Sanctum : minimal architectural extensions for isolated execution

Author(s)
Costan, Victor Marius
Thumbnail
DownloadFull printable version (22.53Mb)
Alternative title
Minimal architectural extensions for isolated execution
Other Contributors
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Advisor
Srinivas Devadas.
Terms of use
M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582
Metadata
Show full item record
Abstract
Intel's Software Guard Extensions (SGX) have captured the attention of security practitioners by promising to secure computation performed on a remote computer where all the privileged software is potentially malicious. Unfortunately, an independent analysis of SGX reveals that it is vulnerable to software attacks, and it can only be used by developers licensed by Intel. Furthermore, significant parts of SGX are undocumented, making it impossible for researchers outside of Intel to reason about some of its security properties. Sanctum offers the same promise as SGX, namely strong provable isolation of software modules running concurrently and sharing resources, but protects against an important class of additional software attacks that infer private information from a program's memory access patterns. Sanctum shuns unnecessary complexity, leading to a simpler security analysis. We follow a principled approach to eliminating entire attack surfaces through isolation, rather than plugging attack-specific privacy leaks. Most of Sanctum's logic is implemented in trusted software, which is easier to analyze than SGX's opaque microcode. Our prototype targets a Rocket RISC-V core, an open implementation that allows any researcher to reason about its security properties. Sanctum's extensions can be adapted to other RISC cores, because we do not change any major CPU building block. Instead, we add hardware at the interfaces between building blocks, without impacting cycle time. Sanctum demonstrates that strong software isolation is achievable with a surprisingly small set of minimally invasive hardware changes, and a very reasonable overhead (assuming a software attack model) that is orders of magnitude less than what is incurred by ORAM-enabled processors. Our modifications cause a 2% area increase to the Rocket core. Over a set of benchmarks, Sanctum's worst observed overhead for isolated execution is 15.1% over an idealized insecure baseline, and 2.7% average overhead over a representative insecure baseline.
Description
Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016.
 
Cataloged from PDF version of thesis.
 
Includes bibliographical references (pages 319-334).
 
Date issued
2016
URI
http://hdl.handle.net/1721.1/105660
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology
Keywords
Electrical Engineering and Computer Science.
Collections