We're hiring new talents!

Contents

How does Intel SGX enclave tech­nol­o­gy work?

“There’s no sil­ver bul­let solu­tion with cyber­se­cu­ri­ty, a lay­ered approach is the only viable defence.”
— James Scott, Insti­tute for Crit­i­cal Infra­struc­ture Technology

TL;TR

This blog entry aims at answer­ing fol­low­ing questions:

  • What is an enclave and how does it work
  • How is my sen­si­ble data kept con­fi­den­tial and integri­ty protected?
  • Why is my sen­si­ble data safe from unau­tho­rized access and modification?

Intro­duc­tion

While the dan­ger from inside the inter­net gets big­ger and big­ger, attacks on uncrit­i­cal as well as on crit­i­cal sys­tems get more com­mon, its dai­ly busi­ness in the present world. As long as you or your com­pa­ny are inter­est­ed in long term safety.

If your boss doesn’t want to spend a few dol­lars for IT-Secu­ri­ty with the rea­son that you can sim­ply unplug the eth­er­net cable from the crit­i­cal sys­tems in the com­pa­ny, you’re fine. It’s the ulti­mate way on the low­est lay­er to make your sys­tem secure. If that’s not the case, feel free to use this guide on why and how to use Intel’s Secu­ri­ty Guard Exten­sion for your pro­gram­ming projects to ensure secu­ri­ty from the hard­ware lay­er on. You’re welcome.

Intel intro­duced the Secu­ri­ty Guard Exten­sions (SGX) in the 3rd quar­ter of 2015 togeth­er with the start of the new Sky­lake proces­sor series. The focus of SGX is to pro­tect sen­si­tive data against untrust­ed user, even on already com­pro­mised sys­tems, with the help of hard imple­ment­ed secu­ri­ty and cryp­to mech­a­nism inside the CPU. New instruc­tions and mem­o­ry access changes mak­ing it pos­si­ble for the soft­ware devel­op­er to cre­ate encrypt­ed enclaves con­tain­ing sen­si­ble data from bank­ing apps or key wal­lets while retain­ing con­fi­den­tial­i­ty and integri­ty. These enclaves are only acces­si­ble from inside itself and plain text is only vis­i­ble while it is processed inside the CPU, keep­ing the stored infor­ma­tion safe, even from priv­i­leged soft­ware like VMM’s, BIOS or OS’.

About apps and enclaves

The secu­ri­ty goals of SGX are to pro­tect the con­fi­den­tial­i­ty and integri­ty of its enclaves. This means untrust­ed par­ties like appli­ca­tions or sys­tem soft­ware should not be able to gain infor­ma­tion from the enclave or manip­u­late the enclaves data and code. We start with infor­ma­tion of the data struc­ture and the gen­er­al archi­tec­ture of SGX, which lead to the desired safety.

In the SGX mod­el an app is divid­ed into a trust­ed and an untrust­ed part. The untrust­ed part is the one com­mu­ni­cat­ing with the rest of the sys­tem as well as cre­at­ing the enclave, which is con­sid­ered as the safe part of the app. Inside the enclave the sen­si­ble data is stored. Fixed start­ing posi­tions inside the enclave ensure the cor­rect exe­cu­tion inside the enclave. To enter this enclaves, the CPU has to be in enclave mode, which acts like a switch into the safe world.

Fur­ther enclave instances are iso­lat­ed from each oth­er, so they can only inter­act through their untrust­ed part. A spe­cif­ic enclave can only be addressed by its trust­ed app part. This makes it even impos­si­ble for mali­cious pro­grams to get into an enclave, when the CPU is in enclave mode, but the access com­mand comes from an (for the enclave) untrust­ed mem­o­ry address.

The enclave bunker

Enclaves are stored in the Enclave Page Cache (EPC). Fol­low­ing fig­ure shows the spe­cif­ic SGX struc­tures, includ­ing data used to secu­ri­ty check and man­age the enclave entry points. These are, besides the SIGSTRUCT and the Ver­sion Page Array, enclave relat­ed ele­ments. Each enclave has its own SECS, one or more TCS’ and cor­re­spond­ing SSA’s. The EPC in gen­er­al has it’s SIGSTRUCT and VA Page.

Fur­ther the Enclave Page Cache Map (EPCM) is used to man­age the secu­ri­ty attrib­ut­es of the Enclave Pages. The EPCM con­tains fur­ther infor­ma­tion for each page list­ed in the EPC. The fig­ure below lists the data acquired for each page.

The EPC is locat­ed inside the Proces­sor Reserved Mem­o­ry (PRM) inside the DRAM, the EPCM is a look-up table inside the CPU with enclave relat­ed data.
Since we store our data out­side the CPU in the PRM, we must ensure its safe­ness by encrypt­ing it with the help of the Mem­o­ry Encryp­tion Engine (MEE). This way the data in the PRM is noth­ing more than noise to oth­er par­ties, only the MEE is capa­ble to real time decrypt the data inside the CPU. There­fore, the CPU is the only place in the sys­tem capa­ble of read­ing the clear data stored inside the enclaves.

The CPU as our doorman

As we have seen before, the only par­tic­i­pant priv­i­leged to enter the EPC, respec­tive­ly the PRM, is the CPU. The method of decid­ing whether the proces­sor can enter this secure area depends on the mode, the CPU is run­ning at. SGX imple­ments an Enclave Mode, which the CPU must enter to get spe­cif­ic mem­o­ry access seman­tics.
This mode gets enabled, once inter­nal enclave code wants to run inside its spe­cif­ic enclave area in the EPC. To sum up, there are three require­ments an access must ful­fil to get pro­tect­ed mem­o­ry access: the proces­sor runs in enclave mode, the request­ed page is part of the same enclave the access has been request­ed and the page access must be through the right spe­cif­ic vir­tu­al address.

If a run­ning enclave is stopped or inter­rupt­ed, any con­text infor­ma­tion like reg­is­ters are removed from the CPU, there­fore by inter­rupt­ing the enclave an attack­er can­not gain any in-for­ma­tion from the enclave. But before this hap­pens, relat­ed reg­is­ters are evac­u­at­ed into their explic­it enclave, where they are saved in an encrypt­ed state in the EPC in the PRM on the DRAM.

Blue line: Enclave 1 can access every page inside its own enclave. Addi­tion­al­ly, it can access non PRM mem­o­ry. That means, that only our enclave can run com­mands inside itself. Fur­ther the enclave can run com­mands out­side its safe space trough the untrust­ed side of its app. Access from the PRM into the enclave is only pos­si­ble through defined call func­tion­al­i­ties for enter­ing an enclave trough the untrust­ed app side, there is no oth­er way enter­ing an enclave.

Red line: If code inside a page from e.g. enclave n wants to enter a page of enclave 1, it gets redi­rect­ed to a nonex­is­tent mem­o­ry. This is backed by the vir­tu­al mem­o­ry address check of the MMU. If an access is tried from a vir­tu­al address out­side the explic­it enclaves’ vir­tu­al address, it gets either redi­rect­ed to nonex­is­tent mem­o­ry or it throws a sig­nal fault. This behav­iour pre­vents attack­ers enter­ing from the safe PRM area to neigh­bour­ing enclaves, just because of the point, that the CPU is run­ning in enclave mode. Enter­ing from the non PRM area is gen­er­al­ly blocked by the cir­cum­stance, that the CPU isn’t run­ning in enclave mode.

More detailed infor­ma­tion for SGX struc­tures avail­able at Intel, Inno­v­a­tive Instruc­tions and Soft­ware Mod­el for Iso­lat­ed Exe­cu­tion.

Facebook
Twitter
LinkedIn
WhatsApp
XING

Leave a Reply

Your email address will not be published.

Contact sales

Cookie Consent with Real Cookie Banner