Informer: Protecting Intel SGX from Cross-Core Side Channel Threats

  • Conference paper
Information and Communications Security (ICICS 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12918)

Abstract

Side-channel attacks are one of the major threats facing Intel SGX. They have been widely researched and disclosed as actual vulnerabilities in recent years, and they can severely harm the integrity and confidentiality of programs protected by SGX. Most existing defense schemes assume that the adversary launches attacks from the same core as the victim, an assumption that newly emerged cross-core side-channel attacks (e.g., CrossTalk) have shown to be insufficient. We present Informer, a defensive approach for SGX against side-channel attacks launched from any location, whether or not the adversary resides in the same physical CPU core as the victim. Informer achieves this goal by creating dummy threads that temporarily monopolize all CPU cores while security-critical code is being executed, which breaks the concurrent execution condition that side-channel attacks depend on. A key challenge is to ensure that all those threads are scheduled exclusively to occupy all CPU cores even under an untrusted OS. Informer can defend against side-channel attacks from any core and incurs only 22% performance overhead in OpenSSL. An additional mechanism is designed to reduce the impact on the operating system, along with an optional extension that reduces the performance overhead imposed on other programs.

This work was supported by the National Key R&D Program of China (Award No. 2020YFB1005800) and National Natural Science Foundation of China (Grant No. 61772518).

Author information

Corresponding author

Correspondence to Wei Wang.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Lang, F., Wang, W., Meng, L., Wang, Q., Lin, J., Song, L. (2021). Informer: Protecting Intel SGX from Cross-Core Side Channel Threats. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_18

  • DOI: https://doi.org/10.1007/978-3-030-86890-1_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86889-5

  • Online ISBN: 978-3-030-86890-1

  • eBook Packages: Computer Science, Computer Science (R0)
