DeepAI AI Chat
Log In Sign Up

Cerberus: A Formal Approach to Secure and Efficient Enclave Memory Sharing

by   Dayeol Lee, et al.
berkeley college

Hardware enclaves rely on a disjoint memory model, which maps each physical address to an enclave to achieve strong memory isolation. However, this severely limits the performance and programmability of enclave programs. While some prior work proposes enclave memory sharing, it does not provide a formal model or verification of their designs. This paper presents Cerberus, a formal approach to secure and efficient enclave memory sharing. To reduce the burden of formal verification, we compare different sharing models and choose a simple yet powerful sharing model. Based on the sharing model, Cerberus extends an enclave platform such that enclave memory can be made immutable and shareable across multiple enclaves via additional operations. We use incremental verification starting with an existing formal model called the Trusted Abstract Platform (TAP). Using our extended TAP model, we formally verify that Cerberus does not break or weaken the security guarantees of the enclaves despite allowing memory sharing. More specifically, we prove the Secure Remote Execution (SRE) property on our formal model. Finally, the paper shows the feasibility of Cerberus by implementing it in an existing enclave platform, RISC-V Keystone.


page 1

page 2

page 3

page 4


Verifying RISC-V Physical Memory Protection

We formally verify an open-source hardware implementation of physical me...

Secure System Virtualization: End-to-End Verification of Memory Isolation

Over the last years, security kernels have played a promising role in re...

PARseL: Towards a Verified Root-of-Trust over seL4

Widespread adoption and growing popularity of embedded/IoT/CPS devices m...

SERVAS! Secure Enclaves via RISC-V Authenticryption Shield

Isolation is a long-standing challenge of software security. Traditional...

Stockade: Hardware Hardening for Distributed Trusted Sandboxes

The widening availability of hardware-based trusted execution environmen...

Secure Memory Erasure in the Presence of Man-in-the-Middle Attackers

Memory erasure protocols serve to clean up a device's memory before the ...

When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise

We propose a new formal criterion for secure compilation, giving strong ...