CN114168936A - Enclave sandbox system based on Intel MPK and single step mode - Google Patents
Enclave sandbox system based on Intel MPK and single step mode Download PDFInfo
- Publication number
- CN114168936A CN114168936A CN202111407270.0A CN202111407270A CN114168936A CN 114168936 A CN114168936 A CN 114168936A CN 202111407270 A CN202111407270 A CN 202111407270A CN 114168936 A CN114168936 A CN 114168936A
- Authority
- CN
- China
- Prior art keywords
- enclave
- wrpkru
- instruction
- mpk
- intel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 244000035744 Hura crepitans Species 0.000 title claims abstract description 32
- 238000001514 detection method Methods 0.000 claims abstract description 56
- 238000005516 engineering process Methods 0.000 claims abstract description 5
- 238000000034 method Methods 0.000 claims description 22
- 230000008569 process Effects 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 17
- 238000012546 transfer Methods 0.000 claims description 13
- 230000002452 interceptive effect Effects 0.000 claims description 4
- 102100035971 Molybdopterin molybdenumtransferase Human genes 0.000 claims description 3
- 101710119577 Molybdopterin molybdenumtransferase Proteins 0.000 claims description 3
- 230000003993 interaction Effects 0.000 claims description 3
- 238000012360 testing method Methods 0.000 description 7
- 238000011056 performance test Methods 0.000 description 5
- 238000002955 isolation Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000003062 neural network model Methods 0.000 description 2
- GNFTZDOKVXKIBK-UHFFFAOYSA-N 3-(2-methoxyethoxy)benzohydrazide Chemical compound COCCOC1=CC=CC(C(=O)NN)=C1 GNFTZDOKVXKIBK-UHFFFAOYSA-N 0.000 description 1
- FGUUSXIOTUKUDN-IBGZPJMESA-N C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 Chemical compound C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 FGUUSXIOTUKUDN-IBGZPJMESA-N 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
Abstract
The invention discloses an Enclose sandbox system based on an Intel MPK and single step mode, which comprises three modules of data access limitation, control flow skip limitation, WRPKRU instruction occurrence detection and the like. Any data access capability and any control flow jump capability of the Enclave to the host program are respectively limited by utilizing the existing MPK and single step mode hardware characteristics in the Intel processor. Meanwhile, the WRPKRU instruction occurrence detection module utilizes a code scanning technology to ensure that no WRPKRU instruction which can bypass MPK data access limitation occurs in the entire life cycle of the Enclose. The invention realizes the high-efficiency sandbox system aiming at the Enclave based on the existing hardware, can be directly applied to the existing Intel processor platform and improves the safety, and has small influence on the system performance.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an Enclave sandbox system based on an Intel MPK and a single-step mode.
Background
In recent years, techniques of trusted execution environments such as SGX are increasingly used to protect sensitive code and data. By means of the hardware isolation capability provided by the SGX, the service provider can safely distribute the sensitive code and data of the service provider to an untrusted user platform to run in an Enclave mode without worrying about the stealing of the sensitive code or data of the service provider. This approach to Enclave-based service distribution simplifies the interaction between service providers and users, and is becoming a trend.
However, the existing SGX technology only restricts access to the Enclave content by software (such as host program, OS, etc.) outside the Enclave, and does not consider the harm of the potentially malicious Enclave to its host program. This hazard is manifested in both data access and control flow diversion. In terms of data access, Enclave can arbitrarily access the host program address space. In terms of control flow migration, when the control flow exits the Enclave, the Enclave can arbitrarily specify the jump target address of the control flow in the host program address space. The hazards in the two aspects can be utilized by potential malicious enclaves to perform information leakage or even control flow hijacking attack on a host program. Therefore, from the perspective of the host program, any data access and any control flow jump capability of Enclave to the host program need to be limited, and a sandbox scheme for Enclave is implemented.
The existing sandbox scheme for Enclave is realized by process isolation, and has the defects of high performance overhead, poor expandability and the like.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an Enclave sandbox system based on an Intel MPK and a single step mode, which respectively limits any data access and any control flow control capability of the Enclave to a host program by utilizing the existing MPK and single step mode hardware characteristics of an Intel processor. The specific technical scheme is as follows:
an Enclose sandbox system based on Intel MPK and single step mode comprises a data access limiting module, a control flow jump limiting module and a WRPKRU instruction occurrence detection module;
the data access limiting module limits any memory access capability of the Enclave to the host program by using MPK hardware characteristics in the Intel processor, and is specifically realized by the following modes:
in an Enclave initialization stage, the data access limiting module divides a host program and an Enclave memory area into memory protection domains H and E in the MPK respectively;
in the program running process, when the thread runs in the host program, the data access limiting module is used for setting a PKRU register of the processor to have access rights to the memory protection domains H and E; before the thread enters the envelope, the data access limiting module sets a PKRU register of the processor to be only the access right to the memory protection domain E through a WRPKRU instruction; after the thread exits the Enslave and re-enters the host program, the data access limiting module recovers the access authority of the processor to the memory protection domain H through the WRPKRU instruction;
the control flow jump limiting module limits a target jump address when the Enclose exits by using a single-step mode in the Intel processor, and is specifically realized by the following mode:
in an Enclave initialization phase, the control flow jump limiting module registers a user-mode single-step debugging exception handling function for checking whether a target jump address of an EEXIT instruction is equal to a predefined address in a host program;
in the program running process, before a thread enters an envelope, the control flow jump limiting module starts a single step mode by setting a TF flag bit in an FLAGS register, so that when the thread executes an EEXIT instruction and exits the envelope, a processor triggers a single step debugging exception, at the moment, a user mode single step debugging exception handling function is called, whether a target jump address of the EEXIT instruction is equal to a predefined address or not is checked, if so, the single step mode is closed, and the interrupted thread resumes execution; if not, the program stops running;
the WRPKRU instruction occurrence detection module ensures that a WRPKRU instruction does not occur in the whole lifecycle of the Enclose by using a code scanning technology, and is specifically realized by the following modes:
in an Enclave initialization stage, the WRPKRU instruction occurrence detection module checks whether a statically loaded code in the Enclave contains a WRPKRU instruction, and if so, the Enclave is refused to be created; if not, the creation of the Enclave is allowed and the page table is operated to ensure that the memory area of the newly created Enclave does not have the writable and executable rights at the same time.
Further, in an Enclave initialization stage, the data access limiting module allocates a memory area for the Enclave in the address space of the host program as a parameter transfer cache between the host program and the Enclave, and divides a memory protection domain of the area into E.
Further, the data access limiting module copies the interactive data of the host program and the Enclave to the parameter transfer cache before the thread enters the Enclave; and after the thread exits the Enclave, copying the interactive data from the shared parameter transfer cache to a private memory area of the host program.
Further, when a plurality of envlaves exist simultaneously, the data access limiting module divides different envlaves into different memory protection domains.
Furthermore, each Enclave has a parameter transfer cache which is divided into the same parameter transfer caches as the memory protection domain of the Enclave; when the thread is in the host program, the processor has access rights to the host program and all the enclaves; before a thread enters a certain Enclave, the data access limiting module sets the access right of the processor to be only capable of accessing the memory protection domain of the Enclave.
Further, in an Enclave initialization stage, the data access limiting module may check whether a 9 th flag bit in an XFRM attribute field of the Enclave to be created is cleared; if zero clearing is carried out, allowing to create Enclave; if not, the program terminates execution.
Further, in an Enclave initialization stage, the control flow jump limiting module randomly generates a Key for a host program and stores the Key in an Enclave invisible area; in the program running process, before a thread enters an Enclave, the control flow jump limiting module performs exclusive or operation on a stack pointer RSP and a Key of the current thread and stores an exclusive or operation result into a stack; after the thread exits the envelope, the user-mode single-step debugging exception handling function performs exclusive or operation on the exclusive or operation result and the Key, and performs comparison check on the operation result and the RSP of the current thread; if not, the program terminates execution; if so, the program continues to execute.
Further, in order to support dynamic generation or loading of codes in the Enclave, in an Enclave initialization stage, the WRPKRU instruction occurrence detection module may check whether a detection code that can be called by a host program and is used for checking whether a WRPKRU instruction sequence exists in a specified memory range in the Enclave; if the segment detects the existence of the code, allowing to create an Enclave; if not, refusing to create Enclave; meanwhile, the WRPKRU instruction occurrence detection module registers a user mode page table exception handling function in the host program and is used for calling a detection code embedded in the envelope to judge whether a specified memory area in the envelope contains a WRPKRU instruction sequence or not; in the program running process, when the Enclave is ready to execute dynamic loading or code generation, the processor generates page table exception, the user-mode page table exception handling function in the WRPKRU instruction occurrence detection module is called to detect whether the dynamic loading or code generation code contains a WRPKRU instruction, and when the WRPKRU instruction is detected, the program execution is terminated; when the WRPKRU instruction does not exist, the WRPKRU instruction occurrence detection module gives the memory area executable authority for dynamically loading or generating the code, and removes the writable authority; and resume Enclave execution.
Further, before entering the Enclave to call the detection code, the WRPKRU instruction occurrence detection module sets the memory protection domain of the SSA region of the Enclave TCS corresponding to the current thread to H; after the detection code is called, the memory protection domain of the SSA region is restored to the original memory protection domain of Enclave.
Further, before entering the Enclave to call the WRPKRU instruction detection code, the WRPKRU instruction occurrence detection module may set the memory region where the code is dynamically loaded or generated to be the read-only permission through the page table operation.
The invention has the following beneficial effects:
the invention uses the existing MPK and single step mode hardware characteristics in the Intel processor to limit any data access capability and any control flow jump capability of the Enclave aiming at the host program. The high-efficiency sandbox system for Enclave is realized based on the existing hardware characteristics of the Intel processor, so that the sandbox system can be directly applied to the existing Intel processor platform to improve the safety. Compared with the existing Enclave sandbox system realized based on process isolation, the invention realizes the construction of the Enclave sandbox system in the address space of the host program, and has small influence on the program performance and strong expandability. And particularly, the performance and expandability advantages are stronger in a multi-Enclave and multi-thread application scene.
Drawings
FIG. 1 is a diagram illustrating the implementation of the Intel MPK and single step mode based Enclave sandbox system during the program execution process;
FIG. 2 is a schematic diagram of the execution logic of the Enclave embedded detection code of the Enclave sandbox system based on Intel MPK and single step mode according to the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings and preferred embodiments, and the objects and effects of the present invention will become more apparent, it being understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit the present invention.
FIG. 1 is a schematic diagram illustrating the execution of the Intel MPK and single step mode based Enclave sandbox system during the program running process. The invention discloses an Enclave sandbox system based on an Intel MPK and single step mode, which comprises a data access limiting module, a control flow jump limiting module and a WRPKRU instruction occurrence detection module, wherein the operations of the three modules comprise the operations of two stages of an Enclave initialization process and a program running process.
In the initialization phase of Enclave, the three modules perform specific check on the created Enclave to ensure that the created Enclave is satisfactory, and perform related initialization operation.
The method comprises the following specific steps:
(1) as for the data access restriction module, it is,
and (1.1) the data access limiting module divides the host program and the Enclave memory area into memory protection areas H and E in the MPK respectively. If the memory protection domain is a plurality of enclaves, the data access limiting module divides each Enclave into a single MPK memory protection domain. The different enclaves are divided into different memory protection domains, so that data access isolation among the different enclaves can be realized. The hardware characteristics of the current Intel MPK only support 16 different memory protection domains, but the software-based MPK virtualization technology can be used to support more than 15 enclaves in the presence scenario.
And (1.2) the data access limiting module allocates a memory area for the Enclave in the address space of the host program as a parameter transfer cache between the host program and the Enclave, and divides the area into a memory protection domain of the Enclave. In this way, both Enclave and host program can access the parameter passing cache. If the number of the enclaves is multiple, each Enclave is allocated with a unique parameter transfer cache, and the memory protection domain to which the parameter transfer cache belongs is the same as the enclaves to which the parameter transfer cache belongs.
(1.3) the data access restriction module checks that the 9 th flag bit in the XFRM attribute field for which Enclave is to be created is clear. If not, the program terminates execution. If clear, allow creation of Enclave. This can avoid Enclave using XRSTOR instruction to modify the value of PKRU register to extend the access rights of Enclave to MPK memory protection domain.
(2) Limiting modules for control flow jumps
The control flow jump limiting module registers a user-mode single-step debugging exception handling function in the host program, randomly generates a Key for the host program, and stores the Key in an Enclose invisible area.
(3) Module for detecting WRPKRU instruction occurrence
(3.1) the WRPKRU instruction occurrence detection module checks whether a detection code which can be called by a host program and is used for checking whether a WRPKRU instruction sequence exists in a specified memory range in the Enclave is embedded in the Enclave to be created, and the detection code only uses a register to store data and does not store the data into the memory (the execution logic of the detection code is shown in FIG. 2). If the check fails, refusing to create the Enclave; if the check is successful, Enclave is allowed to be created. The purpose of ensuring that the detection code embedded in the Enclave only uses the register for data storage is to prevent the Enclave from destroying the integrity of the execution process of the detection code.
(3.2) the WRPKRU instruction occurrence detection module checks that the statically loaded code in the Enclave does not contain the WRPKRU instruction. If yes, refusing to create Enclave; if not, Enclave is allowed to be created.
(3.3) the WRPKRU instruction occurrence detection module ensures that the memory region for newly creating the Enable does not have both writable and executable rights by manipulating the page table. Thus, the execution of dynamically generated or loaded code in the Enclave during the program running process is captured by the WRPKRU instruction occurrence detection module due to the trigger processor page table exception.
And (3.4) the WRPKRU instruction occurrence detection module registers a user mode page table exception handling function in the host program and is used for calling a detection code embedded in the envelope to judge whether a specified memory area in the envelope contains a WRPKRU instruction sequence.
In the program running process stage, the behavior of Enclave is specifically restricted or checked by the three modules, so as to ensure that any data access capability and any control flow jump capability of the Enclave to the host program are always limited in the lifecycle of the Enclave. The method comprises the following specific steps:
(1) for data access restriction module
(1.1) when the thread runs in the host program, the data access limiting module sets the PKRU register of the processor to have access to the memory protection domains H and E. As shown in step c of fig. 1, before the thread enters Enclave, the PKRU register of the processor is set to access right only to the memory protection domain E of Enclave by the WRPKRU instruction. As shown in step f in fig. 1, after the thread exits the Enclave and re-enters the host program, the access right of the processor to the memory protection domain H is restored through the WRPKRU instruction.
(1.2) before the thread enters Enclave, the data access limiting module copies the data required by the interaction between the host program and the Enclave to the parameter passing cache, as shown in step a in fig. 1. As shown in step g in fig. 1, after the thread exits the envelope, the data access restriction module will copy the interactive data from the shared parameter transfer cache to the private memory area of the host program. The parameter passing cache is maintained in a stack data structure mode to support nested calling between the host program and the Enclave.
(2) Limiting modules for control flow jumps
(2.1) before the thread enters Enclave, as in step d of fig. 1, the control flow jump restriction module will turn on single step mode by setting the TF flag bit in the FLAGS register. When the thread executes the EEXIT instruction to exit Enclave, a single-step debug exception is triggered, step 2 in FIG. 1. As shown in step 3, the registered user-mode step-down exception handling function is called, whether the target jump address of the EEXIT instruction is equal to the predefined address is checked, and if not, the program stops running; if equal to the predefined address, the single stepping exception handling function turns off single stepping mode. The control flow jump restriction module then resumes execution of the interrupted thread as in steps 4 and 5 of FIG. 1.
(2.2) as in step b of fig. 1, before the thread enters the Enclave, the control flow jump limiting module performs an exclusive or operation on the stack pointer RSP of the current thread and the Key, and stores the result of the exclusive or operation in the stack. As shown in fig. 1, after the thread exits the envelope, the user-mode single-step debugging exception handling function performs an exclusive or operation on the previously stored exclusive or operation result and the Key, and performs a comparison check on the operation result and the RSP of the current thread. If not, the program terminates execution; if so, execution continues.
(3) For WRPKRU instruction occurrence detection module
(3.1) as in step E1 in fig. 1, when the Enclave executes the dynamic load or generates the code for the first time, a page table exception may be generated due to the lack of the executable right of the corresponding memory region, and the user-mode page table exception handling function registered before the detection module occurs in the WRPKRU instruction is called. As shown in steps E2 and E3 in fig. 1, the user page table exception handling function calls the detection code embedded in Enclave, and checks whether there is a WRPKRU instruction sequence in the dynamic load or generation code in Enclave. If so, program execution is terminated. If not, the WRPKRU instruction occurrence detection module gives the memory area executable authority for dynamically loading or generating the code, and removes the writable authority; enclave execution is then resumed as in step E4 in fig. 1. At this time, since the memory area for dynamically loading or generating the code in the Enclave already has the executable authority, the code can be normally executed. And because the write authority of the code memory area is removed, the code cannot be modified by the Enclave any more.
(3.2) as in step i of fig. 1, before entering the envelope call detection code, the WRPKRU instruction occurrence detection module sets the memory protection domain of the SSA region of the envelope TCS corresponding to the current thread to H. As shown in step m in fig. 1, after the detection code is called, the memory protection domain of the SSA region is restored to the memory protection domain of Enclave. In this way, even when the processor stores the register in which the execution state of the embedded code is stored in the SSA area due to the generation of AEX during the execution of the embedded detection code, the other threads in Enclave cannot modify the SSA area. Accordingly, before the thread enters the Enclave call detection code, the WRPKRU instruction occurrence detection module does not need to remove the access right of the processor to the host program memory protection domain.
(3.2) as in step h of fig. 1, before entering the Enclave call WRPKRU instruction detection code, the WRPKRU instruction occurrence detection module sets the memory area of the dynamically loaded or generated code to be the read-only permission through the page table operation. In this way, the Enclave cannot modify the memory area again in the checking process of the WRPKRU instruction occurrence detection module.
In addition, in order to allow the Linux operating system kernel to normally access the host program memory area in the process of distributing and processing the exception signal, the Linux operating system kernel is modified to ensure that the processor is always endowed with the access right aiming at the host program memory protection domain before the Linux operating system kernel accesses the host program memory area. After the access is complete, the processor may be restored to its original privilege.
In order to prove that the system has the advantage of low performance overhead in performance, the system is deployed on three real application programs and is subjected to performance test. The specific test data are as follows:
1. test one
A neural network model with high performance tuning for an Enclave scenario is respectively operated under the condition that whether the Enclave sandbox system is deployed or not, and obtained performance test data are shown in table 1. As can be seen from table 1, the performance overhead of 0.84% is only introduced in the case of deploying the Enclave sandbox system of the present invention, and the model inference overhead is only 0.45%.
Table 1 a performance test data table obtained by running a neural network model, which has been highly performance-optimized for an Enclave scenario, in the presence or absence of an Enclave sandbox system according to the present invention
| Default case (millisecond) | Inventive system (millisecond) | Performance overhead | |
| Enclave creation | 283.80 | 283.91 | 0.04% |
| Model loading | 43.59 | 54.00 | 23.90% |
| Model reasoning | 1962.10 | 1970.85 | 0.45% |
| Total of | 2289.49 | 2308.76 | 0.84% |
2. Test two
The test data for the performance overhead of a typical database operation, which can be run in an SQL database in the present invention, is shown in Table 2, and is only 0.19% to 2.38%.
Table 2 a performance test data table in which the SQLite database capable of operating in the Enclave respectively operates in the common database operation under the condition of the Enclave sandbox system based on the Intel MPK and single step mode of the present invention is not deployed
3. Test three
An HTTP web server capable of operating in Enclave, when operating in the system of the present invention, the test result of Apache HTTP benchmark test tool in localhost network is shown in table 3, which shows that the performance overhead introduced by the system of the present invention for the data transmission rate is less than 4.4%.
Table 3 a data transmission rate performance test data table in which an HTTP web server capable of operating in an Enclave respectively operates under the condition that the Enclave sandbox system based on IntelMPK and single step mode of the present invention is deployed or not
| Number of threads | Default case (kb/s) | System of the invention (kb/s) | |
| 1 | 5.94 | 5.69 | 4.21% |
| 2 | 5.93 | 5.70 | 3.88% |
| 4 | 5.90 | 5.70 | 3.39% |
| 8 | 5.93 | 5.67 | 4.38% |
| 16 | 5.92 | 5.68 | 4.05% |
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.
Claims (10)
1. An Enclose sandbox system based on Intel MPK and single step mode is characterized by comprising a data access limiting module, a control flow jump limiting module and a WRPKRU instruction occurrence detection module;
the data access limiting module limits any memory access capability of the Enclave to the host program by using MPK hardware characteristics in the Intel processor, and is specifically realized by the following modes:
in an Enclave initialization stage, the data access limiting module divides a host program and an Enclave memory area into memory protection domains H and E in the MPK respectively;
in the program running process, when the thread runs in the host program, the data access limiting module is used for setting a PKRU register of the processor to have access rights to the memory protection domains H and E; before the thread enters the envelope, the data access limiting module sets a PKRU register of the processor to be only the access right to the memory protection domain E through a WRPKRU instruction; after the thread exits the Enslave and re-enters the host program, the data access limiting module recovers the access authority of the processor to the memory protection domain H through the WRPKRU instruction;
the control flow jump limiting module limits a target jump address when the Enclose exits by using a single-step mode in the Intel processor, and is specifically realized by the following mode:
in an Enclave initialization phase, the control flow jump limiting module registers a user-mode single-step debugging exception handling function for checking whether a target jump address of an EEXIT instruction is equal to a predefined address in a host program;
in the program running process, before a thread enters an envelope, the control flow jump limiting module starts a single step mode by setting a TF flag bit in an FLAGS register, so that when the thread executes an EEXIT instruction and exits the envelope, a processor triggers a single step debugging exception, at the moment, a user mode single step debugging exception handling function is called, whether a target jump address of the EEXIT instruction is equal to a predefined address or not is checked, if so, the single step mode is closed, and the interrupted thread resumes execution; if not, the program stops running;
the WRPKRU instruction occurrence detection module ensures that a WRPKRU instruction does not occur in the whole lifecycle of the Enclose by using a code scanning technology, and is specifically realized by the following modes:
in an Enclave initialization stage, the WRPKRU instruction occurrence detection module checks whether a statically loaded code in the Enclave contains a WRPKRU instruction, and if so, the Enclave is refused to be created; if not, the creation of the Enclave is allowed and the page table is operated to ensure that the memory area of the newly created Enclave does not have the writable and executable rights at the same time.
2. The Intel MPK and single-step mode based Enclave sandbox system according to claim 1, wherein in the initialization phase of Enclave, said data access restriction module allocates a memory region for Enclave in the address space of the host program as the parameter transfer cache between the host program and the Enclave, and divides the memory protection domain of said region into E.
3. The Intel MPK and single-step mode based Enclave sandbox system according to claim 2, wherein said data access restriction module copies host program and Enclave interaction data to said parameter passing cache before the thread enters Enclave; and after the thread exits the Enclave, copying the interactive data from the shared parameter transfer cache to a private memory area of the host program.
4. The Intel MPK and single-step mode based Enclave sandbox system as claimed in claim 1, wherein when multiple enclaves exist simultaneously, said data access restriction module divides different enclaves into different memory protection domains.
5. The Intel MPK and single-step mode based Enclave sandbox system according to claim 4, wherein each Enclave has a parameter transfer cache divided into the same domain as its memory protection domain; when the thread is in the host program, the processor has access rights to the host program and all the enclaves; before a thread enters a certain Enclave, the data access limiting module sets the access right of the processor to be only capable of accessing the memory protection domain of the Enclave.
6. The Intel MPK and single step mode based Enclave sandbox system of claim 1, wherein in the initialization phase of Enclave, said data access restriction module will check if the 9 th flag bit in the XFRM attribute field of the to-be-created Enclave is clear; if zero clearing is carried out, allowing to create Enclave; if not, the program terminates execution.
7. The Enclave sandbox system based on Intel MPK and single step mode as claimed in claim 1, wherein in the initialization phase of Enclave, said control flow jump limiting module will randomly generate a Key for the host program and store it in the invisible area of Enclave; in the program running process, before a thread enters an Enclave, the control flow jump limiting module performs exclusive or operation on a stack pointer RSP and a Key of the current thread and stores an exclusive or operation result into a stack; after the thread exits the envelope, the user-mode single-step debugging exception handling function performs exclusive or operation on the exclusive or operation result and the Key, and performs comparison check on the operation result and the RSP of the current thread; if not, the program terminates execution; if so, the program continues to execute.
8. The Enclave sandbox system based on Intel MPK and single step mode as claimed in claim 1, wherein in order to support dynamic generation or loading of code in Enclave, during the Enclave initialization phase, said WRPKRU instruction occurrence detection module will check whether a detection code that can be called by the host program and is used to check whether there is a WRPKRU instruction sequence in a specified memory range in Enclave is embedded in Enclave; if the segment detects the existence of the code, allowing to create an Enclave; if not, refusing to create Enclave; meanwhile, the WRPKRU instruction occurrence detection module registers a user mode page table exception handling function in the host program and is used for calling a detection code embedded in the envelope to judge whether a specified memory area in the envelope contains a WRPKRU instruction sequence or not; in the program running process, when the Enclave is ready to execute dynamic loading or code generation, the processor generates page table exception, the user-mode page table exception handling function in the WRPKRU instruction occurrence detection module is called to detect whether the dynamic loading or code generation code contains a WRPKRU instruction, and when the WRPKRU instruction is detected, the program execution is terminated; when the WRPKRU instruction does not exist, the WRPKRU instruction occurrence detection module gives the memory area executable authority for dynamically loading or generating the code, and removes the writable authority; and resume Enclave execution.
9. The Enclave sandbox system based on Intel MPK and single step mode of claim 8, wherein said WRPKRU instruction occurrence detection module sets the memory protection domain of the SSA region of the Enclave TCS corresponding to the current thread to H before entering the Enclave to invoke said detection code; after the detection code is called, the memory protection domain of the SSA region is restored to the original memory protection domain of Enclave.
10. The Intel MPK and single step mode based Enclave sandbox system of claim 8, wherein said WRPKRU instruction occurrence detection module sets the memory region for dynamically loading or generating code to be read only permission by page table operation before entering the Enclave call WRPKRU instruction detection code.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111407270.0A CN114168936A (en) | 2021-11-24 | 2021-11-24 | Enclave sandbox system based on Intel MPK and single step mode |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111407270.0A CN114168936A (en) | 2021-11-24 | 2021-11-24 | Enclave sandbox system based on Intel MPK and single step mode |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114168936A true CN114168936A (en) | 2022-03-11 |
Family
ID=80480531
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111407270.0A Pending CN114168936A (en) | 2021-11-24 | 2021-11-24 | Enclave sandbox system based on Intel MPK and single step mode |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114168936A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109840410A (en) * | 2017-12-28 | 2019-06-04 | 中国科学院计算技术研究所 | The method and system of data isolation and protection in a kind of process |
| CN110532767A (en) * | 2019-08-19 | 2019-12-03 | 上海交通大学 | Internal insulation method towards SGX security application |
| WO2019237866A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Method for controlling access at runtime and computing device |
| CN112182560A (en) * | 2020-09-17 | 2021-01-05 | 上海交通大学 | Efficient isolation method, system and medium for Intel SGX interior |
| CN113064697A (en) * | 2021-04-01 | 2021-07-02 | 上海交通大学 | Method for accelerating communication between microkernel processes by using multiple hardware characteristics |
-
2021
- 2021-11-24 CN CN202111407270.0A patent/CN114168936A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109840410A (en) * | 2017-12-28 | 2019-06-04 | 中国科学院计算技术研究所 | The method and system of data isolation and protection in a kind of process |
| WO2019237866A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Method for controlling access at runtime and computing device |
| CN110532767A (en) * | 2019-08-19 | 2019-12-03 | 上海交通大学 | Internal insulation method towards SGX security application |
| CN112182560A (en) * | 2020-09-17 | 2021-01-05 | 上海交通大学 | Efficient isolation method, system and medium for Intel SGX interior |
| CN113064697A (en) * | 2021-04-01 | 2021-07-02 | 上海交通大学 | Method for accelerating communication between microkernel processes by using multiple hardware characteristics |
Non-Patent Citations (1)
| Title |
|---|
| YUAN CHEN, ET AL.: "TOWARDS EFFICIENTLY ESTABLISHING MUTUAL DISTRUST B ETWEEN HOST APPLICATION AND ENCLAVE FOR SGX", ARXIV:2010, 23 October 2020 (2020-10-23), pages 1 - 18 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7865683B2 (en) | Identifier associated with memory locations for managing memory accesses | |
| KR102189296B1 (en) | Event filtering for virtual machine security applications | |
| US10073986B2 (en) | Regulating access to and protecting portions of applications of virtual machines | |
| CN107066311B (en) | Kernel data access control method and system | |
| RU2313126C2 (en) | System and method for protection from non-trusted system control mode code by means of redirection of system management mode interrupt and creation of virtual machine container | |
| US20160210069A1 (en) | Systems and Methods For Overriding Memory Access Permissions In A Virtual Machine | |
| US10140448B2 (en) | Systems and methods of asynchronous analysis of event notifications for computer security applications | |
| US20120216281A1 (en) | Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel | |
| CN109840410A (en) | The method and system of data isolation and protection in a kind of process | |
| JP2010517164A (en) | Protect operating system resources | |
| JP2009516310A (en) | Page coloring that maps memory pages to programs | |
| US9639698B2 (en) | Systems and methods for active operating system kernel protection | |
| US9189620B2 (en) | Protecting a software component using a transition point wrapper | |
| US7512768B2 (en) | Dynamically sharing a stack between different code segments | |
| US9536084B1 (en) | Systems and methods for delivering event-filtered introspection notifications | |
| US9596261B1 (en) | Systems and methods for delivering context-specific introspection notifications | |
| US20220366037A1 (en) | Domain transition disable configuration parameter | |
| US20150379265A1 (en) | Systems And Methods For Preventing Code Injection In Virtualized Environments | |
| US10929148B2 (en) | Executing services in containers | |
| US20220366036A1 (en) | An apparatus and method for handling exceptions | |
| US9531735B1 (en) | Systems and methods for delivering introspection notifications from a virtual machine | |
| CN114168936A (en) | Enclave sandbox system based on Intel MPK and single step mode | |
| US20230010863A1 (en) | Intermodal calling branch instruction | |
| WO2015052829A1 (en) | Information management device, method, and program | |
| Lopes et al. | DIHyper: Providing Lifetime Hypervisor Data Integrity |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |