DOI: 10.1145/3464298.3476134

Experience Paper: sgx-dl: dynamic loading and hot-patching for secure applications

Published: 02 October 2021

Abstract

Trusted execution as offered by Intel's Software Guard Extensions (SGX) is considered an enabler for protecting the integrity and confidentiality of stateful workloads such as key-value stores and databases in untrusted environments. These systems are typically long running and require extension mechanisms built on dynamic loading, as well as hot-patching, to avoid downtime and to apply security updates faster. However, such essential mechanisms are currently neglected or even missing in combination with trusted execution.
We present sgx-dl, a lean framework that enables dynamic loading of enclave code at the function level and hot-patching of dynamically loaded code. Additionally, sgx-dl is the first framework to utilize the new SGX version 2 features, and it provides a versioning mechanism for dynamically loaded code. Our evaluation shows that sgx-dl introduces a performance overhead of less than 5% and shrinks application downtime by an order of magnitude in the case of a database system.
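The abstract names the three properties a loader for enclave code needs (function-level loading, hot-patching of loaded code, versioning) but not the mechanism. The following is an added example, not sgx-dl's code, showing the security-relevant shape of such a loader: the code blob arrives from the untrusted host, so it is verified before it becomes executable; a version that is not strictly newer is refused, so a stale but validly signed function cannot be re-installed; and a page is either writable or executable, never both. It runs as a plain Linux process: mmap/mprotect stand in for the enclave-side page-permission changes that SGX2 dynamic memory management provides, and a FNV-1a digest compared against an expected value stands in for the signature or measurement check a real system would use. The handler type, the `slot` structure and the two six-byte x86-64 code blobs are constructed for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; only needed under strict -std= modes */
#endif

typedef int (*handler_fn)(void);

/* One function-level slot: callers always go through fn, so a patch is a
   pointer swap rather than a rewrite of call sites. */
struct slot {
    handler_fn fn;      /* active implementation, NULL until first load */
    uint32_t version;   /* monotonic; 0 means nothing loaded yet */
    void *page;         /* mapping that backs fn */
    size_t len;
};

/* Stand-in for the signature/measurement check. The expected digest is
   assumed to come from a manifest the enclave already trusts, not from the
   host that supplies the blob. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Install `code` as the new implementation of `s`.
   Returns 0 on success, -1 if the blob is rejected (digest mismatch, too
   large, or version not strictly newer), -2 on an OS-level failure. */
int hot_patch(struct slot *s, const uint8_t *code, size_t len,
              uint64_t expected_digest, uint32_t version) {
    if (fnv1a64(code, len) != expected_digest) return -1;  /* tampered/unknown */
    if (version <= s->version) return -1;                  /* replay or downgrade */

    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) pg = 4096;
    if (len > (size_t)pg) return -1;

    /* Stage the code in a writable, non-executable page ... */
    void *m = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -2;
    memcpy(m, code, len);
    /* ... then make it executable and drop write, so it is never RWX.
       Inside an SGX2 enclave this is the permission-change step the
       enclave has to accept before the page can be executed. */
    if (mprotect(m, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(m, (size_t)pg);
        return -2;
    }

    void *old = s->page;
    size_t old_len = s->len;
    s->fn = (handler_fn)m;
    s->page = m;
    s->len = (size_t)pg;
    s->version = version;
    /* Single-threaded here; a real system must wait until no thread is still
       executing the old version before releasing its page. */
    if (old) munmap(old, old_len);
    return 0;
}

/* Constructed code blobs: x86-64 `mov eax, imm32; ret`, returning 1 and 2. */
static const uint8_t CODE_V1[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3};
static const uint8_t CODE_V2[] = {0xB8, 0x02, 0x00, 0x00, 0x00, 0xC3};

int main(void) {
    struct slot s = {0};
    /* Trusted digests as they would appear in the manifest. */
    uint64_t d1 = fnv1a64(CODE_V1, sizeof CODE_V1);
    uint64_t d2 = fnv1a64(CODE_V2, sizeof CODE_V2);

    printf("load v1: %d\n", hot_patch(&s, CODE_V1, sizeof CODE_V1, d1, 1));
    uint8_t bad[sizeof CODE_V2];
    memcpy(bad, CODE_V2, sizeof bad);
    bad[1] = 0x07;                          /* host tampers with the immediate */
    printf("tampered v2 rejected: %d\n", hot_patch(&s, bad, sizeof bad, d2, 2));
    printf("v2 blob under old version number rejected: %d\n",
           hot_patch(&s, CODE_V2, sizeof CODE_V2, d2, 1));
    printf("load v2: %d\n", hot_patch(&s, CODE_V2, sizeof CODE_V2, d2, 2));
#if defined(__x86_64__)
    printf("active version %u returns %d\n", s.version, s.fn());
#else
    printf("active version %u (blobs are x86-64 code, not executed here)\n",
           s.version);
#endif
    return 0;
}
```

The check order matters: the digest is verified before the version is compared and before any page is mapped, so a host that feeds garbage cannot make the loader touch memory permissions at all. Replacing the digest comparison with a real signature check over (code, version, function identity) is what binds the version to the blob; with a digest alone, the version number is still supplied by the host.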


Cited By

  • Live Patching for Distributed In-Memory Key-Value Stores. Proceedings of the ACM on Management of Data 2(6), 1-26, 20 December 2024. DOI 10.1145/3698816
  • Transforming Lung Cancer Diagnosis with Twin Vision Transformers. 2024 IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT), 1-4, 12 July 2024. DOI 10.1109/CONECCT62155.2024.10677145
  • Intel Software Guard Extensions Applications: A Survey. ACM Computing Surveys 55(14s), 1-38, 17 July 2023. DOI 10.1145/3593021
  • Hot Patching Hot Fixes: Reflection and Perspectives. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), 1781-1786, 11 September 2023. DOI 10.1109/ASE56229.2023.00021

Published In

Middleware '21: Proceedings of the 22nd International Middleware Conference
December 2021
398 pages
ISBN:9781450385343
DOI:10.1145/3464298
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • USENIX Association
  • IFIP

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Intel software guard extensions
  2. dynamic code loading
  3. hot-patching
  4. trusted execution

Qualifiers

  • Research-article

Conference

Middleware '21: 22nd International Middleware Conference
December 6 - 10, 2021
Québec City, Canada

Acceptance Rates

Overall Acceptance Rate 203 of 948 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)50
  • Downloads (Last 6 weeks)1
Reflects downloads up to 01 Jan 2025
