Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX

Occlum is a system that enables secure and efficient multitasking on Intel Software Guard Extensions (SGX).

Intel(R) SGX is a set of CPU instructions that applications can use to set aside private regions of code and data, called enclaves. Code running outside an enclave is prevented by CPU access control from reading or writing the memory inside it. In a way you can think of SGX as an inverted sandbox: instead of protecting the host from an untrusted application, it protects the application from a malicious host, including a compromised OS or hypervisor.

Starting with the Skylake microarchitecture, the processor contains a new hardware unit called the Memory Encryption Engine (MEE). BIOS can define one or more MEE regions that hold enclave data by configuring them with the PRMRR registers.

The MEE automatically encrypts data as it leaves the processor package for the MEE regions, and decrypts and integrity-checks it on the way back in. The data is encrypted with a random key whose lifetime is exactly one power cycle.

The current Linux kernel implementation requires that the firmware leaves the IA32_SGXLEPUBKEYHASH* MSRs (which hold the hash of the launch enclave's signing key) writable, so that ultimately the kernel decides which enclaves it wants to run. The implementation does not create any bottlenecks to supporting read-only MSRs later on.

You can tell whether your CPU supports SGX by looking at /proc/cpuinfo:

cat /proc/cpuinfo  | grep sgx
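The "sgx" and "sgx_lc" flags that grep finds in /proc/cpuinfo are just the kernel's names for two CPUID bits. The following is an added example, not code from the page or from the Occlum project: it decodes those bits (plus the SGX1/SGX2 bits from CPUID leaf 0x12) from a pure function that can be tested with constructed register values, and then queries the live CPU with GCC's <cpuid.h>. The struct and function names are my own; the bit positions are those documented by Intel.

```c
/* Added example (not from the page or from Occlum): decode the SGX-related CPUID
 * bits that /proc/cpuinfo summarises as "sgx" and "sgx_lc". */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

typedef struct {
    bool sgx;    /* CPUID.(EAX=7,ECX=0):EBX[2]    -> "sgx" flag in /proc/cpuinfo   */
    bool sgx_lc; /* CPUID.(EAX=7,ECX=0):ECX[30]   -> "sgx_lc" flag (Launch Control) */
    bool sgx1;   /* CPUID.(EAX=0x12,ECX=0):EAX[0] -> SGX1 instruction set           */
    bool sgx2;   /* CPUID.(EAX=0x12,ECX=0):EAX[1] -> SGX2 (dynamic enclave memory)  */
} sgx_caps_t;

/* Pure decoder so the bit positions can be checked without SGX hardware. */
sgx_caps_t decode_sgx_caps(uint32_t leaf7_ebx, uint32_t leaf7_ecx, uint32_t leaf12_eax)
{
    sgx_caps_t c = {false, false, false, false};
    c.sgx    = (leaf7_ebx >> 2) & 1u;
    c.sgx_lc = (leaf7_ecx >> 30) & 1u;
    /* Leaf 0x12 is only meaningful when the SGX feature bit is set. */
    if (c.sgx) {
        c.sgx1 = leaf12_eax & 1u;
        c.sgx2 = (leaf12_eax >> 1) & 1u;
    }
    return c;
}

/* Query the running CPU. Returns false on non-x86 builds or if leaf 7 is absent. */
bool query_sgx_caps(sgx_caps_t *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf < 7)
        return false;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    uint32_t l7_ebx = ebx, l7_ecx = ecx, l12_eax = 0;
    if (((l7_ebx >> 2) & 1u) && max_leaf >= 0x12) {
        __cpuid_count(0x12, 0, eax, ebx, ecx, edx);
        l12_eax = eax;
    }
    *out = decode_sgx_caps(l7_ebx, l7_ecx, l12_eax);
    return true;
#else
    (void)out;
    return false;
#endif
}

int main(void)
{
    sgx_caps_t c;
    if (!query_sgx_caps(&c)) {
        puts("CPUID not available on this build target");
        return 1;
    }
    printf("sgx=%d sgx_lc=%d sgx1=%d sgx2=%d\n", c.sgx, c.sgx_lc, c.sgx1, c.sgx2);
    if (c.sgx && !c.sgx_lc)
        puts("note: no Launch Control; the kernel cannot choose its own launch enclave");
    return 0;
}
```

One caveat worth knowing: "sgx_lc" only says the CPU implements Launch Control. Whether the firmware actually left the IA32_SGXLEPUBKEYHASH* MSRs writable, which is what the kernel driver described above needs, is a separate firmware-controlled enable in IA32_FEATURE_CONTROL, and MSRs cannot be read from user mode, so CPUID alone cannot answer that question.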

Enclave-Isolated Processes (EIPs)

SGX library operating systems (LibOSes) enable legacy applications to run inside enclaves with few or even no modifications.

The most advanced multitasking SGX LibOS is Graphene-SGX, which implements LibOS processes as Enclave-Isolated Processes (EIPs).

Each EIP runs its own instance of the LibOS inside its own enclave, and so gets strong enclave-based isolation. However:

  1. Process creation is extremely expensive due to the high cost of enclave creation (about 10,000× slower than process creation on Linux).
  2. Inter-process communication (IPC) between EIPs is also expensive, because EIPs have to communicate by passing encrypted messages through untrusted memory.
  3. Keeping multiple LibOS instances synchronized with each other is painful.

SFI-Isolated Processes (SIPs)

Software Fault Isolation (SFI) is a software instrumentation technique for sandboxing untrusted modules (called domains) within a single address space. Occlum creates only one enclave, with a single LibOS instance inside it, and spawns each new process as an SFI-Isolated Process (SIP): a separate SFI domain inside that enclave. Because all SIPs share the enclave, IPC between them never leaves enclave memory and involves no extra encryption, and a writable, encrypted file system can be implemented relatively easily by the one LibOS instance. Isolation between SIPs is enforced by MPX-Based, Multi-Domain SFI (MMDSFI), which defines a set of memory access policies and instruments the code to enforce them.

How to control memory access between processes and regions? Instrumentation!

Occlum allocates two guard regions, one at the beginning and one at the end of each domain's data region. MMDSFI inserts a mem_guard pseudo-instruction before every unsafe memory access instruction to check that the access falls within the data region of the current domain.

A pair of pseudo-instructions, cfi_label and cfi_guard, is used to control indirect jumps as well as function calls: cfi_label marks a legitimate branch target, and cfi_guard, inserted before the indirect jump or call, checks that the target carries the expected label.
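To make the two checks concrete, here is an added example that is not Occlum's code: a pure-C emulation of the policies that mem_guard and cfi_guard enforce. Real MMDSFI uses Intel MPX bound registers and bound-check instructions, and a violation raises a hardware bound-range exception; in this emulation the bounds are plain integers, a violation simply returns false, and the domain layout, sizes and labels are constructed for the demonstration. The function and type names are my own.

```c
/* Added example (not Occlum's code): a pure-C emulation of MMDSFI's mem_guard and
 * cfi_guard checks. Real MMDSFI uses MPX bound registers/instructions; here the
 * bounds are plain integers so the policy can be read and tested anywhere. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GUARD_SIZE 64   /* constructed sizes, not Occlum's real layout */
#define DATA_SIZE  256

/* One SFI domain: [guard][data][guard], plus the label its code is tagged with. */
typedef struct {
    uint8_t   mem[GUARD_SIZE + DATA_SIZE + GUARD_SIZE];
    uintptr_t data_lo, data_hi;   /* half-open range of the data region */
    uint32_t  label;              /* cfi label expected at branch targets */
} domain_t;

void domain_init(domain_t *d, uint32_t label)
{
    memset(d->mem, 0, sizeof d->mem);
    d->data_lo = (uintptr_t)&d->mem[GUARD_SIZE];
    d->data_hi = d->data_lo + DATA_SIZE;
    d->label   = label;
}

/* mem_guard: true iff the whole access [addr, addr+len) lies in the data region.
 * Written so a hostile addr/len pair cannot wrap the arithmetic. */
bool mem_guard(const domain_t *d, const void *addr, size_t len)
{
    uintptr_t a = (uintptr_t)addr;
    return a >= d->data_lo && a < d->data_hi && len <= d->data_hi - a;
}

/* What an instrumented store looks like: the guard runs before the unsafe write. */
bool guarded_store(domain_t *d, void *dst, const void *src, size_t len)
{
    if (!mem_guard(d, dst, len))
        return false;            /* real MMDSFI would trap here instead */
    memcpy(dst, src, len);
    return true;
}

/* cfi_label: a legitimate indirect-call target carries the label of its domain. */
typedef struct {
    uint32_t label;
    int (*fn)(int);
} labeled_target_t;

/* cfi_guard: before the indirect call, the target's label must match the domain's. */
bool cfi_guard(const domain_t *d, const labeled_target_t *t)
{
    return t != NULL && t->label == d->label;
}

bool guarded_call(const domain_t *d, const labeled_target_t *t, int arg, int *result)
{
    if (!cfi_guard(d, t))
        return false;
    *result = t->fn(arg);
    return true;
}

static int twice(int x) { return 2 * x; }

/* Scenario: domain A performs an in-range write, a write into its own guard
 * region, a write that overruns the end of its data region, a write into
 * domain B, a call to A-labelled code and a call to B-labelled code.
 * Returns the number of denied operations (expected: 4). */
int run_scenario(void)
{
    static domain_t a, b;
    domain_init(&a, 0xA);
    domain_init(&b, 0xB);
    labeled_target_t in_a = { 0xA, twice };
    labeled_target_t in_b = { 0xB, twice };
    uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int denied = 0, r = 0;

    if (!guarded_store(&a, (void *)a.data_lo, payload, sizeof payload)) denied++;        /* allowed  */
    if (!guarded_store(&a, &a.mem[GUARD_SIZE - 4], payload, sizeof payload)) denied++;   /* guard    */
    if (!guarded_store(&a, (void *)(a.data_hi - 4), payload, sizeof payload)) denied++;  /* overrun  */
    if (!guarded_store(&a, (void *)b.data_lo, payload, sizeof payload)) denied++;        /* domain B */
    if (!guarded_call(&a, &in_a, 21, &r) || r != 42) denied++;                            /* allowed  */
    if (!guarded_call(&a, &in_b, 21, &r)) denied++;                                        /* bad label*/
    return denied;
}
```

The point of the scenario is the overrun case: the start address of the store is inside the data region, so a check on the base address alone would pass it, yet the last bytes would land in the guard region. Checking the full [addr, addr+len) range, as mem_guard does here, is what keeps a domain from writing past its own bounds, and the label comparison in cfi_guard is what stops one SIP from diverting control into code that belongs to another.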

Occlum is open-sourced.