data/code)

  • VC3 [OAKLAND’15]
  • SCONE [OSDI’16]
  • JITGuard [CCS’17]
  • SGXCrypter [ASP-DAC’17]

Protection/attack to SGX itself

  • Page Fault [OAKLAND’15]
  • SGX-Shield [NDSS’17]
  • SGXBOUNDS [EUROSYS’17]
  • Side-channel [OAKLAND’18, SECURITY’17]
slide-4
SLIDE 4

Examples and current disadvantages

SGXCrypter protects code by unpacking the packed code in enclave.

  • relies on the OS page table to remove the W perm of unpacked code
  • is incompatible with the SGX security model

SGX-Shield protects SGX code itself through randomization

  • uses software-based DEP to create an Non-RW boundary(R15)
  • wastes the R15 register
  • NRW boundary using a general register can be shifted[security’18]
slide-5
SLIDE 5

Two types of SGX Research

Applications (to protect data/code)

  • VC3 [OAKLAND’15]
  • SCONE [OSDI’16]
  • JITGuard [CCS’17]
  • SGXCrypter [ASP-DAC’17]

Protection/attack to SGX itself

  • Page Fault [OAKLAND’15]
  • SGX-Shield [NDSS’17]
  • SGXBOUNDS [EUROSYS’17]
  • Side-channel [OAKLAND’18, SECURITY’17]

flexibly and securely enforcing memory-page permissions

slide-6
SLIDE 6

Unfortunately, the feature is missing

slide-7
SLIDE 7

Unfortunately, the feature is missing Why?

slide-8
SLIDE 8

Unfortunately, the feature is missing

Why?

Security considerations (untrusted os) Permissions are statically decided (sign-verify)

slide-9
SLIDE 9

Challenges

Strong adversary Limited hardware support

slide-10
SLIDE 10

Challenges

Strong adversary Limited hardware support

A software-based solution, significant performance overhead

slide-11
SLIDE 11

Challenges

Strong adversary Limited hardware support

The privileged software (e.g., OS, hypervisor) is untrusted and SGX programs themselves might be vulnerable

slide-12
SLIDE 12

Challenges

Strong adversary Limited hardware support

A hardware-assisted solution

slide-13
SLIDE 13

Challenges

Strong adversary Limited hardware support

A hardware-assisted solution low overhead

slide-14
SLIDE 14

Challenges

Strong adversary Limited hardware support

A hardware-assisted solution low overhead

slide-15
SLIDE 15

Region Attack Enforcement integrity Code Permission enforcement R/W/X

MPTEE: memory permission protection

Flexible, efficient, and isolated memory permission enforcement for SGX.

  • Flexible and Efficient Memory-Permission Enforcement
  • Enforcement Integrity
slide-16
SLIDE 16

Region Attack Enforcement integrity Code Permission enforcement R/W/X

MPTEE: memory permission protection

Flexible, efficient, and isolated memory permission enforcement for SGX.

  • Flexible and Efficient Memory-Permission Enforcement
  • Enforcement Integrity
slide-17
SLIDE 17

Region Attack Enforcement integrity Code Permission enforcement R/W/X

MPTEE: memory permission protection

Flexible, efficient, and isolated memory permission enforcement for SGX.

  • Flexible and Efficient Memory-Permission Enforcement
  • Enforcement Integrity
slide-18
SLIDE 18

Memory-Permission Enforcement

Basic idea Use hardware-assisted technique(MPX) to bound-check access Elastic Cross-Region Bound Check(CRBC)

slide-19
SLIDE 19

bnd0.lb bnd0.ub

fun: : ……

Elastic Cross-Region Bound Check(CRBC)

Memory Protection Extension(MPX)

  • New instructions, bndcu, bndcl, bndmk…
  • Four dedicated bound registers (BND0∼BND3)
slide-20
SLIDE 20

Elastic Cross-Region Bound Check(CRBC)

Memory Protection Extension(MPX)

  • New instructions, bndcu, bndcl, bndmk…
  • Four dedicated bound registers (BND0∼BND3)
  • More bounds will be stored in a bound table in memory

Significant performance overhead (over 60%)

slide-21
SLIDE 21

Elastic Cross-Region Bound Check(CRBC)

OS kernel env,argv,argc Heap .data .bss .text RW X Stack .data .bss .text X RW program dynamic libraries ...

region1 region4 region5 region3 region2 region0

slide-22
SLIDE 22

Elastic Cross-Region Bound Check(CRBC)

OS kernel env,argv,argc Heap .data .bss .text RW X Stack .data .bss .text X RW program dynamic libraries ...

region1 region4 region5 region3 region2 region0

Bound Directory Bound Table0 Bound Table1 UBound LBound

bnd regs

Bound tables impose high

  • verhead
slide-23
SLIDE 23

Elastic Cross-Region Bound Check(CRBC)

How can we use limited number

  • f bound registers to protect

multiple memory region access?

slide-24
SLIDE 24

Elastic Cross-Region Bound Check(CRBC)

The same permission memory range is continuous in an enclave Key observation

slide-25
SLIDE 25

Elastic Cross-Region Bound Check(CRBC)

The same permission memory range is continuous in an enclave Key observation

Because All required libraries must be statically linked in the target enclave program

slide-26
SLIDE 26

Elastic Cross-Region Bound Check(CRBC)

Permission change Continuous à Non-continuous

.text,.rodata,... .got,.bss,.data,...

...

Heap R W X

Enclave memory layout

Thread context

Exceeded the number of MPX registers

slide-27
SLIDE 27

Elastic Cross-Region Bound Check(CRBC)

.text,.rodata,... .got,.bss,.data,...

...

Heap R W X

Enclave memory layout

Thread context

Unpack code/randomize code

Remove W

slide-28
SLIDE 28

.text,.rodata,... .got,.bss,.data,...

...

Heap W X

Enclave memory layout

Thread context

Unpack code/randomize code

X W R

Elastic Cross-Region Bound Check(CRBC)

Remove W

3 regions à 5 regions

slide-29
SLIDE 29

.text,.rodata,... .got,.bss,.data,...

...

Heap W X

Enclave memory layout

Thread context

Unpack code/randomize code

X W R

Elastic Cross-Region Bound Check(CRBC)

Remove W

3 regions à 5 regions

4 MPX registers are not enough

slide-30
SLIDE 30

.text,.rodata,... .got,.bss,.data,...

...

Heap W X

Enclave memory layout

Thread context

Unpack code/randomize code

X W R

Elastic Cross-Region Bound Check(CRBC)

Remove W

We design a new layout

slide-31
SLIDE 31

Elastic Cross-Region Bound Check(CRBC)

.text,.rodata,... .got,.bss,.data,...

...

Heap R W X

Enclave memory layout

Thread context

.text,.rodata,… (RX) .got,.bss,.data,heap (RW) R X non-permission

New memory layout with CRBC

W

slide-32
SLIDE 32

Elastic Cross-Region Bound Check(CRBC)

.text,.rodata,... .got,.bss,.data,...

...

Heap R W X

Enclave memory layout

Thread context

.text,.rodata,… (RX) .got,.bss,.data,heap (RW) R X non-permission

New memory layout with CRBC

W

slide-33
SLIDE 33

Elastic Cross-Region Bound Check(CRBC)

.text,.rodata,… (RX) .got,.bss,.data,heap (RW)

R(BND2) X(BND0)

non-permission

New memory layout with CRBC

W(BND1)

Non-perm. (ImageBase, BND0.LB) X (BND0.LB, BND2.LB) RX (BND2.LB, BND1.LB) RWX (BND1.LB, BND0.UB) RW (BND0.UB, BND1.UB) R (BND1.UB, BND2.UB)

slide-34
SLIDE 34

Elastic Cross-Region Bound Check(CRBC)

.text,.rodata,… (RX) .got,.bss,.data,heap (RW)

R(BND2) X(BND0)

non-permission

New memory layout with CRBC

W(BND1)

Non-perm. (ImageBase, BND0.LB) X (BND0.LB, BND2.LB) RX (BND2.LB, BND1.LB) RWX (BND1.LB, BND0.UB) RW (BND0.UB, BND1.UB) R (BND1.UB, BND2.UB)

Only three registers to offer six regions Continuous after permission change

slide-35
SLIDE 35

Elastic Cross-Region Bound Check(CRBC)

Remove W

R X non-permission W

Generated code fragment0

JIT code generator

R X non-permission W

Reserved area

slide-36
SLIDE 36

Elastic Cross-Region Bound Check(CRBC)

R X non-permission W

Generated code fragment0

JIT code generator

R X non-permission W

Generated code fragment0 Generated code fragment1

Remove W Remove W

slide-37
SLIDE 37

R X non-permission W

Elastic Cross-Region Bound Check(CRBC)

R X non-permission W

Generated code fragment0

JIT code generator

Generated code fragment0 Generated code fragment1

Remove W Remove W

slide-38
SLIDE 38

Elastic Cross-Region Bound Check(CRBC)

  • Initializing the bounds
  • Updating the bounds
  • Permission enforcement using CRBC
  • Four APIs, mpt_mmap, mpt_mremap, mpt_uunmap, mpt_write
  • Improving EPC usage
  • Optimizing CRBC: Adaptive Permission Enforcement

More details in the paper

slide-39
SLIDE 39

Elastic Cross-Region Bound Check(CRBC)

  • CRBC leverages MPX to efficiently bound-check multiple regions with

different boundary registers.

  • Use only regs, bnd0, bnd1, and bnd2
  • Provide six different permission regions
  • Allow the flexible changes of the ranges of

memory regions at runtime

slide-40
SLIDE 40

Elastic Cross-Region Bound Check(CRBC)

  • CRBC leverages MPX to efficiently bound-check multiple regions with

different boundary registers

  • Use only regs, bnd0, bnd1, and bnd2
  • Provide six different permission regions
  • Allow the flexible changes of the ranges of

memory regions at runtime Without using MPX bound table to avoid the high performance overhead

slide-41
SLIDE 41

CRBC may be attacked

Check-skipping attacks

  • Control-flow attacks that bypass the bound checks and abuse the permission

control Unaligned call without check

slide-42
SLIDE 42

CRBC may be attacked

Bound-manipulating attacks

  • Data-flow attacks that manipulate bounds

Bndmk is called maliciously

slide-43
SLIDE 43

Enforcement Integrity

control-data integrity + memory isolation

slide-44
SLIDE 44

Enforcement Integrity

Control-data integrity

  • Indirect calls/jumps

Trampolines table Function A_Addr Function B_Addr Function A Function B ptr = IndexA; check ptr < table size; Call *(base+ptr*8);

slide-45
SLIDE 45

Enforcement Integrity

Control-data integrity

  • Indirect calls/jumps

Trampolines table Function A_Addr Function B_Addr Function A Function B ptr = IndexA; check ptr < table size; Call *(base+ptr*8);

slide-46
SLIDE 46

Enforcement Integrity

Control-data integrity

  • Indirect calls/jumps
  • Return Address
  • SafeStack [OSDI’14]
slide-47
SLIDE 47

Enforcement Integrity

Memory isolation

ret addr Trampoline table

X(BND0)

Indirect calls

Non-permission *ptrA = *ptrB + V modify_bndregisters(*ptrA) ptrA/ptrB No additional

  • verhead
slide-48
SLIDE 48

Evaluation

Hardware platform

  • Intel Xeon E3-1225v5
  • 8GB memory

Software environments

  • Ubuntu 16.04 Server
  • SGX SDK v2.0
  • SGX driver v0.10
  • LLVM v6.0
slide-49
SLIDE 49

Macro-benchmark

SQLite

  • Overhead from 2% to 8%
  • Average overhead 6.6%

Memcached

  • Average overhead 2.2%
slide-50
SLIDE 50

Micro-benchmark and Case Studies

  • Nbench
  • Protecting SGXELIDE code
  • Protecting SGX-Shield code

More details in the paper

slide-51
SLIDE 51

Conclusions

MPTEE provides a flexible, isolated, and efficient memory permission protection mechanism

  • Three bound registers offer six permission regions
  • Efficient enforcement integrity
  • Control data integrity with efficient trampoline table
  • No additional overhead of isolation beyond the CRBC

Flexible and efficient memory permission protection for SGX