MPTEE: Bringing Flexible and Efficient Memory Protection to Intel
Total Page:16
File Type:pdf, Size:1020Kb
MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao Kangjie Lu* Yong Qi* Saiyu Qi Xi’an Jiaotong University University of Minnesota Xi’an Jiaotong University Xidian University University of Minnesota Abstract code, emerge in today’s market. In particular, Intel has pro- Intel Software Guard eXtensions (SGX), a hardware-based vided SGX in its commodity processors, which supports a se- Trusted Execution Environment (TEE), has become a promis- cure region, namely enclave, to protect the internally loaded ing solution to stopping critical threats such as insider attacks code and data. Given its important and practical protection, and remote exploits. SGX has recently drawn extensive re- SGX has been extensively studied and used in practice. For search in two directions—using it to protect the confidentiality example, SCONE [1] uses it to effectively enhance the secu- and integrity of sensitive data, and protecting itself from at- rity of containers with low overhead. JITGuard [17] leverages tacks. Both the applications and defense mechanisms of SGX it to protect the security-critical just-in-time compiler oper- have a fundamental need—flexible memory protection that ations. SGXCrypter[49] utilizes it to securely unpack and updates memory-page permissions dynamically and enforces execute Windows binaries. There are many other useful appli- the least-privilege principle. Unfortunately, SGX does not pro- cations [35], [34], [31],[6], which confirm the practical and vide such a memory-protection mechanism due to the lack of promising applications of SGX. hardware support and the untrustedness of operating systems. Another line of research is to protect SGX itself from at- This paper proposes MPTEE, a memory-protection mech- tacks. While being useful and practical, SGX still suffers anism that provides flexible and efficient enforcement of from a variety of attacks [5, 7–11, 24, 25, 36, 52, 54]. It memory-page permissions in SGX. The enforcement relies is not only vulnerable to various side-channel attacks [8– on our elastic cross-region bound check technique which 11, 25, 36, 52, 54], but also traditional memory-corruption uses only three bound registers but provides six memory per- attacks [5, 24] because the code inside SGX may still be vul- missions. To defend MPTEE against potential attacks, we nerable. To defend against these attacks, researchers have further develop an efficient mechanism that exploits the in- attempted to harden SGX [22, 37, 45, 46]. For example, place bound-check technique to ensure the integrity of the SGX-Shield [37] designs a memory-randomization scheme memory protection. With MPTEE, developers can enhance for SGX environments, and SGXBOUNDS [22] provides an the protection for data and code in SGX enclaves and enforce efficient memory-safety approach for the security of objects the least-privilege principle such as Execute-no-Read mem- in SGX. ory readily. We have implemented MPTEE and extensively Both the SGX applications and the defense mechanisms evaluated its effectiveness, utility, and performance. The re- have a fundamental need—flexibly and securely enforcing sults show that MPTEE incurs a performance overhead of memory-page permissions, such as write (W), read (R), and only 2%–8%, and is effective in ensuring memory protection execute (X), in a least-privilege manner. For example, SGX- and in defending against potential attacks. ELIDE [3] and SGXCrypter [49] ensure enclave-code confi- dentiality with code packing or encryption. Code generation at runtime thus requires to remove the W permission for code 1 Introduction pages—code pages must be non-writable to be compatible Hardware-based trusted execution environments (TEEs), as with the NX enforcement. On the other hand, defense mecha- a way to protect the confidentiality and integrity of data and nisms for SGX also require changes to memory permissions. For example, SGX-Shield requires to remove the W permission *Co-corresponding author. of code pages after randomization. This way, it can ensure that it would not introduce the traditional code-injection at- Permission to make digital or hard copies of part or all of this work for tacks [29]. Overall, a flexible and secure memory-permission personal or classroom use is granted without fee provided that copies are not control is required to enforce the least-privilege principle and made or distributed for profit or commercial advantage and that copies bear to prevent attacks. this notice and the full citation on the first page. Copyrights for third-party While flexible memory-permission enforcement is impor- components of this work must be honored. For all other uses, contact the owner/author(s). tant, SGX, unfortunately, does not provide such a mechanism EuroSys ’20, April 27–30, 2020, Heraklion, Greece due to two main reasons. First, Intel provides very limited © 2020 Copyright held by the owner/author(s). hardware support due to security considerations. The current ACM ISBN 978-1-4503-6882-7/20/04. SGX does not provide instructions for modifying the permis- https://doi.org/10.1145/3342195.3387536 1 sions of the Enclave Page Cache (EPC) after the enclave has provides only four registers, but a flexible memory protection been initialized [14][32]. This is to prevent the untrusted OS requires at least six permission combinations. Spilling bounds from changing the access permissions of EPC to facilitate from registers to memory will significantly incur performance attacks at runtime. Second, permissions for memory pages overhead and require the integrity protection for the bounds of an SGX program are statically decided by the GCC com- in memory. To address these problems, we propose a novel piler which however does not support flexible permissions cross-over memory-layout design that uses only three bound such as execute-only memory. One cannot modify the per- registers to offer the six common memory permissions (e.g., mission configuration of the generated SGX program dueto execute-only or read-only memory) efficiently. We name the the signature-verification mechanism. The signature [33] is design elastic cross-region bound check (CRBC). CRBC is computed for the content and the layout of enclave memory, generic; it is also applicable to embedded systems that lack and its page security properties at build time. The SGX loader the Memory Management Unit (MMU) but require flexible will check the signature at load-time and reject the program memory protection. if the signature cannot be verified. Since the memory-protection mechanism runs in the same As SGX does not support the change of memory permis- address space as the potentially vulnerable SGX code, a re- sions, existing applications have attempted multiple solu- maining problem with MPTEE is that adversaries may abuse tions which are however insecure or inefficient. Specifically, the mechanism to maliciously change memory permissions, SGX-Shield [37] uses software-based DEP to create an NRW invalidating the permission enforcement. We thus further boundary (i.e., non-readable and -writable boundary) to re- provide the enforcement integrity technique which employs move the R and W permissions for code pages. While wasting memory isolation and control-data integrity (CDI) to protect the R15 register, it also incurs an extra overhead for comput- the memory permission enforcement mechanism from attacks. ing the range to check. Meanwhile, the NRW boundary using Note that, while memory isolation and CDI are well studied, a general register can be shifted [5]. SGXELIDE [3] modi- MPTEE exploits the in-place CRBC technique to further fies the p_flags field in the program header entry to make improve their performance and security. With MPTEE, de- the section writable throughout the enclave’s lifetime. This velopers can readily enforce memory permissions flexibly, is insecure because code pages are subject to code-injection efficiently, and securely. attacks after adding writable permission. SGXCrypter [49] We have implemented a prototype of MPTEE and eval- relies on the OS page table to remove the W permission, which uated its security, effectiveness, utility, and performance us- is incompatible with the SGX security model, namely the ing representative SGX programs. The evaluation results fact that the page table is managed by the untrusted OS. In show that the MPTEE can provide efficient permission summary, all of these works are only for a single permission settings to prevent existing known attacks, and can resist change, and their designs waste registers, incur a significant against potential attacks that try to bypass or abuse MPTEE. performance overhead, or introduce security issues. MPTEE’s protection has a small runtime performance aver- Supporting a flexible, efficient, and secure memory pro- age overhead—6.6% for SQLite and 2.18% for Memcached. tection mechanism for SGX is in fact challenging for two Moreover, the enforcement-integrity mechanism, which in- reasons. R1. Limited hardware support. SGX currently does cludes memory isolation and control-data integrity, incurs not have hardware support for flexible memory-permission less than 1% runtime performance overhead, benefiting from enforcement. Although it is possible to implement the en- the in-place CRBC technique. We believe that MPTEE is a forcement with a software-based solution, the runtime and practical and secure memory-protection mechanism that is memory overheads tend to be significant, needless to mention, ready for protecting SGX applications and SGX itself. the size of the code running in SGX will also be significantly We have the following research contributions in this paper. increased. R2. Strong adversary. The security model of SGX assumes that the privileged software (e.g., OS, hypervisor) is untrusted. We thus cannot simply ask the OS or hypervisor to • The novel cross-region bound check technique. We pro- change the memory permissions. In addition, SGX programs pose a new technique to flexibly and dynamically enforce themselves might be vulnerable and thus subject to a variety six common memory permissions of SGX using only three of attacks that may abuse the permission changes.