Log In Sign Up

SERVAS! Secure Enclaves via RISC-V Authenticryption Shield

by   Stefan Steinegger, et al.

Isolation is a long-standing challenge of software security. Traditional privilege rings and virtual memory are more and more augmented with concepts such as capabilities, protection keys, and powerful enclaves. At the same time, we are evidencing an increased need for physical protection, shifting towards full memory encryption schemes. This results in a complex interplay of various security mechanisms, increasing the burden for system architects and security analysts. In this work, we tackle the isolation challenge with a new isolation primitive called authenticryption shield that unifies both traditional and advanced isolation policies while offering the potential for future extensibility. At the core, we build upon an authenticated memory encryption scheme that gives cryptographic isolation guarantees and, thus, streamlines the security reasoning. We showcase the versatility of our approach by designing and prototyping SERVAS – an innovative enclave architecture for RISC-V. Unlike current enclave systems, SERVAS facilitates efficient and secure enclave memory sharing. While the memory encryption constitutes the main overhead, entering or exiting a SERVAS enclave requires only 3.5x of a simple syscall, instead of 71x for Intel SGX.


page 1

page 2

page 3

page 4


Garmr: Defending the gates of PKU-based sandboxing

Memory Protection Keys for Userspace (PKU) is a recent hardware feature ...

The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization

Commodity applications contain more and more combinations of interacting...

A Fresh Look at the Architecture and Performance of Contemporary Isolation Platforms

With the ever-increasing pervasiveness of the cloud computing paradigm, ...

Dragon Crypto – An Innovative Cryptosystem

In recent years cyber-attacks are continuously developing. This means th...

Polytope: Practical Memory Access Control for C++ Applications

Designing and implementing secure software is inarguably more important ...

Cerberus: A Formal Approach to Secure and Efficient Enclave Memory Sharing

Hardware enclaves rely on a disjoint memory model, which maps each physi...

PULP: Inner-process Isolation based on the Program Counter and Data Memory Address

Plenty of in-process vulnerabilities are blamed on various out of bound ...