# Hardware-supported Trusted Execution Environment (TEE)

Mengjia Yan

Spring 2024





# What do we trust when we execute a program?

# **Trusted Computing Base (TCB)**

Trusted





# Shrink TCB. Why?

- Software bugs
  - SMM-based rootkits
  - Xen 150K LOC, 40+ vulnerabilities per year
  - Monolithic kernel, e.g., Linux, 17M LOC, 100+ vulnerabilities per year
- Remote Computing
  - Remote computer and software stack owned by an untrusted party



### **Secure Remote Computing**





How to keep my data private without trusting the host OS/hypervisor/SMM?

#### **Potential Solutions**

- Homomorphic Encryption
- 4 to 5 orders of magnitude slower than computing on unencrypted data.



Performance? Accelerators?

e.g., F1: A Fast and Programmable Accelerator for Fully Homomorphic Encryption; Axel Feldmann, Nikola Samardzic et al. MICRO'21

Remote Computer

managed by untrusted

infrastructure provider

#### **Potential Solutions**



# **TEE Examples**



# **Protection Granularity & TCB Size**



# **SGX Enclave Programming Model**

• Examples from: https://github.com/intel/linux-sgx



# **Enclave Attestation and Sealing**

 HW based attestation provides evidence that "this is the right application executing on an authentic platform" (approach similar to secure boot attestation)



#### **Outline**

Understand the threat model: privilege SW attacks

Understand how to mitigate these threats

# **Privilege Software Attacks**

# **Operating Systems**



#### **Launch Time**

./helloworld

- Operations at launch time:
  - Create a process (PID, status, etc.)
  - Create a virtual address space: allocate memory for stack, heap, code region, set up the page tables



Setup file descriptor for input and output



Load the binary into the code region, and linked library if needed



Transfer the control to user space



# What can a privilege software attacker do?

- A non-comprehensive list
  - Modify the code to be executed
  - Monitor the whole execution process and data in register and in memory
  - Modify data in register and memory
  - Intercept IO, eavesdrop and tamper with the communication

•

### **Privilege Software Tasks**



# Case Study: Memory Management in Intel SGX

#### **Intel SGX Overview**

 Enclave code/data map to PRM; Different enclaves access their own memory region



#### **Intel SGX Address Translation Overview**



#### **Intel SGX Address Translation Overview**







Application code written by developer



Application code seen by CPU



# **Solution: Inverted Page Table**

• For each page in the PRM, remember the mapping from

```
<PPN> → <VPN, Enclave ID>
```

Keep the reversed page table in PRM, so privilege software cannot modify

- When to perform the check? (Review address translation process)
  - After each address translation



# Solution: Page Encryption and Authentication



# **Summary: SGX Memory Management**

• #1: Maintain a inverted page table and check after every address translation

Physical page in PRM -> (enclave ID, virtual page number)

- #2: Encrypt/decrypt upon page swap to non-PRM region (nounce, enclave ID, virtual page number, key, page content) → MAC
- #3: Keep TLB state up-to-date

Upon page swap, block the page in the inverted page table and unblock only until all the corresponding TLB entries are flushed

(We did not discuss this item in detail. Feel free to refer to the reference materials)

#### **Alternative Solutions**

- Naïve idea:
  - Let the trusted component handle page management
  - Problem: Large TLB
- Keystone's approach: leverage RISC-V's PMP registers
  - Enforce coarse-grained isolation and let the application to manage their page mappings
- AMD SEV:
  - Rely on encryption. But symmetric key vulnerability
  - Recent version introduces reverse page table

# **Keystone's Solution**

- PMP check after every page translation to avoid cross-domain access
- Enclave application uses a runtime to support self-managed mapping.



#### **Controlled Side Channels**

Virtual Address Space (Programmer's View)



Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems; Xu et al; S&P'15

#### **Controlled Side Channels**

- Access to a page that is
  - Unmapped
  - Invalid
  - Wrong access rights
- Exception is generated → Run page fault handler
- Page fault handler = Operating system
- Red flag: operating system was untrusted
- We can use it monitor control flow (victim's execution) at page granularity

#### **Controlled Side Channels**



Step 2: Let the victim execute

# How about other system tasks?



#### **Future Trends**

- Extend TEE to heterogenous systems
  - GPUs
  - Accelerators
- IO Problems
  - Trusted IO

### Summary

What can privilege software attackers do?

- Design tradeoffs between TCB size, flexibility, perf overhead, cost, etc.
  - Intel SGX, AMD SEV, ARM CCA
  - Keystone, Sanctum, Penglai, etc
- Read more:
  - Intel SGX Explained; by Costan et al
  - SoK: Understanding Designs Choices and Pitfalls of Trusted Execution Environments; by Li et al