Secure Kernel Execution with Intel SGX

  • Bruno Meneguele UTFPR
  • Keiko Fonseca UTFPR
  • Marcelo Rosa UTFPR

Abstract

Intel SGX is not accessible from the most privileged execution level, known as ring zero, where the operating system kernel is placed. However, it is possible to split the execution responsibility between kernel and userspace by creating a dependency between these two levels that allows internal kernel data to be stored or processed within SGX private enclaves. In this paper we present SKEEN, an enhanced way to isolate internal operating system components and structures with Intel SGX technology, preventing information leaks to other components of the same operating system. A proof-of-concept is provided to exemplify its usage.

Keywords: Intel SGX, Operating System, Linux Kernel, Isolation.

Published
23/11/2020
How to Cite

MENEGUELE, Bruno; FONSECA, Keiko; ROSA, Marcelo. Secure Kernel Execution with Intel SGX. In: TRABALHOS EM ANDAMENTO - SIMPÓSIO BRASILEIRO DE ENGENHARIA DE SISTEMAS COMPUTACIONAIS (SBESC), 10. , 2020, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020 . p. 168-173. DOI: https://doi.org/10.5753/sbesc_estendido.2020.13108.