Intel® Software Guard Extensions (Intel® SGX) Software Support for Dynamic Memory Allocation inside an Enclave

Xing, Bin; Shanahan, Mark X.; Leslie-Hurd, Rebekah

doi:10.1145/2948618.2954330

Cited by 44 publications

(18 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is the subject of current work. Among the possible solutions, the Intel SGX (Software Guard Extensions) mechanism allows user code and data to be placed within memory enclaves [3]. Enclave memory cannot be directly accessed by code running in kernel mode.…”

Section: Methodsmentioning

confidence: 99%

Security governance as a service on the cloud

Bryce

2019

J Cloud Comp

View full text Add to dashboard Cite

Small companies need help to detect and to respond to increasing security related threats. This paper presents a cloud service that automates processes that make checks for such threats, implement mitigating procedures, and generally instructs client companies on the steps to take. For instance, a process that automates the search for leaked credentials on the Dark Web will, in the event of a leak, trigger processes that instruct the client on how to change passwords and perhaps a micro-learning process on credential management. The security governance service runs on the cloud as it needs to be managed by a security expert and because it should run on an infrastructure separated from clients. It also runs as a cloud service for economy of scale: the processes it runs can service many clients simultaneously, since many threats are common to all. We also examine how the service may be used to prove to independent auditors (e.g., cyber-insurance agents) that a company is taking the necessary steps to implement its security obligations.

show abstract

Section: Methodsmentioning

confidence: 99%

Security governance as a service on the cloud

Bryce

2019

J Cloud Comp

View full text Add to dashboard Cite

show abstract

“…From a cloud provider's perspective, the limited size of enclave memory on current SGX hardware remains a deployment barrier, since it must be virtualized across all tenants on a physical machine [30]. SGXv2's support for dynamic memory management [31] may help to mitigate this issue, as might future increases in EPC size, but this is still an area of active research.…”

Section: B Enclave Overheadsmentioning

confidence: 99%

Facilitating plausible deniability for cloud providers regarding tenants’ activities using trusted execution

O'Keeffe

Vranaki

Pasquier

et al. 2020

2020 IEEE International Conference on Cloud Engineering (IC2E)

View full text Add to dashboard Cite

show abstract

“…The current implementation of SGX requires all of the enclave code and data pages to be loaded into the EPC before the enclave execution starts. Future generations of the SGX promise to overcome this drawback by allowing dynamic addition of pages to EPC, on demand [53]. For that purpose, it introduces eaug instruction that allows an application to add a page to an already initialized enclave.…”

Section: Intel Sgxmentioning

confidence: 99%

“…While we focus on the currently available version of Intel's SGX, SG XL can easily be extended to SGX2 that allows applications to dynamically map an enclave virtual page to a page frame, on demand (e.g., on first access) [53]. SGX2 provides enclave support for dynamic heap management, stack expansion, and thread context creation.…”

Section: Extending Sg XL For Dynamic Memory Allocation (Sgx2)mentioning

confidence: 99%

SG ^XL

Yadalam

Ganapathy

Basu

2020

ACM Trans. Archit. Code Optim.

View full text Add to dashboard Cite

Intel’s SGX architecture offers clients of public cloud computing platforms the ability to create hardware-protected enclaves whose contents are protected from privileged system software. However, SGX relies on system software for enclave memory management. In a sequence of recent papers, researchers have demonstrated that this reliance allows a malicious OS/hypervisor to snoop on the page addresses being accessed from within an enclave via various channels. This page address stream can then be used to infer secrets if the enclave’s page access pattern depends upon the secret and this constitutes an important class of side-channels. We propose SG XL , a hardware-software co-designed system that significantly increases the difficulty of any page address-based side-channels through the use of large pages. A large page maps address ranges at a much larger granularity than the default page size (at least 512× larger). SG XL thus significantly lowers resolution of the leaked page address stream and could practically throttle all flavors of page-address based side-channels. We detail the modifications needed to SGX’s software stack and the (minor) hardware enhancements required for SG XL to guarantee the use of large pages in the presence of adversarial system software. We empirically show that SG XL could be one of those rare systems that enhances security with the potential of improving performance as well.

show abstract

Intel® Software Guard Extensions (Intel® SGX) Software Support for Dynamic Memory Allocation inside an Enclave

Cited by 44 publications

References 2 publications

Security governance as a service on the cloud

Security governance as a service on the cloud

Facilitating plausible deniability for cloud providers regarding tenants’ activities using trusted execution

SG ^XL

Contact Info

Product

Resources

About