Abstract
Data security and privacy are of great concern for users of cloud computing. In order to provide such guarantees in public clouds, hardware manufacturers have designed trusted execution environments such as Intel’s Software Guard eXtensions (SGX). Intel SGX supports privacy-preserving, tamper-proof containers called enclaves. Regrettably, an SGX enclave has to rely on the untrusted operating system or hypervisor for underlying system services, which contradicts the threat model of Intel SGX. Whereas much of the previous work concentrates on protecting trusted applications by modifying a hypervisor, we tackle the problem by reusing existing drivers and leveraging processor-enforced protection. We propose a novel approach, named SMK, to provide trusted system services for SGX enclaves. SMK leverages existing Intel architecture features, i.e., System Management Mode (SMM) and the Unified Extensible Firmware Interface (UEFI). Specifically, we retrofit UEFI firmware and design an isolated micro-kernel inside SMM to securely provision critical system services for enclaves. To highlight the effectiveness and extensibility of SMK, we implement two system services: a trusted clock and a trusted network. Furthermore, we harden two real-world security-sensitive applications, OpenSSL and OpenVPN, with SMK’s system services. Our evaluation indicates that SMK can supply trusted system services for enclaves with modest runtime overheads.