Uranus: Simple, Efficient SGX Programming and its Applications

Applications written in Java have strengths to tackle diverse threats in public clouds, but these applications are still prone to privileged attacks when processing plaintext data. Intel SGX is powerful to tackle these attacks, and traditional SGX systems rewrite a Java application's sensitive functions, which process plaintext data, using C/C++ SGX API. Although this code-rewrite approach achieves good efficiency and a small TCB, it requires SGX expert knowledge and can be tedious and error-prone. To tackle the limitations of rewriting Java to C/C++, recent SGX systems propose a code-reuse approach, which runs a default JVM in an SGX enclave to execute the sensitive Java functions. However, both recent study and this paper find that running a default JVM in enclaves incurs two major vulnerabilities, Iago attacks, and control flow leakage of sensitive functions, due to the usage of OS features in JVM. In this paper, Uranus creates easy-to-use Java programming abstractions for application developers to annotate sensitive functions, and Uranus automatically runs these functions in SGX at runtime. Uranus effectively tackles the two major vulnerabilities in the code-reuse approach by presenting two new protocols: 1) a Java bytecode attestation protocol for dynamically loaded functions; and 2) an OS-decoupled, efficient GC protocol optimized for data-handling applications running in enclaves. We implemented Uranus in Linux and applied it to two diverse data-handling applications: Spark and ZooKeeper. Evaluation shows that: 1) Uranus achieves the same security guarantees as two relevant SGX systems for these two applications with only a few annotations; 2) Uranus has reasonable performance overhead compared to the native, insecure applications; and 3) Uranus defends against privileged attacks. Uranus source code and evaluation results are released on https://github.com/hku-systems/uranus.

[1]  Christof Fetzer,et al.  Pesos: policy enhanced secure object store , 2018, EuroSys.

[2]  Brent Byunghoon Kang,et al.  OpenSGX: An Open Platform for SGX Research , 2016, NDSS.

[3]  John Regehr,et al.  Provably correct peephole optimizations with alive , 2015, PLDI.

[4]  Srinivas Devadas,et al.  Sanctum: Minimal Hardware Extensions for Strong Software Isolation , 2016, USENIX Security Symposium.

[5]  Shweta Shinde,et al.  Panoply: Low-TCB Linux Applications With SGX Enclaves , 2017, NDSS.

[6]  Brent Byunghoon Kang,et al.  Hacking in Darkness: Return-oriented Programming against Secure Enclaves , 2017, USENIX Security Symposium.

[7]  Alec Wolman,et al.  Using ARM trustzone to build a trusted language runtime for mobile applications , 2014, ASPLOS.

[8]  Lu Fang,et al.  Yak: A High-Performance Big-Data-Friendly Garbage Collector , 2016, OSDI.

[9]  Ahmad-Reza Sadeghi,et al.  JITGuard: Hardening Just-in-time Compilers with SGX , 2017, CCS.

[10]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[11]  Tulika Mitra,et al.  Automated Partitioning of Android Applications for Trusted Execution Environments , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[12]  Frank Piessens,et al.  A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes , 2019, CCS.

[13]  Galen C. Hunt,et al.  Shielding Applications from an Untrusted Cloud with Haven , 2014, OSDI.

[14]  Frank Piessens,et al.  SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control , 2017, SysTEX@SOSP.

[15]  R. Boivie SecureBlue + + : CPU Support for Secure Execution , 2011 .

[16]  Chunxiao Xing,et al.  SGXKernel: A Library Operating System Optimized for Intel SGX , 2017, Conf. Computing Frontiers.

[17]  Qiang Yang,et al.  Differential Privacy in Telco Big Data Platform , 2015, Proc. VLDB Endow..

[18]  David M. Eyers,et al.  SCONE: Secure Linux Containers with Intel SGX , 2016, OSDI.

[19]  Gail E. Kaiser,et al.  Phosphor: illuminating dynamic data flow in commodity jvms , 2014, OOPSLA.

[20]  David M. Eyers,et al.  Glamdring: Automatic Application Partitioning for Intel SGX , 2017, USENIX Annual Technical Conference.

[21]  Mohan Kumar,et al.  S-NFV: Securing NFV states by using SGX , 2016, SDN-NFV@CODASPY.

[22]  Carlos V. Rozas,et al.  Intel® Software Guard Extensions: EPID Provisioning and Attestation Services , 2016 .

[23]  Ion Stoica,et al.  Opaque: An Oblivious and Encrypted Distributed Analytics Platform , 2017, NSDI.

[24]  Srinivas Devadas,et al.  A Formal Foundation for Secure Remote Execution of Enclaves , 2017, IACR Cryptol. ePrint Arch..

[25]  Carlos Segarra González Using Trusted Execution Environments for Secure Stream Processing of Medical Data , 2019 .

[26]  Tao Wei,et al.  Towards Memory Safe Enclave Programming with Rust-SGX , 2019, CCS.

[27]  Martin C. Rinard,et al.  Ownership types for safe region-based memory management in real-time Java , 2003, PLDI '03.

[28]  Dongsu Han,et al.  Enhancing Security and Privacy of Tor's Ecosystem by Using Trusted Execution Environments , 2017, NSDI.

[29]  Mingwei Zhang,et al.  SGXElide: enabling enclave code secrecy via self-modification , 2018, CGO.

[30]  Emmett Witchel,et al.  Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data , 2016, OSDI.

[31]  Murat Kantarcioglu,et al.  SGX-BigMatrix: A Practical Encrypted Data Analytic Framework With Trusted Processors , 2017, CCS.

[32]  Jaehyuk Huh,et al.  ShieldStore: Shielded In-memory Key-value Storage with SGX , 2019, EuroSys.

[33]  Heming Cui,et al.  UPA: An Automated, Accurate and Efficient Differentially Private Big-Data Mining System , 2020, 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[34]  Zhaoquan Gu,et al.  Kakute: A Precise, Unified Information Flow Analysis System for Big-data Security , 2017, ACSAC.

[35]  Mauro Conti,et al.  The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX , 2018, USENIX Security Symposium.

[36]  Mahadev Konar,et al.  ZooKeeper: Wait-free Coordination for Internet-scale Systems , 2010, USENIX Annual Technical Conference.

[37]  Andrew Ferraiuolo,et al.  Komodo: Using verification to disentangle secure-enclave hardware from software , 2017, SOSP.

[38]  Kapil Vaswani,et al.  EnclaveDB: A Secure Database Using SGX , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[39]  Donald E. Porter,et al.  Civet: An Efficient Java Partitioning Framework for Hardware Enclaves , 2020, USENIX Security Symposium.

[40]  Christos Gkantsidis,et al.  VC3: Trustworthy Data Analytics in the Cloud Using SGX , 2015, 2015 IEEE Symposium on Security and Privacy.

[41]  Srdjan Capkun,et al.  ROTE: Rollback Protection for Trusted Execution , 2017, USENIX Security Symposium.

[42]  Latifur Khan,et al.  SGX-Log: Securing System Logs With SGX , 2017, AsiaCCS.

[43]  Zhiqiang Lin,et al.  Running Language Interpreters Inside SGX: A Lightweight,Legacy-Compatible Script Code Hardening Approach , 2019, AsiaCCS.

[44]  Hovav Shacham,et al.  Iago attacks: why the system call API is a bad untrusted RPC interface , 2013, ASPLOS '13.

[45]  Yogesh Swami,et al.  Intel SGX Remote Attestation is not sufficient , 2017 .

[46]  Heming Cui,et al.  SecDATAVIEW: a secure big data workflow management system for heterogeneous computing environments , 2019, ACSAC.

[47]  Xavier Leroy,et al.  Closing the Gap – The Formally Verified Optimizing Compiler CompCert , 2017 .

[48]  Yogesh Swami SGX Remote Attestation is not Sufficient , 2017, IACR Cryptol. ePrint Arch..

[49]  Ahmad-Reza Sadeghi,et al.  SANCTUARY: ARMing TrustZone with User-space Enclaves , 2019, NDSS.

[50]  James R. Larus,et al.  Secured Routines: Language-based Construction of Trusted Execution Environments , 2019, USENIX Annual Technical Conference.

[51]  RegehrJohn,et al.  Provably correct peephole optimizations with alive , 2015 .

[52]  Ahmad-Reza Sadeghi,et al.  TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V , 2019, NDSS.

[53]  Lin Zhong,et al.  Ginseng: Keeping Secrets in Registers When You Distrust the Operating System , 2019, NDSS.

[54]  Chris Hawblitzel,et al.  Safe to the last instruction: automated verification of a type-safe operating system , 2011, CACM.

[55]  Martin C. Rinard,et al.  An Implementation of Scoped Memory for Real-Time Java , 2001, EMSOFT.

[56]  Donald E. Porter,et al.  Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX , 2017, USENIX Annual Technical Conference.

[57]  Rüdiger Kapitza,et al.  AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves , 2016, ESORICS.

[58]  James Newsome,et al.  MiniBox: A Two-Way Sandbox for x86 Native Code , 2014, USENIX Annual Technical Conference.

[59]  Michael J. Franklin,et al.  Resilient Distributed Datasets: A Fault-Tolerant Abstraction for In-Memory Cluster Computing , 2012, NSDI.

[60]  Christof Fetzer,et al.  SecureKeeper: Confidential ZooKeeper using Intel SGX , 2016, Middleware.