CN109543401B - SGX side channel attack defense method based on control flow lock - Google Patents

SGX side channel attack defense method based on control flow lock Download PDF

Info

Publication number
CN109543401B
CN109543401B CN201811404649.4A CN201811404649A CN109543401B CN 109543401 B CN109543401 B CN 109543401B CN 201811404649 A CN201811404649 A CN 201811404649A CN 109543401 B CN109543401 B CN 109543401B
Authority
CN
China
Prior art keywords
control flow
detection
external control
pmc
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811404649.4A
Other languages
Chinese (zh)
Other versions
CN109543401A (en
Inventor
周洪伟
原锦辉
杜遵良
冯贤
李福林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force filed Critical Information Engineering University of PLA Strategic Support Force
Priority to CN201811404649.4A priority Critical patent/CN109543401B/en
Publication of CN109543401A publication Critical patent/CN109543401A/en
Application granted granted Critical
Publication of CN109543401B publication Critical patent/CN109543401B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/556Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes

Abstract

The invention provides an SGX side channel attack defense method based on a control flow lock. The method comprises the following steps: step 1, setting a plurality of control flow detection points at a specific position of an enclave internal instruction; step 2, detecting illegal external control flow executed by the processor according to the plurality of control flow detection points; step 3, recording the times of illegal external control transfer in the illegal external control flow in an enclave internal instruction execution cycle, and taking the times of illegal external control transfer as the times of system abnormity; step 4, if the number of times of the system abnormity exceeds a preset threshold value, considering that side channel attack occurs; and 5, when side channel attack is considered to occur, the enclave internal instruction stops running, and an attacker is prevented from snooping the enclave internal information. The invention supports the normal work of a large-volume instruction set, and the invention only inserts a small amount of instructions (namely control flow detection points) into the original target process, thereby basically not increasing the performance overhead.

Description

SGX side channel attack defense method based on control flow lock
Technical Field
The invention relates to the technical field of network security, in particular to an SGX side channel attack defense method based on a control flow lock.
Background
Sgx (software Guard extensions), a hardware feature of Intel processors, is used to enhance software security. The SGX does not identify and isolate all malware on the platform, but encapsulates the security operations of legitimate software in an enclave to protect it from being attacked by malware, and privileged or non-privileged software cannot access the enclave. That is, once software and data are located in enclave, even an operating system or VMM (also called Hypervisor) cannot affect code and data inside enclave. enclave refers to a trusted execution environment built based on SGX.
The Intel SGX can provide a secure execution environment for the process and protect process instructions and data. However, an attacker can utilize the untrusted operating system to affect the execution of the enclave internal process, guessing the internal data of the process protected by SGX through various means, thereby bypassing the SGX protection mechanism. The difficulty of the SGX side channel attack defense method is as follows: the untrusted operating system can suspend the execution of the enclave internal process at any time, so that the process execution process and the result are observed, and the legacy information of the enclave execution process is obtained from hardware.
Prior art 1: shweta Shinder et al in the literature, "preceding you fans from Telling you routers: deficiencies against Pigeon anchors" propose to achieve the goal of disturbing the attacker side channel analysis by changing the internal instruction structure of the envelope. Specifically, when a program is compiled, instructions and data needing to be protected are identified, the virtual address space layout of the instructions is changed, the instructions are rewritten according to rules to disturb the page access structure, and a side channel attacker cannot reconstruct the enclave internal information by analyzing the page access structure.
Prior art 2: researchers of Jaebaek Seo et al proposed the use of Address Space Randomization to protect against SGX side channel attacks in the document "SGX-Shield: Enabling Address Space Layout for SGX Programs". The address space randomization technology can change the structure of an access page of an enclave internal instruction to a certain extent, thereby interfering with attacker analysis to a certain extent.
Prior art 3: researchers such as Ming-Wei Shih and the like propose to utilize TSX hardware characteristics in a document T-SGX, namely, Eradicating Controlled-Channel anchors approach Programs, so as to ensure that the execution process of an Enclave internal instruction is not interrupted. Even if a system exception occurs for irresistible reasons, the system exception is processed by the TSX exception handler first, so that an attacker is prevented from observing execution of an enclave internal instruction by using the system exception.
Prior art 1 and prior art 2 are directed to a second link of side channel attack (the second link shown in fig. 7), and the T-SGX of prior art 3 is directed to a first link of side channel attack (the first link shown in fig. 7). In order to prevent the side channel attacker from utilizing means such as page exception and the like to interfere the execution of the enclave internal instruction, the T-SGX utilizes the support of the TSX hardware characteristic of the processor to prevent the side channel attacker from interrupting the execution of the enclave internal instruction. In short, the TSX hardware characteristic can be used to make the instruction execution present a transaction characteristic (i.e. not interruptible), and even after interruption, the control right is to hand over the exception handler specified by the TSX instead of the malicious program programmed by the attacker, thereby avoiding the situation that the enclave external attacker cannot obtain the enclave internal execution. Although T-SGX may prevent side channel attackers from observing inside enclaves, it requires a small amount of code to be included per transaction because it is based on the TSX hardware characteristics. To use TSX, the user must divide the original instruction into small instruction fragments. This in turn causes a new problem, the inevitable presence of data interaction with the instruction fragments, leading to increased performance overhead.
Disclosure of Invention
In order to prevent the SGX side channel attack on the basis of basically not additionally increasing the performance overhead, the invention provides a SGX side channel attack defense method based on a control flow lock to avoid the side channel attacker from further snooping the inside of the enclave.
The invention provides a SGX side channel attack defense method based on a control flow lock, which comprises the following steps:
step 1, setting a plurality of control flow detection points at a specific position of an enclave internal instruction;
step 2, detecting illegal external control flow executed by the processor according to the plurality of control flow detection points;
step 3, recording the times of illegal external control transfer in the illegal external control flow in an enclave internal instruction execution cycle, and taking the times of illegal external control transfer as the times of system abnormity;
step 4, if the number of times of the system abnormity exceeds a preset threshold value, considering that side channel attack occurs;
and 5, when side channel attack is considered to occur, the enclave internal instruction stops running, and an attacker is prevented from snooping the enclave internal information.
Further, the specific location includes: at least one of a function header, a function trailer, a function call instruction pre-stage, a function call instruction post-stage, a basic block header inside the function, and a basic block trailer inside the function.
Further, the step 2 specifically includes:
step 21, recording control transfer information of the processor in a preset time period before the current time according to the control flow detection points;
step 22, judging whether an external control flow occurs in the processor within the preset time period according to the control transfer information;
step 23, if it is determined that an external control flow occurs, distinguishing a predictable external control flow from an unpredictable external control flow in the external control flow;
and 24, judging whether the unpredictable external control flow is an illegal external control flow or not, wherein the illegal external control flow refers to a control flow containing a plurality of times of illegal external control transfer.
Further, the control flow detection points include at least one of LBR detection points and PMC detection points.
Further, if the control flow detection point is an LBR detection point, the step 21 specifically includes:
and recording control transfer information executed by the processor in a preset time period before the current moment by using the LBR according to a plurality of LBR detection points.
Further, if the control flow detection point is a PMC detection point, the step 21 specifically includes:
according to the PMC detection points, recording control transfer information of a processor in a preset time period before the current time by using the PMC, wherein the control transfer information comprises execution times of control transfer instructions and occurrence times of internal control flow;
the step 22 specifically includes:
and if the execution times of the control transfer instruction is greater than the occurrence times of the internal control flow, considering that the processor generates the external control flow in the preset time period.
Further, the step 23 specifically includes:
and if the external control flow is judged to occur, distinguishing the predictable external control flow and the unpredictable external control flow in the external control flow by adopting a black-and-white list mode or an instruction analysis mode.
Further, when detecting an illegal external control flow executed by the processor, a self-adaptive adjustment detection granularity principle is adopted, and the self-adaptive adjustment detection granularity principle specifically comprises the following steps:
if the unpredictable external control flow is found, shortening the detection period according to a detection granularity adjustment mode;
if no unpredictable external control flow is found in the m detection periods, the detection period is prolonged according to the detection granularity adjustment mode;
wherein, the detection period refers to the period from one control flow detection point to the next control flow detection point of the same type in the program execution process, and m is more than 1.
Further, the detection granularity adjustment mode specifically includes: a first detection level, a second detection level and a third detection level;
the first detection level is: implanting an LBR detection point and a PMC detection point at the head of the function, and implanting a PMC detection point at the tail of the function;
the second detection level is: implanting a PMC detection point before a function call instruction in the function, and implanting an LBR detection point and a PMC detection point after the function call instruction in the function;
the third detection level is: and (3) implanting an LBR detection point and a PMC detection point at the head of each basic block inside the function, and implanting a PMC detection point at the tail of each basic block inside the function.
The invention has the beneficial effects that:
side channel attacks are the primary attacks against SGX. An important means of defending against side channel attacks is to ensure that the target process can execute undisturbed to avoid being spied on internal information by untrusted operating systems. However, because the target process running in the enclave built based on the SGX still needs to rely on the trusted support of the untrusted operating system, the execution process of the target process may be interrupted at any point in time.
Compared with the prior art which utilizes TSX hardware characteristics (cannot support a large-volume instruction set, particularly, a target process may have a plurality of situations which need to be interrupted), the SGX side channel attack defense method based on the control flow lock supports the normal work of the large-volume instruction set, and can find external abnormal control flow in time and sense malicious attack behaviors when an attacker tries to peeld at the initial stage, so that the execution of the target process is stopped, and a control flow view which can be obtained by the attacker is locked. In addition, the invention only inserts a small amount of instructions (namely control flow detection points) into the original target process, and the performance overhead is basically not increased.
Drawings
Fig. 1 is a schematic flowchart of an SGX side channel attack defense method based on a control flow lock according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a relationship between SGX, STEE and enclave according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of an LBR-based external control flow detection method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of an external control flow detection method based on PMC according to an embodiment of the present invention;
fig. 5 is a schematic diagram of obtaining a PMC difference value according to an embodiment of the present invention;
fig. 6 is a schematic flowchart of an SGX side channel attack defense method based on a control flow lock according to another embodiment of the present invention;
FIG. 7 is a schematic diagram of SGX side channel attack;
fig. 8 is a control flow diagram illustration between basic blocks O, A and B.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Side channel attack (side channel attack): a method of attacking an encryption device against side channel information leakage such as time consumption, power consumption, or electromagnetic radiation during operation of an electronic device is called a side channel attack.
LBR: the Intel processor has a hardware characteristic that essentially, the processor is added with a plurality of registers, and each register records a certain control transfer information executed by the latest processor. The processor organizes these registers into a circular pool of memory and loops through the method of overwriting the old value with the new value. The LBR memory capacity supported by Intel processors is limited, typically between a few to a dozen banks.
TSX: the Intel processor has a hardware characteristic that allows a user to specify a section of instruction as a transaction execution, and is characterized in that the execution process of the section of instruction is not interfered, and even if the instruction is interrupted for some irresistible reason, the abnormal processing program execution set by the user is submitted first to ensure that an attacker does not immediately obtain the execution authority so as to obtain valuable information from the transaction.
STEE (SGX-Based executed Environment): in the invention, the trusted execution environment is constructed based on SGX hardware characteristics, LBR hardware characteristics and PMC hardware characteristics.
STEE plug-in: in the present invention, the result of compiler revision is referred to. The compiler using the STEE plug-in can insert the STEE software component into the target program to achieve the purpose of side channel attack defense.
Basic blocks and control flow: during compilation, a program will view a set of instructions that are executed sequentially as a whole, i.e., as a basic block. There will be control transfer behavior from basic block to basic block, and several control transfers are treated as control flows. For example: if (Condition)
Then A
Else B
Assuming that neither A nor B has any control transfer cases, then A and B are treated as basic blocks. The code described above involves three basic blocks: o (i.e., a basic block containing whether the determination condition is satisfied), a, and B, and there is a control flow graph at this time, as shown in fig. 8.
Code pile inserting: and inserting a plurality of codes at the specific position of the source program for acquiring information in the program running process and making corresponding response according to the setting. For example: and (4) executing instrumentation at the head of the function, and checking and printing the name of the function calling the function.
LBR detection point: in the invention, during the target program recompiling process, instruction fragments for detecting external control flow based on LBR are inserted into the instruction set of the target program.
PMC detection point: in the invention, in the target program recompiling process, an instruction segment for detecting external control flow based on PMC is inserted into an instruction set of the target program.
The difficulty in defending against SGX side channel attacks is: an untrusted operating system may interrupt the execution of the target process at any time. The hardware feature TSX may well guarantee instruction execution continuity, but TSX cannot support continuous execution of large-volume instructions.
The SGX side channel attack defense method based on the control flow lock is mainly based on a trusted framework of STEE. The STEE trusted architecture adopts an architecture of hardware trusted support and software trusted extension, and mainly comprises a STEE software component, a target process and a STEE hardware component. The basic idea of STEE is: a small amount of instructions are inserted into an original program to form a new executable program, and the new executable program is executed in enclave constructed based on SGX, so that the enclave has the capability of sensing illegal peering of an untrusted operating system.
The relationship between STEE, SGX and enclave is further illustrated in conjunction with fig. 2. Constructing the STEE requires the cooperation of hardware and software support components. The STEE hardware component includes a processor supporting SGX and LBR and other necessary hardware. The STEE software component is outside the target process and refers to an instruction (namely a control flow detection function) added when a program is compiled and linked, and the STEE software component detects illegal external control flow by utilizing the LBR hardware characteristic and the PMC hardware characteristic of a processor. Once some exception occurs, the STEE software component responds to the exception and takes a corresponding action in time (dynamically adding a control flow detection instruction, or aborting SecIns execution, outputting a disturbed control flow, etc.). Based on SGX, a closed environment (namely enclave) can be constructed, and both STEE software components and target processes are active inside the enclave.
The present invention assumes: the trusted components that support STEE include only STEE hardware components (particularly processors that support SGX, LBR, and PMC hardware features) and STEE software components, and the operating system is not within the scope of the trusted components. It is reasonable in most cases to assume that the hardware is trusted. Generally, an attacker does not have physical control over the hardware and cannot directly attack it. However, since hardware is not easy to change and expand, the present invention utilizes the trusted execution environment provided by SGX to expand the functions of hardware with a small amount of software, making it more complete. Because the target is definite and the function is single, the STEE software component has small volume. From the perspective of software, the smaller the volume of software, the less the probability of security holes. It is therefore reasonable to assume that the STEE software components are authentic.
Based on the STEE trusted architecture, fig. 1 is a schematic flow diagram of an SGX side channel attack defense method based on a control flow lock according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
s101, setting a plurality of control flow detection points at a specific position of an enclave internal instruction;
specifically, the specific location includes: at least one of a function header, a function trailer, a function call instruction pre-stage, a function call instruction post-stage, a basic block header inside the function, and a basic block trailer inside the function. The control flow detection points include at least one of LBR detection points and PMC detection points.
There may be two methods for setting the control flow detection point. The first is code overwriting, i.e., directly overwriting the instructions of the target location. For example, during recompiling, a plurality of dummy instruction stubs can be inserted into a designated position, and when a detection point needs to be set at the position, the detection instruction is written into the position. The second is parameter modification, i.e. controlling the detection granularity by setting the detection intensity. The first method requires modification of instructions, and existing operating systems tend to disable instruction modification by controlling the CR0 register, and STEE modifications to CR0 may trigger a vigilance of untrusted operating systems. The second is transparent to the untrusted operating system.
S102, detecting an illegal external control flow executed by a processor according to the control flow detection points;
s103, recording the times of illegal external control transfer in the illegal external control flow in an enclave internal instruction execution cycle, and taking the times of illegal external control transfer as the times of system abnormity;
s104, if the number of times of the system abnormity exceeds a preset threshold value, considering that side channel attack occurs;
and S105, when the side channel attack is considered to occur, the enclave internal instruction stops running, and an attacker is prevented from snooping the enclave internal information.
As shown in fig. 7, the side channel attack for SGX is mainly divided into two steps: firstly, frequently pausing the execution process of the process in the enclave, and observing some external responses (such as accessing a certain page) of the execution process; and then guesses the process internal information (e.g., guessing the inputs that affect the execution results based on the page access results). The SGX side channel attack defense method based on the control flow lock provided by the embodiment of the invention mainly aims at the first step of SGX side channel attack. Because the SGX side channel attack needs to observe the execution process of the internal process in a large quantity, the SGX side channel attack can be judged to exist by finding out frequent process pause execution in time, and then the snooping of an attacker to the inside of the target process is stopped in time.
The embodiment of the invention finds that the idea of suspending the process execution of the inoperable system is as follows: any enclave external instruction can be switched to the enclave internal instruction only at a specified entry point, once the enclave external instruction is switched to the enclave internal instruction from an unknown position, the enclave external instruction is considered to have a system exception, if the system exception frequently occurs in an enclave internal instruction execution cycle, a side channel attack is considered to occur, the enclave internal instruction stops running, a control flow view of an attacker is locked, and the attacker is prevented from further snooping the enclave internal information.
The SGX side channel attack defense method based on the control flow lock provided by the embodiment of the invention does not depend on TSX hardware characteristics and does not need to limit the instruction size as TSX does. Therefore, the embodiment of the invention supports the normal work of a large-volume instruction set, and can find the external abnormal control flow in time and sense the malicious attack behavior at the initial stage of the attempt of an attacker to peek, thereby stopping the execution of the target process and locking the control flow view acquired by the attacker. When a user puts the whole target process into enclave for execution, the insertion number of the control flow detection points is increased, and the density of the control flow detection points is maintained. In addition, the invention only inserts a small amount of instructions (namely control flow detection points) into the original target process, and the performance overhead is basically not increased.
On the basis of the foregoing embodiment, the step S102 in the method specifically includes:
step S1021, recording control transfer information of the processor in a preset time period before the current time according to the control flow detection points;
step S1022, determining whether an external control flow occurs in the preset time period according to the control transfer information;
in particular, external control flow refers to the control flow that occurs at an enclave external instruction. Not all external control flows are illegal. The execution of instructions in enclave causes some necessary external control flow. For example: execution of a system call by an instruction in enclave triggers execution of the operating system kernel, thereby generating an external control flow.
According to different types of control flow detection points arranged at specific positions of enclave internal instructions, different recording modes are adopted for control transfer information of the processor, different detection modes are adopted for illegal external control flows, and the detection modes are respectively an LBR-based external control flow detection method and a PMC-based external control flow detection method.
The external control flow detection method based on the LBR comprises the following steps: and if the control flow detection points arranged at the specific positions are LBR detection points, recording control transfer information executed by the processor within a preset time period before the current moment by using the LBR according to a plurality of LBR detection points. As shown in FIG. 3, embodiments of the present invention utilize the LBR hardware characteristics of a processor to trace back control transfer conditions recently executed by the processor to determine whether an external control flow occurs. The LBR records the control transfer information recently executed by the processor by using the circular storage pool. This means that whether an enclave internal instruction or an enclave external instruction, the control transfer resulting from its execution will be recorded into the LBR. Since the enclave internal control flow is known to STEE, STEE can then treat all non-internal control flows as external control flows.
An external control flow detection method based on PMC comprises the following steps: if the control flow detection point set at a specific position is a PMC detection point, recording control transfer information of a processor in a preset time period before the current time by using a PMC according to a plurality of PMC detection points, wherein the control transfer information comprises execution times of control transfer instructions and occurrence times of internal control flow; and if the execution times of the control transfer instruction is greater than the occurrence times of the internal control flow, considering that the processor generates the external control flow in the preset time period. As shown in fig. 4, an embodiment of the present invention utilizes PMC to detect external control flow. Since the PMC records the number of times of executing the instruction of the specified type, the embodiment of the present invention uses the PMC to record the number of times of executing the control transfer instruction, so as to discover the external control flow according to the abnormal increase of the count value. As shown in fig. 4, the internal control flow causes the PMC count value to increase three times, but the count value actually increases four times (the external control flow causes an additional time). From this abnormal increase in the count value, the presence of the external control flow can be determined.
The PMC-based external control flow detection method is based on detection of a change in PMC value, and the detection principle is shown in fig. 5. To obtain the time t1And t2Difference between PMC readings, required at time t1And time t2PMC readings were taken separately. Similar to the LBR-based external control flow detection method, the PMC-based external control flow detection method still needs to distinguish between unpredictable and predictable external control flows. For predictable external control flows, embodiments of the present invention do not count their implementation. As shown in fig. 5, time t2Is predictive of external control flow initiationTime (for example, PMC register may be read before system call instruction), time t3The external control flow end time may be predicted (for example, the PMC register may be read again at the next instruction of the system call instruction), but the read value at two times is not processed.
The two detection methods (namely an LBR-based external control flow detection method and a PMC-based external control flow detection method) have different detection principles and have respective advantages. The LBR method can clearly trace back a plurality of historical control transfer records, the detection result is clear, and misjudgment does not exist. However, the LBR memory space relied on by the LBR method is limited, most Intel processors only support 16 control transfer records at most, and a considerable part of processors only support the capacity of 4 control transfer records. In order to perform the detection accurately, frequent detection is necessary. The PMC method does not have the limitation of LBR, and it uses counting method to implement detection. However, due to the complexity of the control flow graph, the PMC method is not accurate enough in judgment, but the detection efficiency is high, and frequent detection is not needed. In practical application, the two methods can be combined, and the two methods are mutually verified to jointly complete external control flow detection. Combining the two methods, the external control flow can be pre-determined by using a PMC method, and then determined by combining an LBR method.
Step S1023, if the external control flow is judged to occur, distinguishing predictable external control flow and unpredictable external control flow in the external control flow;
in particular, for both detection methods described above, STEE needs to distinguish between predictable and unpredictable external control flows. By predictable external control flow is meant an external control flow that a program can predict what is happening. The external control flow is typically foreseen as a result of the execution of the system call for which the program applies. By unpredictable external control flow is meant that the program is unable to predict the external control flow that occurs. Typically unpredictable external control flows, such as exception handling flows due to page fault interrupts, will be unpredictable by the STEE. Side channel attacks are mainly implemented using unpredictable external control flows.
And if the external control flow is judged to occur, distinguishing the predictable external control flow and the unpredictable external control flow in the external control flow by adopting a black-and-white list mode or an instruction analysis mode.
Specifically, to reduce interference of the predictable external control flow with detection of the unpredictable external control flow, the predictable external control flow may be labeled in a black and white list. For LBR, the entire external control stream cannot be reproduced completely, since LBR can only record a limited number of control transfer information. To identify the predictable external control flow, it is necessary to know the last several control transfers of the predictable external control flow. In fact, however, due to the diversity of external event handling, it is difficult to define the complete control flow graph of the external control flow, and it is also difficult to determine the last several control transitions thereof. Thus, the use of black and white lists risks identifying the predictable external control flow as an unpredictable external control flow.
As another possible implementation, the embodiment of the invention can record the predictable external control flow through instruction marking. In this way, instructions that may produce predictable external control flow may be discovered through instruction analysis. Typical instructions that may result in predictable external control flow such as system call instructions. In addition, some instructions may trigger an external control flow, such as a memory allocation function in C language, which may trigger an operating system page allocation operation, thereby causing a page exception. The invention recognizes these instructions and considers that the external control flow caused by these instructions is legal, and it should be noted that these instructions are all control transfer instructions, that is, the location where the external control flow is detected.
It should be noted that, the instruction labeling method adopted in the embodiment of the present invention enables an attacker to implement side channel attack by using predictable external control flow, but this still greatly limits the attack surface of the attacker. To ensure proper execution of the program, the existence of the predictable external control flow must be allowed so that the program can access the underlying support functions of the operating system. The instruction marking method enables an attacker to observe the execution of a legal interrupt program at the marked instruction position. But simultaneously, the method also limits the attacker to interrupt the program execution only in a limited position, and reduces the attack surface.
Step S1024, judging whether the unpredictable external control flow is an illegal external control flow, wherein the illegal external control flow refers to a control flow containing a plurality of times of illegal external control transfer.
In particular, it is unpredictable that both legitimate and illegitimate situations exist for external control flows. Legal situation: such as concurrent execution of multiple threads, may halt execution within enclave, create external control flow, and such control flow is unpredictable. But normally, this will not happen frequently, and when it happens frequently (exceeds a preset threshold in an enclave internal instruction execution cycle), it is considered as an illegal external control flow.
From the above, in the prior art, the T-SGX uses the transaction characteristics supported by the TSX hardware characteristics, but in the embodiment of the present invention, a control flow detection point is inserted into an enclave internal instruction, and the LBR hardware characteristics and the PMC hardware characteristics are used to trace back the illegal control transfer condition, which are different methods. In the embodiment of the invention, a plurality of control flow detection points are inserted in a pile insertion mode at a specific position of an enclave internal instruction, the control transfer condition recently executed by a processor is traced by utilizing the LBR hardware characteristic and the PMC hardware characteristic of the processor, and when illegal external control transfer exists, a system exception is considered to occur; and recording the number of times of system exception of an enclave internal instruction execution cycle by using an SGX internal storage space, and if the number of times exceeds a certain threshold value, determining that side channel attack occurs. The SGX internal storage space is regarded as an internal safe storage area, so that the number of system abnormity recorded in the SGX internal storage space can be selected to prevent an attacker from tampering the data.
The SGX side channel attack defense method based on the control flow lock does not require the size of an instruction set inside the enclave, so that the method supports the normal work of the instruction set with large volume, and can find external abnormal control flow in time and sense malicious attack behaviors at the initial stage of trying to peep by an attacker, thereby stopping the execution of a target process and locking a control flow view obtained by the attacker. In addition, the invention only inserts a small amount of instructions (namely control flow detection points) into the original target process, and the performance overhead is basically not increased.
On the basis of the above embodiments, the method provided by the present invention adopts a self-adaptive adjustment detection granularity principle when detecting an illegal external control flow executed by a processor, where the self-adaptive adjustment detection granularity principle specifically is: if the unpredictable external control flow is found, shortening the detection period according to a detection granularity adjustment mode; if no unpredictable external control flow is found in the m detection periods, the detection period is prolonged according to the detection granularity adjustment mode; wherein, the detection period refers to the period from one control flow detection point to the next control flow detection point of the same type in the program execution process, and m is more than 1.
Specifically, as shown in fig. 6, the embodiment of the present invention adopts a working manner of instruction recompilation and runtime dynamic deployment. In the embodiment of the invention, a compiler (for example: gcc compiler) is modified, a STEE plug-in is constructed, and a new executable program comprising STEE software components is formed after a program source code is recompiled and linked; the new executable program is loaded to the memory by the untrusted operating system and triggers the construction behavior of STEE; and constructing STEE based on a mode of SGX hardware trusted support and a small amount of software trusted extension, and providing a trusted execution environment for the target process.
In the embodiment of the present invention, the instruction recompilation is similar to the process of step S101, and is different from step S101 in that the instruction recompilation in the embodiment of the present invention is divided into two stages. The first stage labels the instruction. At this stage, the revised compiler first performs lexical and syntactic analyses, identifying instructions that may result in predictable external control flow, labeling them. The second stage is stake insertion. This stage is mainly realized by program instrumentation technology. In the embodiment of the invention, a program instrumentation method is used for implementing instrumentation at specific positions such as the head of a function, the tail of the function, a function call instruction (call instruction), the front or the back of a code basic block and the like. While the instrumentation is performed, the marked instructions need to be bypassed, so as to achieve the purpose of not detecting the generated external control flow. During instruction recompilation, two different detection points are inserted into the program. They are the LBR detection point and the PMC detection point, respectively serving two different detection methods.
The so-called runtime dynamic deployment is mainly to dynamically adjust the detection granularity. If the control flow detection is frequently carried out, the running efficiency of the software is influenced. If the detection frequency is low, part of illegal abnormality may be missed. In order to achieve comprehensive balance, the embodiment of the invention adopts a self-adaptive adjustment detection granularity principle, and the basic principle is as follows: if the unpredictable external control flow is found, increasing the detection frequency, namely shortening the detection period; if no unpredictable external control flow is found in the m detection periods, reducing the detection frequency, namely lengthening the detection period; and if the external control flow is found to be unpredictable after lasting for n detection periods, considering that the side channel attack occurs. Generally, m > n > 1.
The detection period refers to a period from a certain detection point to the next detection point of the same type in the program execution process. In practical applications, there are two detection cycles, since there may be two different types of detection points (i.e. LBR detection point and PMC detection point). The embodiment of the invention adopts two methods for simultaneously measuring the detection period, namely: in both the LBR detection period and the PMC detection period, if unpredictable external control flow is found, suspected abnormality is considered to occur, the detection granularity is adjusted, and meanwhile, the measurement is restarted in the detection period.
As an example of a detection granularity adjustment method, the adjustment method mainly sets three detection levels, which specifically includes: a first detection level, a second detection level and a third detection level; the first detection level is: implanting an LBR detection point and a PMC detection point at the head of the function, and implanting a PMC detection point at the tail of the function; the second detection level is: implanting a PMC detection point before a function call instruction in the function, and implanting an LBR detection point and a PMC detection point after the function call instruction in the function; the third detection level is: and (3) implanting an LBR detection point and a PMC detection point at the head of each basic block inside the function, and implanting a PMC detection point at the tail of each basic block inside the function.
Specifically, as shown in table 1, at the 1 st detection level, STEE implants LBR detection points only in the head of the function, and implants PMC detection points in the head and tail of the function. The 1 st detection level is a loose detection level and has minimum influence on the performance of software operation. When a suspicious abnormal condition occurs, STEE is implemented according to the 2 nd detection level, LBR detection points are implanted after a function call instruction in the function, and PMC detection points are implanted before and after the call instruction, so that the detection frequency is increased. When the suspicious abnormal condition still exists, the STEE increases the detection level, implements the strictest detection level, implants LBR detection points at the head of each basic block, and implants PMC detection points at the head and the tail of each basic block. At the 3 rd detection level, there will be no missing detection. If no abnormity occurs in a plurality of detection periods, STEE gradually reduces the deployment level, thereby reducing the influence on the software performance.
Table 1 detection level schematic
Figure BDA0001877064860000131
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (4)

1. The SGX side channel attack defense method Based on the control flow lock is characterized in that the method is Based on a STEE Trusted architecture, the STEE refers to SGX-Based Trusted Execution Environment and a Trusted Execution Environment constructed Based on SGX hardware characteristics, LBR hardware characteristics and PMC hardware characteristics, the STEE Trusted architecture comprises a STEE software component, a target process and a STEE hardware component, the STEE software component and the target process are both active inside enclaves, the STEE software component refers to control flow detection points added during program compiling and linking, and the STEE hardware component comprises a processor supporting SGX, LBR and PMC hardware characteristics; SGX refers to Software Guard Extensions; the method comprises the following steps:
step 1, setting a plurality of control flow detection points at a specific position of an enclave internal instruction, wherein the control flow detection points comprise at least one of LBR detection points and PMC detection points; the LBR detection point refers to inserting an instruction segment for detecting external control flow based on LBR in an instruction set of a target program in a target program recompiling process, the PMC detection point refers to inserting an instruction segment for detecting external control flow based on PMC in the instruction set of the target program in the target program recompiling process, and the external control flow refers to the control flow generated by an enclave external instruction; the specific location includes: at least one of a function head, a function tail, before and after a function call instruction, a head of a basic block inside the function, and a tail of the basic block inside the function;
step 2, detecting illegal external control flow executed by the processor according to the plurality of control flow detection points; the step 2 specifically comprises:
step 21, if the control flow detection points are LBR detection points, according to a plurality of LBR detection points, using an LBR to record control transfer information executed by a processor within a preset time period before the current time;
if the control flow detection point is a PMC detection point, recording control transfer information of a processor in a preset time period before the current time by using a PMC according to the PMC detection points, wherein the control transfer information comprises execution times of control transfer instructions and occurrence times of internal control flow;
step 22, judging whether an external control flow occurs in the processor within the preset time period according to the control transfer information; the method comprises the following steps: if the execution times of the control transfer instruction are larger than the occurrence times of the internal control flow, the processor is considered to generate the external control flow in the preset time period;
step 23, if it is determined that an external control flow occurs, distinguishing a predictable external control flow from an unpredictable external control flow in the external control flow;
step 24, judging whether the unpredictable external control flow is an illegal external control flow, wherein the illegal external control flow refers to a control flow containing a plurality of times of illegal external control transfer;
step 3, recording the times of illegal external control transfer in the illegal external control flow in an enclave internal instruction execution cycle, and taking the times of illegal external control transfer as the times of system abnormity;
step 4, if the number of times of the system abnormity exceeds a preset threshold value, considering that side channel attack occurs;
and 5, when side channel attack is considered to occur, the enclave internal instruction stops running, the control flow view of an attacker is locked, and the attacker is prevented from snooping the enclave internal information.
2. The method according to claim 1, wherein the step 23 is specifically:
and if the external control flow is judged to occur, distinguishing the predictable external control flow and the unpredictable external control flow in the external control flow by adopting a black-and-white list mode or an instruction analysis mode.
3. The method according to claim 2, characterized in that when detecting illegal external control flow executed by the processor, an adaptive detection granularity adjustment principle is adopted, and the adaptive detection granularity adjustment principle is specifically:
if the unpredictable external control flow is found, shortening the detection period according to a detection granularity adjustment mode;
if no unpredictable external control flow is found in the m detection periods, the detection period is prolonged according to the detection granularity adjustment mode;
wherein, the detection period refers to the period from one control flow detection point to the next control flow detection point of the same type in the program execution process, and m is more than 1.
4. The method according to claim 3, wherein the detecting granularity adjusting means specifically comprises: a first detection level, a second detection level and a third detection level;
the first detection level is: implanting an LBR detection point and a PMC detection point at the head of the function, and implanting a PMC detection point at the tail of the function;
the second detection level is: implanting a PMC detection point before a function call instruction in the function, and implanting an LBR detection point and a PMC detection point after the function call instruction in the function;
the third detection level is: and (3) implanting an LBR detection point and a PMC detection point at the head of each basic block inside the function, and implanting a PMC detection point at the tail of each basic block inside the function.
CN201811404649.4A 2018-11-23 2018-11-23 SGX side channel attack defense method based on control flow lock Active CN109543401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811404649.4A CN109543401B (en) 2018-11-23 2018-11-23 SGX side channel attack defense method based on control flow lock

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811404649.4A CN109543401B (en) 2018-11-23 2018-11-23 SGX side channel attack defense method based on control flow lock

Publications (2)

Publication Number Publication Date
CN109543401A CN109543401A (en) 2019-03-29
CN109543401B true CN109543401B (en) 2021-05-04

Family

ID=65849727

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811404649.4A Active CN109543401B (en) 2018-11-23 2018-11-23 SGX side channel attack defense method based on control flow lock

Country Status (1)

Country Link
CN (1) CN109543401B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138799B (en) * 2019-05-30 2020-07-17 东北大学 SGX-based secure cloud storage method
CN112256118B (en) * 2019-07-02 2024-04-09 中兴通讯股份有限公司 Application program freezing control method, device, terminal and readable storage medium
CN111162944A (en) * 2019-12-26 2020-05-15 广东星舆科技有限公司 Method and system for automatically diagnosing and repairing receiver fault by management platform
CN111865909B (en) * 2020-06-08 2021-05-28 西安电子科技大学 SGX side channel attack defense method, system, medium, program and application
CN112287357B (en) * 2020-11-11 2022-08-12 中国科学院信息工程研究所 Control flow verification method and system for embedded bare computer system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101763291B (en) * 2009-12-30 2012-01-18 中国人民解放军国防科学技术大学 Method for detecting error of program control flow
CN103345445A (en) * 2013-07-02 2013-10-09 华中科技大学 Security chip design method based on control flow detection and resistant to error injection attack
CN105022956B (en) * 2015-08-14 2018-11-09 中国科学院计算技术研究所 A method of resisting code reuse attack

Also Published As

Publication number Publication date
CN109543401A (en) 2019-03-29

Similar Documents

Publication Publication Date Title
CN109543401B (en) SGX side channel attack defense method based on control flow lock
US10803180B2 (en) Deterministic method for detecting and blocking of exploits on interpreted code
Chen et al. Detecting privileged side-channel attacks in shielded execution with Déjá Vu
Mushtaq et al. Nights-watch: A cache-based side-channel intrusion detector using hardware performance counters
Shanbhogue et al. Security analysis of processor instruction set architecture for enforcing control-flow integrity
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
JP6116697B2 (en) Method, program, system, and machine-readable storage medium for protecting electronic devices
Irazoqui et al. MASCAT: Stopping microarchitectural attacks before execution
US7594111B2 (en) Secure execution of a computer program
US10049211B1 (en) Hardware-accelerated prevention of code reuse attacks
US7603704B2 (en) Secure execution of a computer program using a code cache
Wagner et al. High system-code security with low overhead
CN111865909B (en) SGX side channel attack defense method, system, medium, program and application
Irazoqui et al. Mascat: Preventing microarchitectural attacks before distribution
US20100064367A1 (en) Intrusion detection for computer programs
US10650147B2 (en) Method and apparatus for ensuring control flow integrity
US10467410B2 (en) Apparatus and method for monitoring confidentiality and integrity of target system
Rauti et al. Diversification of system calls in linux binaries
US10885184B1 (en) Rearranging executables in memory to prevent rop attacks
Ruan et al. Survey of return‐oriented programming defense mechanisms
Oliveira et al. Hardware-software collaboration for secure coexistence with kernel extensions
Oliveira et al. Ianus: Secure and holistic coexistence with kernel extensions-a immune system-inspired approach
US20240095360A1 (en) Risc-v and o-cfi mechanism-based defense method and apparatus for code reuse attacks
Khan et al. A compiler assisted scheduler for detecting and mitigating cache-based side channel attacks
Wang et al. A survey of return-oriented programming attack, defense and its benign use

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant