SlideShare a Scribd company logo

SGX Trusted Execution Environment

Kernel TLV
Kernel TLV

Intel trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM. In this talk, we will: * explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications, * discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation. * describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK. * discuss how it is possible for the OS to manage secure memory without having access to it. * explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations. Ofir Weisse is a Researcher PhD Student at University of Michigan. Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc

Technology
1 of 45
Download to read offline
SGX Trusted Execution Environment Linux Kernel Meetup Tel-Aviv, May 10, 2018 Ofir Weisse
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cloud Computing Attack Surface Service Hosting 2 Medical Records Intellectual Property Private Data
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cloud Computing Attack Surface  To lower costs - computation and storage are moved to third party machines  This implies trust Cloud provider employees 3 OS Virtualization Software SMM code (firmware) Hardware The attack surface is large
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Secure Execution  What is the impact on overall application’s performance?  What creates the bottlenecks? Can we alleviate them?  How can the kernel attack SGX?  How can we defend against a malicious kernel? 4 Authenticated code Malicious environment Is it practical? No SGX With SGX Throughput degradation
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 5
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX in a nutshell User Space ddddddd d OS Kernel VMM SMM RAM HW CPU Enclave 6 Attestation Remote Client
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX – Memory Organization Physical Memory Enclave Page Cache (EPC) EPC metadata Encrypted by Memory Encryption Engine (MEE) 7
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX – Memory Organization No roll back 8 Physical Memory Enclave Page Cache (EPC) EPC metadata No roll-back
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Encrypted Memory Management 9 Virtual Address space (>4GB): code data Physical memory: Enclave Page Cache (EPC)
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Instructions Supervisor Instructions (Ring 0)  ECREATE  EADD – copy to EPC  EEXTEND – add to SHA256  EINIT  EDBGRD  EDBGWR  EINIT  EWB – evict from EPC  ELD – load to EPC  ETRACK 10 User Instructions (Ring 3)  EENTER  EEXIT  ERESUME  EGETKEY  EREPORT
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Encrypted Memory Management 11 Virtual Address space (>4GB): code data Physical memory: Enclave Page Cache (EPC) EADD
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Application memory address spacePlaintext Shared Memory SGX - Secure Enclave Life-cycle 12 Enclave – Trusted Code Application – Untrusted Code Encrypted Memory ocall ecall • Can access all memory • No access to system calls • Can call system API functions (send, fread, etc.) External Verifier SGX operations may become a bottleneck
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 13
Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Accessing encrypted memory Read Write  Control transfers Ecalls (EENTER+EEXIT) Ocalls (EEXIT+ERESUME)  SDK inefficiencies What are the Potential Bottlenecks? 14
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cost of Accessing Encrypted Memory 15 102% overhead Write Latency Read Latency 6% overhead (Cache-miss: 30%) (Cache-miss: 20%) Encrypted memory is a potential bottleneck
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Ecalls SDK code EENTER EEXIT Ocalls SDK code EEXIT ERESUME Cost of Secure Context Switch 16  Gathering required enclave information  Defensive checks of pointers  Legal destination  No overlaps
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cost of Secure Context Switch (CDF) 17 8,600 cycles = 2.16 𝝁𝒔𝒆𝒄 8,200 cycles = 2.06 𝝁𝒔𝒆𝒄 Ecalls SDK code EENTER EEXIT Ocalls SDK code EEXIT ERESUME 8,600 cycles = 2.16 𝝁𝒔𝒆𝒄 8,200 cycles = 2.06 𝝁𝒔𝒆𝒄 Cycles (x1000) 14,100 cycles = 3.52 𝝁𝒔𝒆𝒄 14,100 cycles = 3.52 𝝁𝒔𝒆𝒄 100% 50% 0% 100% 50% 0%
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Call Type Cycles Linux System Call 150 x1 (OSDI 2010) KVM Hypercall 1,300 x8 (ISCA 2016) Call Type Cycles Linux System Call 150 x1 (OSDI 2010) KVM Hypercall 1,300 x8 (ISCA 2016) SGX calls (warm cache) 8,600 x57 SGX calls (cold cache, median) 14,100 x94 SGX calls (cold cache top 5%) 16,000 x106 Context Switch in Perspective 18 #Calls per second Cycles overhead @ 4GHz 10,000 2.15% 50,000 10.75% 100,000 21.5% 200,000 43% Application # Calls /second Core spending Memcached 200,000 43% OpenVPN 275,000 57% Lighttpd 270,000 56% Real Applications
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 19
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Fast EcallsFast OcallsHotCalls HotCalls – New Calling Interface EnclaveApplication 20 Properties:  Not dependent on OS mutexes, semaphores or signals  Maintains security properties of SGX No context switch
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Fast EcallsFast OcallsHotCalls HotCalls – New Calling Interface ResponderRequester 21 Shared Memory void *dataSpinlock call_ID Go | DoneSpinlockSpinlock void *data call_ID Go | DoneSpinlock Go | Done Shared Memory void *dataSpinlock call_ID Go | DoneSpinlock void *data call_ID Shared Memory void *dataSpinlock call_ID Go | DoneSpinlock call_ID Additional thread Go | Donevoid *data Shared memory No context switch
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 HotCalls vs. SDK Calls (CDF) 23 8,200 cycles 14,100 cycles 600 cycles 1,300 cycles 580 cycles 1,300 cycles Cycles (x1000) 100% 50% 0% 100% 50% 0%
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 OS CallsOS Calls HotCalls in Practice 24 OS Calls - Porting strategy similar to Haven & SCONE - Developed an SGX porting framework to automate the process
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Lost Cycles Estimation 25 Application Frequent Calls (Calls x1000 / second) Total Calls Core Time Memcached read(66.5), sendmsg(66.5) RunEnclaveFucntion(66.5) 200K 42% OpenVPN poll(87), time(87), getpid(13.6), write(30), recvfrom(30), read(13.6) sendto(13.6) 275K 57% Lighttpd read(49),fcntl(25), epoll_ctl(25), close(25), setsockopt(25), __fxstat64(25) inet_ntop(12),accept(12), inet_addr(12),ioctl(12), __open64_2(12), sendfile64(12) shutdown(12),writev(12) 270K 56% #Calls per second Core overhead 10,000 2.15% 50,000 10.75% 100,000 21.5% 200,000 43% Context switches consume up to 57% of the cycles
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 -64% -79% -77%x2.66 x2.8 x3.7 HotCalls in Action 26 317866 53.4 OpenVPN (MB / sec) Memcached (K-ops / sec) Lighttpd (K-requests / sec) 66 309 12.1 185 823 44.8 Normalized Throughput Improvement
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Part 1 Conclusion  Naively porting applications may derail performance  Memory access may be expensive  Interaction with the OS may be costly  Can optimize performance with HotCalls  Request latency is reduced by up to 13X  Throughput can be boosted to near-native performance 27
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Attacks on SGX  Controlled Channel Attacks – with Page Faults  Controlled Channel Attacks – with Page Table Side Channels  Branch Shadowing  Defense Mechanisms 28
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Virtual to Physical Mapping 101 Virtual Memory: code data 29 Physical memory The OS can induce a page fault on every memory access Enclave Page Cache (EPC)
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack (The Original) 30Source: “Controlled Channel Attacks”, IEEE S&P 2015
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack (The Original) 31Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack 32Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 33Source: “Telling Your Secrets Without Page Faults”, USENIX Security 2017
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack Without Page Faults  Dirty bits in PTEs  Cache side channels 34
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Attacks on SGX  Controlled Channel Attacks – with Page Faults  Controlled Channel Attacks – with Page Table Side Channels  Branch Shadowing  Defense Mechanisms 35
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing Attacks  Branch prediction and BTB 36 Source: “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing”, USENIX Security 2017
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Last Branch Record (LBR)  A trace of all recently taken branches and branch mispredictions  Alas, LBR is disabled when SGX enclaves are executing 37
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Prediction and Branch Target Buffer (BTB) Current RIP [Bits 31:0] Taken/Not-taken Predicted Destination 0x7FADEA1050DE0000 Taken 0x7FADEA1050DE0300 0x7FADEA1050DE0100 Taken 0x7FADEA1050DE0200 0x7FADEA1050DE0200 Not Taken 0x7FADEA1050DE0100 0x7FADEA1050DE0300 Not Taken 0x7FADEA1050DE0500 38  What happens if RIP=0x0000000050DE0000?
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing 39 Address Code 0x7FADEA1050DE0000 If( keyBit == 0 ) { 0x7FADEA1050DE0010 multiply(…); 0x7FADEA1050DE0018 ………. 0x7FADEA1050DE0020 } else if(…) { 0x7FADEA1050DE0028 add( ….. ); 0x7FADEA1050DE0030 ……. 0x7FADEA1050DE0038 } Inside Enclave Branch Shadow Address Code 0x0000000050DE0000 If( dummy != 5 ) { 0x0000000050DE0010 nop; 0x0000000050DE0018 ………. 0x0000000050DE0020 } else if(…) { 0x0000000050DE0028 nop; 0x0000000050DE0030 ……. 0x0000000050DE0038 }
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Single step(ish)  How can we pause execution after every branch?  Clock Interrupt causes Asynchronous Exit (AEX)  Then single step branch shadow code  Observe LBR 40
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing Results  66% of the bits of 1024 RSA key were recovered using a single run  With 10 runs – all the bits were recovered 41
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Defense Mechanisms  T-SGX – using Transactional Memory Extensions (TSX)  SGX-Shield – ASLR for SGX  Racing in Hyperspace 42
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 TSX – Transactional Synchronization eXtensions  Computation performed in cache  Complete rollback upon abort  Faults are supressed 43 Transaction XBEGIN XEND TSX Abort Transaction complete
Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Page-fault -> TSX abort T-SGX 44 XBEGIN XEND TSX Abort Transaction complete Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
Linux Kernel Meetup, Tel-Aviv, May 10, 2018 T-SGX (2) 45 XBEGIN XEND TSX Abort Transaction complete  Timer Interrupt -> TSX abort Image Source: “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing”, USENIX Security 2017
Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Secure execution alone is only the first step for secure systems  Performance impact may be prohibitive but can be optimized with HotCalls  Including the OS/VMM in the threat model presents new challenges Conclusion 46 www.OfirWeisse.com github.com/oweisse/hot-calls

Recommended

Intel software guard extension
Intel software guard extensionIntel software guard extension
Intel software guard extensionDESMOND YUEN
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)k33a
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 

Recommended

Intel software guard extension
Intel software guard extensionIntel software guard extension
Intel software guard extensionDESMOND YUEN
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)k33a
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Kerberos
KerberosKerberos
KerberosRahul Pundir
 
Technical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesTechnical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesRobb Boyd
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudPriyanka Aash
 
SSH
SSHSSH
SSHZach Dennis
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
SSL
SSLSSL
SSLtheekuchi
 
Ssl https
Ssl httpsSsl https
Ssl httpsAndrada Boldis
 
IoT Security
IoT SecurityIoT Security
IoT SecurityPeter Waher
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkCisco Canada
 
IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 mohammad norozzudegan
 
CCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyCCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyVuz Dở Hơi
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpnsharetech
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)mike parks
 
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityCCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityVuz Dở Hơi
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Hannes Tschofenig
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
Supermicro X12 Performance Update
Supermicro X12 Performance UpdateSupermicro X12 Performance Update
Supermicro X12 Performance UpdateRebekah Rodriguez
 
GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)Igalia
 

More Related Content

What's hot

Technical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesTechnical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesRobb Boyd
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudPriyanka Aash
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkCisco Canada
 
IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 mohammad norozzudegan
 
CCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyCCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyVuz Dở Hơi
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)mike parks
 
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityCCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityVuz Dở Hơi
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Hannes Tschofenig
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 

What's hot (20)

IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
 
Kerberos
KerberosKerberos
Kerberos
 
Technical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series SwitchesTechnical Overview of Cisco Catalyst 9200 Series Switches
Technical Overview of Cisco Catalyst 9200 Series Switches
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
 
SSH
SSHSSH
SSH
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
SSL
SSLSSL
SSL
 
Ssl https
Ssl httpsSsl https
Ssl https
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS Network
 
IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2 IMS Authentication with AKAv1 and AKAv2
IMS Authentication with AKAv1 and AKAv2
 
CCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan RedundancyCCNAv5 - S3: Chapter2 Lan Redundancy
CCNAv5 - S3: Chapter2 Lan Redundancy
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
 
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site ConnectivityCCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
CCNAv5 - S4: Chapter 7: Securing Site-to-site Connectivity
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3Advancing IoT Communication Security with TLS and DTLS v1.3
Advancing IoT Communication Security with TLS and DTLS v1.3
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptography
 

Similar to SGX Trusted Execution Environment

Supermicro X12 Performance Update
Supermicro X12 Performance UpdateSupermicro X12 Performance Update
Supermicro X12 Performance UpdateRebekah Rodriguez
 
GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)Igalia
 
Microservices in Unikernels
Microservices in UnikernelsMicroservices in Unikernels
Microservices in UnikernelsMadhuri Yechuri
 
Summit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on OpenstackSummit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on OpenstackOPNFV
 
Red hat Enterprise Linux 6.4 for IBM System z Technical Highlights
Red hat Enterprise Linux 6.4 for IBM System z Technical HighlightsRed hat Enterprise Linux 6.4 for IBM System z Technical Highlights
Red hat Enterprise Linux 6.4 for IBM System z Technical HighlightsFilipe Miranda
 
Seminar Accelerating Business Using Microservices Architecture in Digital Age...
Seminar Accelerating Business Using Microservices Architecture in Digital Age...Seminar Accelerating Business Using Microservices Architecture in Digital Age...
Seminar Accelerating Business Using Microservices Architecture in Digital Age...PT Datacomm Diangraha
 
Best Practices for performance evaluation and diagnosis of Java Applications ...
Best Practices for performance evaluation and diagnosis of Java Applications ...Best Practices for performance evaluation and diagnosis of Java Applications ...
Best Practices for performance evaluation and diagnosis of Java Applications ...IndicThreads
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6David Pasek
 
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화OpenStack Korea Community
 
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Hajime Tazaki
 
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and moreAdvanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and moreinside-BigData.com
 
Open HFT libraries in @Java
Open HFT libraries in @JavaOpen HFT libraries in @Java
Open HFT libraries in @JavaPeter Lawrey
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Joel W. King
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)Intel
 
Xilinx Data Center Strategy and CCIX
Xilinx Data Center Strategy and CCIXXilinx Data Center Strategy and CCIX
Xilinx Data Center Strategy and CCIXYoshihiro Horie
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
 
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph Ceph Community
 

Similar to SGX Trusted Execution Environment (20)

Supermicro X12 Performance Update
Supermicro X12 Performance UpdateSupermicro X12 Performance Update
Supermicro X12 Performance Update
 
GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)GStreamer and SysLink (GStreamer Conference 2011)
GStreamer and SysLink (GStreamer Conference 2011)
 
TiReX: Tiled Regular eXpression matching architecture
TiReX: Tiled Regular eXpression matching architectureTiReX: Tiled Regular eXpression matching architecture
TiReX: Tiled Regular eXpression matching architecture
 
Microservices in Unikernels
Microservices in UnikernelsMicroservices in Unikernels
Microservices in Unikernels
 
Summit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on OpenstackSummit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on Openstack
 
Red hat Enterprise Linux 6.4 for IBM System z Technical Highlights
Red hat Enterprise Linux 6.4 for IBM System z Technical HighlightsRed hat Enterprise Linux 6.4 for IBM System z Technical Highlights
Red hat Enterprise Linux 6.4 for IBM System z Technical Highlights
 
Seminar Accelerating Business Using Microservices Architecture in Digital Age...
Seminar Accelerating Business Using Microservices Architecture in Digital Age...Seminar Accelerating Business Using Microservices Architecture in Digital Age...
Seminar Accelerating Business Using Microservices Architecture in Digital Age...
 
Best Practices for performance evaluation and diagnosis of Java Applications ...
Best Practices for performance evaluation and diagnosis of Java Applications ...Best Practices for performance evaluation and diagnosis of Java Applications ...
Best Practices for performance evaluation and diagnosis of Java Applications ...
 
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
VMware ESXi - Intel and Qlogic NIC throughput difference v0.6
 
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화
[OpenStack Days Korea 2016] Track1 - All flash CEPH 구성 및 최적화
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
 
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
 
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and moreAdvanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
Advanced Networking: The Critical Path for HPC, Cloud, Machine Learning and more
 
Open HFT libraries in @Java
Open HFT libraries in @JavaOpen HFT libraries in @Java
Open HFT libraries in @Java
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)
 
Xilinx Data Center Strategy and CCIX
Xilinx Data Center Strategy and CCIXXilinx Data Center Strategy and CCIX
Xilinx Data Center Strategy and CCIX
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
 
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph
Ceph Day Seoul - AFCeph: SKT Scale Out Storage Ceph
 

More from Kernel TLV

Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Present Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityPresent Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityKernel TLV
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and WhereKernel TLV
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
KernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernel TLV
 
Userfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentUserfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentKernel TLV
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesKernel TLV
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingKernel TLV
 
WiFi and the Beast
WiFi and the BeastWiFi and the Beast
WiFi and the BeastKernel TLV
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDKKernel TLV
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 

More from Kernel TLV (20)

DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
Present Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityPresent Absence of Linux Filesystem Security
Present Absence of Linux Filesystem Security
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance Tools
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and Where
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
KernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernelTLV Speaker Guidelines
KernelTLV Speaker Guidelines
 
Userfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentUserfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future Development
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival Guide
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
WiFi and the Beast
WiFi and the BeastWiFi and the Beast
WiFi and the Beast
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDK
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and Drivers
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

SGX Trusted Execution Environment

  • 1. SGX Trusted Execution Environment Linux Kernel Meetup Tel-Aviv, May 10, 2018 Ofir Weisse
  • 2. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cloud Computing Attack Surface Service Hosting 2 Medical Records Intellectual Property Private Data
  • 3. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cloud Computing Attack Surface  To lower costs - computation and storage are moved to third party machines  This implies trust Cloud provider employees 3 OS Virtualization Software SMM code (firmware) Hardware The attack surface is large
  • 4. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Secure Execution  What is the impact on overall application’s performance?  What creates the bottlenecks? Can we alleviate them?  How can the kernel attack SGX?  How can we defend against a malicious kernel? 4 Authenticated code Malicious environment Is it practical? No SGX With SGX Throughput degradation
  • 5. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 5
  • 6. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX in a nutshell User Space ddddddd d OS Kernel VMM SMM RAM HW CPU Enclave 6 Attestation Remote Client
  • 7. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX – Memory Organization Physical Memory Enclave Page Cache (EPC) EPC metadata Encrypted by Memory Encryption Engine (MEE) 7
  • 8. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX – Memory Organization No roll back 8 Physical Memory Enclave Page Cache (EPC) EPC metadata No roll-back
  • 9. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Encrypted Memory Management 9 Virtual Address space (>4GB): code data Physical memory: Enclave Page Cache (EPC)
  • 10. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Instructions Supervisor Instructions (Ring 0)  ECREATE  EADD – copy to EPC  EEXTEND – add to SHA256  EINIT  EDBGRD  EDBGWR  EINIT  EWB – evict from EPC  ELD – load to EPC  ETRACK 10 User Instructions (Ring 3)  EENTER  EEXIT  ERESUME  EGETKEY  EREPORT
  • 11. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 SGX Encrypted Memory Management 11 Virtual Address space (>4GB): code data Physical memory: Enclave Page Cache (EPC) EADD
  • 12. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Application memory address spacePlaintext Shared Memory SGX - Secure Enclave Life-cycle 12 Enclave – Trusted Code Application – Untrusted Code Encrypted Memory ocall ecall • Can access all memory • No access to system calls • Can call system API functions (send, fread, etc.) External Verifier SGX operations may become a bottleneck
  • 13. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 13
  • 14. Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Accessing encrypted memory Read Write  Control transfers Ecalls (EENTER+EEXIT) Ocalls (EEXIT+ERESUME)  SDK inefficiencies What are the Potential Bottlenecks? 14
  • 15. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cost of Accessing Encrypted Memory 15 102% overhead Write Latency Read Latency 6% overhead (Cache-miss: 30%) (Cache-miss: 20%) Encrypted memory is a potential bottleneck
  • 16. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Ecalls SDK code EENTER EEXIT Ocalls SDK code EEXIT ERESUME Cost of Secure Context Switch 16  Gathering required enclave information  Defensive checks of pointers  Legal destination  No overlaps
  • 17. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Cost of Secure Context Switch (CDF) 17 8,600 cycles = 2.16 𝝁𝒔𝒆𝒄 8,200 cycles = 2.06 𝝁𝒔𝒆𝒄 Ecalls SDK code EENTER EEXIT Ocalls SDK code EEXIT ERESUME 8,600 cycles = 2.16 𝝁𝒔𝒆𝒄 8,200 cycles = 2.06 𝝁𝒔𝒆𝒄 Cycles (x1000) 14,100 cycles = 3.52 𝝁𝒔𝒆𝒄 14,100 cycles = 3.52 𝝁𝒔𝒆𝒄 100% 50% 0% 100% 50% 0%
  • 18. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Call Type Cycles Linux System Call 150 x1 (OSDI 2010) KVM Hypercall 1,300 x8 (ISCA 2016) Call Type Cycles Linux System Call 150 x1 (OSDI 2010) KVM Hypercall 1,300 x8 (ISCA 2016) SGX calls (warm cache) 8,600 x57 SGX calls (cold cache, median) 14,100 x94 SGX calls (cold cache top 5%) 16,000 x106 Context Switch in Perspective 18 #Calls per second Cycles overhead @ 4GHz 10,000 2.15% 50,000 10.75% 100,000 21.5% 200,000 43% Application # Calls /second Core spending Memcached 200,000 43% OpenVPN 275,000 57% Lighttpd 270,000 56% Real Applications
  • 19. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Outline  Part 1 – Performance Optimization Intel SGX background Measuring SGX performance bottlenecks Improving SGX performance with HotCalls  Part 2 – Attacks on SGX 19
  • 20. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Fast EcallsFast OcallsHotCalls HotCalls – New Calling Interface EnclaveApplication 20 Properties:  Not dependent on OS mutexes, semaphores or signals  Maintains security properties of SGX No context switch
  • 21. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Fast EcallsFast OcallsHotCalls HotCalls – New Calling Interface ResponderRequester 21 Shared Memory void *dataSpinlock call_ID Go | DoneSpinlockSpinlock void *data call_ID Go | DoneSpinlock Go | Done Shared Memory void *dataSpinlock call_ID Go | DoneSpinlock void *data call_ID Shared Memory void *dataSpinlock call_ID Go | DoneSpinlock call_ID Additional thread Go | Donevoid *data Shared memory No context switch
  • 22. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 HotCalls vs. SDK Calls (CDF) 23 8,200 cycles 14,100 cycles 600 cycles 1,300 cycles 580 cycles 1,300 cycles Cycles (x1000) 100% 50% 0% 100% 50% 0%
  • 23. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 OS CallsOS Calls HotCalls in Practice 24 OS Calls - Porting strategy similar to Haven & SCONE - Developed an SGX porting framework to automate the process
  • 24. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Lost Cycles Estimation 25 Application Frequent Calls (Calls x1000 / second) Total Calls Core Time Memcached read(66.5), sendmsg(66.5) RunEnclaveFucntion(66.5) 200K 42% OpenVPN poll(87), time(87), getpid(13.6), write(30), recvfrom(30), read(13.6) sendto(13.6) 275K 57% Lighttpd read(49),fcntl(25), epoll_ctl(25), close(25), setsockopt(25), __fxstat64(25) inet_ntop(12),accept(12), inet_addr(12),ioctl(12), __open64_2(12), sendfile64(12) shutdown(12),writev(12) 270K 56% #Calls per second Core overhead 10,000 2.15% 50,000 10.75% 100,000 21.5% 200,000 43% Context switches consume up to 57% of the cycles
  • 25. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 -64% -79% -77%x2.66 x2.8 x3.7 HotCalls in Action 26 317866 53.4 OpenVPN (MB / sec) Memcached (K-ops / sec) Lighttpd (K-requests / sec) 66 309 12.1 185 823 44.8 Normalized Throughput Improvement
  • 26. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Part 1 Conclusion  Naively porting applications may derail performance  Memory access may be expensive  Interaction with the OS may be costly  Can optimize performance with HotCalls  Request latency is reduced by up to 13X  Throughput can be boosted to near-native performance 27
  • 27. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Attacks on SGX  Controlled Channel Attacks – with Page Faults  Controlled Channel Attacks – with Page Table Side Channels  Branch Shadowing  Defense Mechanisms 28
  • 28. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Virtual to Physical Mapping 101 Virtual Memory: code data 29 Physical memory The OS can induce a page fault on every memory access Enclave Page Cache (EPC)
  • 29. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack (The Original) 30Source: “Controlled Channel Attacks”, IEEE S&P 2015
  • 30. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack (The Original) 31Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
  • 31. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack 32Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
  • 32. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 33Source: “Telling Your Secrets Without Page Faults”, USENIX Security 2017
  • 33. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Controlled Channel Attack Without Page Faults  Dirty bits in PTEs  Cache side channels 34
  • 34. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Attacks on SGX  Controlled Channel Attacks – with Page Faults  Controlled Channel Attacks – with Page Table Side Channels  Branch Shadowing  Defense Mechanisms 35
  • 35. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing Attacks  Branch prediction and BTB 36 Source: “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing”, USENIX Security 2017
  • 36. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Last Branch Record (LBR)  A trace of all recently taken branches and branch mispredictions  Alas, LBR is disabled when SGX enclaves are executing 37
  • 37. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Prediction and Branch Target Buffer (BTB) Current RIP [Bits 31:0] Taken/Not-taken Predicted Destination 0x7FADEA1050DE0000 Taken 0x7FADEA1050DE0300 0x7FADEA1050DE0100 Taken 0x7FADEA1050DE0200 0x7FADEA1050DE0200 Not Taken 0x7FADEA1050DE0100 0x7FADEA1050DE0300 Not Taken 0x7FADEA1050DE0500 38  What happens if RIP=0x0000000050DE0000?
  • 38. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing 39 Address Code 0x7FADEA1050DE0000 If( keyBit == 0 ) { 0x7FADEA1050DE0010 multiply(…); 0x7FADEA1050DE0018 ………. 0x7FADEA1050DE0020 } else if(…) { 0x7FADEA1050DE0028 add( ….. ); 0x7FADEA1050DE0030 ……. 0x7FADEA1050DE0038 } Inside Enclave Branch Shadow Address Code 0x0000000050DE0000 If( dummy != 5 ) { 0x0000000050DE0010 nop; 0x0000000050DE0018 ………. 0x0000000050DE0020 } else if(…) { 0x0000000050DE0028 nop; 0x0000000050DE0030 ……. 0x0000000050DE0038 }
  • 39. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Single step(ish)  How can we pause execution after every branch?  Clock Interrupt causes Asynchronous Exit (AEX)  Then single step branch shadow code  Observe LBR 40
  • 40. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Branch Shadowing Results  66% of the bits of 1024 RSA key were recovered using a single run  With 10 runs – all the bits were recovered 41
  • 41. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 Defense Mechanisms  T-SGX – using Transactional Memory Extensions (TSX)  SGX-Shield – ASLR for SGX  Racing in Hyperspace 42
  • 42. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 TSX – Transactional Synchronization eXtensions  Computation performed in cache  Complete rollback upon abort  Faults are supressed 43 Transaction XBEGIN XEND TSX Abort Transaction complete
  • 43. Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Page-fault -> TSX abort T-SGX 44 XBEGIN XEND TSX Abort Transaction complete Image Source: “Controlled Channel Attacks”, IEEE S&P 2015
  • 44. Linux Kernel Meetup, Tel-Aviv, May 10, 2018 T-SGX (2) 45 XBEGIN XEND TSX Abort Transaction complete  Timer Interrupt -> TSX abort Image Source: “Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing”, USENIX Security 2017
  • 45. Linux Kernel Meetup, Tel-Aviv, May 10, 2018  Secure execution alone is only the first step for secure systems  Performance impact may be prohibitive but can be optimized with HotCalls  Including the OS/VMM in the threat model presents new challenges Conclusion 46 www.OfirWeisse.com github.com/oweisse/hot-calls