Secure Kernel Execution with Intel SGX
Intel SGX is not accessible from the most privileged execution level, ring zero, where the operating system kernel runs. However, it is possible to split execution responsibility between the kernel and userspace by creating a dependency between these two levels that allows internal kernel data to be stored or processed within SGX private enclaves. In this paper we present SKEEN, an enhanced way to isolate internal operating system components and structures with Intel SGX technology, preventing information leakage to other components of the same operating system. A proof-of-concept is provided to exemplify its usage.