MPTEE: Bringing flexible and efficient memory protection to Intel SGX

Wenjia Zhao, Kangjie Lu, Yong Qi, Saiyu Qi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Intel Software Guard Extensions (SGX), a hardware-based Trusted Execution Environment (TEE), has become a promising solution to stopping critical threats such as insider attacks and remote exploits. SGX has recently drawn extensive research in two directions: using it to protect the confidentiality and integrity of sensitive data, and protecting itself from attacks. Both the applications and defense mechanisms of SGX have a fundamental need: flexible memory protection that updates memory-page permissions dynamically and enforces the least-privilege principle. Unfortunately, SGX does not provide such a memory-protection mechanism due to the lack of hardware support and the untrustedness of operating systems. This paper proposes MPTEE, a memory-protection mechanism that provides flexible and efficient enforcement of memory-page permissions in SGX. The enforcement relies on our elastic cross-region bound check technique which uses only three bound registers but provides six memory permissions. To defend MPTEE against potential attacks, we further develop an efficient mechanism that exploits the in-place bound-check technique to ensure the integrity of the memory protection. With MPTEE, developers can enhance the protection for data and code in SGX enclaves and enforce the least-privilege principle such as Execute-no-Read memory readily. We have implemented MPTEE and extensively evaluated its effectiveness, utility, and performance. The results show that MPTEE incurs a performance overhead of only 2%-8%, and is effective in ensuring memory protection and in defending against potential attacks.

Original language: English (US)
Title of host publication: Proceedings of the 15th European Conference on Computer Systems, EuroSys 2020
Publisher: Association for Computing Machinery, Inc
ISBN (Electronic): 9781450368827
State: Published - Apr 15 2020
Event: 15th European Conference on Computer Systems, EuroSys 2020 - Heraklion, Greece
Duration: Apr 27 2020 - Apr 30 2020

Publication series

Name: Proceedings of the 15th European Conference on Computer Systems, EuroSys 2020

Conference

Conference: 15th European Conference on Computer Systems, EuroSys 2020
Country: Greece
City: Heraklion
Period: 4/27/20 - 4/30/20

Bibliographical note

Funding Information:
We would like to thank our shepherd, Rodrigo Rodrigues, and the anonymous reviewers for their feedback and suggestions. This research was supported in part by the National Natural Science Foundation of China (NSFC) under grants 61672421 and 61602363, and NSF award CNS-1931208. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of NSF.

Publisher Copyright:
© 2020 Owner/Author.

Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.
