CN110532767B - Internal isolation method for SGX security application - Google Patents

Internal isolation method for SGX security application

Info

Publication number: CN110532767B
Authority: CN (China)
Prior art keywords: enclave, SGX, page table, program, thread
Legal status: Active
Application number: CN201910765428.8A
Other languages: Chinese (zh)
Other versions: CN110532767A
Inventors: 古金宇, 夏虞斌, 陈海波, 臧斌宇
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University

Events: application filed by Shanghai Jiaotong University; priority to CN201910765428.8A; publication of CN110532767A; application granted; publication of CN110532767B; legal status active.

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution (e.g. stack integrity; preventing unwanted data erasure; buffer overflow) by adding security routines or objects to programs
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F 21/00)
    • G06F 2221/2149 Restricted operating environment (indexing scheme relating to G06F 21/00)

Abstract

The invention provides an internal isolation method for SGX security applications. The method uses an internal isolation system for SGX security applications; the system provides a given system library and comprises one or more enclaves. Each enclave comprises one or more threads; each thread in the enclave has a PKRU register, and the PKRU values of the threads in an enclave differ from one another, so that each thread can have a private address-space region that only that thread can access. The operating system that runs the enclave is recorded as an untrusted operating system. The method exploits the near-zero performance sacrifice of MPK to partition the memory region, further reduces the trusted computing base of the program inside the enclave, and meets the security requirements of current cloud computing service applications.

Description

Internal isolation method for SGX security application
Technical Field
The invention relates to the technical field of computer security, in particular to an internal isolation method for SGX security application.
Background
A Trusted Computing Base (TCB) is the set of all components, including firmware, hardware and software, that are relied on to keep a computer system operating securely.
Patent document CN101635016B discloses a security system for connecting TCB components. The system comprises: an application-layer TCB component for enforcing the security policy set by each piece of trusted software; an operating-system-layer TCB component for enforcing the security policy set by the information system; and a pipeline established between the application-layer TCB component and the operating-system-layer TCB component for trusted message passing between the two trusted components. That application also discloses a security guarantee method for connecting TCB components, comprising: an application-layer TCB security guarantee step, which enforces the security policy set by each piece of trusted software; an operating-system-layer TCB security guarantee step, which enforces the security policy set by the information system; and a pipeline message transmission step, namely establishing a pipeline between the application-layer TCB component and the operating-system-layer TCB component and performing trusted message transmission between the two trusted components.
In TCB-based prior art such as the above, once the trusted computing base contains a security flaw or a program error, the security of the entire system is compromised. Conversely, a bug in a part outside the TCB has no significant effect on the system as a whole or on the programs running on it. Currently, most programs run on a trusted computing base that includes the CPU hardware, the BIOS firmware, the operating system and the code of the program itself. As hardware and software have developed, the amount of code in this trusted computing base has grown very large; the Linux kernel alone is in the order of tens of millions of lines. As the trusted computing base grows, the number of potential bugs and vulnerabilities grows with it, and once such vulnerabilities are exploited by malicious attackers, user programs can be attacked. In the era of the mobile internet and big data, the processing and computation of all kinds of information is done with computers; if a vulnerability in a huge trusted computing base is exploited by a malicious attacker to steal a user's sensitive data, such as business secrets or health data, the loss to the user is immeasurable.
In response to these problems, research and industry have proposed many software and hardware approaches to reducing the trusted computing base; Intel SGX is one of them. With SGX, a user-mode application can create a private memory region called an enclave. Enclave data is stored in memory in encrypted form and is decrypted by the processor only when code running inside the enclave accesses it; everything outside the enclave, including the operating system with its higher privilege level, cannot obtain the plaintext. While an enclave program runs, its trusted computing base therefore comprises only the Intel processor and the enclave's own code, and excludes everything outside the enclave such as the operating system, so the trusted computing base of the running program is greatly reduced.
SGX can effectively reduce the size of an application's trusted computing base and thus greatly improve its security, so how to develop programs using the enclave abstraction that SGX provides becomes the key question. On the one hand, whenever the program inside the enclave needs a program outside the enclave to complete some function, enclave entries and exits occur and bring a certain performance overhead. On the other hand, with the rapid development of hardware, the secure memory capacity available to enclaves will grow greatly in the future. For performance reasons, putting entire applications, even libOS-based applications, directly into the enclave is a trend in SGX development; however, this increases the size of the application's trusted computing base.
Meanwhile, in the rising period of big data and cloud computing, a large amount of data computation is performed in the cloud. To reduce the trusted computing base and achieve security, most application programs that provide services on cloud servers need to execute in an enclave environment. If several users request the same service from the cloud, the application program in one enclave is shared by those users at the same time. Because the users do not trust each other, data must not be shared between them, and isolation is then needed inside the enclave. In summary, whether to reduce the enclave trusted computing base or to meet the current development needs of big data and cloud computing, isolation inside the enclave is necessary.
If enclave-internal isolation is implemented by a software method such as SFI (software-based fault isolation), performance suffers a non-negligible loss; if isolation is realised with suitable hardware support such as Intel MPK, a good result can be obtained.
Intel MPK can divide the memory pages used by a process into different memory regions, and the access rights of the currently running process to each region are specified by the value of the PKRU register in the CPU. A process can change the access rights of the different memory regions by directly modifying the PKRU register, without expensive page table modifications. Using Intel MPK, the memory of the application process inside the enclave can be divided into different memory page groups, and by specifying the PKRU value of each thread at run time, different threads are given different access rights to the page groups, so that each thread in the enclave can have a private address-space region that other threads cannot access. Unlike the common approach of isolating with page tables, the different threads share the same page table, so thread scheduling and switching do not incur performance losses such as TLB invalidation. Therefore, with Intel MPK, enclave-internal isolation can be realised with almost zero performance sacrifice.
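As an added illustration (not code from the patent), the per-thread PKRU values that this isolation relies on, computed with the PKRU bit layout from the Intel SDM; that key 0 stays enabled for untagged pages and that one key is shared by all threads are assumptions of this example:

```c
#include <stdint.h>
#include <stdio.h>

/* PKRU layout (Intel SDM): for protection key k, bit 2k is AD (access disable) and
 * bit 2k+1 is WD (write disable). 16 keys fit in the 32-bit register. On real
 * hardware the value is loaded with WRPKRU at thread start, which is why the patent's
 * binary check forbids that instruction anywhere else. */
#define NKEYS 16
#define PKRU_AD(k) (1u << (2 * (k)))
#define PKRU_WD(k) (1u << (2 * (k) + 1))

/* PKRU value for one enclave thread: its own page group (own_key) and a shared page
 * group (shared_key) stay readable and writable; every other key is fully disabled.
 * Key 0 is left enabled because pages that were never tagged carry key 0
 * (assumption of this example: enclave code and untagged data live under key 0). */
uint32_t pkru_for_thread(int own_key, int shared_key)
{
    uint32_t v = 0;
    for (int k = 1; k < NKEYS; k++)
        if (k != own_key && k != shared_key)
            v |= PKRU_AD(k) | PKRU_WD(k);
    return v;
}

/* 1 if a thread running with `pkru` may access a page tagged `key` (write = 1 for stores). */
int pkru_allows(uint32_t pkru, int key, int write)
{
    if (pkru & PKRU_AD(key)) return 0;
    if (write && (pkru & PKRU_WD(key))) return 0;
    return 1;
}

/* The property the isolation step relies on: every thread gets a distinct PKRU value
 * and no thread can even read another thread's private page group. Returns 1 if it holds. */
int partition_is_isolated(const int *own_key, int nthreads, int shared_key)
{
    for (int i = 0; i < nthreads; i++) {
        uint32_t pi = pkru_for_thread(own_key[i], shared_key);
        for (int j = 0; j < nthreads; j++) {
            if (i == j) continue;
            if (pi == pkru_for_thread(own_key[j], shared_key)) return 0; /* not distinct */
            if (pkru_allows(pi, own_key[j], 0)) return 0;                /* can read j's pages */
        }
    }
    return 1;
}

int main(void)
{
    int keys[3] = {1, 2, 3};          /* constructed: three enclave threads, shared key 15 */
    uint32_t a = pkru_for_thread(keys[0], 15);
    printf("thread A PKRU = 0x%08x, reads own key: %d, reads key 2: %d\n",
           a, pkru_allows(a, 1, 0), pkru_allows(a, 2, 0));
    printf("partition isolated: %d\n", partition_is_isolated(keys, 3, 15));
    return 0;
}
```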
However, the trusted computing base assumed by MPK is not compatible with that of SGX. With MPK, the operating system helps the program by modifying page table entries and correctly dividing the memory page groups, so the operating system belongs to the trusted computing base, whereas under SGX the operating system is untrusted. It therefore becomes critical to ensure that the untrusted operating system has correctly set the page table entries for the application program in the enclave before the enclave program runs, and that the relevant page table entries are not modified by a potential attacker, including the untrusted operating system, while the enclave program executes.
Intel RTM is a hardware transactional memory solution. Transactional memory is a programming abstraction offered to developers: with RTM, a developer marks a critical path with the two instructions XBEGIN and XEND, and the CPU treats that path as a transaction, guaranteeing atomicity, consistency and isolation while the code executes. If data read and used during the transaction is modified by another party, the hardware captures this and aborts the transaction. The invention uses RTM to ensure that the relevant page table entries are not modified while the enclave program executes.
Disclosure of Invention
To address the defects of the prior art, the invention aims to provide an internal isolation method for SGX security applications.
The internal isolation method for SGX security applications provided by the invention uses an internal isolation system for SGX security applications; this system provides a given system library and comprises one or more enclaves;
each enclave comprises one or more threads; each thread in the enclave has a PKRU register, and the PKRU values of the threads in an enclave differ from one another, so that each thread can have a private address-space region that only that thread can access;
the operating system that runs the enclave is recorded as an untrusted operating system;
the internal isolation method for SGX security applications comprises a security isolation step;
security isolation step: MPK is used to realise an inter-thread security isolation mechanism inside the enclave, namely the enclave memory is divided into different memory page groups using MPK, and the PKRU register is set so that different threads in the enclave have different access rights to the relevant page groups, thereby achieving inter-thread security isolation.
Preferably, the internal isolation method for SGX security applications further includes a page table entry confirmation step;
page table entry confirmation step: waiting for the untrusted operating system to set the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program, whereupon the enclave program confirms that those page table entries are correctly set.
Preferably, the page table entry confirmation step includes an access bit verification step and/or a dirty bit verification step;
access bit verification step: the access bit in a page table entry indicates whether the memory page the entry maps has been accessed during process execution; its initial value is 0, and if data in the page is accessed during execution the hardware automatically sets it to 1, otherwise it keeps its initial value;
dirty bit verification step: the dirty bit in a page table entry indicates whether the memory page the entry maps has been modified during process execution; its initial value is 0, and if data in the page is modified during execution the hardware automatically sets it to 1, otherwise it keeps its initial value.
Preferably, the internal isolation method for SGX security applications further includes an SSA structure judgment step;
SSA structure judgment step: during the check, the SSA structure is read to judge whether an interrupt occurred during the check, and thus whether the untrusted operating system intervened in the check;
and the SSA structure judgment step is executed more than once.
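An added user-space model of the page table entry confirmation step (constructed for this page, not the patent's implementation): the untrusted OS, the MMU's A/D updates and the SSA are simulated as plain structs, and the enclave is assumed to be able to ask the OS to clear the A/D bits before each round.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* x86 page-table-entry flag bits that only the hardware sets: Accessed (bit 5) and
 * Dirty (bit 6). The enclave uses them as evidence that a PTE shown to it is real. */
#define PTE_A ((uint64_t)1 << 5)
#define PTE_D ((uint64_t)1 << 6)
#define NPAGES 4
#define ROUNDS 3
#define SSA_SENTINEL 0x5A5A5A5A5A5A5A5AULL

/* Behaviours of the simulated untrusted OS (constructed for this illustration). */
enum os_mode {
    OS_HONEST,  /* shows real PTEs: the MMU updates A/D when the enclave touches the page */
    OS_FORGED,  /* shows a static copy whose A/D bits never follow the enclave's accesses */
    OS_COLLUDE  /* a helper thread sets A/D on every page as soon as any page is touched */
};

struct os_view  { uint64_t pte[NPAGES]; enum os_mode mode; };
/* SGX State Save Area model: an asynchronous exit (interrupt) overwrites the saved
 * register state, so a sentinel written there beforehand disappears. */
struct ssa_view { uint64_t saved_rip; int interrupt_pending; };

static volatile uint8_t pages[NPAGES][16];   /* the enclave's pages (toy size) */

/* One simulated memory access by the enclave thread. */
static void touch(struct os_view *os, struct ssa_view *ssa, int p, int write)
{
    if (ssa->interrupt_pending) { ssa->saved_rip = 0; ssa->interrupt_pending = 0; }
    if (write) pages[p][0] = 1; else { uint8_t v = pages[p][0]; (void)v; }
    uint64_t bits = write ? (PTE_A | PTE_D) : PTE_A;
    if (os->mode == OS_HONEST) os->pte[p] |= bits;
    if (os->mode == OS_COLLUDE) for (int i = 0; i < NPAGES; i++) os->pte[i] |= bits;
}

/* Page table entry confirmation. Each round: the OS is asked to clear A/D, the pages are
 * touched in a random order, and after every touch the enclave requires that (a) the
 * touched PTE's A/D bits changed exactly as the access implies, (b) pages not yet touched
 * are still clear, and (c) no asynchronous exit happened meanwhile.
 * Returns 0 on success, -1 forged PTE, -2 unexpected change on an untouched page,
 * -3 interrupted (the untrusted OS intervened during the check). */
int confirm_page_tables(struct os_view *os, struct ssa_view *ssa, unsigned seed)
{
    srand(seed);
    for (int r = 0; r < ROUNDS; r++) {
        int order[NPAGES];
        for (int i = 0; i < NPAGES; i++) order[i] = i;
        for (int i = NPAGES - 1; i > 0; i--) {              /* Fisher-Yates shuffle */
            int j = rand() % (i + 1), t = order[i]; order[i] = order[j]; order[j] = t;
        }
        for (int i = 0; i < NPAGES; i++) os->pte[i] &= ~(PTE_A | PTE_D);  /* OS clears A/D */
        for (int k = 0; k < NPAGES; k++) {
            int p = order[k];
            if (os->pte[p] & (PTE_A | PTE_D)) return -2;   /* nobody touched p yet */
            ssa->saved_rip = SSA_SENTINEL;
            touch(os, ssa, p, 0);                            /* read: A must appear, D must not */
            if (!(os->pte[p] & PTE_A) || (os->pte[p] & PTE_D)) return -1;
            touch(os, ssa, p, 1);                            /* write: D must appear */
            if (!(os->pte[p] & PTE_D)) return -1;
            if (ssa->saved_rip != SSA_SENTINEL) return -3;   /* an AEX clobbered the SSA */
        }
    }
    return 0;
}

/* Builds one scenario (present | writable | user PTEs on constructed frames) and runs the check. */
int run_scenario(enum os_mode mode, int interrupt)
{
    struct os_view os = { {0x1000 | 0x07, 0x2000 | 0x07, 0x3000 | 0x07, 0x4000 | 0x07}, mode };
    struct ssa_view ssa = { SSA_SENTINEL, interrupt };
    return confirm_page_tables(&os, &ssa, 42);
}

int main(void)
{
    printf("honest OS: %d, forged PTE: %d, colluding thread: %d, interrupted: %d\n",
           run_scenario(OS_HONEST, 0), run_scenario(OS_FORGED, 0),
           run_scenario(OS_COLLUDE, 0), run_scenario(OS_HONEST, 1));
    return 0;
}
```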
Preferably, the internal isolation method for SGX security applications further includes an RTM protection step;
RTM protection step: the application program in the enclave uses RTM to ensure that the page table mapping cannot be modified during execution by a potential attacker, including the untrusted operating system;
wherein RTM declares the start and end of a transaction with the XBEGIN and XEND instructions; if content read or modified by the transaction between XBEGIN and XEND is modified by another process, the hardware captures this and the transaction is terminated; otherwise execution continues.
Preferably, the internal isolation method for SGX security applications further comprises a binary check step;
binary check step: a binary check performed before the program runs ensures that the enclave program runs along the intended path.
Preferably, the binary check step comprises a WRPKRU check sub-step;
WRPKRU check sub-step: the binary check performed before the program runs guarantees that, apart from the WRPKRU that initialises the thread's PKRU register value, the WRPKRU instruction and its instruction encoding do not appear anywhere else.
Preferably, the binary check step comprises a ROP check sub-step and/or an RTM bypass check sub-step;
ROP check sub-step: the binary check performed before the program runs ensures that no control-flow-changing instruction exists between XBEGIN and XEND;
RTM bypass check sub-step: the binary check performed before the program runs guarantees that the binary code between XBEGIN and XEND cannot be decoded into the XBEGIN or XEND instructions.
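Added example of the WRPKRU and RTM-bypass sub-steps of the binary check, written for this page rather than taken from the patent; it assumes the build records the offset of the legitimate WRPKRU and of each XBEGIN/XEND pair, and the ROP sub-step (no control-flow instruction between XBEGIN and XEND) needs a real disassembler and is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings from the Intel SDM: WRPKRU = 0F 01 EF, XEND = 0F 01 D5,
 * XBEGIN rel32 = C7 F8 followed by a 4-byte displacement. */
static const uint8_t OP_WRPKRU[3] = {0x0F, 0x01, 0xEF};
static const uint8_t OP_XEND[3]   = {0x0F, 0x01, 0xD5};
static const uint8_t OP_XBEGIN[2] = {0xC7, 0xF8};

/* Count matches of pat at every byte offset in [start, end), skipping one legitimate
 * site. x86 code is not self-synchronising: an immediate or displacement inside one
 * instruction decodes as an opcode if control is ever transferred into the middle of it. */
static size_t count_pattern(const uint8_t *buf, size_t start, size_t end,
                            const uint8_t *pat, size_t plen, size_t skip_off)
{
    size_t n = 0;
    for (size_t i = start; i + plen <= end; i++)
        if (i != skip_off && memcmp(buf + i, pat, plen) == 0) n++;
    return n;
}

/* WRPKRU check: the only place the WRPKRU bytes may occur is the thread-initialisation
 * site at `init_off`. Returns the number of other occurrences (0 = pass), or -1 if the
 * expected WRPKRU is not at `init_off`. */
long check_wrpkru(const uint8_t *buf, size_t len, size_t init_off)
{
    if (init_off + 3 > len || memcmp(buf + init_off, OP_WRPKRU, 3) != 0) return -1;
    return (long)count_pattern(buf, 0, len, OP_WRPKRU, 3, init_off);
}

/* RTM-bypass check for one transaction whose XBEGIN and XEND instruction offsets are
 * known (assumption: recorded by the build). Returns the number of stray XBEGIN/XEND
 * byte patterns inside the region (0 = pass), or -1 if the delimiters are not where claimed. */
long check_rtm_region(const uint8_t *buf, size_t len, size_t xbegin_off, size_t xend_off)
{
    if (xbegin_off + 6 > xend_off || xend_off + 3 > len) return -1;
    if (memcmp(buf + xbegin_off, OP_XBEGIN, 2) != 0) return -1;
    if (memcmp(buf + xend_off, OP_XEND, 3) != 0) return -1;
    size_t body = xbegin_off + 6;                        /* first byte after XBEGIN rel32 */
    long n = 0;
    n += (long)count_pattern(buf, body, xend_off + 3, OP_XEND, 3, xend_off);
    n += (long)count_pattern(buf, body, xend_off, OP_XBEGIN, 2, (size_t)-1);
    return n;
}

/* Constructed sample that passes: one WRPKRU at thread init, then a transaction whose
 * body is a plain register move. */
const uint8_t GOOD[16] = {
    0x0F, 0x01, 0xEF,                         /*  0: wrpkru (allowed site)      */
    0xC7, 0xF8, 0x06, 0x00, 0x00, 0x00,       /*  3: xbegin +6 (abort -> ret)   */
    0x48, 0x89, 0xC8,                         /*  9: mov rax, rcx               */
    0x0F, 0x01, 0xD5,                         /* 12: xend                       */
    0xC3 };                                   /* 15: ret                        */

/* Constructed sample that fails both checks: a second WRPKRU hidden in a mov
 * immediate, and an XEND hidden inside an immediate within the transaction body. */
const uint8_t BAD[25] = {
    0x0F, 0x01, 0xEF,                         /*  0: wrpkru                                     */
    0xB8, 0x0F, 0x01, 0xEF, 0x00,             /*  3: mov eax, 0x00EF010F (bytes 4..6 = wrpkru)  */
    0xC7, 0xF8, 0x0A, 0x00, 0x00, 0x00,       /*  8: xbegin +10                                 */
    0x48, 0xC7, 0xC0, 0x0F, 0x01, 0xD5, 0x00, /* 14: mov rax, 0x00D5010F (bytes 17..19 = xend)  */
    0x0F, 0x01, 0xD5,                         /* 21: xend                                       */
    0xC3 };                                   /* 24: ret                                        */

int main(void)
{
    printf("GOOD: stray wrpkru %ld, rtm bypass %ld\n",
           check_wrpkru(GOOD, sizeof GOOD, 0), check_rtm_region(GOOD, sizeof GOOD, 3, 12));
    printf("BAD:  stray wrpkru %ld, rtm bypass %ld\n",
           check_wrpkru(BAD, sizeof BAD, 0), check_rtm_region(BAD, sizeof BAD, 8, 21));
    return 0;
}
```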
The internal isolation method for SGX security applications provided by the invention uses an internal isolation system for SGX security applications; this system provides a given system library and comprises one or more enclaves;
each enclave comprises one or more threads; each thread in the enclave has a PKRU register, and the PKRU values of the threads in an enclave differ from one another, so that each thread can have a private address-space region that only that thread can access;
the operating system that runs the enclave is recorded as an untrusted operating system;
the internal isolation method for SGX security applications comprises a security isolation step;
security isolation step: an inter-thread security isolation mechanism is realised inside the enclave with MPK, namely the enclave memory is divided into different memory page groups using MPK, and the PKRU register is set so that different threads in the enclave have different access rights to the relevant page groups, thereby achieving inter-thread security isolation;
the internal isolation method for SGX security applications further comprises a page table entry confirmation step;
page table entry confirmation step: waiting for the untrusted operating system to set the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program, whereupon the enclave program confirms that those page table entries are correctly set;
the page table entry confirmation step comprises an access bit verification step and/or a dirty bit verification step;
access bit verification step: the access bit in a page table entry indicates whether the memory page the entry maps has been accessed during process execution; its initial value is 0, and if data in the page is accessed during execution the hardware automatically sets it to 1, otherwise it keeps its initial value;
dirty bit verification step: the dirty bit in a page table entry indicates whether the memory page the entry maps has been modified during process execution; its initial value is 0, and if data in the page is modified during execution the hardware automatically sets it to 1, otherwise it keeps its initial value;
the internal isolation method for SGX security applications further comprises an SSA structure judgment step;
SSA structure judgment step: during the check, the SSA structure is read to judge whether an interrupt occurred during the check, and thus whether the untrusted operating system intervened in the check;
the SSA structure judgment step is executed more than once;
the internal isolation method for SGX security applications further comprises an RTM protection step;
RTM protection step: the application program in the enclave uses RTM to ensure that the page table mapping cannot be modified during execution by a potential attacker, including the untrusted operating system;
wherein RTM declares the start and end of a transaction with the XBEGIN and XEND instructions; if content read or modified by the transaction between XBEGIN and XEND is modified by another process, the hardware captures this and the transaction is terminated; otherwise execution continues;
the internal isolation method for SGX security applications further comprises a binary check step;
binary check step: a binary check performed before the program runs ensures that the enclave program runs along the intended path;
the binary check step comprises a WRPKRU check sub-step;
WRPKRU check sub-step: the binary check performed before the program runs guarantees that, apart from the WRPKRU that initialises the thread's PKRU register value, the WRPKRU instruction and its instruction encoding do not appear anywhere else;
the binary check step comprises a ROP check sub-step and/or an RTM bypass check sub-step;
ROP check sub-step: the binary check performed before the program runs ensures that no control-flow-changing instruction exists between XBEGIN and XEND;
RTM bypass check sub-step: the binary check performed before the program runs guarantees that the binary code between XBEGIN and XEND cannot be decoded into the XBEGIN or XEND instructions.
According to the present invention, a computer-readable storage medium is also provided, storing a computer program which, when executed by a processor, implements the steps of the above internal isolation method for SGX security applications.
Compared with the prior art, the invention has the following beneficial effects:
1. the internal isolation method for SGX security applications has good isolation, high reliability and strong generality;
2. the method uses the technical support of MPK and RTM, combined with SGX, to provide and realise an efficient isolation method inside the enclave;
3. the method exploits the near-zero performance sacrifice of MPK to partition the memory of the application program inside the enclave so that each thread has a memory region no other thread can access; this further reduces the trusted computing base of the program inside the enclave and meets the security requirements of current cloud computing service applications.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a schematic diagram of illegal modification of a PKRU register using a WRPKRU instruction;
FIG. 2 is a schematic diagram of the architecture of a system in an example of the invention;
FIG. 3 is a schematic of enclave internal isolation;
FIG. 4 is a flow chart illustrating the process from creation to running of the enclave program in the embodiment of the invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit it in any way. It should be noted that various changes and modifications can obviously be made by those skilled in the art without departing from the spirit of the invention, all of which fall within the scope of the present invention.
Abbreviations and key terms used in the present invention are defined as follows:
- TCB: Trusted Computing Base;
- SGX: Software Guard Extensions;
- MPK: Memory Protection Keys, a memory protection technology;
- RTM: Restricted Transactional Memory, a hardware transactional memory technology;
- SSA: State Save Area.
Further, the method provided by the invention mainly solves the following problems:
1. how can page table entries set by an untrusted operating system be checked? How to ensure that such checks are not intercepted and bypassed by untrusted operating systems?
2. How to ensure that relevant page table entries are not modified by potential attackers, including untrusted operating systems, during enclave execution?
The invention comprises the following technical points:
1. The MPK (Memory Protection Keys) technology is utilized to realize an inter-thread security isolation mechanism in the enclave: the MPK technology divides the enclave memory into different memory page groups, and the PKRU (protection key rights) register is set so that different threads in the enclave have different access rights to the related memory page groups, which achieves the isolation;
2. After the untrusted operating system sets the page table entries for the enclave program, the content of the corresponding page table entries is exposed to the enclave program, and the enclave program confirms that they are set correctly. The specific technical method is: the enclave program randomly reads and writes the corresponding memory, and judges whether a page table entry is real according to whether the access/dirty bits in the page table entry changed;
3. To prevent the untrusted operating system from intercepting the read/write behavior of the enclave and modifying the access/dirty bits of a false page table during the check, the enclave reads the SSA structure during the check to judge whether an interrupt occurred, and thus whether the untrusted operating system intervened; to prevent other untrusted threads from modifying the corresponding page table bits in cooperation with the untrusted operating system during the check, the check is performed multiple times;
4. After the validity of the page table is checked, the application program in the enclave uses RTM to ensure that the page table mapping cannot be modified during execution by a potential attacker, including the untrusted operating system;
5. The binary check method before the program runs ensures that the enclave program does not modify the value of the PKRU register while running, and that RTM cannot be bypassed by a ROP attack.
The following is a supplementary explanation of the above technical points:
Because the WRPKRU instruction that modifies the PKRU register can be called freely in user mode without triggering any interrupt or exception, an untrusted thread in the enclave program has the opportunity to modify the value of PKRU by calling this instruction during execution, thereby changing the access rights of the related memory pages and stealing sensitive data of a trusted thread. As shown in Fig. 1, because the x86 architecture has variable-length instructions, if the instruction encoding of WRPKRU (0x0f01ef) is present at an illegal location in the code segment, the relevant bytes will not be decoded as a WRPKRU instruction during normal execution by the CPU, but an attacker may use a vulnerability of the program to perform a ROP attack, jump to the beginning of 0x0f01ef in the code segment, and the CPU will then decode it as a WRPKRU instruction, illegally modifying the PKRU register. Therefore, before the enclave program runs, it must be ensured that, except for the WRPKRU at the code that initializes the value of the PKRU register of a thread, neither the WRPKRU instruction nor its instruction encoding (0x0f01ef) occurs in any other part.
The initial value of the access/dirty bits in a page table entry is 0. The access bit indicates whether the memory page referenced by the page table entry has been accessed during process execution; if data in the memory page is accessed, the hardware automatically sets the access bit to 1. The dirty bit indicates whether the memory page referenced by the page table entry has been modified during process execution; if data in the memory page is modified, the hardware automatically sets the dirty bit to 1.
The page table may be tampered with between the time the page table validity is checked and the time the enclave program executes. Since the untrusted operating system and other untrusted threads in the enclave cannot know when the page table validity check ends, there is little chance that the untrusted operating system will tamper with the page table between the enclave program passing the page table validity check and the enclave executing under RTM. Meanwhile, the enclave program can read the SSA value when the RTM transaction starts to judge whether the untrusted operating system intervened. The SSA (State Save Area) is designed by the SGX technology to save the interrupt context of an enclave application program: when an interrupt occurs while the enclave application is executing, the SGX CPU saves the running state of the enclave application at the time of the interrupt, including the interrupted instruction address, in the SSA of the enclave.
RTM technology declares the start and end of a transaction by the Xbegin and Xend instructions. Between Xbegin and Xend, if the contents read or modified by the transaction are modified by another process, this is captured by the hardware and the transaction is terminated. If the enclave execution protected by RTM is not terminated, the corresponding page table entries were not tampered with by a potential attacker, including the untrusted operating system, during execution, and the execution environment of the enclave is safe.
In order to reduce the probability of a transaction being aborted, the code protected by one Xbegin/Xend pair should not be too long, so the enclave code consists of a number of Xbegin/Xend pairs. An attacker can change the program control flow through a ROP attack using instructions such as jmp: jumping to a location after an Xend and thereby skipping the following Xbegin/Xend pairs; or jumping into the middle of the code between Xbegin and Xend, where, because of the variable length of x86 instructions, the CPU decodes the bytes as an instruction different from the one the program developer defined, such as an Xend instruction, which ends the transaction and bypasses the RTM protection of the set page table entries. Meanwhile, the bytes corresponding to Xbegin and Xend in the binary can be made to decode as other instructions, so that all the Xbegin and Xend instructions the program developer defined are bypassed, the protection of the page table entries becomes invalid, and the page table entries can be tampered with without being discovered.
Therefore, before the enclave is created, binary scanning of the program code in the enclave is needed: on one hand, to guarantee that the WRPKRU instruction and the positions where its instruction encoding appears are legal; on the other hand, that no jmp instruction exists between Xend and Xbegin, and that the binary code between Xbegin and Xend cannot spell out the two instructions Xbegin and Xend.
FIG. 2 is an architecture diagram of a system in an example of the invention. The architecture is basically consistent with the framework of an application program using SGX technology. Each enclave program is linked with the system library realized by the invention and runs on an untrusted operating system, and the application program in the enclave is multi-threaded. Because the value of the PKRU register of each thread in the enclave program is different, each thread in the enclave program can have a private address space region that can only be accessed by that thread and not by other threads, which realizes the internal isolation of the enclave. As shown in Fig. 3, taking thread 1 and thread 2 as an example, although both threads use the same page table, thread 1 cannot access the contents of any memory page in memory page group 2 and thread 2 cannot access the contents of any memory page in memory page group 1, because of the different values of the PKRU registers in the two thread contexts.
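The byte-pattern half of the binary scan described above, as an added example that is not the patent's own code: it searches a code buffer at every byte offset (not only at instruction boundaries) for the WRPKRU encoding 0f 01 ef given on the page, and for the XEND (0f 01 d5) and XBEGIN (c7 f8 rel32) encodings, since the attack the text describes reaches them mid-instruction. The code buffer, the allow-list of the one legitimate WRPKRU site and the region boundaries are constructed for the example; the control-flow (jmp) part of the check needs a full disassembler and is not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Opcode byte patterns. WRPKRU is given on the page; XEND and XBEGIN are the
 * documented x86 encodings (XBEGIN is followed by a rel32 displacement). */
static const uint8_t WRPKRU[] = {0x0f, 0x01, 0xef};
static const uint8_t XEND[]   = {0x0f, 0x01, 0xd5};
static const uint8_t XBEGIN[] = {0xc7, 0xf8};

/* Constructed sample code segment (not from the page). Offsets:
 *  0: real WRPKRU at the PKRU initialisation site (allowed)
 *  3: XBEGIN +0x10            9: mov rdi, rax
 * 12: mov eax, 0x00d5010f  -> immediate bytes 13..15 spell XEND
 * 17: real XEND
 * 20: mov eax, 0x90ef010f  -> immediate bytes 21..23 spell WRPKRU */
static const uint8_t SAMPLE[] = {
    0x0f, 0x01, 0xef,
    0xc7, 0xf8, 0x10, 0x00, 0x00, 0x00,
    0x48, 0x89, 0xc7,
    0xb8, 0x0f, 0x01, 0xd5, 0x00,
    0x0f, 0x01, 0xd5,
    0xb8, 0x0f, 0x01, 0xef, 0x90,
};

static bool match_at(const uint8_t *code, size_t len, size_t off,
                     const uint8_t *pat, size_t plen) {
    if (off + plen > len) return false;
    for (size_t i = 0; i < plen; i++)
        if (code[off + i] != pat[i]) return false;
    return true;
}

/* Number of WRPKRU encodings at offsets NOT in the allow-list (the
 * initialisation site the text permits). 0 means the check passes. */
size_t count_rogue_wrpkru(const uint8_t *code, size_t len,
                          const size_t *allowed, size_t n_allowed) {
    size_t rogue = 0;
    for (size_t off = 0; off + sizeof WRPKRU <= len; off++) {
        if (!match_at(code, len, off, WRPKRU, sizeof WRPKRU)) continue;
        bool ok = false;
        for (size_t i = 0; i < n_allowed; i++)
            if (allowed[i] == off) ok = true;
        if (!ok) rogue++;
    }
    return rogue;
}

/* Number of XEND or XBEGIN encodings "spelled out" strictly inside one
 * XBEGIN..XEND region, i.e. starting at any offset other than the intended
 * XBEGIN (region_start) and the intended XEND (region_end). */
size_t count_spelled_rtm(const uint8_t *code, size_t len,
                         size_t region_start, size_t region_end) {
    size_t found = 0;
    for (size_t off = region_start + 1; off < region_end; off++) {
        if (match_at(code, len, off, XEND, sizeof XEND) ||
            match_at(code, len, off, XBEGIN, sizeof XBEGIN))
            found++;
    }
    return found;
}

int main(void) {
    size_t allowed[] = {0};
    printf("rogue WRPKRU encodings: %zu\n",
           count_rogue_wrpkru(SAMPLE, sizeof SAMPLE, allowed, 1));
    printf("RTM encodings spelled inside region 3..17: %zu\n",
           count_spelled_rtm(SAMPLE, sizeof SAMPLE, 3, 17));
    return 0;
}
```

On the constructed sample both counts are 1 (the immediate of the first mov spells XEND, that of the last mov spells WRPKRU), so a loader following the page's rule would refuse this binary; a scanner that only walked instruction boundaries would see neither.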
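The Fig. 3 scenario in code, as an added example (not the patent's system library): it models how per-thread PKRU values give each enclave thread a private page group. The PKRU bit layout follows the x86 MPK specification (for protection key k, bit 2k is the access-disable bit and bit 2k+1 the write-disable bit); the mapping of page group 1 to key 1 and group 2 to key 2, and key 0 for shared pages, is an assumption made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PKRU_KEYS 16
#define PKRU_AD(k) (1u << (2 * (k)))       /* access disable for key k */
#define PKRU_WD(k) (1u << (2 * (k) + 1))   /* write disable for key k */

/* PKRU value for a thread whose private page group uses protection key
 * own_key: every other non-zero key is fully disabled, key 0 (the default
 * key of pages that belong to no private group) stays accessible. */
uint32_t pkru_for_thread(unsigned own_key) {
    uint32_t pkru = 0;
    for (unsigned k = 1; k < PKRU_KEYS; k++) {
        if (k != own_key)
            pkru |= PKRU_AD(k) | PKRU_WD(k);
    }
    return pkru;
}

/* Would the hardware allow this access under the given PKRU value? */
bool pkru_allows(uint32_t pkru, unsigned page_key, bool is_write) {
    if (pkru & PKRU_AD(page_key)) return false;
    if (is_write && (pkru & PKRU_WD(page_key))) return false;
    return true;
}

/* Constructed page-group table for the Fig. 3 scenario. */
struct page { const char *name; unsigned key; };

int main(void) {
    struct page pages[] = { {"group1/page", 1}, {"group2/page", 2}, {"shared", 0} };
    uint32_t t1 = pkru_for_thread(1), t2 = pkru_for_thread(2);
    printf("thread1 PKRU=%08x thread2 PKRU=%08x\n", t1, t2);
    for (int i = 0; i < 3; i++) {
        printf("%-12s thread1 r=%d w=%d  thread2 r=%d w=%d\n", pages[i].name,
               pkru_allows(t1, pages[i].key, false), pkru_allows(t1, pages[i].key, true),
               pkru_allows(t2, pages[i].key, false), pkru_allows(t2, pages[i].key, true));
    }
    return 0;
}
```

The two threads share one page table; only the register value in each thread context differs, which is why the page says the untrusted thread's only route to the other group is rewriting PKRU with WRPKRU, and why that instruction's encoding is what the binary check hunts for.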
Fig. 4 is a flowchart of the process from creation to execution of the enclave program in the embodiment of the present invention; the specific steps are as follows:
1. A user inputs an instruction to run an enclave program; the SGX driver creates an enclave and the relevant code is loaded;
2. The system library checks the binary code of the enclave program. The following two points are ensured: except for the WRPKRU at the code that initializes the value of the PKRU register of a thread, neither the WRPKRU instruction nor its instruction encoding (0x0f01ef) appears anywhere else; no jump instruction such as jmp, which an attacker could use for a ROP attack, exists in the code after an Xend and before the next Xbegin, and the binary code between Xbegin and Xend cannot spell out the Xbegin and Xend instructions;
3. The system library creates the threads, calls the MPK-related interface, requests the untrusted operating system to set the page table entries of the memory pages and divides the pages into the corresponding memory page groups, and at the same time sets the value of PKRU for each thread, so that each thread is guaranteed to have a private memory area;
4. The system library requests the untrusted operating system to set the related page table entries and to map the page table page containing the set page table entries to a specified address;
5. After the untrusted operating system has set the page table entries of the enclave program and mapped their content to the specified address, the enclave program performs the corresponding check;
6. The enclave program randomly performs read and write operations on different memory addresses, checks after each operation whether the values of the access/dirty bits in the corresponding page table entry are correct, and reads the SSA to ensure that the untrusted operating system did not interrupt or intervene in the process. The check is repeated multiple times to ensure that the memory mapping of the page table entry is the same on every read and that the access/dirty bits of the corresponding page table entry are set after the enclave performs the read/write operation; if it is incorrect even once, the page table entry is forged and the enclave exits;
7. After the validity check of the page table entries passes, the application program in the enclave starts to execute. The application program in the enclave uses the hardware support of RTM to ensure that the corresponding page table entries are not changed during execution.
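Steps 5 to 7 (and technical points 2 and 3 above) as an added, user-mode model that is not the patent's code: the page table entry, the hardware that sets the accessed/dirty bits, and the SSA interrupt indicator are all simulated so the decision logic runs anywhere. Bit positions follow the x86-64 PTE format (present bit 0, accessed bit 5, dirty bit 6); the `honest` flag, the round count and the interrupt callback are constructed inputs standing in for what a real enclave would observe.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PTE_P        (1ull << 0)
#define PTE_A        (1ull << 5)   /* accessed: set by hardware on any access */
#define PTE_D        (1ull << 6)   /* dirty: set by hardware on a write */
#define PTE_PFN_MASK 0x000ffffffffff000ull
#define ROUNDS       8             /* constructed: number of repeated checks */

struct sim_page {
    uint64_t pte;     /* the PTE the untrusted OS exposed to the enclave */
    bool     honest;  /* constructed: is this PTE really walked by the MMU? */
};

/* Simulated CPU access. A real mapping gets A (and D on a write) set by the
 * MMU; a PTE the OS merely displays to the enclave does not change. */
static void sim_access(struct sim_page *pg, bool write) {
    if (!pg->honest) return;
    pg->pte |= PTE_A;
    if (write) pg->pte |= PTE_D;
}

/* Simulated SSA check: true if an asynchronous exit (interrupt) happened in
 * this round. A real enclave derives this from the SSA frame; here it is an
 * injectable input so both outcomes can be exercised. */
typedef bool (*ssa_interrupted_fn)(int round);
static bool never_interrupted(int round)    { (void)round; return false; }
static bool interrupted_on_round_3(int round) { return round == 3; }

/* The enclave-side decision: every round must see A set after the read and
 * D set after the write, no interrupt in between, and the same physical
 * frame as the first round. Any single failure means "forged", as in step 6. */
bool verify_pte_rounds(struct sim_page *pg, ssa_interrupted_fn interrupted) {
    uint64_t pfn0 = pg->pte & PTE_PFN_MASK;
    for (int r = 0; r < ROUNDS; r++) {
        if (!(pg->pte & PTE_P)) return false;
        pg->pte &= ~(PTE_A | PTE_D);     /* start from the initial value 0 */
        sim_access(pg, false);
        if (!(pg->pte & PTE_A)) return false;   /* the read did not set A */
        sim_access(pg, true);
        if (!(pg->pte & PTE_D)) return false;   /* the write did not set D */
        if (interrupted(r)) return false;       /* OS intervened: distrust */
        if ((pg->pte & PTE_PFN_MASK) != pfn0)   /* mapping changed mid-check */
            return false;
    }
    return true;
}

int main(void) {
    struct sim_page real  = { PTE_P | 0x1000ull, true  };
    struct sim_page fake  = { PTE_P | 0x2000ull, false };
    struct sim_page again = { PTE_P | 0x1000ull, true  };
    printf("real mapping, no interrupts : %s\n",
           verify_pte_rounds(&real, never_interrupted) ? "accepted" : "rejected");
    printf("displayed-only PTE          : %s\n",
           verify_pte_rounds(&fake, never_interrupted) ? "accepted" : "rejected");
    printf("real mapping, AEX in round 3: %s\n",
           verify_pte_rounds(&again, interrupted_on_round_3) ? "accepted" : "rejected");
    return 0;
}
```

The rounds matter because a single pass gives a cooperating untrusted thread one well-known moment at which to flip the bits; resetting to 0 before each round also defeats a displayed PTE whose A/D bits were pre-set by the operating system.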
Still further, according to a preferred embodiment of the present invention, there is provided a method for efficient isolation inside Intel SGX, comprising:
1. A security isolation mechanism between threads is provided, using MPK technology to realize efficient isolation inside SGX, so that threads have private memory areas which cannot be accessed by other threads;
2. In order to verify that the untrusted operating system correctly sets the MPK-related page table for the enclave program, the invention provides a method of checking whether the access/dirty bits in the page table entries are set after the enclave program randomly reads and writes the related memory pages, and of reading the SSA structure to judge whether the untrusted operating system intervened in the verification process;
3. RTM technology is used to protect the relevant page table entries from being modified while the enclave program runs;
4. In order to prevent the enclave program from calling WRPKRU to tamper with the value of the PKRU register at run time and from bypassing the RTM protection, the binary code of the enclave program is checked with a binary scanning method before the enclave program runs, code that does not meet the requirements is binary-rewritten, and encodings of WRPKRU, Xbegin and Xend that do not meet the requirements are prevented from appearing;
5. The invention provides a complete system architecture suitable for mainstream use and an efficient internal isolation method for SGX.
In the description of the present application, it is to be understood that the terms "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience in describing the present application and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present application.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (9)

1. An internal isolation method facing SGX security applications, characterized in that an internal isolation system facing SGX security applications is utilized; the internal isolation system facing SGX security applications realizes a set system library and comprises one or more enclaves;
the enclave comprises one or more threads; each thread in the enclave has a PKRU register, and the values of the PKRU registers of the threads in the enclave differ from each other, so that each thread in the enclave can have a private address space region that can only be accessed by that thread;
the operating system running the enclave is recorded as an untrusted operating system;
the internal isolation method facing SGX security applications comprises a security isolation step;
security isolation step: an inter-thread security isolation mechanism is realized in the enclave through MPK (Memory Protection Keys) technology, namely, the memory of the enclave is divided into different memory page groups by utilizing the MPK technology, and the access rights of different threads in the enclave to the related memory page groups are made different by setting the PKRU (protection key rights) register, so that inter-thread security isolation is realized;
the internal isolation method facing SGX security applications further comprises an RTM protection step;
RTM protection step: the application program in the enclave uses RTM to ensure that the page table mapping cannot be modified by a potential attacker, including the untrusted operating system, during execution;
the RTM technology declares the beginning and the end of a transaction through the Xbegin and Xend instructions; between Xbegin and Xend, if the content read or modified by the transaction is modified by another process, this is captured by the hardware and the transaction is terminated; otherwise, execution continues.
2. The internal isolation method for SGX-oriented security applications according to claim 1, wherein said internal isolation method for SGX-oriented security applications further comprises a page table entry confirmation step;
page table entry confirmation: waiting for the untrusted operating system to set page table entries for the enclave program, and exposing the content of the corresponding page table entries to the enclave program, wherein the enclave program confirms that the corresponding page table entries are correctly set.
3. The internal isolation method for SGX-oriented security applications according to claim 2, wherein said page table entry confirmation step comprises an access bit verification step and/or a dirty bit verification step;
access bit verification step: an access bit in the page table entry indicates whether the memory page referenced by the page table entry is accessed during process execution; the initial value of the access bit is 0; if data in the memory page is accessed during process execution, the access bit is automatically set to 1 by hardware, otherwise it keeps its initial value;
dirty bit verification step: a dirty bit in the page table entry indicates whether the memory page referenced by the page table entry is modified during process execution; the initial value of the dirty bit is 0; if data in the memory page is modified during process execution, the dirty bit is automatically set to 1 by hardware, otherwise it keeps its initial value.
4. The internal isolation method for SGX security applications according to claim 1, further comprising an SSA structure judgment step;
SSA structure judgment step: during the checking process, whether an interrupt occurred is judged by reading the SSA structure, so that it is known whether the untrusted operating system intervened in the checking process;
and the SSA structure judgment step is executed more than once.
5. The internal isolation method for SGX-oriented security applications according to claim 1, wherein said internal isolation method for SGX-oriented security applications further comprises a binary check step;
binary checking: ensuring that the enclave program runs along a set path by using a binary check method before the program runs.
6. The SGX security application-oriented internal isolation method of claim 5, wherein the binary check step comprises a WRPKRU check sub-step;
WRPKRU checking sub-step: the binary check method before program running guarantees that, except for the WRPKRU at the code that initializes the value of the PKRU register of a thread, neither the WRPKRU instruction nor its instruction encoding can appear in any other part.
7. The internal isolation method for SGX security applications according to claim 5, characterized in that said binary check step comprises a ROP check sub-step and/or an RTM bypass check sub-step;
ROP checking sub-step: ensuring that no program control flow change instruction exists between Xend and Xbegin by using a binary check method before program operation;
RTM bypass checking sub-step: the binary check method before program operation guarantees that the binary code between Xbegin and Xend cannot spell out the two instructions Xbegin and Xend.
8. An internal isolation method facing SGX security applications, characterized in that an internal isolation system facing SGX security applications is utilized; the internal isolation system facing SGX security applications realizes a set system library and comprises one or more enclaves;
the enclave comprises one or more threads; each thread in the enclave has a PKRU register, and the values of the PKRU registers of the threads in the enclave differ from each other, so that each thread in the enclave can have a private address space region that can only be accessed by that thread;
the operating system running the enclave is recorded as an untrusted operating system;
the internal isolation method facing SGX security applications comprises a security isolation step;
security isolation step: an inter-thread security isolation mechanism is realized in the enclave through MPK (Memory Protection Keys) technology, namely, the memory of the enclave is divided into different memory page groups by utilizing the MPK technology, and the access rights of different threads in the enclave to the related memory page groups are made different by setting the PKRU (protection key rights) register, so that inter-thread security isolation is realized;
the internal isolation method facing SGX security applications further comprises a page table entry confirmation step;
page table entry confirmation: waiting for the untrusted operating system to set page table entries for the enclave program, and exposing the content of the corresponding page table entries to the enclave program, wherein the enclave program confirms that the corresponding page table entries are correctly set;
the page table entry confirmation step comprises an access bit verification step and/or a dirty bit verification step;
access bit verification step: an access bit in the page table entry indicates whether the memory page referenced by the page table entry is accessed during process execution; the initial value of the access bit is 0; if data in the memory page is accessed during process execution, the access bit is automatically set to 1 by hardware, otherwise it keeps its initial value;
dirty bit verification step: a dirty bit in the page table entry indicates whether the memory page referenced by the page table entry is modified during process execution; the initial value of the dirty bit is 0; if data in the memory page is modified during process execution, the dirty bit is automatically set to 1 by hardware, otherwise it keeps its initial value;
the internal isolation method facing SGX security applications further comprises an SSA structure judgment step;
SSA structure judgment step: during the checking process, whether an interrupt occurred is judged by reading the SSA structure, so that it is known whether the untrusted operating system intervened in the checking process;
the SSA structure judgment step is executed more than once;
the internal isolation method facing SGX security applications further comprises an RTM protection step;
RTM protection step: the application program in the enclave uses RTM to ensure that the page table mapping cannot be modified by a potential attacker, including the untrusted operating system, during execution;
the RTM technology declares the beginning and the end of a transaction through the Xbegin and Xend instructions; between Xbegin and Xend, if the content read or modified by the transaction is modified by another process, this is captured by the hardware and the transaction is terminated; otherwise, execution continues;
the internal isolation method facing SGX security applications further comprises a binary check step;
binary checking: ensuring that the enclave program runs along a set path by using a binary check method before the program runs;
the binary check step comprises a WRPKRU checking sub-step;
WRPKRU checking sub-step: the binary check method before program operation is utilized to ensure that, except for the WRPKRU at the code that initializes the value of the PKRU register of a thread, neither the WRPKRU instruction nor its instruction encoding can appear in any other part;
the binary check step comprises a ROP check sub-step and/or an RTM bypass check sub-step;
ROP checking sub-step: ensuring that no program control flow change instruction exists between Xend and Xbegin by using a binary check method before program operation;
RTM bypass checking sub-step: the binary check method before program operation guarantees that the binary code between Xbegin and Xend cannot spell out the two instructions Xbegin and Xend.
9. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the internal isolation method for SGX-oriented security applications of any of claims 1 to 8.
CN201910765428.8A 2019-08-19 2019-08-19 Internal isolation method for SGX (secure gateway) security application Active CN110532767B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910765428.8A CN110532767B (en) 2019-08-19 2019-08-19 Internal isolation method for SGX (secure gateway) security application


Publications (2)

Publication Number Publication Date
CN110532767A CN110532767A (en) 2019-12-03
CN110532767B true CN110532767B (en) 2021-06-11

Family

ID=68663772


Country Status (1)

Country Link
CN (1) CN110532767B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant