CURE: A Security Architecture with CUstomizable and Resilient Enclaves

by   Raad Bahmani, et al.

Security architectures providing Trusted Execution Environments (TEEs) have been an appealing research subject for a wide range of computer systems, from low-end embedded devices to powerful cloud servers. The goal of these architectures is to protect sensitive services in isolated execution contexts, called enclaves. Unfortunately, existing TEE solutions suffer from significant design shortcomings. First, they follow a one-size-fits-all approach offering only a single enclave type, however, different services need flexible enclaves that can adjust to their demands. Second, they cannot efficiently support emerging applications (e.g., Machine Learning as a Service), which require secure channels to peripherals (e.g., accelerators), or the computational power of multiple cores. Third, their protection against cache side-channel attacks is either an afterthought or impractical, i.e., no fine-grained mapping between cache resources and individual enclaves is provided. In this work, we propose CURE, the first security architecture, which tackles these design challenges by providing different types of enclaves: (i) sub-space enclaves provide vertical isolation at all execution privilege levels, (ii) user-space enclaves provide isolated execution to unprivileged applications, and (iii) self-contained enclaves allow isolated execution environments that span multiple privilege levels. Moreover, CURE enables the exclusive assignment of system resources, e.g., peripherals, CPU cores, or cache resources to single enclaves. CURE requires minimal hardware changes while significantly improving the state of the art of hardware-assisted security architectures. We implemented CURE on a RISC-V-based SoC and thoroughly evaluated our prototype in terms of hardware and performance overhead. CURE imposes a geometric mean performance overhead of 15.33



There are no comments yet.


page 1

page 2

page 3

page 4


HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments

Modern multi-core processors share cache resources for maximum cache uti...

Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures

Shared cache resources in multi-core processors are vulnerable to cache ...

SvTPM: A Secure and Efficient vTPM in the Cloud

Virtual Trusted Platform Modules (vTPMs) have been widely used in commer...

PIE: A Platform-wide TEE

While modern computing architectures rely on specialized hardware such a...

Automatically Eliminating Speculative Leaks With Blade

We introduce BLADE, a new approach to automatically and efficiently synt...

Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems

Despite the deployment of preventive security mechanisms to protect the ...

Keystone: An Open Framework for Architecting TEEs

Trusted execution environments (TEEs) are being used in all the devices ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.