Mingyu Wu,Zhe Li,Haibo Chen,Binyu Zang,Shaojun Wang,Lei Yu,Sanhong Li,Haitao Song

DOI: https://doi.org/10.1109/tc.2023.3318400

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Hardware enclaves assist in constructing a trusted execution environment (TEE) to store private code and data and thus become an appealing solution to enhance applications' security. Nevertheless, state-of-the-art enclave implementations like Intel Software Guard Extensions (SGX) have severe performance issues and hinder the deployment of more complicated applications, especially those written in high-level languages like Java. To reduce the performance overhead, prior work has partitioned applications or rebuilt lightweight language runtimes, but they either require manual labor from developers or fail to provide full-fledged support for existing applications. This work instead provides SAJ, a runtime built upon a full-fledged Java virtual machine (JVM) and thus requires no modifications to applications. SAJ first analyzes the performance of vanilla JVMs running in enclaves and finds that the memory management overhead and boot phase are culprits for performance slowdown. For memory management, SAJ introduces SGX-aware heap layout and garbage collector, which reduces both GC and application execution time. As for the boot phase, SAJ introduces an address-conscious launching mechanism to improve the boot performance. The evaluation under representative Java applications shows that SAJ can reduce the overall GC pause time, application time, and boot time by 2.93x, 2.58x, and 2.73x on average, respectively.

Wenhao Wang,Linke Song,Benshan Mei,Shuang Liu,Shijun Zhao,Shoumeng Yan,XiaoFeng Wang,Dan Meng,Rui Hou

2024-05-31

Abstract:Integrity is critical for maintaining system security, as it ensures that only genuine software is loaded onto a machine. Although confidential virtual machines (CVMs) function within isolated environments separate from the host, it is important to recognize that users still encounter challenges in maintaining control over the integrity of the code running within the trusted execution environments (TEEs). The presence of a sophisticated operating system (OS) raises the possibility of dynamically creating and executing any code, making user applications within TEEs vulnerable to interference or tampering if the guest OS is compromised. To address this issue, this paper introduces NestedSGX, a framework which leverages virtual machine privilege level (VMPL), a recent hardware feature available on AMD SEV-SNP to enable the creation of hardware enclaves within the guest VM. Similar to Intel SGX, NestedSGX considers the guest OS untrusted for loading potentially malicious code. It ensures that only trusted and measured code executed within the enclave can be remotely attested. To seamlessly protect existing applications, NestedSGX aims for compatibility with Intel SGX by simulating SGX leaf functions. We have also ported the SGX SDK and the Occlum library OS to NestedSGX, enabling the use of existing SGX toolchains and applications in the system. Performance evaluations show that context switches in NestedSGX take about 32,000 -- 34,000 cycles, approximately $1.33\times$ -- $1.54\times$ higher than that of Intel SGX. NestedSGX incurs minimal overhead in most real-world applications, with an average overhead below 2% for computation and memory intensive workloads and below 15.68% for I/O intensive workloads.

Cryptography and Security,Hardware Architecture

Mohammad Hasanzadeh Mofrad,Adam Lee

DOI: https://doi.org/10.48550/arXiv.1705.04706

2018-04-03

Abstract:Enforcing integrity and confidentiality of users' application code and data is a challenging mission that any software developer working on an online production grade service is facing. Since cryptology is not a widely understood subject, people on the cutting edge of research and industry are always seeking for new technologies to naturally expand the security of their programs and systems. Intel Software Guard Extension (Intel SGX) is an Intel technology for developers who are looking to protect their software binaries from plausible attacks using hardware instructions. The Intel SGX puts sensitive code and data into CPU-hardened protected regions called enclaves. In this project we leverage the Intel SGX to produce a secure cryptographic library which keeps the generated keys inside an enclave restricting use and dissemination of confidential cryptographic keys. Using enclaves to store the keys we maintain a small Trusted Computing Base (TCB) where we also perform computation on temporary buffers to and from untrusted application code. As a proof of concept, we implemented hashes and symmetric encryption algorithms inside the enclave where we stored hashes, Initialization Vectors (IVs) and random keys and open sourced the code (<a class="link-external link-https" href="https://github.com/hmofrad/CryptoEnclave" rel="external noopener nofollow">this https URL</a>).

Cryptography and Security

Dominic P. Mulligan,Gustavo Petri,Nick Spinale,Gareth Stockwell,Hugo J. M. Vincent

DOI: https://doi.org/10.1109/seed51797.2021.00025

2021-09-01

Abstract:The semiconductor industry is witnessing a nascent security paradigm shift in the rise of Confidential Computing. Driven by the need to protect computations delegated to co-tenanted machines operated by Cloud Computing services, mainstream instruction set architectures are gradually introducing novel features that can be used to establish protected isolates offering strong integrity and confidentiality guarantees to code and data contained within. Coupled with a Remote Attestation protocol, a third-party may request the launch of an isolate on an otherwise untrusted machine and know—with a high degree of assurance—that a payload of code and data was indeed loaded into a legitimate isolate with a particular configuration. We argue that this ability to reliably establish a safe “beach-head” on an untrusted third-party’s machine has far-reaching consequences with applications beyond protecting workloads delegated to Cloud Computing services. In a future world where facilities for Confidential Computing are widely deployed and used, we imagine a utopia where inadvertent data leakage is a curiosity of a bygone age, with encrypted data moving from isolate to isolate and never resting in plaintext. Moreover, data is only released in explicitly delimited ways for processing, with systems and individuals exhibiting fine-grained control over data. We report on recent activities within Arm in attempting to realize this vision, and hope that this paper acts as a “call to arms” to others to join with us in fully exploring the potential of these emerging technologies.

Haibo Chen,Mingyu Li,Yubin Xia,Bojun Zhu,Wentai Li,Jinyu Gu

Abstract:The monolithic programming model has been favored for high compatibility and easing the programming for SGX en-claves, i.e., running the secure code with all dependent libraries or even library OSes (LibOSes). Yet, it inevitably bloats the trusted computing base (TCB) and thus deviates from the goal of high security. Introducing fine-grained isolation can effectively mitigate TCB bloating while existing solutions face performance issues. We observe that the off-the-shelf Intel MPK is a perfect match for efficient intra-enclave isolation. Nonetheless, the trust models between MPK and SGX are incompatible by design. We hence propose L IGHT - E NCLAVE , which embraces non-intrusive extensions on existing SGX hardware to incorporate MPK securely and allows multiple light-enclaves isolated within one enclave. Experiments show that L IGHT E NCLAVE incurs up to 4% overhead when separating secret SSL keys for server applications and can significantly improve the performance of Graphene-SGX and Occlum by reducing the communication and runtime overhead, respectively.

Computer Science,Engineering

Jinyu Gu,Bojun Zhu,Yubin Xia,Binyu Zang,Haibing Guan,Haibo Chen,Xinyu Wu

DOI: https://doi.org/10.1109/tc.2020.3019704

IF: 3.183

2020-01-01

IEEE Transactions on Computers

Abstract:The releases of Intel SGX and AMD SEV mark the transition of hardware-based enclaves from research prototypes to mainstream products. These two paradigms of secure enclaves are attractive to both the cloud providers and tenants, since security is one of the key pillars of cloud computing. However, it is found that current hardware-defined enclaves are not flexible and efficient enough for the cloud. For example, although SGX can provide strong memory protection with both confidentiality and integrity, the size of secure memory is tightly restricted. On the contrary, SEV enables enclaves to use more memory but has critical security flaws due to no memory integrity protection. Meanwhile, both types of enclaves have relatively long booting latency, which makes them not suitable for short-term tasks like serverless workloads. After an in-depth analysis, we find that there are some intrinsic tradeoffs between security and performance due to the limitation of architectural designs. In this article, we investigate a novel hardware-software co-design of enclaves to meet the requirements of cloud by placing a part of the logic of the enclave mechanism into a lightweight software layer, named Enclavisor, to achieve a balance between security, performance, and flexibility. Specifically, our implementation is based on AMD's SEV and, Enclavisor is placed in the guest kernel mode of SEV's secure virtual machines. Enclavisor inherently supports memory encryption with no memory limitation and also achieves efficient booting, multiple enclave granularities, and post-launch remote attestation. Meanwhile, we also propose hardware/software solutions to mitigate the security flaws caused by the lack of memory integrity. We implement a prototype of Enclavisor on an AMD SEV server. The experiments on both micro-benchmarks and application benchmarks show that enclaves on Enclavisor can have close-to-native performance.

engineering, electrical & electronic,computer science, hardware & architecture

Yuan Chen,Jiaqi Li,Guorui Xu,Yajin Zhou,Zhi Wang,Cong Wang,Kui Ren

2022-01-01

Abstract:Since its debut, SGX has been used to secure various types of applications. However, existing systems usually assume a trusted enclave and ignore the security issues caused by an untrusted enclave. For instance, a vulnerable (or even malicious) third-party enclave can be exploited to attack the host application and the rest of the system. In this paper, we propose an efficient mechanism to confine an untrusted enclave's behaviors. In particular, the threats of an untrusted enclave come from the enclave-host asymmetries, which can be abused to access arbitrary memory regions of its host application, jump to any code location after leaving the enclave and forge the stack register to manipulate the saved context. Our solution breaks such asymmetries and establishes mutual distrust between the host application and the enclave. Specifically, it leverages Intel MPK for efficient memory isolation and the x86 single-step debugging mechanism to capture the exiting event of the enclave. Then it performs the integrity check of the jump target and the stack pointer. We have implemented a prototype system and solved two practical challenges. The evaluation with multiple micro-benchmarks and representative real-world applications demonstrated the effectiveness and the efficiency of our system, with less than 4% performance overhead.

Yaxing Chen,Qinghua Zheng,Dan Liu,Zheng Yan,Wenhai Sun,Ning Zhang,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.48550/arxiv.1912.08454

2019-01-01

Abstract:While the security of the cloud remains a concern, a common practice is to encrypt data before outsourcing them for utilization. One key challenging issue is how to efficiently perform queries over the ciphertext. Conventional crypto-based solutions, e.g. partially/fully homomorphic encryption and searchable encryption, suffer from low performance, poor expressiveness and weak compatibility. An alternative method that utilizes hardware-assisted trusted execution environment, i.e., Intel SGX, has emerged recently. On one hand, such work lacks of supporting scalable access control over multiple data users. On the other hand, existing solutions are subjected to the key revocation problem and knowledge extractor vulnerability. In this work, we leverage the newly hardware-assisted methodology and propose a secure, scalable and efficient SQL-like query framework named QShield. Building upon Intel SGX, QShield can guarantee the confidentiality and integrity of sensitive data when being processed on an untrusted cloud platform. Moreover, we present a novel lightweight secret sharing method to enable multi-user access control in QShield, while tackling the key revocation problem. Furthermore, with an additional trust proof mechanism, QShield guarantees the correctness of queries and significantly alleviates the possibility to build a knowledge extractor. We implemented a prototype for QShield and show that QShield incurs minimum performance cost.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Dahan Pan,Jianqiang Wang,Yingpeng Chen,Donghui Yu,Wenbo Yang,Yuanyuan Zhang

DOI: https://doi.org/10.1109/cscloud62866.2024.00029

2024-01-01

Abstract:Cloud-native-based software development is in trend now. The end-users use the cloud services to save the local computation resources for other intensive tasks. Compiling is one of the vital required services. The compiling-on-the-cloud service like CloudCompiling or CityCloud requires the user to upload their source code for online compiling. However, the latest online compiling service can neither protect the users' source code privacy nor prove the integrity of the whole compiling process. To fill this gap, we designed COM URICE to provide a user-transparent, secure compiling service employing the trusted execution environment (TEE) to enforce security by blocking all the attempts in code or data theft during the compiling procedure. COM URICE leverages the hardware security feature of TEE to prevent the compiling process from malicious access and modification while encrypting the communication channel to protect the integrity and privacy of the source code. The challenges in realizing COM URICE lie in porting a fully functional compiler such as GCC or LLVM and designing an efficient compiling service to minimize the performance lag brought by confidential computing. According to the characteristics of the compiling process, it consists of several routines, pre-processing, compiling/obfuscation, and linking. The division of the routines requires multiple enclaves to run simultaneously. In the experiment, we compare COM URICE'S compiling service with nativeLLVM, SCONELLVM, and GrapheneLLVM. From a performance perspective, COM URICE pays a fair cost for security. Generally, a project compiling with COM URICE suffers 1–2 times more performance loss than nativeLLVM. Compared to other confidential compiling techniques like GrapheneLLVM or SCONELLVM, COM URICE is up to 20 times faster when compiling the same projects.

Ketong Shang,Jiangnan Lin,Yu Qin,Muyan Shen,Hongzhan Ma,Wei Feng,Dengguo Feng

2024-12-05

Abstract:Confidential Computing has emerged to address data security challenges in cloud-centric deployments by protecting data in use through hardware-level isolation. However, reliance on a single hardware root of trust (RoT) limits user confidence in cloud platforms, especially for high-performance AI services, where end-to-end protection of sensitive models and data is critical. Furthermore, the lack of interoperability and a unified trust model in multi-cloud environments prevents the establishment of a cross-platform, cross-cloud chain of trust, creating a significant trust gap for users with high privacy requirements. To address the challenges mentioned above, this paper proposes CCxTrust (Confidential Computing with Trust), a confidential computing platform leveraging collaborative roots of trust from TEE and TPM. CCxTrust combines the black-box RoT embedded in the CPU-TEE with the flexible white-box RoT of TPM to establish a collaborative trust framework. The platform implements independent Roots of Trust for Measurement (RTM) for TEE and TPM, and a collaborative Root of Trust for Report (RTR) for composite attestation. The Root of Trust for Storage (RTS) is solely supported by TPM. We also present the design and implementation of a confidential TPM supporting multiple modes for secure use within confidential virtual machines. Additionally, we propose a composite attestation protocol integrating TEE and TPM to enhance security and attestation efficiency, which is proven secure under the PCL protocol security model. We implemented a prototype of CCxTrust on a confidential computing server with AMD SEV-SNP and TPM chips, requiring minimal modifications to the TPM and guest Linux kernel. The composite attestation efficiency improved by 24% without significant overhead, while Confidential TPM performance showed a 16.47% reduction compared to standard TPM.

Cryptography and Security

Youren Shen,Hongliang Tian,Yu Chen,Kang Chen,Runji Wang,Yi Xu,Yubin Xia,Shoumeng Yan

DOI: https://doi.org/10.1145/3373376.3378469

2020-01-01

Abstract:Intel Software Guard Extensions (SGX) enables user-level code to create private memory regions called enclaves, whose code and data are protected by the CPU from software and hardware attacks outside the enclaves. Recent work introduces library operating systems (LibOSes) to SGX so that legacy applications can run inside enclaves with few or even no modifications. As virtually any non-trivial application demands multiple processes, it is essential for LibOSes to support multitasking. However, none of the existing SGX LibOSes support multitasking both securely and efficiently. This paper presents Occlum, a system that enables secure and efficient multitasking on SGX. We implement the LibOS processes as SFI-Isolated Processes (SIPs). SFI is a software instrumentation technique for sandboxing untrusted modules (called domains). We design a novel SFI scheme named MPX-based, Multi-Domain SFI (MMDSFI) and leverage MMDSFI to enforce the isolation of SIPs. We also design an independent verifier to ensure the security guarantees of MMDSFI. With SIPs safely sharing the single address space of an enclave, the LibOS can implement multitasking efficiently. The Occlum LibOS outperforms the state-of-the-art SGX LibOS on multitasking-heavy workloads by up to 6, 600x on micro-benchmarks and up to 500x on application benchmarks.

Aritra Dhar,Clément Thorens,Lara Magdalena Lazier,Lukas Cavigelli

2024-07-17

Abstract:Cloud workloads have dominated generative AI based on large language models (LLM). Specialized hardware accelerators, such as GPUs, NPUs, and TPUs, play a key role in AI adoption due to their superior performance over general-purpose CPUs. The AI models and the data are often highly sensitive and come from mutually distrusting parties. Existing CPU-based TEEs such as Intel SGX or AMD SEV do not provide sufficient protection. Device-centric TEEs like Nvidia-CC only address tightly coupled CPU-GPU systems with a proprietary solution requiring TEE on the host CPU side. On the other hand, existing academic proposals are tailored toward specific CPU-TEE platforms. To address this gap, we propose Ascend-CC, a confidential computing architecture based on discrete NPU devices that requires no trust in the host system. Ascend-CC provides strong security by ensuring data and model encryption that protects not only the data but also the model parameters and operator binaries. Ascend-CC uses delegation-based memory semantics to ensure isolation from the host software stack, and task attestation provides strong model integrity guarantees. Our Ascend-CC implementation and evaluation with state-of-the-art LLMs such as Llama2 and Llama3 shows that Ascend-CC introduces minimal overhead with no changes in the AI software stack.

Cryptography and Security

Christian Priebe,Divya Muthukumaran,Joshua Lind,Huanzhou Zhu,Shujie Cui,Vasily A. Sartakov,Peter Pietzuch

DOI: https://doi.org/10.48550/arXiv.1908.11143

2019-08-29

Operating Systems

Abstract:Hardware support for trusted execution in modern CPUs enables tenants to shield their data processing workloads in otherwise untrusted cloud environments. Runtime systems for the trusted execution must rely on an interface to the untrusted host OS to use external resources such as storage, network, and other functions. Attackers may exploit this interface to leak data or corrupt the computation. We describe SGX-LKL, a system for running Linux binaries inside of Intel SGX enclaves that only exposes a minimal, protected and oblivious host interface: the interface is (i) minimal because SGX-LKL uses a complete library OS inside the enclave, including file system and network stacks, which requires a host interface with only 7 calls; (ii) protected because SGX-LKL transparently encrypts and integrity-protects all data passed via low-level I/O operations; and (iii) oblivious because SGX-LKL performs host operations independently of the application workload. For oblivious disk I/O, SGX-LKL uses an encrypted ext4 file system with shuffled disk blocks. We show that SGX-LKL protects TensorFlow training with a 21% overhead.

Benshan Mei,Saisai Xia,Wenhao Wang,Dongdai Lin

2024-07-18

Abstract:Confidential computing safeguards sensitive computations from untrusted clouds, with Confidential Virtual Machines (CVMs) providing a secure environment for guest OS. However, CVMs often come with large and vulnerable operating system kernels, making them susceptible to attacks exploiting kernel weaknesses. The imprecise control over the read/write access in the page table has allowed attackers to exploit vulnerabilities. The lack of security hierarchy leads to insufficient separation between untrusted applications and guest OS, making the kernel susceptible to direct threats from untrusted programs. This study proposes Cabin, an isolated execution framework within guest VM utilizing the latest AMD SEV-SNP technology. Cabin shields untrusted processes to the user space of a lower virtual machine privilege level (VMPL) by introducing a proxy-kernel between the confined processes and the guest OS. Furthermore, we propose execution protection mechanisms based on fine-gained control of VMPL privilege for vulnerable programs and the proxy-kernel to minimize the attack surface. We introduce asynchronous forwarding mechanism and anonymous memory management to reduce the performance impact. The evaluation results show that the Cabin framework incurs a modest overhead (5% on average) on Nbench and WolfSSL benchmarks.

Cryptography and Security

Taegyeong Lee,Zhiqi Lin,Saumay Pushp,Caihua Li,Yunxin Liu,Youngki Lee,Fengyuan Xu,Chenren Xu,Lintao Zhang,Junehwa Song

DOI: https://doi.org/10.1145/3300061.3345447

2019-01-01

Abstract:Deep-learning (DL) is receiving huge attention as enabling techniques for emerging mobile and IoT applications. It is a common practice to conduct DNN model-based inference using cloud services due to their high computation and memory cost. However, such a cloud-offloaded inference raises serious privacy concerns. Malicious external attackers or untrustworthy internal administrators of clouds may leak highly sensitive and private data such as image, voice and textual data. In this paper, we propose Occlumency, a novel cloud-driven solution designed to protect user privacy without compromising the benefit of using powerful cloud resources. Occlumency leverages secure SGX enclave to preserve the confidentiality and the integrity of user data throughout the entire DL inference process. DL inference in SGX enclave, however, impose a severe performance degradation due to limited physical memory space and inefficient page swapping. We designed a suite of novel techniques to accelerate DL inference inside the enclave with a limited memory size and implemented Occlumency based on Caffe. Our experiment with various DNN models shows that Occlumency improves inference speed by 3.6x compared to the baseline DL inference in SGX and achieves a secure DL inference within 72% of latency overhead compared to inference in the native environment.

Rodolfo Silva,Pedro Barbosa,Andrey Brito

DOI: https://doi.org/10.48550/arXiv.1710.11423

2017-10-31

Abstract:Intel(R) Software Guard eXtensions (SGX) is a hardware-based technology for ensuring security of sensitive data from disclosure or modification that enables user-level applications to allocate protected areas of memory called enclaves. Such memory areas are cryptographically protected even from code running with higher privilege levels. This memory protection can be used to develop secure and dependable applications, but the technology has some limitations: ($i$) the code of an enclave is visible at load time, ($ii$) libraries used by the code must be statically linked, and ($iii$) the protected memory size is limited, demanding page swapping to be done when this limit is exceeded. We present DynSGX, a privacy preserving tool that enables users and developers to dynamically load and unload code to be executed inside SGX enclaves. Such a technology makes possible that developers use public cloud infrastructures to run applications based on sensitive code and data. Moreover, we present a series of experiments that assess how applications dynamically loaded by DynSGX perform in comparison to statically linked applications that disregard privacy of the enclave code at load time.

Cryptography and Security

Abhiroop Sarkar,Alejandro Russo

2024-01-17

Abstract:Confidential computing is a security paradigm that enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs). By integrating TEEs with a Remote Attestation protocol, confidential computing allows a third party to establish the integrity of an \textit{enclave} hosted within an untrusted cloud. However, TEE solutions, such as Intel SGX and ARM TrustZone, offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. Moreover, the toolchains involve complex multi-project hierarchies and the deployment of hand-written attestation protocols for verifying \textit{enclave} integrity.

Cryptography and Security,Programming Languages

Marcus Birgersson,Cyrille Artho,Musard Balliu

2024-10-14

Abstract:Many applications benefit from computations over the data of multiple users while preserving confidentiality. We present a solution where multiple mutually distrusting users' data can be aggregated with an acceptable overhead, while allowing users to be added to the system at any time without re-encrypting data. Our solution to this problem is to use a Trusted Execution Environment (Intel SGX) for the computation, while the confidential data is encrypted with the data owner's key and can be stored anywhere, without trust in the service provider. We do not require the user to be online during the computation phase and do not require a trusted party to store data in plain text. Still, the computation can only be carried out if the data owner explicitly has given permission. Experiments using common functions such as the sum, least square fit, histogram, and SVM classification, exhibit an average overhead of $1.6 \times$. In addition to these performance experiments, we present a use case for computing the distributions of taxis in a city without revealing the position of any other taxi to the other parties.

Cryptography and Security