OBFUSCURO: A Commodity Obfuscation Engine for Intel SGX · 2020-08-03 · OBFUSCURO: A Commodity...
Transcript of OBFUSCURO: A Commodity Obfuscation Engine for Intel SGX · 2020-08-03 · OBFUSCURO: A Commodity...
OBFUSCURO: A Commodity Obfuscation Engine for Intel SGX
Adil Ahmad*, Byunggill Joe*, Yuan Xiao
Yinqian Zhang, Insik Shin, Byoungyoung Lee
(* denotes equal contribution)
Program Obfuscation
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
Trusted Untrusted (except the Black box)
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
Trusted Untrusted (except the Black box)
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
𝑷𝒑𝒓𝒊𝒗
Trusted Untrusted (except the Black box)
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
Trusted Untrusted (except the Black box)
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
UntrustedSystem
𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
Trusted Untrusted (except the Black box)
Blackbox
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
UntrustedSystem
𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
Trusted Untrusted (except the Black box)
Blackbox
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Receiver’s Goal Disclose the internals
of program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
UntrustedSystem
𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
Trusted Untrusted (except the Black box)
Blackbox
If the black box is “secure”?
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Receiver’s Goal Disclose the internals
of program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
Output
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
UntrustedSystem
𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
After constant time 𝑻
Trusted Untrusted (except the Black box)
Blackbox
If the black box is “secure”?
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Receiver’s Goal Disclose the internals
of program 𝑷𝒑𝒓𝒊𝒗
Program Obfuscation
Output
𝑷𝒑𝒓𝒊𝒗
EncryptionEngine
UntrustedSystem
Observable execution traces𝑷𝒑𝒓𝒊𝒗
Attacker chooses inputs𝐼0 𝐼1 𝐼𝑁…
Φ0 Φ1 Φ𝑁…
After constant time 𝑻
Trusted Untrusted (except the Black box)
Blackbox
If the black box is “secure”?
Sender’s Goal Protect the internals of private program 𝑷𝒑𝒓𝒊𝒗
Receiver’s Goal Disclose the internals
of program 𝑷𝒑𝒓𝒊𝒗
Execution traces should not leak information about 𝑷𝒑𝒓𝒊𝒗
Wait, isn’t that what Intel SGX does?
3
Wait, isn’t that what Intel SGX does?Program
3
Wait, isn’t that what Intel SGX does?Program
Non-Enclave
Enclave
3
Wait, isn’t that what Intel SGX does?Program
Non-Enclave
Enclave
Confidentiality and integrityguarantees
Trusted executionregion
3
Wait, isn’t that what Intel SGX does?Program
Non-Enclave
Enclave
Operating System (and other untrusted software)
Restricted by the processor
Confidentiality and integrityguarantees
Trusted executionregion
3
4
Intel SGX is not perfect!
4
Enclave
Intel SGX is not perfect!
4
Enclave
Memory accessedby the enclave
Intel SGX is not perfect!
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Tablecache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Visible traces on untrusted/shared components!
Timing
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Tablecache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Operating System
Visible traces on untrusted/shared components!
Granularity: 4KB (1 page)
Timing
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Tablecache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Operating System
Visible traces on untrusted/shared components!
Granularity: 4KB (1 page)
Granularity: 64B (1 line)
Timing
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Tablecache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Operating System
Visible traces on untrusted/shared components!
Granularity: 4KB (1 page)
Granularity: Jmp address
Granularity: 64B (1 line)
Timing
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Tablecache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Operating System
Visible traces on untrusted/shared components!
Granularity: 4KB (1 page)
Granularity: Jmp address
Granularity: 64B (1 line)
Timing
Granularity: Execution Time
4
Enclave
Memory accessedby the enclave
Access Frame #0 0x1000
Page Table
Paging, Branch-prediction and Cache attacks![S&P14, SEC17, ASPLOS18, DIMVA17, WOOT17]
cache-set 0
cache-set 3
CPU CacheTaken Address
0 0x1000
Branch Target Buffer
Intel SGX is not perfect!
Operating System
Visible traces on untrusted/shared components!
Granularity: 4KB (1 page)
Granularity: Jmp address
Granularity: 64B (1 line)
Timing
Granularity: Execution Time
Learning from existing solutions!
5
Learning from existing solutions!
5
Access patterns attacks!
Transactional Memory
[NDSS17, SEC17]
Learning from existing solutions!
5
Access patterns attacks!
Possible Soln.
Incomplete
Transactional Memory
[NDSS17, SEC17]
Learning from existing solutions!
5
Access patterns attacks!
Possible Soln.
Incomplete ring-0 required
Cache Partitioning
[SEC18]
Transactional Memory
[NDSS17, SEC17]
Learning from existing solutions!
5
Access patterns attacks!
Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Access patterns attacks!
Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Access patterns attacks! Timing attacks!
Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]RDTSC
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Access patterns attacks! Timing attacks!
OS-controllable
Possible Soln.Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]RDTSC
Networktimers
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Access patterns attacks! Timing attacks!
OS-controllable OS-controllable
Possible Soln.Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]RDTSC
Networktimers
Threadtimers
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Access patterns attacks! Timing attacks!
OS-controllable OS-controllable OS-controllable
Possible Soln.Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Transactional Memory
[NDSS17, SEC17]RDTSC
Networktimers
Threadtimers
Learning from existing solutions!
5
Lesson #1 Ring-3 enclaves cannot hide access
patterns through side-channels!
Lesson #2Unreliable timers for SGX
enclaves!
Access patterns attacks! Timing attacks!
OS-controllable OS-controllable OS-controllable
Possible Soln.Possible Soln.
Incomplete ring-0 required Insecure
Cache Partitioning
[SEC18]
Address Randomization
[NDSS17]
Our approach
6
Our approach
6
• Indistinguishable enclave program(s)
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
# of executions: 0
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Single data access
# of executions: 0
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
# of executions: 01
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
# of executions: 01
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?
Paging Attack: Same page
# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?
Cache Attack: Same cache-lines
Paging Attack: Same page
# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?
Cache Attack: Same cache-lines
Branch Attack: Same branch
Paging Attack: Same page
# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?
Cache Attack: Same cache-lines
Branch Attack: Same branch
Paging Attack: Same page
Timing Attack: Same time to execute N code blocks
# of executions: 01N
Our approach
6
• Indistinguishable enclave program(s)• A code block executed N times on C-Pad, and data block accessed from D-Pad
• C-Pad and D-Pad are one cache-line (64B) in size!
C-Pad
64B
D-Pad
64B
Branch to the start of C-Pad Single data
access
What do the attacks reveal?
Cache Attack: Same cache-lines
Branch Attack: Same branch
Paging Attack: Same page
Timing Attack: Same time to execute N code blocks
# of executions: 01N Instead of trying to hide traces, all enclaves should leak the same traces!
Let Hermione explain!
7
Let Hermione explain!
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟏
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟐
Operating System
7
Let Hermione explain!
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟏
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟐
Operating System
Pat
tern
Pat
tern
Before(Native)
7
Let Hermione explain!
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟏
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟐
Operating System
Pat
tern
Pat
tern
Before(Native)
Obfuscuro
7
Let Hermione explain!
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟏
𝑬𝒏𝒄𝒍𝒂𝒗𝒆𝟐
Operating System
Pat
tern
Pat
tern
Before(Native)
After(Obfuscuro)
Obfuscuro
7
Cool, what’s the challenge?
8
Cool, what’s the challenge?
8
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Cool, what’s the challenge?
8
C-Pad
64B
Enclave Storage
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Foo
Bar
Main
Translator
D-Pad
64B
Cool, what’s the challenge?
8
C-Pad
64B
Enclave Storage
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Foo
Bar
Main
56B
78B
67B
Translator
C1. Native code is not in 64B blocks!
D-Pad
64B
Cool, what’s the challenge?
8
C-Pad
64B
Enclave Storage
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Foo
Bar
Main
56B
78B
67B
Translator
C1. Native code is not in 64B blocks!
C2. Access patterns leaked while copying!
D-Pad
64B
FooBar
Cool, what’s the challenge?
8
C-Pad
64B
Enclave Storage
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Foo
Bar
Main
56B
78B
67B
Translator
C1. Native code is not in 64B blocks!
C2. Access patterns leaked while copying!
Foojmpjmp
Barjmp
C3. Code can havedifferent branches!
D-Pad
64B
FooBar
Cool, what’s the challenge?
8
C-Pad
64B
Enclave Storage
• Naïve solution• Use a software-translator to copy all code and data onto C/D-Pad
Foo
Bar
Main
56B
78B
67B
Translator
C1. Native code is not in 64B blocks!
C2. Access patterns leaked while copying!
Foojmpjmp
Barjmp
C3. Code can havedifferent branches!
C4. Timing issues not even discussed!
D-Pad
64B
FooBar
Obfuscuro
• Program obfuscation on Intel SGX• All programs should exhibit same patterns irrespective of logic/input.
• Adapted from Harry Potter spell “Obscuro” (translation :> Darkness)
9
Code Controller
Data Controller
stash
pos. map
D-Tree
C-Pad
64B
D-Pad
64B
stash
pos. map
ORAM BankC-Tree
Code execution model
Data access model
C1. Enforce code blocks of identical sizes
10
C1. Enforce code blocks of identical sizes
10
• Break code blocks into 64 bytes and pad using nop
C1. Enforce code blocks of identical sizes
10
• Break code blocks into 64 bytes and pad using nop
Foo()
Native
90B
C1. Enforce code blocks of identical sizes
10
• Break code blocks into 64 bytes and pad using nop
Foo()
Native
ObfuscuroCompiler90B
C1. Enforce code blocks of identical sizes
10
• Break code blocks into 64 bytes and pad using nop
Foo()
Native
ObfuscuroCompiler90B
Foo.1()
Instrumented
64B
NOPs 38 bytes
26 bytes64B
64 bytes
Foo.2()Split Foo()
C1. Enforce code blocks of identical sizes
10
• Break code blocks into 64 bytes and pad using nop
Foo()
Native
ObfuscuroCompiler90B
Foo.1()
Instrumented
64B
NOPs 38 bytes
26 bytes64B
64 bytes
Foo.2()Split Foo()
64B (single cache-line) code blocks can be loaded onto the C-Pad!
C2. Securely loading C/D-Pad
11
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
1
Execute old code block
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
Retrieve the blockusing ORAM
3
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
Retrieve the blockusing ORAM
3
Instrumented code is located in C-Tree
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
Update C-Pad withnew code block
4
Retrieve the blockusing ORAM
3
Instrumented code is located in C-Tree
Foo.1
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
Update C-Pad withnew code block
4
Retrieve the blockusing ORAM
3
Execute new code block
5
Instrumented code is located in C-Tree
Foo.1
C2. Securely loading C/D-Pad
11
• Fetch code and data using Oblivious RAM (ORAM)• The code and data is fetched onto C-Pad and D-Pad resp.
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request new code block
2
1
Execute old code block
Update C-Pad withnew code block
4
Retrieve the blockusing ORAM
3
Execute new code block
5
Instrumented code is located in C-Tree
Foo.1
Side-channel-resistant ORAM scheme ensuresno leakage as C/D-Pad are loaded!
C3. Align branches to/from C-Pad
12
C3. Align branches to/from C-Pad
12
• Each instrumented code block has two branches to fixed locations• C-Pad Code-Controller
• C-Pad Data-Controller
C3. Align branches to/from C-Pad
12
• Each instrumented code block has two branches to fixed locations• C-Pad Code-Controller
• C-Pad Data-Controller Code execution model
Data access model
C-Pad
jmp
jmp
Data Controller
stash
pos. map
Code Controller
stash
pos. map
addsub imul
CPU-boundinstructions
C3. Align branches to/from C-Pad
12
• Each instrumented code block has two branches to fixed locations• C-Pad Code-Controller
• C-Pad Data-Controller Code execution model
Data access model
C-Pad
jmp
jmp
Data Controller
stash
pos. map
Code Controller
stash
pos. map
Src. A Dst. A
addsub imul
CPU-boundinstructions
Dst. BSrc. B
FixedDst. Addr.
Fixed Src. Addr.
C3. Align branches to/from C-Pad
12
• Each instrumented code block has two branches to fixed locations• C-Pad Code-Controller
• C-Pad Data-Controller Code execution model
Data access model
C-Pad
jmp
jmp
Data Controller
stash
pos. map
Code Controller
stash
pos. map
Src. A Dst. A
addsub imul
CPU-boundinstructions
Dst. BSrc. B
FixedDst. Addr.
Fixed Src. Addr.
C/D-Controller have no conditional
branches!
C3. Align branches to/from C-Pad
12
• Each instrumented code block has two branches to fixed locations• C-Pad Code-Controller
• C-Pad Data-Controller Code execution model
Data access model
C-Pad
jmp
jmp
Data Controller
stash
pos. map
Code Controller
stash
pos. map
Src. A Dst. A
addsub imul
CPU-boundinstructions
Dst. BSrc. B
FixedDst. Addr.
Fixed Src. Addr.
C/D-Controller have no conditional
branches!
All Obfuscuro programs execute the same sequence of branches!
C4. Ensuring execution time consistency
13
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
Contains dummy but indistinguishable code
blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
2
Retrieve thenext block
Contains dummy but indistinguishable code
blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
3
2
Return to C-Pad Retrieve thenext block
Contains dummy but indistinguishable code
blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
3
2
Term
Return to C-Pad Retrieve thenext block
After N blocks
Contains dummy but indistinguishable code
blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
3
2
Term 4
Return to C-Pad
Fetches output and exits enclave!
Retrieve thenext block
After N blocks
Contains dummy but indistinguishable code
blocks
C4. Ensuring execution time consistency
13
• The program executes fixed number of code blocks
ORAM Bank
C-TreeC-Pad
64B
Code Controller
stash
pos. map
Request next code block
1
3
2
Term 4
Return to C-Pad
Fetches output and exits enclave!
Retrieve thenext block
After N blocks
Execute N code blocks to ensure all programs terminate consistently!
Faster memory store for enclaves
14
Faster memory store for enclaves
14
• Use AVX registers as store instead of ”Oblivious” store
DRAM
CPU
Faster memory store for enclaves
AVX registers
14
• Use AVX registers as store instead of ”Oblivious” store
C-Pad
64B
Code Controller
stash
pos. map
DRAM
CPU
Faster memory store for enclaves
DRAM-based store
AVX registers
Have to sequentiallyaccess all memory indices
14
• Use AVX registers as store instead of ”Oblivious” store
C-Pad
64B
Code Controller
stash
pos. map
DRAM
CPU
Faster memory store for enclaves
DRAM-based store
Register-based store
AVX registers
Have to sequentiallyaccess all memory indices
Can access individualregisters obliviously!
14
• Use AVX registers as store instead of ”Oblivious” store
C-Pad
64B
Code Controller
stash
pos. map
DRAM
CPU
Faster memory store for enclaves
DRAM-based store
Register-based store
AVX registers
Have to sequentiallyaccess all memory indices
Can access individualregisters obliviously!
14
• Use AVX registers as store instead of ”Oblivious” store
C-Pad
64B
Code Controller
stash
pos. map
AVX registers can be used as a faster, oblivious storage for SGX enclaves!
Implementation
15
Implementation
15
• LLVM compiler suite (3117 LoC)• Breaks all code into similar blocks (C1)
• Instrument and align all control and data-flow instructions (C3)
Implementation
15
• LLVM compiler suite (3117 LoC)• Breaks all code into similar blocks (C1)
• Instrument and align all control and data-flow instructions (C3)
• Runtime library (2179 LoC)• Initializes ORAM trees and performs secure ORAM operations (C2)
• Terminate program and fetch output (C4)
Implementation
15
• LLVM compiler suite (3117 LoC)• Breaks all code into similar blocks (C1)
• Instrument and align all control and data-flow instructions (C3)
• Runtime library (2179 LoC)• Initializes ORAM trees and performs secure ORAM operations (C2)
• Terminate program and fetch output (C4)
• Intel SGX SDK (25 LoC)• Assign memory regions for C/D-Pad (support)
Performance Evaluation
16
0
100
200
300
16 2768 85 121
231O
verh
ead
(ti
me
s)
Programs
Performance Evaluation
16
0
100
200
300
16 2768 85 121
231O
verh
ead
(ti
me
s)
Programs
We ported ~10 simple applications to
Obfuscuro!
Performance Evaluation
16
0
100
200
300
16 2768 85 121
231O
verh
ead
(ti
me
s)
Programs
Average overhead observed is 81 times over
native programs!
We ported ~10 simple applications to
Obfuscuro!
Performance Evaluation
16
0
100
200
300
16 2768 85 121
231O
verh
ead
(ti
me
s)
Programs
Average overhead observed is 81 times over
native programs!
The overhead is highly dependent on input size
and program type!
We ported ~10 simple applications to
Obfuscuro!
Ending Remarks!
17
Ending Remarks!
17
1. Program obfuscation is a remarkable dream to achieve
Ending Remarks!
17
1. Program obfuscation is a remarkable dream to achieve
2. Various software/hardware limitations hinder the realization of program obfuscation on Intel SGX
Ending Remarks!
17
1. Program obfuscation is a remarkable dream to achieve
2. Various software/hardware limitations hinder the realization of program obfuscation on Intel SGX
3. Existing solutions have a limited approach towards side-channel mitigation in Intel SGX
Ending Remarks!
17
1. Program obfuscation is a remarkable dream to achieve
2. Various software/hardware limitations hinder the realization of program obfuscation on Intel SGX
3. Existing solutions have a limited approach towards side-channel mitigation in Intel SGX
4. Obfuscuro is compiler-based scheme which addresses this issue by ensuring all programs leak same access patterns
Adil AhmadContact: [email protected]
18(Translation ~ Thanks!) ;)
Execution Time Evaluation
19
cycl
es
Code block with instructionsof each type
General programs
ORAM access time dominates the time of code block execution!