







# Autarky: Closing controlled channels with self-paging enclaves

Meni Orenbach, Technion

Andrew Baumann, Microsoft Research

Mark Silberstein, Technion

### Public cloud computing



#### Intel SGX

- Isolated user-mode environment
- Commodity CPUs
- Small trusted computing base
  - CPU
  - Enclave's code and data
    - Confidentiality
    - Integrity




#### Page fault side-channel attack

- OS-level attacker
  - Induces page faults
  - Tracks faulted address
  - Infers secret content that depends on page access patterns
    - Control-dependent accesses
    - Data-dependent accesses



Xu, Y., Cui, W. and Peinado, M., 2015. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems.

#### Controlled-channel attack



- Precursor to other attacks
  - Foreshadow [USENIX Security'18]
  - SgxPectre [arXiv'18]
  - LVI [IEEE S&P'20]
  - MicroScope [ISCA'19]
  - ZombieLoad [CCS'19]



- Attacker controls the channel
- Precise
- No noise

#### Agenda

Background

**Controlled-Channel Attack**

**Self-Paging Enclaves**

**Evaluation**

#### SGX virtual memory protection

SGX validates that the OS does not insert spurious mappings

SGX does not validate the presence of expected mappings

#### The missing component



Validate presence of expected mappings

Validate mapping

#### Implication: Controlled channel attack



#### **Existing Software Mitigations**

- Detect attack due to high frequency of exceptions
  - Restrict demand-paging
  - False positive occurrence
- Provably obfuscate all memory accesses
  - Orders of magnitude performance impact

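[1] Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. T-SGX: eradicating controlled-channel attacks against enclave programs. In NDSS'2017.

[2] Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. Varys: Protecting SGX enclaves from practical side-channel attacks. In USENIX ATC'2018.

[3] Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, and Yinqian Zhang. Detecting privileged side-channel attacks in shielded execution with Déjà Vu. In Asia CCS'2017.

[4] Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. ZeroTrace: Oblivious memory primitives from Intel SGX. In NDSS'2018.

#### Software mitigations are limited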

#### Existing Hardware Mitigations

Private enclave page tables



Requires major changes to SGX internals since SGX is entangled with the x86 architecture

[1] Victor Costan

[2] Dayeol Lee, D

[3] Shaizeen Aga

2016.

#### Our solution: Autarky

- Minimal extension to SGX OS-hardware interface
  - Backward-compatible with SGX
  - Validate presence of expected mappings



#### Agenda

Background

**Controlled-Channel Attack** 

**Self-Paging Enclaves** 

**Evaluation** 

#### Design principles

Force the OS to call the enclave on every page fault



Give enclave power to control all page faults



Enclave-OS cooperative paging



Hide fault information from the OS



Enclave can enforce its own paging policy

Secure demand-paging

#### Design overview






### Self-Paging Enclaves





Enclave can protect against spurious page faults

Original attack required millions of page faults.

Removing control is a huge improvement

### Support for legitimate page faults



Paging policy: part of the enclave's runtime

Control the leakage



### Agenda

Background

**Controlled-Channel Attack**

Self-Paging Enclaves

Paging policies

Evaluation

#### Rate-limiting policy

- Used by state-of-the-art software mitigations
  - Put a limit on the rate of exceptions
  - Low security guarantees



<sup>[1]</sup> Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. T-SGX: eradicating controlled-channel attacks against enclave programs. In NDSS'2017.

<sup>[2]</sup> Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. Varys: Protecting SGX enclaves from practical side-channel attacks. In USENIX ATC'2018.

<sup>[3]</sup> Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, and Yinqian Zhang. Detecting privileged side-channel attacks in shielded execution with Déjà Vu. In Asia CCS'2017.

#### **ORAM** policy

- Provably obfuscates distribution of memory accesses
- Prior solutions show substantial performance cost
- Autarky is an order of magnitude faster, which makes ORAM practical
  - Invoke ORAM only for paging



#### See paper for more details

[1] Sajin Sasy, Sergey Gorbunov, and Christopher W. Fletcher. ZeroTrace: Oblivious memory primitives from Intel SGX. In NDSS'2018.

[2] Meni Orenbach, Yan Michalevsky, Christof Fetzer, and Mark Silberstein. CoSMIX: A compiler-based system for secure memory instrumentation and execution in enclaves. In USENIX ATC'2019.

#### Novel page clusters policy

- Some applications do not need oblivious paging across all pages
- Page clusters: cooperative paging for all pages in the cluster
  - Actual faulted address is hidden from the OS
  - Actual page access is not leaked
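A toy model of the page clusters policy next to baseline SGX demand paging, added here as an illustration (it is not code from Autarky or Graphene). The names `HostOS`, `Enclave` and `os_view`, the page numbers and the two-page cluster are assumptions made for the example; it also models the enclave rejecting a fault on a page it knows to be resident.

```python
PAGE = 4096

class SpuriousFault(Exception):
    """A page the enclave runtime knows to be resident faulted anyway."""

class HostOS:
    """Untrusted OS model: owns the page tables, logs all it observes."""
    def __init__(self):
        self.mapped, self.trace = set(), []

    def legacy_fault(self, page):      # baseline SGX: faulting page is visible
        self.trace.append(("fault", page))
        self.mapped.add(page)

    def page_in(self, pages):          # cooperative paging request from enclave
        self.trace.append(("page_in", tuple(sorted(pages))))
        self.mapped |= set(pages)

class Enclave:
    def __init__(self, host, clusters=()):
        self.host, self.resident = host, set()
        # Empty clusters models baseline demand paging without self-paging.
        self.cluster_of = {p: frozenset(c) for c in clusters for p in c}

    def access(self, addr):
        page = addr // PAGE
        if page in self.host.mapped:
            return
        if not self.cluster_of:
            return self.host.legacy_fault(page)
        if page in self.resident:      # expected mapping is missing
            raise SpuriousFault(hex(page))
        cluster = self.cluster_of[page]
        self.host.page_in(cluster)     # whole cluster; faulting page stays hidden
        self.resident |= cluster

def os_view(secret_bits, clusters=(), induce_faults=False):
    """Return the trace the OS records while the enclave processes a secret."""
    host = HostOS()
    enclave = Enclave(host, clusters)
    for bit in secret_bits:
        # Control-dependent access: the secret bit selects page 0x10 or 0x11.
        enclave.access(0x10000 if bit else 0x11000)
        if induce_faults:              # OS unmaps pages to force the next fault
            host.mapped.clear()
    return host.trace
```

In the baseline model the OS trace follows the secret bit by bit; with both pages in one cluster the trace is the same for every secret, and an induced fault ends the run with `SpuriousFault`.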



#### Page clusters policy use cases



#### More details

- SGX1 and SGX2 cooperative paging mechanisms
- Eliminate accessed, dirty bit leakage
- **Practical optimizations**
- Remove extra enclave crossing on page faults
- Remove all enclave crossings on page faults

#### Autarky: Closing controlled channels with self-paging enclaves

Andrew Baumann Microsoft Research

As the first widely-deployed secure enclave hardware, Intel SGX shows promise as a practical basis for confidential cloud

on enclave page faults exploits a longstanding architectural side channel and still lacks effective mitigation.

We propose Autarky: a set of minor, backward-compatible modifications to the SGX ISA that hide an enclave's page access trace from the host, and give the enclave full control over its page faults. A trusted library OS implements an

We prototype Autarky on current SGX hardware and the Graphene library OS, implementing three paging schemes: a fast software oblivious RAM system made practical by leveraging the proposed ISA, a novel page cluster abstraction for application-aware secure self-paging, and a rate-limiting paging mechanism for unmodified binaries. Overall, Autarky provides a comprehensive defense for controlled-channel attacks which supports efficient secure demand paging, and adds no overheads in page-fault free execution.

Meni Orenbach, Andrew Baumann, and Mark Silberstein. 2020. Fifteenth European Conference on Computer Systems (EuroSys '20), April 27–30, 2020, Heraklion, Greece. ACM, New York, NY, USA.

Enclave execution environments, and in particular Intel SGX [40], aim to make confidential cloud computing practical by removing trust from the cloud [6]. Major cloud providers have already deployed SGX [2, 34, 53], and another is developing a platform to support it [49].

However, side channels weaken the security of SGX. In this paper, we tackle the longstanding controlled-channel attack on enclave page tables (39, 87, 72, 70) that still lacks a general, practical mitigation. Controlled-channel attacks exploit the separation of concerns in SGX between enclave text, which is protected by the CPU, and re-

In particular, the OS manages the enclave's address space and performs paging from and to its encrypted memory. Control over the enclave's page tables enables an OS-level adversary to trace the enclave's page access pattern in a noise-free manner by inducing page faults of her choice [76] or by monitoring page table access bits [67, 72]. As long as the enclave performs secret-dependent memory accesses to distinct pages, the attack can breach enclave confidentiality […] spell-checked text [72, 76].

SGX does not defend against controlled-channel attacks [28]; Intel's stance is that "preventing side-channel attacks is a matter for the enclave developer" [30]. However, it is not practical to avoid secret-dependent memory accesses for all but the simplest enclaves [59]. For example, the Opaque data analytics platform [78] requires an oblivious scratchpad memory, that SGX currently cannot provide. Moreover, existing software-only defenses [46, 58] suffer from significant practical limitations: they incur substantial performance overhead, prevent the use of demand paging, and/or suffer from false positives in detecting the attack. Importantly, they require recompilation or even manual code changes, which limits their use in large enclaves running unmodified software [6, 50, 65]. On the other hand, proposed architectural defenses [1] require intrusive hardware modifications such as oblivious RAM-based paging. Thus, despite it being the earliest known SGX-specific side channel, the controlled-channel attack still poses a threat to practical enclave security.

[…] against SGX. These are primarily the consequence of sharing an internal CPU state across software trust domains [… 44, 55, 72]. Coupled with speculative execution side channels (now mitigated by microcode updates and silicon fixes), these attacks enabled the extraction of attestation signing keys [11, 56], register values [70] and even full enclave memory [68]. While devastating, these microarchitectural attacks are highly sensitive to the (unpublished) properties of a specific CPU microarchitecture. Moreover, they are often noisy as they exploit subtle timing fluctuations to infer the victim's access pattern to hardware resources shared with th

The controlled-channel attack is an architectural attack that does not suffer from these limitations: OS tracing of enclave page accesses is guaranteed by the Intel architecture specification [29]. Thus, the attack is noise-free, determini

### Agenda

Background

**Controlled-Channel Attack** 

**Self-Paging Enclaves** 

Evaluation

## Memcached stores > 2x available memory

Issuing random 1KB GET requests



#### Conclusion

- Autarky mitigates the controlled-channel attack
  - Practical modifications to the architecture
  - Runtime with a secure paging policy
- Maintains backward compatibility
  - Operating system
  - Demand-paging
- Attack is not unique to SGX enclaves
  - Retrofit Autarky for other enclave environments!

