Corpus ID: 221446885

Binary Compatibility For SGX Enclaves

Authors: Shweta Shinde, Jinhua Cui, Satyaki Sen, Pinghai Yuan, Prateek Saxena

Enclaves, such as those enabled by Intel SGX, offer a powerful hardware isolation primitive for application partitioning. To become universally usable on future commodity OSes, enclave designs should offer compatibility with existing software. In this paper, we draw attention to 5 design decisions in SGX that create incompatibility with existing software. These represent concrete starting points, we hope, for improvements in future TEEs. Further, while many prior works have offered partial… 

Elasticlave: An Efficient Memory Model for Enclaves

This work presents Elasticlave, a new TEE memory model that allows enclaves to selectively and temporarily share memory with other enclaves and the OS, and finds that its performance characteristics and hardware area footprint scale well with the number of shared memory regions it is configured to support.

TCS Security Analysis in Intel SGX Enclave MultiThreading

Under multithreaded concurrency, a single enclave cannot resist flooding attacks, and related threads also throw TCS exception codes, which exposes the possible security risks of enclaves under concurrent conditions.

SecureLease: Maintaining Execution Control in The Wild using Intel SGX

This paper proposes SecureLease, a novel approach that efficiently solves the problem of circumventing CFB attacks by running the license managers and other parts of the application in a trusted execution environment (TEE), a hardware-managed sandbox.

Panoply: Low-TCB Linux Applications With SGX Enclaves

A new system called PANOPLY is presented which bridges the gap between the SGX-native abstractions and the standard OS abstractions that feature-rich, commodity Linux applications require. It enables much stronger security in 4 real-world applications (including Tor, OpenSSL, and web services), which can base security on a hardware root of trust.

Regaining lost cycles with HotCalls: A fast interface for SGX secure enclaves

A first comprehensive quantitative study evaluates the performance of SGX and designs a new SGX interface framework, HotCalls, which provides a 13–27x speedup over the default interface and can easily be integrated into existing code, making it a practical solution.

Eleos: ExitLess OS Services for SGX Enclaves

Eleos introduces a novel Secure User-managed Virtual Memory (SUVM) abstraction that implements application-level paging inside the enclave, which eliminates the overheads of enclave exits due to paging, and enables new optimizations such as sub-page granularity of accesses.

BesFS: A POSIX Filesystem for Enclaves with a Mechanized Safety Proof

BesFS is presented, the first filesystem interface which provably protects enclave integrity against a completely malicious OS. The work proves 167 lemmas and 2 key theorems in 4625 lines of Coq proof scripts, which directly prove the safety properties of the BesFS specification.

SGX-FS: Hardening a File System in User-Space with Intel SGX

SGX-FS is presented, a new user-space file system that leverages SGX data sealing capabilities for secure in-memory and persistent storage and combines the FUSE framework with SGX to securely protect user data.

Running Language Interpreters Inside SGX: A Lightweight, Legacy-Compatible Script Code Hardening Approach

This paper presents SCRIPTSHIELD, a framework capable of running legacy script code while simultaneously providing confidentiality and integrity for scripting code and data; it keeps the TCB small and provides backwards compatibility.

Protecting Legacy Applications with a Purely Hardware TCB

A new architecture feature called PODARCH is proposed, which makes it easy to import executables on an OS without risking the target system’s security or the execution of the imported application.

Towards Memory Safe Enclave Programming with Rust-SGX

The key idea is to enable the development of enclave programs in Rust, an efficient memory-safe systems language, with a RUST-SGX SDK, by solving the key challenges of how to make the SGX software memory safe while running as efficiently as with the SDK provided by Intel.

Occlum: Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX

The Occlum LibOS outperforms the state-of-the-art SGX LibOS on multitasking-heavy workloads by up to 6,600x on micro-benchmarks and up to 500x on application benchmarks.

SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs

SGX-Shield is built on a secure in-enclave loader that secretly bootstraps the memory space layout with finer-grained randomization; it shows a high degree of randomness in memory layouts and stops memory corruption attacks with a high probability.