demonstration

Bring the Missing Jigsaw Back: TrustedClock for SGX Enclaves

Authors:

Hongliang Liang,

Mingyu LiAuthors Info & Claims

EuroSec'18: Proceedings of the 11th European Workshop on Systems Security

Article No.: 8, Pages 1 - 6

https://doi.org/10.1145/3193111.3193119

Published: 23 April 2018 Publication History

Abstract

Intel SGX provisions shielded executions for security-sensitive computation, but has to rely on untrusted system services, such as clock, network and filesystem. This makes enclaves vulnerable to Iago attacks [5]. For example, current SGX programs cannot obtain a trusted clock to fulfill its purposes. To mitigate this problem, we present TrustedClock, which brings high-precision, low-latency and attack-aware absolute clock into the SGX ecosystem. Our experimental results show that TrsutedClock outperforms existing clock services with its design goals.

References

[1]

Adil Ahmad. 2018. OBLIVIATE: A Data Oblivious File System for Intel SGX. (2018). https://lifeasageek.github.io/papers/ahmad:obliviate.pdf

[2]

Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, and Nathan C. Skalsky. 2010. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4--8, 2010. 38--49.

Digital Library

[3]

Andrew Baumann, Marcus Peinado, and Galen C. Hunt. 2015. Shielding Applications from an Untrusted Cloud with Haven. ACM Trans. Comput. Syst. 33, 3 (2015), 8:1--8:26.

Digital Library

[4]

bl4ck5un. 2017. mbedtls-SGX: a SGX-friendly TLS stack. (2017). https://github.com/bl4ck5un/mbedtls-SGX

[5]

Stephen Checkoway and Hovav Shacham. 2013. Iago attacks: why the system call API is a bad untrusted RPC interface. In Architectural Support for Programming Languages and Operating Systems, ASPLOS '13, Houston, TX, USA - March 16 - 20, 2013, Vivek Sarkar and Rastislav Bodík (Eds.). ACM, 253--264.

Digital Library

[6]

Sanchuan Chen, Xiaokuan Zhang, Michael K. Reiter, and Yinqian Zhang. 2017. Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, Abu Dhabi, United Arab Emirates, April 2--6, 2017. 7--18.

Digital Library

[7]

Intel Corporation. 2016. IntelÂő 64 and IA-32 Architectures Software DeveloperâĂ&Zacute;s Manual, Volume 3D. (2016).

[8]

Intel 2007. Intel Âő Integrated Performance Primitives Cryptography (2 ed.). Intel.

[9]

Intel. 2016. Intel BIOS Implementation Test Suite. (2016). https://downloadcenter.intel.com/download/19763/BIOS-Implementation-Test-Suite-BITS

[10]

Intel. 2016. Intel SgxSSL Library. (2016). http://math.tntech.edu/rafal/cliff11/index.html

[11]

Intel. 2016. Trusted Time and Monotonic Counters with Intel SGX Platform Services. (2016). https://software.intel.com/sites/default/files/managed/1b/a2/Intel-SGX-Platform-Services.pdf

[12]

intel. 2017. Qemu with KVM SGX virtualization support. (2017). https://github.com/intel/qemu-sgx

[13]

Intel. 2017. TaLoS: Secure and Transparent TLS Termination inside SGX Enclaves. (2017). https://www.doc.ic.ac.uk/research/technicalreports/2017/DTRS17-5.pdf

[14]

Intel. 2018. CreDB: A high integrity datastore. (2018). https://credb.systems/

[15]

jedisct1. 2017. libsodium: A modern and easy-to-use crypto library. (2017). https://github.com/jedisct1/libsodium

[16]

Seong Min Kim, Juhyeng Han, Jaehyeong Ha, Taesoo Kim, and Dongsu Han. 2017. Enhancing Security and Privacy of Tor's Ecosystem by Using Trusted Execution Environments. In 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017, Boston, MA, USA, March 27--29, 2017. 145--161. https://www.usenix.org/conference/nsdi17/technical-sessions/presentation/kim-seongmin

Digital Library

[17]

Kevin Leach, Fengwei Zhang, and Westley Weimer. 2017. Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage. In Research in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18--20, 2017, Proceedings (Lecture Notes in Computer Science), Marc Dacier, Michael Bailey, Michalis Polychronakis, and Manos Antonakakis (Eds.), Vol. 10453. Springer, 403--424.

[18]

Hongliang Liang, Mingyu Li, Qiong Zhang, Yue Yu, Lin Jiang, and Yixiu Chen. 2018. Aurora: Providing Trusted System Services for Enclaves On an Untrusted System. (2018). https://arxiv.org/pdf/1802.03530.pdf

[19]

Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, and Srdjan Capkun. 2017. ROTE: Rollback Protection for Trusted Execution. In 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16--18, 2017., Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 1289--1306. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/matetic

[20]

Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. In HASP 2013, The Second Workshop on Hardware and Architectural Support for Security and Privacy, Tel-Aviv, Israel, June 23--24, 2013, Ruby B. Lee and Weidong Shi (Eds.). ACM, 10.

Digital Library

[21]

Shweta Shinde, Dat Le Tien, Shruti Tople, and Prateek Saxena. 2017. Panoply: Low-TCB Linux Applications with SGX Enclaves. Internet Society.

[22]

Bohdan Trach, Alfred Krohmer, Sergei Arnautov, Franz Gregor, Pramod Bhatotia, and Christof Fetzer. 2017. Slick: Secure Middleboxes using Shielded Execution. CoRR abs/1709.04226 (2017). arXiv:1709.04226 http://arxiv.org/abs/1709.04226

[23]

Chia-che Tsai, Donald E. Porter, and Mona Vij. 2017. Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX. In 2017 USENIX Annual Technical Conference, USENIX ATC 2017, Santa Clara, CA, USA, July 12--14, 2017. 645--658. https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai

Digital Library

[24]

Jiang Wang, Angelos Stavrou, and Anup K. Ghosh. 2010. HyperCheck: A Hardware-Assisted Integrity Monitor. In Recent Advances in Intrusion Detection, 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15--17, 2010. Proceedings. 158--177.

Digital Library

[25]

Rafal Wojtczuk and Joanna Rutkowska. 2009. Attacking SMM Memory via IntelÂő CPU Cache Poisoning. http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf. (2009).

[26]

Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. 2016. Town Crier: An Authenticated Data Feed for Smart Contracts. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24--28, 2016. 270--282.

Digital Library

[27]

Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. 2013. SPECTRE: A dependable introspection framework via System Management Mode. In 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Budapest, Hungary, June 24--27, 2013. IEEE Computer Society, 1--12.

Digital Library

[28]

Fengwei Zhang, Kevin Leach, Haining Wang, and Angelos Stavrou. 2015. Trust-Login: Securing Password-Login on Commodity Operating Systems. ACM Press, 333--344.

Digital Library

[29]

Fengwei Zhang, Haining Wang, Kevin Leach, and Angelos Stavrou. 2014. A Framework to Secure Peripherals at Runtime. In Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7--11, 2014. Proceedings, Part I (Lecture Notes in Computer Science), Miroslaw Kutylowski and Jaideep Vaidya (Eds.), Vol. 8712. Springer, 219--238.

Cited By

Nasrullah AAnwar F(2024)Trusted Timing Services with Timeguard2024 IEEE 30th Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS61025.2024.00009(1-14)Online publication date: 13-May-2024
https://doi.org/10.1109/RTAS61025.2024.00009
Ishiguro JShinjo YSoyama A(2024)Controlled Copying of Persistent Data Between end Users' SGX Enclaves over an Untrusted Network2024 International Symposium on Parallel Computing and Distributed Systems (PCDS)10.1109/PCDS61776.2024.10743591(1-10)Online publication date: 21-Sep-2024
https://doi.org/10.1109/PCDS61776.2024.10743591
Yaoyong WGongxuan Z(2024)An Embedded System I/O Isolation Technology for Raspberry Pi2024 4th International Conference on Intelligent Technology and Embedded Systems (ICITES)10.1109/ICITES62688.2024.10777465(15-20)Online publication date: 20-Sep-2024
https://doi.org/10.1109/ICITES62688.2024.10777465
Show More Cited By

Index Terms

Bring the Missing Jigsaw Back: TrustedClock for SGX Enclaves
1. Security and privacy
  1. Security in hardware
    1. Hardware security implementation
      1. Hardware-based security protocols

Recommendations

Cache Attacks on Intel SGX
EuroSec'17: Proceedings of the 10th European Workshop on Systems Security

For the first time, we practically demonstrate that Intel SGX enclaves are vulnerable against cache-timing attacks. As a case study, we present an access-driven cache-timing attack on AES when running inside an Intel SGX enclave. Using Neve and Seifert'...
Shielding Applications from an Untrusted Cloud with Haven

Today’s cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider’s staff and its globally distributed software/hardware platform not to expose any of their private data.

We introduce the notion of shielded ...
SGX-Bomb: Locking Down the Processor via Rowhammer Attack
SysTEX'17: Proceedings of the 2nd Workshop on System Software for Trusted Execution

Intel Software Guard Extensions (SGX) provides a strongly isolated memory space, known as an enclave, for a user process, ensuring confidentiality and integrity against software and hardware attacks. Even the operating system and hypervisor cannot ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSec'18: Proceedings of the 11th European Workshop on Systems Security

April 2018

53 pages

ISBN:9781450356527

DOI:10.1145/3193111

Copyright © 2018 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 April 2018

Check for updates

Author Tags

Qualifiers

Demonstration
Research
Refereed limited

Conference

EuroSys '18

Sponsor:

SIGOPS

EuroSys '18: Thirteenth EuroSys Conference 2018

April 23 - 26, 2018

Porto, Portugal

Acceptance Rates

EuroSec'18 Paper Acceptance Rate 8 of 19 submissions, 42%;

Overall Acceptance Rate 47 of 113 submissions, 42%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
542
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)4

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Nasrullah AAnwar F(2024)Trusted Timing Services with Timeguard2024 IEEE 30th Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS61025.2024.00009(1-14)Online publication date: 13-May-2024
https://doi.org/10.1109/RTAS61025.2024.00009
Ishiguro JShinjo YSoyama A(2024)Controlled Copying of Persistent Data Between end Users' SGX Enclaves over an Untrusted Network2024 International Symposium on Parallel Computing and Distributed Systems (PCDS)10.1109/PCDS61776.2024.10743591(1-10)Online publication date: 21-Sep-2024
https://doi.org/10.1109/PCDS61776.2024.10743591
Yaoyong WGongxuan Z(2024)An Embedded System I/O Isolation Technology for Raspberry Pi2024 4th International Conference on Intelligent Technology and Embedded Systems (ICITES)10.1109/ICITES62688.2024.10777465(15-20)Online publication date: 20-Sep-2024
https://doi.org/10.1109/ICITES62688.2024.10777465
Bayreuther SBerger RDörre FMechler JMüller-Quade J(2024)Hidden $$\varDelta $$-Fairness: A Novel Notion for Fair Secure Two-Party ComputationInformation Security and Privacy10.1007/978-981-97-5028-3_17(330-349)Online publication date: 16-Jul-2024
https://doi.org/10.1007/978-981-97-5028-3_17
Will NMaziero C(2023)Intel Software Guard Extensions Applications: A SurveyACM Computing Surveys10.1145/359302155:14s(1-38)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1145/3593021
Huh SShim MLee JWoo SKim HLee H(2023)DID We Miss Anything?: Towards Privacy-Preserving Decentralized ID ArchitectureIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.323595120:6(4881-4898)Online publication date: Nov-2023
https://doi.org/10.1109/TDSC.2023.3235951
Dong CShen QDing XYu DLuo WWu PWu Z(2023)T-Counter: Trustworthy and Efficient CPU Resource Measurement Using SGX in the CloudIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314581420:1(867-885)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2022.3145814
Hamidy GPhilippaerts PJoosen W(2023)T3E: A Practical Solution to Trusted Time in Secure EnclavesNetwork and System Security10.1007/978-3-031-39828-5_17(305-326)Online publication date: 7-Aug-2023
https://doi.org/10.1007/978-3-031-39828-5_17
Andrade DSilva JCorreia M(2022)SRX–Secure Data Backup and Recovery for SGX ApplicationsIEEE Access10.1109/ACCESS.2022.316248910(35901-35918)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3162489
Liang HLi MChen YYang TXie ZJiang L(2021)Architectural Protection of Trusted System Services for SGX Enclaves in Cloud ComputingIEEE Transactions on Cloud Computing10.1109/TCC.2019.28924499:3(910-922)Online publication date: 1-Jul-2021
https://doi.org/10.1109/TCC.2019.2892449
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten