PRIDWEN: Universally Hardening SGX Programs via Load-Time Synthesis

Authors: 

Fan Sang, Georgia Institute of Technology; Ming-Wei Shih, Microsoft; Sangho Lee, Microsoft Research; Xiaokuan Zhang, Georgia Institute of Technology; Michael Steiner, Intel; Mona Vij, Intel Labs; Taesoo Kim, Georgia Institute of Technology

Abstract: 

A growing class of threats to Intel Software Guard Extensions (SGX) is Side-Channel Attacks (SCAs). As a response, numerous countermeasures have been proposed. However, it is hard to incorporate them to protect SGX programs against multiple SCAs simultaneously. A naive combination of distinct countermeasures does not work in practice because some of them are 1) undeployable in target environments lacking dependent hardware features, 2) redundant if there are already defenses with similar functionalities, and 3) incompatible with each other by design or implementation. Identifying all such conditions and preparing potential workarounds before deployment are challenging, primarily when an SGX program targets multiple platforms that abstract or manipulate their configurations.

Pridwen is a framework that selectively applies essential SCA countermeasures when loading an SGX program based on the configurations of the target execution platform. Pridwen allows a developer to deploy a program in the form of WebAssembly (Wasm). Upon receiving a Wasm binary, Pridwen probes the current hardware configuration, synthesizes a program (i.e., a native binary) with an optimal set of countermeasures, and validates the final binary. Pridwen supports both software-only and hardware-assisted countermeasures, and our evaluations show Pridwen efficiently and faithfully synthesizes multiple benchmark programs and real-world applications while securing them against multiple SCAs.


BibTeX
@inproceedings {280800,
author = {Fan Sang and Ming-Wei Shih and Sangho Lee and Xiaokuan Zhang and Michael Steiner and Mona Vij and Taesoo Kim},
title = {{PRIDWEN}: Universally Hardening {SGX} Programs via {Load-Time} Synthesis},
booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)},
year = {2022},
isbn = {978-1-939133-29-69},
address = {Carlsbad, CA},
pages = {455--472},
url = {https://www.usenix.org/conference/atc22/presentation/sang},
publisher = {USENIX Association},
month = jul
}
