SlideShare ist ein Scribd-Unternehmen logo

Towards Memory Safety in Intel SGX Enclave

C4Media
C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2m6z9n9. Yu Ding discusses Rust SGX SDK which combines Intel SGX together with Rust. Developers could write memory-safe SGX enclave easily, eliminating the possibility of being pwned intrinsically. Filmed at qconsf.com. Yu Ding is a senior security scientist at Baidu X-Lab. His research interest is security issues around Intel SGX and security protocol analysis.

Technologie
1 von 54
Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei Rust SGX SDK: Towards Memory Safety in Intel SGX
InfoQ.com: News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site world- wide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ intel-sgx-enclave
Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
CONTENTS Why SGX? PART ONE 1 Why Rust? PART TWO 2 Rust SGX SDK PART THREE 3
PART 1 Why SGX?
Why SGX War in memory • Ring 3 vs Ring 0 • Ring 0 vs Hypervisor (Ring -1) • Hypervisor vs SMM (Ring -2) • SMM vs AMT/ME (Ring -3)
Why SGX War in memory
Why SGX Hardware based trusted execution environment • Intel System Management Mode • Intel Management Engine • Trusted Platform Module (TPM) • AMD Platform Security Processor • DRTM (Dynamic Root of Trust for Measurement) • ARM Trustzone • Intel Trusted Execution Technology • Intel SGX
Why SGX:Memory Encryption Engine Without SGX SGX Enforced Figures are from Intel ISCA'15 SGX Turtorial
Why SGX:Root of Trust • Hardware Enforced Security: MEE • Remote Attestation Support: Build trust with Intel • Data Sealing: Transfer/store data
PART 2 Why Rust?
• Guarantees memory safety • No data racing • Blazingly fast Endorsed by Mozilla, competing with Go and Swift Masterpieces in Rust • Redox: A Rust Operating System https://www.redox-os.org • The Servo Browser Engine https://servo.org Why Rust:Rust Programming Language
Why Rust:Excellent Performance
Why Rust:Strong Checkers • Borrow、Ownership、Lifetime fn main() { let a = String::from("book"); // a owns "book" let b = a; // transfer ownership println!("a = {}", a); // Error! a is not owner } • “One writer, or multiple reader” guaranteed by Rust • Keep each variable's ownership、lifetime in mind —Fight against borrow checker
PART 3 Rust SGX SDK
• Private keys • User privacy (health data/personal data etc.) • Raw Blu-ray video stream • DRM enforcement Intel SGX is designed to protect secret data SGX Needs Memory Safety Guarantees But, only C/C++ SDK is available. Should be very very very careful when writing SGX enclaves in C/C++ • Buffer overflow … Yes! • Return-oriented-programming … Yes! • Use-after-free … Yes! • Data racing … Yes! Memory bugs are exploitable! Intel SGX Enclave Unauthorized Mem Access Malformed Input
• Memory corruption vulnerability is exploitable • Code needs to be audited Code in Trusted Execution Engine may be vulnerable SGX Needs Memory Safety Guarantees • Provide best security guarantees • Provide latest SGX APIs by Intel To better protect secrets in SGX, we need memory safety Our Solution : Intel SGX + Rust Programming Language • Use Intel SGX for data protection • Develop Intel SGX enclaves in Rust • Develop Intel SGX untrusted components in Rust * • More details in https://github.com/baidu/rust-sgx-sdk
• Memory safety guarantees • Good functionality Goals Hybrid Memory-Safe Architecture: Rules-of-thumb • Intel SGX library is written in C/C++ Challenges Memory safety rule-of-thumb for hybrid memory-safe architecture designing 1. Unsafe components should be appropriately isolated and modularized, and the size should be small (or minimized). 2. Unsafe components should not weaken the safe, especially, public APIs and data structures. 3. Unsafe components should be clearly identified and easily upgraded.
Overview without Rust SGX SDK SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.1.0, v0.2.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:An Overview
Rust SGX SDK:Hello the world • Untrusted part • Enclave
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK:v0.9.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) EDL File
Rust SGX SDK:Partition Question: Which part of a program should be inside SGX enclave? • Decryption/Encryption using private key • Seal data/Unseal data • Analysis on secret data • … However, most SGX developers are not SGX experts, not experienced in partition an SGX app.
Good and NG Examples node-secureworker, wolfSSL SGX Samples • In-enclave DukTape Javascript engine • Remote Attestation on bootstrap • Seal all outputs Node-secureworker [GOOD] • In-enclave SSL connection • Pass in-enclave pointer as argument WolfSSL SGX Sample [NG] WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx); Tamper the ctx pointer may: 1) misguide app 2) cause DOS
Rust SGX SDK:Partition by SDK Our Goals • Partition basic libraries correctly • Provide an easy-to-use interface • Let developers feel easy in programming Intel SGX enclaves
Rust SGX SDK:Short summary 1. The Memory safety is necessary to Intel SGX enclaves. 2. Rust SGX SDK is valuable and promising • Allows to programming Intel SGX Enclaves in Rust. • Intends to build up a hybrid memory-safe architecture with Rust and Intel SGX libraries. • Provides a series of crates (libraries), such as Rust-style std, alloc etc, and Intel-SGX-style crypto, seal, protected_fs etc. • Partitions the basic libraries correctly.
Challenges What we do?
Intel SGX : Limitations Dynamic loading? NO! Static linking! System call? NO! We need partition! Threading model? Different! Redefine thread/sync! Exception/Signal? New! Reimplement exception/signal! CPUID instruction? NO in SGXv1 RDTSC instruction? NO in SGXv1
Rust SGX SDK : Dependency Rust binaries depends on libc by default (linux-x86_64, dynamic loading) Intel provides static trusted libc (tlibc.a) for Intel SGX enclave • SGX features are provided in other static libraries Rust SGX SDK statically link to Intel SGX libraries
Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function
Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function Feature function definition in EDL
Rust SGX SDK : Partition and Interaction with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function Feature function definition in EDL Rust style API
Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … u_stdout_ocall(&mut result as * mut isize as * mut usize, data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))};
Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … u_stdout_ocall(&mut result as * mut isize as * mut usize, data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))}; Defined in EDL file
Rust SGX SDK : Partition and Interaction with OS Feature function definition in EDL file stdio.edl enclave { untrusted { size_t u_stdin_ocall([out, size=nbytes] void *buf, size_t nbytes); size_t u_stdout_ocall([in, size=nbytes] const void *buf, size_t nbytes); size_t u_stderr_ocall([in, size=nbytes] const void *buf, size_t nbytes); }; }; Untrusted Run-time library sgx_urts implements the feature functions #[no_mangle] pub extern "C" fn u_stdout_ocall(buf: * const libc::c_void, nbytes: libc::size_t) -> libc::size_t { unsafe { libc::write(libc::STDOUT_FILENO, buf, nbytes) as libc::size_t} }
Rust SGX SDK : Partition and Interaction with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) u_stdout_ocall u_stdout_o call println!
Rust SGX SDK : Threading by Sample Linux ThreadLinux ThreadLinux Thread SGX Enclave SGX Thread SGX worker function SGX Thread SGX worker function SGX Thread SGX worker function SGX Global Data Structures User Space Kernel Spacetask_struct task_struct task_struct ksgxswpd task SGX Core SGX Core SGX Core Core CPU “Re-entry” using TCS pool TCSPolicy • BOUND vs UNBOUND TCSNUM • Max SGX TCS number
Rust SGX SDK:Major Differences Rust Intel SGX in C Rust SGX Mutex Mutex::new(0); sgx_thread_mutex_t struct { sgx_thread_mutex_t mutex; uint32_t n; }; SgxMutex SgxMutex::new(0); Thread Posix Thread "Re-entry" Bound: stick to pthread Unbound: random pick "Re-entry" Bound: stick to pthread Unbound: random pick Thread-Local Storage ThreadLocal::new(); ctor/dtor supported get_thread_data() BOUND: no ctor/dtor UNBOUND: no ctor/dtor thread_local! BOUND: ctor/dtor UNBOUND: no ctor/dtor
Rust SGX SDK:Exceptions and Signals Exception Handling • Implement panic-unwind mechanism • Unwind safely in Rust style • Implement stack backtrace mechanism • (optional) Dump call stack on panicking Signals • Intel SGX: AEX mechanism, exception handler registration • Rust SGX SDK • Re-export handler_register and handler_unregister function • Provide handlers to some sigs • CPUID/RDTSC etc
How to use? It's easy!
• Most of std's features are supported. • Partially support of std::fs, std::os, std::path, std::sync, std::thread • No support of std::env, std::net, std::process, std::time std => sgx_tstd Rust SGX SDK:Features Intel SGX related libraries • sgx_tcrypto, sgx_tdh, sgx_tkey_exchange, sgx_tprotected_fs, sgx_trts, sgx_tse, sgx_tseal, sgx_tservice Rust style libraries • sgx_alloc, sgx_rand, sgx_serialize, sgx_tunittest, sgx_types Supportive libraries in untrusted world • sgx_ubacktrace, sgx_urts, sgx_ustdio
Rust SGX SDK:Porting Rust Crates to Intel SGX 1.Add dependency in Cargo.toml sgx_tstd = { path = "path/to/sgx_tstd" } 2 .Change to a no_std environment in lib.rs #[no_std] 3.Include sgx_tstd in namespace of std extern crate sgx_tstd as std; 4.Fix all incompatible usage Mutex => SgxMutex 5.Use sgx_tstd as usual use std::vec::Vec; Replace dependency of Rust's std to sgx_tstd
Rust SGX SDK:An Easy-to-use SDK • Shipped with a docker image —docker pull baiduxlab/sgx-rust • Complete Rust-style documents — https://dingelish.github.io/ • Rich code samples —hello-rust, file, backtrace, hugemem(31.75GB), local attestation, remote attestation, data sealing, serialization, threading, unit testing, 3rd party code samples • Support latest Intel SGX SDK (v1.9) • Support latest Rust nightly build • A better choice than sgx-utils (libenclave)
Rust SGX SDK:Now and Future • Recommended by Intel, adopted by chain.com French Alternative Energies and Atomic Energy Commission (CEA) wins iDash’17 competition using Rust SGX SDK
Rust SGX SDK:Now and Future • Future • New target : x86_64-unknown-linux_sgx • Support rust style #[test] • std::net • std::time • Porting Rust's ring to SGX • Porting Rust's rustls to SGX • Getting Hot!
Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/intel- sgx-enclave

Empfohlen

Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 

Empfohlen

Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayC4Media
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?C4Media
 
CockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseCockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseC4Media
 
A Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinA Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinC4Media
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Weitere ähnliche Inhalte

Mehr von C4Media

Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayC4Media
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?C4Media
 
CockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseCockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseC4Media
 
A Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinA Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinC4Media
 

Mehr von C4Media (20)

Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in Adtech
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/await
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven Utopia
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?
 
CockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseCockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL Database
 
A Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinA Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with Brooklin
 

Kürzlich hochgeladen

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Kürzlich hochgeladen (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Towards Memory Safety in Intel SGX Enclave

  • 1. Yu Ding, Ran Duan , Long Li , Yueqiang Cheng , Lenx Wei Rust SGX SDK: Towards Memory Safety in Intel SGX
  • 2. InfoQ.com: News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site world- wide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ intel-sgx-enclave
  • 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
  • 4. CONTENTS Why SGX? PART ONE 1 Why Rust? PART TWO 2 Rust SGX SDK PART THREE 3
  • 6. Why SGX War in memory • Ring 3 vs Ring 0 • Ring 0 vs Hypervisor (Ring -1) • Hypervisor vs SMM (Ring -2) • SMM vs AMT/ME (Ring -3)
  • 7. Why SGX War in memory
  • 8. Why SGX Hardware based trusted execution environment • Intel System Management Mode • Intel Management Engine • Trusted Platform Module (TPM) • AMD Platform Security Processor • DRTM (Dynamic Root of Trust for Measurement) • ARM Trustzone • Intel Trusted Execution Technology • Intel SGX
  • 9. Why SGX:Memory Encryption Engine Without SGX SGX Enforced Figures are from Intel ISCA'15 SGX Turtorial
  • 10. Why SGX:Root of Trust • Hardware Enforced Security: MEE • Remote Attestation Support: Build trust with Intel • Data Sealing: Transfer/store data
  • 12. • Guarantees memory safety • No data racing • Blazingly fast Endorsed by Mozilla, competing with Go and Swift Masterpieces in Rust • Redox: A Rust Operating System https://www.redox-os.org • The Servo Browser Engine https://servo.org Why Rust:Rust Programming Language
  • 14. Why Rust:Strong Checkers • Borrow、Ownership、Lifetime fn main() { let a = String::from("book"); // a owns "book" let b = a; // transfer ownership println!("a = {}", a); // Error! a is not owner } • “One writer, or multiple reader” guaranteed by Rust • Keep each variable's ownership、lifetime in mind —Fight against borrow checker
  • 16. • Private keys • User privacy (health data/personal data etc.) • Raw Blu-ray video stream • DRM enforcement Intel SGX is designed to protect secret data SGX Needs Memory Safety Guarantees But, only C/C++ SDK is available. Should be very very very careful when writing SGX enclaves in C/C++ • Buffer overflow … Yes! • Return-oriented-programming … Yes! • Use-after-free … Yes! • Data racing … Yes! Memory bugs are exploitable! Intel SGX Enclave Unauthorized Mem Access Malformed Input
  • 17. • Memory corruption vulnerability is exploitable • Code needs to be audited Code in Trusted Execution Engine may be vulnerable SGX Needs Memory Safety Guarantees • Provide best security guarantees • Provide latest SGX APIs by Intel To better protect secrets in SGX, we need memory safety Our Solution : Intel SGX + Rust Programming Language • Use Intel SGX for data protection • Develop Intel SGX enclaves in Rust • Develop Intel SGX untrusted components in Rust * • More details in https://github.com/baidu/rust-sgx-sdk
  • 18. • Memory safety guarantees • Good functionality Goals Hybrid Memory-Safe Architecture: Rules-of-thumb • Intel SGX library is written in C/C++ Challenges Memory safety rule-of-thumb for hybrid memory-safe architecture designing 1. Unsafe components should be appropriately isolated and modularized, and the size should be small (or minimized). 2. Unsafe components should not weaken the safe, especially, public APIs and data structures. 3. Unsafe components should be clearly identified and easily upgraded.
  • 19. Overview without Rust SGX SDK SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
  • 20. Rust SGX SDK:v0.1.0, v0.2.0 SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
  • 22. Rust SGX SDK:An Overview
  • 23. Rust SGX SDK:Hello the world • Untrusted part • Enclave
  • 29. Rust SGX SDK:Partition Question: Which part of a program should be inside SGX enclave? • Decryption/Encryption using private key • Seal data/Unseal data • Analysis on secret data • … However, most SGX developers are not SGX experts, not experienced in partition an SGX app.
  • 30. Good and NG Examples node-secureworker, wolfSSL SGX Samples • In-enclave DukTape Javascript engine • Remote Attestation on bootstrap • Seal all outputs Node-secureworker [GOOD] • In-enclave SSL connection • Pass in-enclave pointer as argument WolfSSL SGX Sample [NG] WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx); Tamper the ctx pointer may: 1) misguide app 2) cause DOS
  • 31. Rust SGX SDK:Partition by SDK Our Goals • Partition basic libraries correctly • Provide an easy-to-use interface • Let developers feel easy in programming Intel SGX enclaves
  • 32. Rust SGX SDK:Short summary 1. The Memory safety is necessary to Intel SGX enclaves. 2. Rust SGX SDK is valuable and promising • Allows to programming Intel SGX Enclaves in Rust. • Intends to build up a hybrid memory-safe architecture with Rust and Intel SGX libraries. • Provides a series of crates (libraries), such as Rust-style std, alloc etc, and Intel-SGX-style crypto, seal, protected_fs etc. • Partitions the basic libraries correctly.
  • 34. Intel SGX : Limitations Dynamic loading? NO! Static linking! System call? NO! We need partition! Threading model? Different! Redefine thread/sync! Exception/Signal? New! Reimplement exception/signal! CPUID instruction? NO in SGXv1 RDTSC instruction? NO in SGXv1
  • 35. Rust SGX SDK : Dependency Rust binaries depends on libc by default (linux-x86_64, dynamic loading) Intel provides static trusted libc (tlibc.a) for Intel SGX enclave • SGX features are provided in other static libraries Rust SGX SDK statically link to Intel SGX libraries
  • 36. Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo)
  • 37. Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function
  • 38. Rust SGX SDK : Partition and Interacting with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function Feature function definition in EDL
  • 39. Rust SGX SDK : Partition and Interaction with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) OCALL Feature function Feature function definition in EDL Rust style API
  • 40. Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … u_stdout_ocall(&mut result as * mut isize as * mut usize, data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))};
  • 41. Rust SGX SDK : Partition and Interaction with OS In enclave source • println!(”Hello QConf!”); In sgx_tstd, macro are expanded and invoke io API: • println! => print! => sgx_tstd::io::_print() sgx_tstd::io maintains a global Stdout object and makes it a LineWriter • fn stdout_init() -> Arc<SgxReentrantMutex<RefCell<LineWriter<Maybe<StdoutRaw>>>>> StdoutRaw is a wrapper structure of sgx_tstd::sys::Stdout impl Stdout { pub fn write(&self, data: &[u8]) -> io::Result<usize> { … u_stdout_ocall(&mut result as * mut isize as * mut usize, data.as_ptr() as * const c_void, cmp::min(data.len(), max_len()))}; Defined in EDL file
  • 42. Rust SGX SDK : Partition and Interaction with OS Feature function definition in EDL file stdio.edl enclave { untrusted { size_t u_stdin_ocall([out, size=nbytes] void *buf, size_t nbytes); size_t u_stdout_ocall([in, size=nbytes] const void *buf, size_t nbytes); size_t u_stderr_ocall([in, size=nbytes] const void *buf, size_t nbytes); }; }; Untrusted Run-time library sgx_urts implements the feature functions #[no_mangle] pub extern "C" fn u_stdout_ocall(buf: * const libc::c_void, nbytes: libc::size_t) -> libc::size_t { unsafe { libc::write(libc::STDOUT_FILENO, buf, nbytes) as libc::size_t} }
  • 43. Rust SGX SDK : Partition and Interaction with OS SGX context switch Enclave ECALL GATE ECALL GATE ECALL GATE OCALL GATE OCALL GATE OCALL GATE Untrusted ocall(bar) ecall(foo) u_stdout_ocall u_stdout_o call println!
  • 44. Rust SGX SDK : Threading by Sample Linux ThreadLinux ThreadLinux Thread SGX Enclave SGX Thread SGX worker function SGX Thread SGX worker function SGX Thread SGX worker function SGX Global Data Structures User Space Kernel Spacetask_struct task_struct task_struct ksgxswpd task SGX Core SGX Core SGX Core Core CPU “Re-entry” using TCS pool TCSPolicy • BOUND vs UNBOUND TCSNUM • Max SGX TCS number
  • 45. Rust SGX SDK:Major Differences Rust Intel SGX in C Rust SGX Mutex Mutex::new(0); sgx_thread_mutex_t struct { sgx_thread_mutex_t mutex; uint32_t n; }; SgxMutex SgxMutex::new(0); Thread Posix Thread "Re-entry" Bound: stick to pthread Unbound: random pick "Re-entry" Bound: stick to pthread Unbound: random pick Thread-Local Storage ThreadLocal::new(); ctor/dtor supported get_thread_data() BOUND: no ctor/dtor UNBOUND: no ctor/dtor thread_local! BOUND: ctor/dtor UNBOUND: no ctor/dtor
  • 46. Rust SGX SDK:Exceptions and Signals Exception Handling • Implement panic-unwind mechanism • Unwind safely in Rust style • Implement stack backtrace mechanism • (optional) Dump call stack on panicking Signals • Intel SGX: AEX mechanism, exception handler registration • Rust SGX SDK • Re-export handler_register and handler_unregister function • Provide handlers to some sigs • CPUID/RDTSC etc
  • 48. • Most of std's features are supported. • Partially support of std::fs, std::os, std::path, std::sync, std::thread • No support of std::env, std::net, std::process, std::time std => sgx_tstd Rust SGX SDK:Features Intel SGX related libraries • sgx_tcrypto, sgx_tdh, sgx_tkey_exchange, sgx_tprotected_fs, sgx_trts, sgx_tse, sgx_tseal, sgx_tservice Rust style libraries • sgx_alloc, sgx_rand, sgx_serialize, sgx_tunittest, sgx_types Supportive libraries in untrusted world • sgx_ubacktrace, sgx_urts, sgx_ustdio
  • 49. Rust SGX SDK:Porting Rust Crates to Intel SGX 1.Add dependency in Cargo.toml sgx_tstd = { path = "path/to/sgx_tstd" } 2 .Change to a no_std environment in lib.rs #[no_std] 3.Include sgx_tstd in namespace of std extern crate sgx_tstd as std; 4.Fix all incompatible usage Mutex => SgxMutex 5.Use sgx_tstd as usual use std::vec::Vec; Replace dependency of Rust's std to sgx_tstd
  • 50. Rust SGX SDK:An Easy-to-use SDK • Shipped with a docker image —docker pull baiduxlab/sgx-rust • Complete Rust-style documents — https://dingelish.github.io/ • Rich code samples —hello-rust, file, backtrace, hugemem(31.75GB), local attestation, remote attestation, data sealing, serialization, threading, unit testing, 3rd party code samples • Support latest Intel SGX SDK (v1.9) • Support latest Rust nightly build • A better choice than sgx-utils (libenclave)
  • 51. Rust SGX SDK:Now and Future • Recommended by Intel, adopted by chain.com French Alternative Energies and Atomic Energy Commission (CEA) wins iDash’17 competition using Rust SGX SDK
  • 52. Rust SGX SDK:Now and Future • Future • New target : x86_64-unknown-linux_sgx • Support rust style #[test] • std::net • std::time • Porting Rust's ring to SGX • Porting Rust's rustls to SGX • Getting Hot!
  • 53.
  • 54. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/intel- sgx-enclave