To Isolate, or to Share? That is a Question for Intel SGX

Abstract

One cornerstone of computer security is hardware-based isolation mechanisms, among which an emerging technology named <em>Intel Software Guard Extensions (SGX)</em> offers arguably the strongest security on x86 architecture. Intel SGX enables user-level code to create trusted memory regions named <em>enclaves</em>, which are isolated from the rest of the system, including privileged system software. This strong isolation of SGX, however, forbids sharing any trusted memory between enclaves, making it difficult to implement any features or techniques that must share code or data between enclaves. This dilemma between isolation and sharing is especially challenging to system software for SGX (e.g., library OSes), to which both properties are highly desirable.To resolve the tension between isolation and sharing in system software for SGX, especially library OSes, we propose a <em>single-address-space approach</em>, which runs all (user-level) processes and the library OS in a single enclave. This single-enclave architecture enables various memory-sharing features or techniques, thus improving both performance and usability. To enforce inter-process isolation and user-privilege isolation inside the enclave, we design a <em>multi-domain</em> software fault isolation (SFI) scheme, which is unique in its support for two types of domains: 1) data domains, which enable process isolation, and 2) code domains, which enable shared libraries. Our SFI is implemented efficiently by leveraging Intel Memory Protection Extensions (MPX). Experimental results show an average overhead of 10\%, thus demonstrating the practicality of our approach.