Securing SGX Applications via Memory Safe Programming Languages and Augmented Runtime

Date

2019-12

Abstract

Intel introduced Software Guard eXtensions (SGX) in its Skylake CPU, giving application programmers the ability to execute code in an isolated trusted execution environment (TEE) called an enclave. SGX isolates sensitive code and data from operating systems, hypervisors, the BIOS, and other applications. It guarantees the confidentiality and integrity of enclave programs even when system software, such as operating systems, hypervisors, and the BIOS, is compromised. Because user-level applications do not have to trust any software outside the enclave, SGX significantly reduces the available attack surface. While a large number of SGX-based solutions have been proposed, nearly all of them focus on protecting native code applications while leaving scripting languages unprotected. To fill this gap, we introduce ScriptShield, a framework that uses an augmented runtime interpreter to protect the secrecy of SGX applications written in scripting languages. ScriptShield is capable of running legacy script code while simultaneously providing confidentiality and integrity for scripting code and data. In contrast to existing schemes, which either require tedious and time-consuming re-development or result in a large TCB (Trusted Computing Base) caused by importing an entire library OS or container, ScriptShield keeps the TCB small and provides backwards compatibility (i.e., no changes are needed to the scripting code itself). The core idea is to customize the interpreter to run inside an SGX enclave and pass scripts to it.

SGX hardware does not guarantee any memory safety for the software running inside an enclave, since that software is still developed today in memory-unsafe languages such as C/C++ or assembly. To address this issue, we propose Rust-SGX, an efficient and layered approach to exterminating memory corruption for software running inside SGX enclaves. The key idea is to enable the development of enclave programs in Rust, an efficient memory-safe systems language, using a Rust-SGX SDK, by solving the key challenges of how to (1) make the SGX software memory safe and (2) make it run as efficiently as it does with the SDK provided by Intel. We therefore propose to build Rust-SGX atop the Intel SGX SDK and tame unsafe components with formally proven memory safety.

While Rust-SGX has made enclaves memory safe, it addresses only the systems language. Many application domains, such as big data, machine learning, robotics and computer vision, are more commonly developed in the Python programming language. Thus, Python application developers cannot benefit from secure enclaves like Intel SGX and Rust-SGX. To fill this gap, we propose Python-SGX, a memory-safe SGX SDK that provides enclave developers with a memory-safe Python development environment. The intention is to enable a memory-safe Python language in SGX by solving the following challenges: (1) defining a memory-safe Python interpreter, (2) replacing unsafe elements of the Python interpreter with safe ones, (3) achieving comparable performance to non-enclave Python applications, and (4) not introducing any unsafe new code or libraries into SGX. We built Python-SGX with PyPy, a Python interpreter written in RPython, which is a subset of Python, and tamed the unsafe parts of PyPy through formal verification, security hardening, and a memory-safe language.

In summary, we implemented ScriptShield, Rust-SGX and Python-SGX. ScriptShield was tested with three popular scripting languages: Lua, JavaScript, and Squirrel. Our experimental results show that ScriptShield does not cause noticeable overhead. Rust-SGX was tested with a series of benchmark programs. Our evaluations showed that Rust-SGX imposes little extra overhead (less than 5% with respect to the SGX-specific features and services compared to software developed with the Intel SGX SDK) while having increased memory safety. Python-SGX was tested with a series of benchmark programs. Our evaluations showed that Python-SGX does not cause significant overhead.

Keywords

Python (Computer program language), Confidential communications, Rust (Computer program language), Computer networks -- Security measures -- Software, Computer security -- Software

Sponsorship

NSF grant nos. 1834213, 1834215 and 1834216
