[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/3168833acmconferencesArticle/Chapter ViewAbstractPublication PagescgoConference Proceedingsconference-collections
research-article
Public Access

SGXElide: enabling enclave code secrecy via self-modification

Published: 24 February 2018 Publication History

Abstract

Intel SGX provides a secure enclave in which code and data are hidden from the outside world, including privileged code such as the OS or hypervisor. However, by default, enclave code prior to initialization can be disassembled and therefore no secrets can be embedded in the binary. This is a problem for developers wishing to protect code secrets. This paper introduces SGXElide, a nearly-transparent framework that enables enclave code confidentiality. The key idea is to treat program code as data and dynamically restore secrets after an enclave is initialized. SGXElide can be integrated into any enclave, providing a mechanism to securely decrypt or deliver the secret code with the assistance of a developer-controlled trusted remote party. We have implemented SGXElide atop a recently released version of the Linux SGX SDK, and our evaluation with a number of programs shows that SGXElide can be used to protect the code secrecy of practical applications with no overhead after enclave initialization.

References

[1]
https://github.com/kokke/tiny-AES128-C.
[2]
https://github.com/tarequeh/DES.
[3]
https://tools.ietf.org/html/rfc3174.
[4]
https://tools.ietf.org/html/rfc6234.
[5]
https://github.com/poupou9779/z2048.
[6]
http://mordred.dir.bg/biniax/download2.html.
[7]
https://exploit.ph/reverse-engineering/2014/05/11/an-easy-linux-crackme/.
[8]
https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/624878.
[9]
Intel software guard extensions sdk for linux os. https://download.01.org/intel-sgx/linux-1.6/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.6_Open_Source.pdf.
[10]
Upx: the ultimate packer for executables. http://upx.sourceforge.net/.
[11]
Intel software guard extensions programming reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf, Oct. 2014.
[12]
Intel sgx for linux. https://github.com/01org/linux-sgx, June 2016.
[13]
I. Anati, S. Gueron, S. Johnson, and V. Scarlata. Innovative technology for cpu based attestation and sealing. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, page 10, 2013.
[14]
S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, M. Stillwell, et al. Scone: Secure linux containers with intel sgx. In OSDI, pages 689-703, 2016.
[15]
E. Bauman and Z. Lin. A case for protecting computer games with sgx. In Proceedings of the 1st Workshop on System Software for Trusted Execution (SysTEX'16), Trento, Italy, December 2016.
[16]
A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with haven. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2014.
[17]
A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with haven. ACM Transactions on Computer Systems (TOCS), 33(3):8, 2015.
[18]
S. Chandra, V. Karande, Z. Lin, L. Khan, M. Kantarcioglu, and B. Thuraisingham. Securing data analytics on sgx with randomization. In Proceedings of the 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 2017.
[19]
C. S. Collberg and C. Thomborson. Watermarking, tamper-proofing, and obfuscation-tools for software protection. IEEE Transactions on software engineering, 28(8):735-746, 2002.
[20]
Y. Fu, E. Bauman, R. Quinonez, and Z. Lin. Sgx-lapd: Thwarting controlled side channel attacks via enclave verifiable page faults. In Proceedings of the 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'17), Atlanta, Georgia. USA, September 2017.
[21]
D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. Strong and efficient cache side-channel protection using hardware transactional memory. In 26th USENIX Security Symposium (USENIX Security 17), pages 217-233, Vancouver, BC, 2017. USENIX Association.
[22]
M. Hoekstra, R. Lal, P. Pappachan, V. Phegade, and J. Del Cuvillo. Using innovative instructions to create trustworthy software solutions. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP), pages 1s8, Tel-Aviv, Israel, 2013.
[23]
G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. Addison-Wesley Professional, 2007.
[24]
D. Kuvaiskii, O. Oleksenko, S. Arnautov, B. Trach, P. Bhatotia, P. Felber, and C. Fetzer. Sgxbounds: Memory safety for shielded execution. In Proceedings of the Twelfth European Conference on Computer Systems, pages 205-221. ACM, 2017.
[25]
T. László and Á. Kiss. Obfuscating c++ programs via control flow flattening. Annales Universitatis Scientarum Budapestinensis de Rolando Eötvös Nominatae, Sectio Computatorica, 30:3-19, 2009.
[26]
J. Lind, C. Priebe, D. Muthukumaran, D. Keeffe, P.-L. Aublin, F. Kelbert, T. Reiher, D. Goltzsche, D. Eyers, R. Kapitza, et al. Glamdring: Automatic application partitioning for intel sgx. In 2017 USENIX Annual Technical Conference (USENIX ATC 17), Santa Clara, CA, 2017.
[27]
C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of the 10th ACM conference on Computer and communications security, pages 290-299. ACM, 2003.
[28]
A. Majumdar, C. Thomborson, and S. Drape. A survey of control-flow obfuscations. In International Conference on Information Systems Security, pages 353-356. Springer, 2006.
[29]
F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP), pages 1-8, Tel-Aviv, Israel, 2013.
[30]
T. Mudge, C.-C. Lee, and S. Sechrest. Correlation and aliasing in dynamic branch predictors. In Computer Architecture, 1996 23rd Annual International Symposium on, pages 22-22. IEEE, 1996.
[31]
I. V. Popov, S. K. Debray, and G. R. Andrews. Binary obfuscation using signals. In Usenix Security, 2007.
[32]
W. Rosenblatt, S. Mooney, and W. Trippe. Digital rights management: business and technology. John Wiley & Sons, Inc., 2001.
[33]
F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: Trustworthy Data Analytics in the Cloud using SGX. 2015.
[34]
J. Seo, B. Lee, S. Kim, M.-W. Shih, I. Shin, D. Han, and T. Kim. Sgx-shield: Enabling address space layout randomization for sgx programs. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2017.
[35]
J. Seo, B. Lee, S. Kim, M.-W. Shih, I. Shin, D. Han, and T. Kim. Sgx-shield: Enabling address space layout randomization for sgx programs. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2017.
[36]
F. Shaon, M. Kantarcioglu, Z. Lin, and L. Khan. A practical encrypted data analytic framework with trusted processors. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS'17), Dallas, TX, November 2017.
[37]
M.-W. Shih, S. Lee, T. Kim, and M. Peinado. T-sgx: Eradicating controlled-channel attacks against enclave programs. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2017.
[38]
C.-C. Tsai, D. E. Porter, and M. Vij. Graphene-sgx: A practical library os for unmodified applications on sgx. In 2017 USENIX Annual Technical Conference (USENIX ATC), 2017.
[39]
Y. Xu, W. Cui, and M. Peinado. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 640-656. IEEE, 2015.

Cited By

View all
  • (2023)All Your PC Are Belong to Us: Exploiting Non-control-Transfer Instruction BTB Updates for Dynamic PC ExtractionProceedings of the 50th Annual International Symposium on Computer Architecture10.1145/3579371.3589100(1-14)Online publication date: 17-Jun-2023
  • (2023)ErrHunter: Detecting Error-Handling Bugs in the Linux Kernel Through Systematic Static AnalysisIEEE Transactions on Software Engineering10.1109/TSE.2022.316015549:2(684-698)Online publication date: 1-Feb-2023
  • (2023)Interface-Based Side Channel in TEE-Assisted Networked ServicesIEEE/ACM Transactions on Networking10.1109/TNET.2023.329401932:1(613-626)Online publication date: 17-Jul-2023
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
CGO '18: Proceedings of the 2018 International Symposium on Code Generation and Optimization
February 2018
377 pages
ISBN:9781450356176
DOI:10.1145/3179541
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication Notes

Badge change: Article originally badged under Version 1.0 guidelines https://www.acm.org/publications/policies/artifact-review-badging

Publication History

Published: 24 February 2018

Permissions

Request permissions for this article.

Check for updates

Badges

Author Tags

  1. SGX
  2. code obfuscation
  3. self-modifying code

Qualifiers

  • Research-article

Funding Sources

Conference

CGO '18
Sponsor:

Acceptance Rates

Overall Acceptance Rate 312 of 1,061 submissions, 29%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)138
  • Downloads (Last 6 weeks)21
Reflects downloads up to 20 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2023)All Your PC Are Belong to Us: Exploiting Non-control-Transfer Instruction BTB Updates for Dynamic PC ExtractionProceedings of the 50th Annual International Symposium on Computer Architecture10.1145/3579371.3589100(1-14)Online publication date: 17-Jun-2023
  • (2023)ErrHunter: Detecting Error-Handling Bugs in the Linux Kernel Through Systematic Static AnalysisIEEE Transactions on Software Engineering10.1109/TSE.2022.316015549:2(684-698)Online publication date: 1-Feb-2023
  • (2023)Interface-Based Side Channel in TEE-Assisted Networked ServicesIEEE/ACM Transactions on Networking10.1109/TNET.2023.329401932:1(613-626)Online publication date: 17-Jul-2023
  • (2023)Fuzzing SGX Enclaves via Host Program Mutations2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00035(472-488)Online publication date: Jul-2023
  • (2022)Pagoda: Towards Binary Code Privacy Protection with SGX-based Execute-Only Memory2022 IEEE International Symposium on Secure and Private Execution Environment Design (SEED)10.1109/SEED55351.2022.00019(133-144)Online publication date: Sep-2022
  • (2021)SGX -Capsule: A Confidential Execution Engine for Unmodified Libraries on SGX Enclave2021 IEEE International Conference on Cloud Engineering (IC2E)10.1109/IC2E52221.2021.00045(276-277)Online publication date: Oct-2021
  • (2021)Practical and Efficient in-Enclave Verification of Privacy Compliance2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN48987.2021.00052(413-425)Online publication date: Jun-2021
  • (2020)Employment of Secure Enclaves in Cheat Detection HardeningTrust, Privacy and Security in Digital Business10.1007/978-3-030-58986-8_4(48-62)Online publication date: 14-Sep-2020
  • (2019)S-FaaSProceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop10.1145/3338466.3358916(185-199)Online publication date: 11-Nov-2019
  • (2019)Running Language Interpreters Inside SGXProceedings of the 2019 ACM Asia Conference on Computer and Communications Security10.1145/3321705.3329848(114-121)Online publication date: 2-Jul-2019
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media