CN112182560A - Efficient isolation method, system and medium for Intel SGX interior - Google Patents

Efficient isolation method, system and medium for Intel SGX interior

Info

Publication number
CN112182560A
Authority
CN
China
Prior art keywords
enclave
memory page
memory
module
sgx
Prior art date
Legal status
Granted
Application number
CN202010982399.3A
Other languages
Chinese (zh)
Other versions
CN112182560B (en)
Inventor
朱伯君
古金宇
夏虞斌
陈海波
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CN202010982399.3A
Publication of CN112182560A
Application granted
Publication of CN112182560B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a method, system and medium for efficient isolation inside an Intel SGX enclave, comprising the following steps: step S1, dividing the memory area inside the Enclave into one trusted area and several untrusted areas and isolating the trusted area efficiently by means of Intel MPK, where the Enclave resource management module runs in the trusted area; and step S2, extending the Enclave secure launch mechanism of SGX so that, during secure launch, the memory page group to which each memory page belongs enters the computation of the Enclave security verification code. The invention resolves the incompatibility between the threat models of MPK and SGX and, using the hardware features of MPK, achieves lightweight, efficient isolation between a user application and the other modules it depends on within the same Enclave.

Description

Efficient isolation method, system and medium for Intel SGX interior
Technical Field
The invention relates to computer technology and information security, in particular to a method, system and medium for efficient isolation inside an Intel SGX enclave.
Background
Abbreviations and key term definitions:
- SGX: Software Guard Extensions, Intel's hardware enclave technology
- MPK: Memory Protection Keys, Intel's lightweight intra-process memory protection
- TCB: Trusted Computing Base
- EPC: Enclave Page Cache, the protected memory pages that back an enclave
The Trusted Computing Base (TCB) of a program is the set of all components, hardware, firmware and software modules included, on whose correctness the program's security depends. A developer must make sure the TCB is free of defects, since a flaw anywhere in it threatens the security of the whole program; a bug, or even malicious behaviour, in a module outside the TCB does not substantially affect the program's security. As cloud computing and big-data technologies mature, users increasingly process large volumes of data on the computing power of cloud platforms. A program running in the cloud relies on a large amount of software and hardware for support and services: hardware such as processors, memory and I/O devices; highly privileged modules such as the hypervisor and the operating system; and other service applications running at the same privilege level. The Linux kernel alone has tens of millions of lines of code, and it is hard to guarantee that all of it is correct. If an attacker exploits a vulnerability in any of this software or hardware, the security of the user program is seriously threatened.
To address the problem of an oversized TCB for user programs, research and industry have proposed several solutions, one of which is Intel SGX. With SGX, a user-mode application needs to trust only its own code and the CPU, which greatly reduces the TCB. The application can own a private, protected execution space called an Enclave, with its own private memory region; the physical pages backing that region belong to the EPC. Data on EPC pages can be accessed only by code running inside the Enclave, and accesses from code outside the Enclave are rejected by the hardware. The data is stored in encrypted form in memory and is decrypted into plaintext only when it is loaded into the CPU cache on behalf of the Enclave's own code.
As noted above, cloud user programs usually run in multitask mode, that is, they are composed of several cooperating modules or depend on long-lived background services. For example, a web server typically pulls in the OpenSSL library to support HTTPS and TLS, and database software often needs a key-value store, a login manager, a logging daemon and other service programs working together. These service programs are usually not written by the application developers, contain a great deal of code, and are hard for the application developers to fully vouch for. Moreover, since SGX development is a new programming model, running native applications requires adaptation through many supporting libraries, such as a LibOS, which adds yet more code.
To keep the TCB small, the user program must be isolated further from these other modules. One approach is to run the modules and the user program in several different enclaves. Because communication between enclaves has to pass through shared memory in the untrusted region, messages must be encrypted and decrypted on every exchange, and control flow has to enter and leave the Enclave frequently, which imposes a large performance overhead.
Alternatively, the user program and the other modules can be placed in the same Enclave and isolated with Intel MPK. MPK is a lightweight memory isolation technique that partitions the memory pages of a process into memory page groups by tagging each page with a protection key. At run time, the program's access rights to each page group are given by the value of the PKRU register. To change the current context's access rights to the page groups, the program only has to execute the WRPKRU instruction to rewrite PKRU; no expensive page-table modification is required. When control flow switches between modules, therefore, only the PKRU value needs to change to give each module its own access rights to the memory pages, which yields an efficient, lightweight isolation mechanism inside the Enclave.
However, the usage scenarios and threat models of MPK and SGX conflict. MPK relies on the operating system to set up the page-table entries of a user process correctly, including the protection key of each page, so the operating system must be trusted; the SGX threat model, by contrast, does not trust the operating system. The key problem is therefore to make sure that the page-table entries of the memory pages inside the user program's Enclave are set correctly without trusting the operating system.
Given the above drawbacks of the prior art, the following technical problems need to be solved:
1. How can the Enclave verify, before it starts running, that the operating system assigned the correct memory page group to every memory page?
2. How can the memory page group information inside the Enclave be kept from being modified at run time?
3. How can an untrusted module inside the Enclave be prevented from executing WRPKRU at will to modify the PKRU register at run time?
4. How can the correct memory page group be set for each new memory page when the operating system allocates memory for the Enclave at run time?
Several solutions to isolating the modules of an SGX user application running in multitask mode have been proposed by research and industry. Ryoan and Graphene provide code-base support in software that eases development and deployment of SGX applications in multitask mode, but they do not optimize the excessive performance overhead of inter-module communication. Occlum places the modules of a multitask application in the same Enclave and isolates them using the hardware features of Intel MPX; compared with the method of this invention, Occlum requires MPX bounds checks on memory accesses and control-flow transfers, whose performance cost is excessive. Nested Enclave introduces the concept of hierarchical enclaves and supports finer-grained division of privilege domains inside an enclave on the basis of hardware changes; compared with the method of this invention, the hardware changes Nested Enclave requires are excessive, whereas the hardware change proposed here matches the design of current CPUs closely and is more feasible.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a method, system and medium for efficient isolation inside an Intel SGX enclave.
According to the invention, the method for efficient isolation inside Intel SGX comprises the following steps:
step S1, dividing the memory area inside the Enclave into one trusted area and several untrusted areas, and isolating the trusted area efficiently by means of Intel MPK, where the Enclave resource management module runs in the trusted area;
step S2, extending the Enclave secure launch mechanism of SGX so that, during secure launch, the memory page group to which each memory page belongs enters the computation of the Enclave security verification code (the measurement);
step S3, extending the Enclave security verification mechanism of SGX so that the memory page group of each Enclave memory page is checked during SGX local and remote attestation;
step S4, extending the EPC protection mechanism that operates while SGX runs, by adding the memory page group of each Enclave memory page to the SGX reverse mapping table so that an untrusted operating system cannot modify the memory page group of an Enclave memory page while the Enclave runs;
step S5, switching privilege domains through a privilege domain switching function, which includes secure saving of register state, caller identity verification, and a mechanism ensuring its security checks cannot be bypassed;
step S6, allowing the Enclave resource management module to allocate memory for untrusted modules safely and dynamically, through a mechanism for dynamic allocation of memory inside the Enclave;
and step S7, ensuring by binary scanning that the ENCLU and WRPKRU instructions appear only in the Enclave resource management module, so that untrusted modules cannot switch privilege domains at will or allocate dynamic memory illegally.
Preferably, in step S2:
SGX computes the security verification code cryptographically from the virtual address each EPC page is mapped at, the page's permissions and the page contents, and stores the result in a dedicated area;
a subsequent verification can then use the security verification code to judge whether the SGX driver loaded the user's code and data correctly and set the permissions correctly.
Preferably, in step S4:
each physical page of the Enclave corresponds to one reverse mapping entry in the Enclave reverse mapping structure;
the reverse mapping entry records the page's permissions and the virtual address it is mapped at;
when the CPU translates a virtual address to a physical address, it uses this structure to judge whether the page-table mapping the operating system set up for the Enclave is legitimate;
the memory page group information is added to the reverse mapping structure so that the operating system cannot modify the memory page group at will.
Preferably, the privilege domain switching function of step S5 ensures that a module can switch privilege domains only by calling the designated switching function, and thereby communicates only with the intended module.
Preferably, the privilege domain switching function runs as follows:
the privilege domain switching function is called;
the function loads an exit key into a designated register; the key is supplied as an immediate operand in the function's code, so an untrusted module cannot obtain its value;
the function judges from the current PKRU value whether the caller's identity is legitimate, and terminates the current execution if it is not;
the function executes WRPKRU to modify the current PKRU value; this step performs the actual domain switch;
the function compares the designated register with the exit key to check that the preceding steps were executed, which prevents an untrusted module from hijacking control flow to bypass the check and switch domains illegally; if the check fails, the current execution terminates;
the function clears the designated register so the exit key is not leaked to the untrusted module;
control flow switches to the module in the other privilege domain.
Preferably, in step S6, the mechanism for dynamically allocating memory inside the Enclave uses binary scanning, an extension of the SGX secure-memory dynamic allocation instructions, and an ENCLU barrier function, so that the MPK memory page group of each page is set correctly during dynamic allocation.
Preferably, the mechanism for dynamically allocating memory inside the Enclave comprises:
first, the untrusted module calls the privilege domain switching function to request a memory page from the Enclave resource management module;
on receiving the request, the resource management module forwards it to the SGX driver;
the SGX driver executes ENCLS[EAUG] to add a memory page to the EPC and returns it to the Enclave resource management module; at this point the page is in the pending (to-be-accepted) state;
the Enclave resource management module must ensure that the page's permissions are not writable and executable at the same time; otherwise it raises an exception and the program terminates; the page is then initialized in one of two ways depending on whether it is executable;
if the page is not executable, the Enclave resource management module executes ENCLU[EACCEPT] to initialize it;
if the page is executable, the untrusted module requesting it usually intends to load code into the Enclave dynamically and then jump to it. To guarantee that no ENCLU or WRPKRU instruction appears in that memory, the Enclave resource management module first prepares a page with identical content inside its own privilege domain, then binary-scans that page to make sure its content contains no byte sequence encoding ENCLU or WRPKRU;
it then executes ENCLU[EACCEPTCOPY], which copies the content into the target page;
finally, it calls the privilege domain switching function to return the memory page to the untrusted module;
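The allocation policy in the steps above (the detailed description restates it with Fig. 5), written out as an added Python model; this is not code from the patent. The SGX driver, EAUG and EACCEPT/EACCEPTCOPY are simulated with a page-state table, so nothing touches a real EPC. The byte patterns are the real x86 encodings of ENCLU (0F 01 D7) and WRPKRU (0F 01 EF); the three code samples at the bottom are constructed. The scan works on raw bytes at every offset rather than on disassembled instructions, because an attacker can jump into the middle of a longer instruction, for instance into a 32-bit immediate, whose bytes happen to spell WRPKRU.

```python
# Model of the Enclave resource manager's side of dynamic EPC allocation:
# W^X is enforced on the pending page, executable content is staged and
# binary-scanned for ENCLU/WRPKRU, and only then accepted. Hardware is simulated.

PAGE_SIZE = 4096
PERM_R, PERM_W, PERM_X = 1, 2, 4

# Encodings of the two instructions that may exist only in the trusted area.
FORBIDDEN = {b"\x0f\x01\xd7": "ENCLU", b"\x0f\x01\xef": "WRPKRU"}

class AllocationRefused(Exception):
    """Where the design says the manager raises an exception and execution stops."""

def scan_for_forbidden(code: bytes):
    """Sorted (offset, mnemonic) hits at every byte offset, not only at
    instruction boundaries: jumping into the middle of an instruction is legal
    for an attacker, so the check has to be conservative."""
    hits = []
    for pattern, name in FORBIDDEN.items():
        pos = code.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = code.find(pattern, pos + 1)
    return sorted(hits)

class EpcModel:
    """Pending/valid page states as set by EAUG and EACCEPT/EACCEPTCOPY."""
    def __init__(self):
        self.pages = {}            # va -> {"state", "perms", "pkey", "data"}

    def encls_eaug(self, va, perms):             # driver side: add a pending page
        self.pages[va] = {"state": "PENDING", "perms": perms,
                          "pkey": None, "data": bytes(PAGE_SIZE)}

    def enclu_eaccept(self, va, pkey):           # manager side: zero-filled page
        page = self.pages[va]
        assert page["state"] == "PENDING"
        page.update(state="VALID", pkey=pkey)

    def enclu_eacceptcopy(self, va, pkey, src):  # manager side: content copied in
        page = self.pages[va]
        assert page["state"] == "PENDING"
        page.update(state="VALID", pkey=pkey, data=src)

def allocate_for_untrusted(epc, va, perms, pkey, content=b""):
    """Resource-manager policy for a page requested by an untrusted module."""
    if perms & PERM_W and perms & PERM_X:
        raise AllocationRefused("writable+executable page refused")
    epc.encls_eaug(va, perms)                     # request forwarded to the driver
    if not perms & PERM_X:
        epc.enclu_eaccept(va, pkey)               # data page: accept as-is
        return epc.pages[va]
    staged = content[:PAGE_SIZE].ljust(PAGE_SIZE, b"\0")   # copy in manager's domain
    hits = scan_for_forbidden(staged)
    if hits:
        raise AllocationRefused(f"forbidden instruction(s) at {hits}")
    epc.enclu_eacceptcopy(va, pkey, staged)       # only clean code reaches the page
    return epc.pages[va]

def try_allocate(epc, va, perms, pkey, content=b"") -> str:
    """Return the resulting page state, or a 'refused: ...' string."""
    try:
        return allocate_for_untrusted(epc, va, perms, pkey, content)["state"]
    except AllocationRefused as e:
        return f"refused: {e}"

# Constructed x86-64 samples: a harmless function, a WRPKRU gadget, and a MOV
# whose 32-bit immediate happens to contain the WRPKRU bytes at offset 1.
BENIGN = b"\x48\x31\xc0\xc3"                       # xor rax,rax ; ret
GADGET = b"\x31\xc9\x31\xd2\x0f\x01\xef\xc3"       # xor ecx,ecx ; xor edx,edx ; wrpkru ; ret
HIDDEN = b"\xb8\x0f\x01\xef\x00\xc3"               # mov eax,0x00ef010f ; ret

if __name__ == "__main__":
    epc = EpcModel()
    print(try_allocate(epc, 0x20000, PERM_R | PERM_W | PERM_X, 2))      # refused (W+X)
    print(try_allocate(epc, 0x21000, PERM_R | PERM_W, 2))               # VALID
    print(try_allocate(epc, 0x22000, PERM_R | PERM_X, 2, BENIGN))       # VALID
    print(try_allocate(epc, 0x23000, PERM_R | PERM_X, 2, GADGET))       # refused
    print(try_allocate(epc, 0x24000, PERM_R | PERM_X, 2, HIDDEN))       # refused
```

In the model a refused executable page is simply left pending; the design as stated terminates the program at that point, and a real manager would otherwise have to hand the page back to the driver. Note also that the W+X refusal happens before the driver is asked for a page, so an attacker cannot use the request path to make the operating system add anything.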
Preferably, the ENCLU barrier function uses the exit key to guarantee that its checks cannot be bypassed, and determines the caller's identity from the current PKRU value;
the ENCLU barrier function is called as follows:
the resource management module calls the ENCLU barrier function and control flow switches to it;
the barrier function loads an exit key into a designated register; the key is supplied as an immediate operand, and the corresponding code is stored in a memory area the untrusted module cannot access;
the barrier function judges the caller's identity from the current PKRU value; if the caller is an untrusted module it reports an error and terminates execution; otherwise it proceeds to the next step;
the barrier function executes the ENCLU instruction;
the barrier function checks that the designated register equals the exit key, which ensures the preceding steps cannot be bypassed by control-flow hijacking; if the check fails it reports an error and terminates execution; otherwise it proceeds;
the barrier function clears the designated register so the exit key does not leak;
when the barrier function finishes, control flow switches back to the resource management module.
According to the invention, the system for efficient isolation inside Intel SGX comprises:
module S1, which divides the memory area inside the Enclave into one trusted area and several untrusted areas and isolates the trusted area efficiently by means of Intel MPK, the Enclave resource management module running in the trusted area;
module S2, which extends the Enclave secure launch mechanism of SGX so that, during secure launch, the memory page group to which each memory page belongs enters the computation of the Enclave security verification code;
module S3, which extends the Enclave security verification mechanism of SGX so that the memory page group of each Enclave memory page is checked during SGX local and remote attestation;
module S4, which extends the EPC protection mechanism that operates while SGX runs, adding the memory page group of each Enclave memory page to the SGX reverse mapping table so that an untrusted operating system cannot modify it while the Enclave runs;
module S5, which switches privilege domains through a privilege domain switching function comprising secure saving of register state, caller identity verification, and a mechanism ensuring its security checks cannot be bypassed;
module S6, through which the Enclave resource management module allocates memory for untrusted modules safely and dynamically, using the mechanism for dynamic allocation of memory inside the Enclave;
module S7, which ensures by binary scanning that the ENCLU and WRPKRU instructions appear only in the Enclave resource management module, so that untrusted modules cannot switch privilege domains at will or allocate dynamic memory illegally.
According to the present invention, there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above methods for efficient isolation inside Intel SGX.
Compared with the prior art, the invention has the following beneficial effects:
Targeting the fact that SGX user applications today generally run in multitask mode, the invention resolves the incompatibility between the MPK and SGX threat models at the cost of a small hardware modification, so that the hardware features of MPK can be used for lightweight, efficient isolation between a user application and the other modules it depends on within the same Enclave. Compared with the traditional way of isolating SGX user applications in multitask mode, the method greatly improves the efficiency of communication between modules.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a schematic diagram of the extended secure launch mechanism provided by the present invention.
Fig. 2 is a schematic diagram of the Enclave reverse mapping structure provided by the present invention.
Fig. 3 is a schematic diagram of the interior of an Enclave divided into multiple untrusted execution domains and the trusted Enclave resource management domain according to the present invention.
Fig. 4 is a schematic flow chart of the privilege domain switching function provided by the present invention.
Fig. 5 is a schematic diagram of the process by which the Enclave resource management module allocates memory pages according to the present invention.
Fig. 6 is a schematic diagram of the process of calling the ENCLU barrier function according to the present invention.
Detailed Description
The present invention is described in detail below with reference to specific examples. The examples help those skilled in the art understand the invention further but are not intended to limit it in any way. Various changes and modifications that would be obvious to those skilled in the art can be made without departing from the spirit of the invention, and all of them fall within its scope.
The present invention will be described more specifically with reference to examples.
Example 1:
The invention comprises the following technical points:
1. The memory area inside the Enclave is divided into one trusted area and several untrusted areas, referred to here as privilege domains. The trusted area runs the module that manages Enclave resources; the mutually untrusting areas run the user's applications and the service modules they depend on. Isolation between the areas is realized with MPK;
2. The Enclave secure launch mechanism is extended so that the memory page group of every memory page in the Enclave enters the computation of the Enclave security verification code;
3. The Enclave secure page-table mapping mechanism is extended by adding each page's memory page group to the reverse mapping structure the CPU maintains for the Enclave, so that modules running at a higher privilege level, such as the operating system, cannot modify the Enclave's memory page groups at will;
4. A privilege domain switching function is designed so that PKRU is modified only at designated code, and resources such as Enclave memory pages are managed only by the trusted resource management module;
5. A mechanism is proposed that uses a binary check before the program runs to ensure that the ENCLU instruction appears only in the module running in the trusted area.
6. An MPK-based mechanism for dynamically allocating memory inside the Enclave is proposed, using binary scanning, an extension of the SGX secure-memory dynamic allocation instructions, and the ENCLU barrier function, so that each page's MPK memory page group is set correctly during dynamic allocation.
The technical points above are explained in more detail below:
the Enclave program needs to rely on the driver of the SGX to call ENCLS [ EADD ] and ENCLS [ EEXTEND ] instructions to add a new memory page to the EPC at startup. As shown in fig. one, in this process, the SGX calculates a corresponding security verification code by using a cryptographic method according to information such as mapping of a physical address to a virtual address of the EPC, authority of the EPC, and contents of a memory page, and then stores the security verification code in a specific area. And subsequent verification operation can judge whether the SGX driver correctly loads related codes and data for the user or not according to the security verification code, and correctly sets the authority. The gray part in fig. 1 is an extension of the secure boot mechanism in the present invention, and in the above process, the memory page group information of the EPC is added to the calculation and generation of the secure verification code, so as to ensure that the user can determine whether the operating system and the SGX driver set a correct memory page group for the EPC before the Enclave starts to run.
To prevent modules with higher privilege, such as the operating system, from attacking the Enclave by arbitrarily modifying the virtual-to-physical mapping or the permissions of Enclave memory pages while the program runs, SGX maintains a reverse mapping structure (the EPCM) for the Enclave. As shown in Fig. 2, every physical page of the Enclave corresponds to one reverse mapping entry, which records information such as the page's permissions and the virtual address it is mapped at. When the CPU translates a virtual address to a physical address, it uses this structure to judge whether the page-table mapping the operating system set up for the Enclave is legitimate. The invention adds the memory page group information, the grey part of the figure, to the reverse mapping structure, so that the operating system cannot modify the memory page group at will.
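The reverse-mapping check with the memory page group added, covering step S4 and the paragraph above, as an added Python model (not the patent's or Intel's code). It models one EPCM entry per EPC page, the operating-system-controlled page-table entry, the PKRU bit layout (two bits per key: access-disable at bit 2k, write-disable at bit 2k+1), and a translation routine that faults when the PTE's key disagrees with the EPCM's. Addresses, the enclave id and the group numbers are constructed. It plays out the attack the paragraph guards against: the operating system leaves the mapping and permissions alone but relabels the resource manager's page with the untrusted module's group, which in stock SGX lets that module's PKRU pass.

```python
from dataclasses import dataclass

# Model of the reverse mapping structure (EPCM) with the memory page group added,
# and of the check the CPU performs on every translation into an EPC page.
# Hardware is simulated; the untrusted OS is the party editing the page tables.

PERM_R, PERM_W, PERM_X = 1, 2, 4
PAGE_MASK = ~0xFFF

class AccessFault(Exception):
    """Stands for the page fault the CPU raises when a check fails."""

@dataclass
class EpcmEntry:               # one entry per EPC physical page
    enclave_id: int
    linear_addr: int           # virtual address the page was added at
    perms: int
    pkey: int                  # added field: memory page group of this page

@dataclass
class Pte:                     # what the OS puts in the page table
    phys: int
    perms: int
    pkey: int                  # protection key bits in the PTE, OS-controlled

def pkru_allows(pkru: int, pkey: int, write: bool) -> bool:
    """PKRU: bit 2k = access-disable (AD), bit 2k+1 = write-disable (WD)."""
    ad = (pkru >> (2 * pkey)) & 1
    wd = (pkru >> (2 * pkey + 1)) & 1
    return not ad and not (write and wd)

def translate(va, write, *, enclave_id, pkru, page_table, epcm, check_pkey):
    """Physical address if the access is allowed, else AccessFault.
    check_pkey=False is stock SGX; True is the extension of step S4."""
    pte = page_table.get(va & PAGE_MASK)
    if pte is None:
        raise AccessFault("not mapped")
    entry = epcm.get(pte.phys)
    if entry is None or entry.enclave_id != enclave_id:
        raise AccessFault("EPC page does not belong to this enclave")
    if entry.linear_addr != (va & PAGE_MASK):
        raise AccessFault("OS remapped the page to another virtual address")
    if write and not (entry.perms & PERM_W):
        raise AccessFault("EPCM permissions deny write")
    if check_pkey and pte.pkey != entry.pkey:
        raise AccessFault("OS changed the page's memory page group")
    if not pkru_allows(pkru, pte.pkey, write):   # the hardware uses the PTE's key
        raise AccessFault("PKRU denies access for this page group")
    return pte.phys | (va & 0xFFF)

# Constructed scenario: the manager's secret page is in group 1 at VA 0x10000;
# the untrusted module runs with PKRU that disables group 1 and allows the rest.
PKEY_MANAGER, PKEY_APP = 1, 2
SECRET_VA, SECRET_PA = 0x10000, 0x8000_0000
ENCLAVE = 7
EPCM = {SECRET_PA: EpcmEntry(ENCLAVE, SECRET_VA, PERM_R | PERM_W, PKEY_MANAGER)}
PKRU_APP = 0b11 << (2 * PKEY_MANAGER)     # AD|WD for group 1

def app_reads_secret(pte_pkey: int, check_pkey: bool) -> bool:
    """True if the untrusted module's read of the manager's page goes through."""
    page_table = {SECRET_VA: Pte(SECRET_PA, PERM_R | PERM_W, pte_pkey)}
    try:
        translate(SECRET_VA + 0x40, False, enclave_id=ENCLAVE, pkru=PKRU_APP,
                  page_table=page_table, epcm=EPCM, check_pkey=check_pkey)
        return True
    except AccessFault:
        return False

if __name__ == "__main__":
    print("honest PTE, extended:", app_reads_secret(PKEY_MANAGER, True))      # False
    print("OS relabels to group 2, stock SGX:", app_reads_secret(PKEY_APP, False))  # True
    print("OS relabels to group 2, extended:", app_reads_secret(PKEY_APP, True))    # False
```

The order of checks mirrors the design's intent: the EPCM, which the operating system cannot write, is consulted before PKRU, which is driven by a key the operating system chose. Without the added field PKRU is evaluated against an attacker-chosen key, so the untrusted module's own permissive setting suffices.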
When control flow enters or leaves mutually untrusting modules, WRPKRU has to be executed to modify the PKRU register. To make this process correct, the invention designs a privilege domain switching function for switching between the different modules inside the Enclave. As shown in Fig. 3, the interior of the Enclave is divided into several untrusted execution domains and the trusted Enclave resource management module. The memory area a module may access, together with the code area it may execute, forms its privilege domain. The privilege domain switching function ensures that a module can switch privilege domains only by calling the designated switching function, and thereby communicates only with the intended module.
As shown in Fig. 4, the privilege domain switching function operates as follows:
1. the privilege domain switching function is called;
2. the function loads an exit key into a designated register; the key is supplied as an immediate operand in the function's code, so an untrusted module cannot obtain its value;
3. the function judges from the current PKRU value whether the caller's identity is legitimate, and terminates the current execution if it is not;
4. the function executes WRPKRU to modify the current PKRU value; this step performs the actual domain switch;
5. the function compares the designated register with the exit key to check that the preceding steps were executed, which prevents an untrusted module from hijacking control flow to bypass the check and switch domains illegally; if the check fails, the current execution terminates;
6. the function clears the designated register so the exit key is not leaked to the untrusted module;
7. control flow switches to the module in the other privilege domain.
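The gate in the seven steps above, and the ENCLU barrier function of Fig. 6 that follows the same pattern with ENCLU in place of WRPKRU, modelled in Python as an added example; this is not code from the patent. The CPU state is simulated, and EXIT_KEY, the register name r11 and the group numbers are assumptions. Two facts about MPK make the design work and are worth keeping in mind. First, PKRU governs data accesses only and instruction fetch ignores it, so the gate's code pages can carry the manager's group, unreadable to the untrusted domain, while still being callable from it; that is what keeps the immediate secret. Second, the exit-key comparison sits after WRPKRU or ENCLU, so what the gate guarantees is that a hijacked entry never continues executing, which is only sufficient because the scan of step S7 leaves no other WRPKRU or ENCLU in untrusted code.

```python
# Model of the privilege-domain gate (Figs. 4 and 6): a secret exit key loaded
# as an immediate, a caller-identity check on PKRU, the privileged instruction
# (WRPKRU or ENCLU), then a check that the gate was entered at the top.
# Nothing here touches real MPK/SGX hardware; the CPU state is simulated.

EXIT_KEY = 0x5A3C96E1        # immediate in trusted code (assumed value)
PKEY_MANAGER = 1             # page group of the Enclave resource manager
PKEY_APP = 2                 # page group of one untrusted module

class Terminated(Exception):
    """Raised where the design says 'terminate the current execution'."""

class Cpu:
    def __init__(self, pkru):
        self.pkru = pkru      # simulated PKRU register
        self.r11 = 0          # the designated register carrying the exit key
        self.enclu_log = []   # ENCLU leaves executed (model of the instruction)

def pkru_for(*enabled_keys):
    """PKRU with AD|WD (bits 2k, 2k+1) set for every key not in enabled_keys."""
    v = 0
    for k in range(16):
        if k not in enabled_keys:
            v |= 0b11 << (2 * k)
    return v

PKRU_MANAGER = pkru_for(0, PKEY_MANAGER, PKEY_APP)  # manager may touch every group
PKRU_APP = pkru_for(0, PKEY_APP)                    # untrusted module: own group only

def _check(cond, msg):
    if not cond:
        raise Terminated(msg)

def gate(cpu, expected_caller_pkru, privileged_op, entry=0):
    """Run the gate from step `entry`. A legitimate call uses entry=0; a
    control-flow hijack that lands directly on the privileged instruction
    uses entry=2 (steps are indexed from 0)."""
    steps = [
        lambda: setattr(cpu, "r11", EXIT_KEY),             # key from an immediate
        lambda: _check(cpu.pkru == expected_caller_pkru,    # caller identity
                       "caller's PKRU does not match this gate"),
        lambda: privileged_op(cpu),                         # WRPKRU or ENCLU
        lambda: _check(cpu.r11 == EXIT_KEY,                 # earlier steps not skipped
                       "gate entered mid-way: control-flow hijack"),
        lambda: setattr(cpu, "r11", 0),                     # do not leak the key
    ]
    for step in steps[entry:]:
        step()
    return cpu.pkru

def switch_app_to_manager(cpu, entry=0):
    """Fig. 4: only the untrusted module may call; WRPKRU grants the manager's PKRU."""
    return gate(cpu, PKRU_APP, lambda c: setattr(c, "pkru", PKRU_MANAGER), entry)

def enclu_barrier(cpu, leaf, entry=0):
    """Fig. 6: only the manager may call; the ENCLU leaf is recorded in the log."""
    return gate(cpu, PKRU_MANAGER, lambda c: c.enclu_log.append(leaf), entry)

def attempt(fn, cpu, **kw):
    """'ok' or 'terminated', so outcomes are easy to compare."""
    try:
        fn(cpu, **kw)
        return "ok"
    except Terminated:
        return "terminated"

if __name__ == "__main__":
    cpu = Cpu(PKRU_APP)                                   # legitimate switch
    print(attempt(switch_app_to_manager, cpu), hex(cpu.pkru), cpu.r11)
    cpu = Cpu(PKRU_APP); cpu.r11 = 0xDEAD                 # hijack: jump to WRPKRU
    print(attempt(switch_app_to_manager, cpu, entry=2))
    print(attempt(enclu_barrier, Cpu(PKRU_APP), leaf="EACCEPT"))  # untrusted caller
```

The entry parameter stands for where a hijacked jump lands; in real code the attacker would jump to the address of the WRPKRU inside the gate with whatever happens to be in the register. The model also shows why the final clearing step matters: without it the key would still be in a register when control reaches the untrusted module, and the next hijack would pass the comparison.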
Because SGX supports dynamic allocation of EPC pages after launch, the invention also supports a secure dynamic EPC allocation process. The native process is as follows: the SGX driver allocates a memory page for the program inside the Enclave and executes ENCLS[EAUG] to add it to the EPC; the program inside the Enclave must then execute ENCLU[EACCEPT] or ENCLU[EACCEPTCOPY] to accept the page. If this process were not redesigned, an untrusted module inside the Enclave could collude with the untrusted operating system to add a page with readable, writable and executable permissions inside the Enclave. The untrusted module could then write code containing a WRPKRU instruction into that page, jump to it and execute it, switch privilege domains at will, and access sensitive private data in other privilege domains.
To defend against this attack, the invention uses binary scanning to keep the ENCLU instruction from appearing outside the trusted area. At the same time, the Enclave resource management function in the trusted area refuses to dynamically add pages that are both writable and executable for the other, untrusted areas. If an executable page must be added, binary scanning is used first to make sure no ENCLU instruction exists in that page.
As shown in Fig. 5, the process by which the Enclave resource management module allocates a memory page is as follows:
1. first, the untrusted module calls the authority domain switching function to request that the Enclave resource management module allocate a memory page;
2. after receiving the request, the resource management module forwards it to the SGX driver module;
3. the SGX driver module receives the request, calls the ENCLS[EAUG] instruction to add the memory page to the EPC, and returns the memory page to the Enclave resource management module; at this moment the state of the memory page is "to be accepted";
4. the Enclave resource management module must ensure that the permissions of the memory page are not writable and executable at the same time; otherwise the resource management module triggers an exception and the program terminates execution. The memory page is then initialized in different ways depending on whether its permission is executable or not;
5. if the memory permission is not executable, the Enclave resource management module calls the ENCLU[EACCEPT] instruction to initialize the memory page;
6. if the memory permission is executable, the untrusted module requesting the memory page usually needs to dynamically load code into the Enclave and then jump to it for execution. To ensure that ENCLU and WRPKRU instructions do not appear in this memory, the Enclave resource management module first prepares a memory page with the same content inside its own authority domain, and then performs binary scanning on that page to ensure that its content does not contain the binary encodings of ENCLU or WRPKRU;
7. it then calls the ENCLU[EACCEPTCOPY] instruction, which copies the content of this memory page to the target memory page;
8. finally, it calls the authority domain switching function to return the memory page to the untrusted module.
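The accept decision of steps 4 to 7 above, together with the binary scan described before the procedure, as an added C example that is not the patent's own code: it refuses pages that are writable and executable at once, scans a private copy at every byte offset for the ENCLU (0F 01 D7) and WRPKRU (0F 01 EF) encodings, and reports which ENCLU leaf the real checkpoint function would then issue. The permission bit names, the result enum and the sample page contents are this example's own constructions, and the actual ENCLU[EACCEPT]/ENCLU[EACCEPTCOPY] calls are not issued.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Page permissions as the Enclave resource management module sees them
   (names are this example's own, not the patent's). */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* Decision for a freshly EAUG'd page, mirroring steps 4-7 of the procedure. */
typedef enum {
    ACCEPT_EACCEPT,           /* non-executable: accept the target page in place      */
    ACCEPT_EACCEPTCOPY,       /* executable: scanned copy is accepted via EACCEPTCOPY */
    REJECT_WRITABLE_AND_EXEC, /* W and X at once: exception, execution terminates     */
    REJECT_FORBIDDEN_OPCODE,  /* scan found an ENCLU or WRPKRU encoding               */
    REJECT_TOO_LARGE          /* content does not fit a single page                   */
} accept_result;

/* Encodings from the Intel SDM: ENCLU = 0F 01 D7, WRPKRU = 0F 01 EF. */
static const uint8_t FORBIDDEN[][3] = {
    {0x0F, 0x01, 0xD7}, /* ENCLU  */
    {0x0F, 0x01, 0xEF}, /* WRPKRU */
};

/* Staging page owned by the resource management module's own authority
   domain. The untrusted module cannot write here, so the bytes that are
   scanned are exactly the bytes that EACCEPTCOPY would copy: no
   time-of-check/time-of-use window on the requester's source buffer. */
static uint8_t g_staging[PAGE_SIZE];

/* Scan every byte offset, not only the instruction boundaries a
   disassembler would report: x86 instructions are variable-length, and a
   jump into the middle of a longer instruction (e.g. into an immediate)
   executes whatever bytes sit there. Returns the first hit offset or -1. */
long scan_forbidden(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 3 <= len; i++)
        for (size_t k = 0; k < sizeof FORBIDDEN / sizeof FORBIDDEN[0]; k++)
            if (memcmp(buf + i, FORBIDDEN[k], 3) == 0)
                return (long)i;
    return -1;
}

/* Steps 4-7: refuse W+X, EACCEPT non-executable pages directly, and for
   executable pages stage + scan before EACCEPTCOPY. A data page accepted
   R+W may hold any bytes: turning it executable later would itself need
   ENCLU[EMODPE], which the scan confines to the management module. */
accept_result decide_accept(const uint8_t *content, size_t len, unsigned perm)
{
    if (len > PAGE_SIZE)
        return REJECT_TOO_LARGE;
    if ((perm & PERM_W) && (perm & PERM_X))
        return REJECT_WRITABLE_AND_EXEC;
    if (!(perm & PERM_X))
        return ACCEPT_EACCEPT;
    memcpy(g_staging, content, len);
    memset(g_staging + len, 0, PAGE_SIZE - len); /* pad; 0x00 never completes 0F 01 xx */
    if (scan_forbidden(g_staging, PAGE_SIZE) >= 0)
        return REJECT_FORBIDDEN_OPCODE;
    return ACCEPT_EACCEPTCOPY;
}

/* Constructed sample page contents (not taken from the patent). */
/* push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret */
const uint8_t SAMPLE_CLEAN[] = {0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3};
/* mov rax, 0x0000000000EF010F; ret -- the immediate hides a WRPKRU at offset 2 */
const uint8_t SAMPLE_HIDDEN_WRPKRU[] = {0x48, 0xB8, 0x0F, 0x01, 0xEF, 0x00, 0x00,
                                        0x00, 0x00, 0x00, 0xC3};
/* enclu; ret -- an ENCLU at an ordinary instruction boundary */
const uint8_t SAMPLE_ENCLU[] = {0x0F, 0x01, 0xD7, 0xC3};

int main(void)
{
    printf("clean page, R+X  -> %d\n",
           decide_accept(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, PERM_R | PERM_X));
    printf("hidden WRPKRU    -> %d (found at offset %ld)\n",
           decide_accept(SAMPLE_HIDDEN_WRPKRU, sizeof SAMPLE_HIDDEN_WRPKRU, PERM_R | PERM_X),
           scan_forbidden(SAMPLE_HIDDEN_WRPKRU, sizeof SAMPLE_HIDDEN_WRPKRU));
    printf("enclu page, R+X  -> %d\n",
           decide_accept(SAMPLE_ENCLU, sizeof SAMPLE_ENCLU, PERM_R | PERM_X));
    printf("R+W+X request    -> %d\n",
           decide_accept(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN, PERM_R | PERM_W | PERM_X));
    printf("R+W data page    -> %d\n",
           decide_accept(SAMPLE_HIDDEN_WRPKRU, sizeof SAMPLE_HIDDEN_WRPKRU, PERM_R | PERM_W));
    return 0;
}
```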
On the other hand, a potential attacker in the untrusted module may preset the values of the relevant parameters and registers by hijacking the control flow, and then jump directly to an ENCLU instruction for execution. To defend against this attack, the invention designs an ENCLU checkpoint function. Similar to the authority domain switching function, the ENCLU checkpoint function uses the export secret key to ensure that its checking process cannot be bypassed, and at the same time determines the identity of the caller by judging the value of the current PKRU.
As shown in Fig. 6, the procedure for calling the ENCLU checkpoint function is as follows:
1. the resource management module calls the ENCLU checkpoint function, and control flow switches to the checkpoint function;
2. the checkpoint function sets an export secret key in a specific register; the key is written to the register as an immediate value, and the corresponding code is stored in a memory area that the untrusted module cannot access;
3. the checkpoint function judges the identity of the caller according to the current PKRU value; if the caller is an untrusted module, the checkpoint function reports an error and execution is terminated; if the check passes, it proceeds to the next step;
4. the checkpoint function calls the ENCLU instruction;
5. the checkpoint function judges whether the value of the specific register equals the export secret key; this check ensures that the preceding steps cannot be bypassed by control flow hijacking; if the check does not pass, the checkpoint function reports an error and terminates execution; if it passes, the next step is carried out;
6. the checkpoint function clears the value of the specific register to prevent the export secret key from leaking;
7. after the checkpoint function has executed, control flow switches back to the resource management module.
Example 2:
An internal efficient isolation method for Intel SGX comprises the following technical points:
1. partitioning of the Enclave internal memory area. A trusted area and a plurality of untrusted areas are divided out of the memory area inside the Enclave, and the trusted area and the untrusted areas are efficiently isolated using Intel MPK technology; the Enclave resource management module runs in the trusted area;
2. extension of the Enclave secure boot mechanism in SGX. During secure boot, the memory page group information of each memory page is included in the calculation and generation of the Enclave security verification code;
3. extension of the Enclave security verification mechanism in SGX. During SGX local verification and remote verification, the memory page group information to which each Enclave memory page belongs is added to the check;
4. extension of the EPC protection mechanism during SGX operation. The memory page group information to which each Enclave memory page belongs is added to the structure of the SGX reverse mapping table, ensuring that an untrusted operating system cannot arbitrarily modify this information while the Enclave runs;
5. an authority domain switching function. It comprises safe saving of register state, caller identity authentication, and a mechanism that makes the security check impossible to bypass;
6. a mechanism for dynamic allocation of memory inside the Enclave. Using the mechanism provided by this patent, the Enclave resource management module can safely and dynamically allocate memory for an untrusted module;
7. a mechanism for binary scanning. It ensures that ENCLU and WRPKRU instructions can only appear in the Enclave resource management module, so that an untrusted module cannot freely switch authority domains or illegally allocate dynamic memory.
The above seven technical points are the important technical points of the invention across the whole life cycle of an SGX enclave; they cooperate with one another.
The secure program started in an SGX usage scenario is called an enclave; to guarantee the secure start-up and operation of the enclave, corresponding mechanisms provide guarantees during its start-up and operation.
Native SGX technology cannot be combined with MPK technology, because neither hardware nor software makes the corresponding guarantees.
Therefore, this patent provides corresponding technical methods on the basis of the original technology, so that MPK technology and SGX technology can be well combined.
The technical points, in the order of secure start-up and operation of an Enclave program, are as follows:
Technical point 7: first, the application program's file is taken, and binary scanning is performed on the application code to ensure that certain dangerous behaviours cannot exist in the program code;
Technical point 2: the file that has passed the binary scanning check is taken as data and handed to the SGX hardware to start the enclave. To combine SGX technology with MPK technology, this patent proposes adding the MPK configuration information of the start-up process into the calculation and generation of the SGX security verification code.
Technical point 3: native SGX technology has a security verification process (local or remote), which ensures that untrusted applications had no unsafe effect on the enclave during its start-up. In this patent, to combine SGX technology with MPK technology, the security verification mechanism is extended so that a verifier can obtain the MPK memory page configuration information of the enclave.
Technical point 4: after verification, the enclave is started and enters the operating state, and native SGX must ensure that the enclave's memory page mapping information is not arbitrarily modified by other untrusted modules while the computer runs. This is implemented by a reverse mapping table. This patent proposes this technical point to ensure that the MPK memory page information likewise cannot be arbitrarily modified.
Technical points 1, 5 and 6: these describe how authority domain switching and dynamic memory allocation are carried out while an enclave program using MPK technology runs.
Technical point 1 introduces the rule for region division in the enclave application program: a trusted area and a plurality of mutually untrusted areas must be divided, and MPK technology is used to isolate them;
technical point 5 introduces how program control flow can be switched safely and efficiently between the different authority domains mentioned in technical point 1;
technical point 6: native SGX applications support dynamic allocation of secure memory for the enclave program; this point introduces how to combine SGX dynamic secure memory allocation with MPK technology in that process, so that the correctness of the MPK memory page information is ensured during memory allocation.
In the description of the present application, it is to be understood that the terms "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience in describing the present application and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present application.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (10)

1. An internal efficient isolation method for an Intel SGX, comprising:
step S1, dividing the internal memory area of the Enclave into a trusted area and a plurality of untrusted areas, and efficiently isolating the trusted area from the untrusted areas by utilizing Intel MPK technology, wherein the Enclave resource management module runs in the trusted area;
step S2, expanding the Enclave security boot mechanism in SGX, and, during secure boot, incorporating the memory page group information to which each memory page belongs into the calculation and generation of the Enclave security verification code;
step S3, expanding the Enclave security verification mechanism in SGX, and adding the memory page group information to which each Enclave memory page belongs to the check during SGX local verification and remote verification;
step S4, expanding the EPC protection mechanism during SGX operation, adding the information of the memory page group to which each Enclave memory page belongs into the structure of the SGX reverse mapping table, and ensuring that, during Enclave operation, an untrusted operating system cannot modify the information of the memory page group to which the Enclave memory page belongs;
step S5, calling the authority domain switching function, which includes safe saving of register state, caller identity verification and a mechanism by which the security check cannot be bypassed;
step S6, the Enclave resource management module safely and dynamically allocating memory for the untrusted module through the mechanism for dynamic allocation of memory inside the Enclave;
and step S7, ensuring through a binary scanning mechanism that ENCLU and WRPKRU instructions can only appear in the Enclave resource management module, so that the untrusted module cannot freely switch authority domains or illegally allocate dynamic memory.
2. The method for Intel SGX internal efficient isolation according to claim 1, wherein said step S2:
SGX calculates the security verification code, by a cryptographic method, from the mapping between the physical address and the virtual address of each EPC page, the permissions of the EPC page and the content of the memory page, and then stores the security verification code in a specific area;
subsequent verification operations can judge, from the security verification code, whether the SGX driver correctly loaded the relevant code and data for the user and correctly set the permissions.
3. The method for Intel SGX internal efficient isolation according to claim 1, wherein said step S4:
each physical page in the Enclave corresponds to a reverse mapping entry in the Enclave reverse mapping structure;
the reverse mapping entry records the permissions of the page and the corresponding virtual address information;
when the CPU translates a virtual address to a physical address, it can use this structure to judge whether the page table mapping information set for the Enclave by the operating system is legal.
The memory page group information is added to the reverse mapping structure to ensure that the operating system cannot arbitrarily modify the memory page group information.
4. The method for efficient isolation within an Intel SGX of claim 1, wherein the permission domain switching function in step S5 ensures that a module can only switch permission domains by calling a specific permission domain function, thereby communicating with a specific module.
5. The method of claim 4, wherein the procedure for invoking the rights domain switching function is as follows:
the authority domain switching function is called;
the authority domain switching function sets an export secret key in a specific register; the key is written to the register as an immediate value, so that an untrusted module cannot obtain its value;
judging whether the identity of the caller is legal according to the value of the current PKRU register, and terminating the current execution if the caller's identity is illegal;
calling a WRPKRU instruction to modify the value of the current PKRU; this step switches the authority domain;
checking, by comparing the value of the specific register with the export secret key, that the preceding steps were actually executed; this prevents an untrusted module from hijacking program control flow to bypass the check and switch the authority domain illegally; if the check does not pass, the current execution is terminated;
clearing the specific register to prevent the export secret key from being leaked to the untrusted module;
the program control flow switches to the module of the other authority domain for execution.
6. The method according to claim 1, wherein the mechanism for dynamically allocating memory inside the Enclave in step S6:
adopts binary scanning, an extension of the SGX secure memory dynamic allocation instructions and an ENCLU checkpoint function, so that the MPK memory page information can be correctly set during the dynamic memory allocation process.
7. The method of claim 6, wherein said mechanism for dynamically allocating memory within an Enclave comprises:
first, the untrusted module calls the authority domain switching function to request that the Enclave resource management module allocate a memory page;
after receiving the request, the resource management module forwards it to the SGX driver module;
the SGX driver module receives the request, calls the ENCLS[EAUG] instruction to add the memory page to the EPC, and returns the memory page to the Enclave resource management module; at this moment the state of the memory page is "to be accepted";
the Enclave resource management module must ensure that the permissions of the memory page are not writable and executable at the same time; otherwise the resource management module triggers an exception and the program terminates execution; the memory page is then initialized in different ways depending on whether its permission is executable or not;
if the memory permission is not executable, the Enclave resource management module calls the ENCLU[EACCEPT] instruction to initialize the memory page;
if the memory permission is executable, the untrusted module requesting the memory page usually needs to dynamically load code into the Enclave and then jump to it for execution; to ensure that ENCLU and WRPKRU instructions do not appear in this memory, the Enclave resource management module first prepares a memory page with the same content inside its own authority domain, and then performs binary scanning on that page to ensure that its content does not contain the binary encodings of ENCLU or WRPKRU;
it then calls the ENCLU[EACCEPTCOPY] instruction, which copies the content of this memory page to the target memory page;
finally, it calls the authority domain switching function to return the memory page to the untrusted module.
8. The method for Intel SGX internal efficient isolation of claim 7, wherein the ENCLU checkpoint function uses the export secret key to ensure that its checking process cannot be bypassed, and at the same time determines the identity of the caller by judging the value of the current PKRU;
the procedure for calling the ENCLU checkpoint function is as follows:
the resource management module calls the ENCLU checkpoint function, and control flow switches to the checkpoint function;
the checkpoint function sets an export secret key in a specific register; the key is written to the register as an immediate value, and the corresponding code is stored in a memory area that the untrusted module cannot access;
the checkpoint function judges the identity of the caller according to the current PKRU value; if the caller is an untrusted module, the checkpoint function reports an error and execution is terminated; if the check passes, it proceeds to the next step;
the checkpoint function calls the ENCLU instruction;
the checkpoint function judges whether the value of the specific register equals the export secret key; this check ensures that the preceding steps cannot be bypassed by control flow hijacking; if the check does not pass, the checkpoint function reports an error and terminates execution; if it passes, the next step is carried out;
the checkpoint function clears the value of the specific register to prevent the export secret key from leaking;
after the checkpoint function has executed, control flow switches back to the resource management module.
9. An internal efficient isolation system for an Intel SGX, comprising:
a module S1, which divides the internal memory area of the Enclave into a trusted area and a plurality of untrusted areas, and efficiently isolates the trusted area from the untrusted areas by utilizing Intel MPK technology, wherein the Enclave resource management module runs in the trusted area;
a module S2, which is used for expanding an Enclave security boot mechanism in the SGX, and during a security boot process, includes memory page group information to which a memory page belongs in calculation and generation of an Enclave security verification code;
a module S3, which is to extend an Enclave security verification mechanism in the SGX, and add information of a memory page group to which an Enclave memory page belongs to check in the processes of local verification and remote verification of the SGX;
module S4, expanding the EPC protection mechanism during SGX operation, adding information of the memory page group to which the Enclave memory page belongs to a structure of a reverse mapping table of the SGX, so as to ensure that an untrusted operating system cannot modify the information of the memory page group to which the Enclave memory page belongs during the Enclave operation;
a module S5, which is to call an authority domain switching function, wherein the authority domain switching function comprises the safe saving of the register state, the caller identity authentication and the mechanism that the safety check cannot bypass;
module S6, the Enclave resource management module can safely and dynamically allocate the memory for the untrusted module through the mechanism of dynamically allocating the memory inside the Enclave;
a module S7, which ensures through a binary scanning mechanism that ENCLU and WRPKRU instructions can only appear in the Enclave resource management module, so that the untrusted module cannot freely switch authority domains or illegally allocate dynamic memory.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, performs the steps of the method for Intel SGX internal efficient isolation of any of claims 1-8.
CN202010982399.3A 2020-09-17 2020-09-17 Efficient isolation method, system and medium for Intel SGX interior Active CN112182560B (en)

Publications (2)

Publication Number Publication Date
CN112182560A true CN112182560A (en) 2021-01-05
CN112182560B CN112182560B (en) 2022-04-26

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989319A (en) * 2021-05-12 2021-06-18 支付宝(杭州)信息技术有限公司 Method, device, electronic equipment and storage medium for realizing trusted computing
CN114168936A (en) * 2021-11-24 2022-03-11 浙江大学 Enclave sandbox system based on Intel MPK and single step mode

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant