Log In Sign Up

Enclave-Aware Compartmentalization and Secure Sharing with Sirius

by   Zahra Tarkhani, et al.

Hardware-assisted trusted execution environments (TEEs) are critical building blocks of many modern applications. However, they have a one-way isolation model that introduces a semantic gap between a TEE and its outside world. This lack of information causes an ever-increasing set of attacks on TEE-enabled applications that exploit various insecure interactions with the host OSs, applications, or other enclaves. We introduce Sirius, the first compartmentalization framework that achieves strong isolation and secure sharing in TEE-assisted applications by controlling the dataflows within primary kernel objects (e.g. threads, processes, address spaces, files, sockets, pipes) in both the secure and normal worlds. Sirius replaces ad-hoc interactions in current TEE systems with a principled approach that adds strong inter- and intra-address space isolation and effectively eliminates a wide range of attacks. We evaluate Sirius on ARM platforms and find that it is lightweight (≈ 15K LoC) and only adds ≈ 10.8% overhead to enable TEE support on applications such as httpd, and improves the performance of existing TEE-enabled applications such as the Darknet ML framework and ARM's LibDDSSec by 0.05%-5.6%.


page 1

page 2

page 3

page 4


SoK: Hardware-supported Trusted Execution Environments

The growing complexity of modern computing platforms and the need for st...

A Fresh Look at the Architecture and Performance of Contemporary Isolation Platforms

With the ever-increasing pervasiveness of the cloud computing paradigm, ...

IRONHIDE: A Secure Multicore Architecture that Leverages Hardware Isolation Against Microarchitecture State Attacks

Modern microprocessors enable aggressive hardware virtualization that ex...

IRONHIDE: A Secure Multicore that Efficiently Mitigates Microarchitecture State Attacks for Interactive Applications

Microprocessors enable aggressive hardware virtualization by means of wh...

Building A Trusted Execution Environment for In-Storage Computing

In-storage computing with modern solid-state drives (SSDs) enables devel...

μTiles: Efficient Intra-Process Privilege Enforcement of Memory Regions

With the alarming rate of security advisories and privacy concerns on co...

Understanding TEE Containers, Easy to Use? Hard to Trust

As an emerging technique for confidential computing, trusted execution e...