
Hardware-assisted-virtualization-based SGX Enclave Extension

Posted on: 2021-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Hong
GTID: 2518306503473894
Subject: Software engineering
Abstract/Summary:
Information platforms have brought many conveniences to people, but at the same time users' personal data face leakage and misappropriation. As informatization develops, privacy protection draws more and more attention, and researchers have proposed a large number of schemes to improve system security. With the growth of software complexity and attack patterns, information platforms face serious security problems, so there is an urgent demand for trusted execution environments. Besides traditional software-based solutions, hardware-based security technologies such as Intel SGX and ARM TrustZone are also gradually receiving attention. Among hardware-based security technologies, Intel SGX is a set of CPU instructions added to the ISA that provides hardware-based guarantees for sensitive applications. SGX reduces the TCB to the processor, excluding privileged software (e.g., the OS). Users can create trusted execution environments, called enclaves, and the confidentiality and integrity of the sensitive code and data inside enclaves are guaranteed by hardware. Because of its strong security guarantees, SGX has become a popular research field.

However, SGX has some design limitations, such as the inability to monitor operating state and high performance overhead during execution. The goal of our research is to make up for Intel SGX's shortcomings and extend the abilities of enclaves. After analysing SGX and virtualization, in this paper we present a hardware-assisted-virtualization-based SGX enclave extension that leverages virtualization to address SGX's design limitations. The system first introduces a lightweight hypervisor named Enclave Visor and places the running system, on the fly, inside a virtual machine under the control of Enclave Visor, leveraging the interception and memory virtualization capabilities of Intel VT-x to support enclave applications.

In our system, we address two SGX limitations on the basis of Enclave Visor: (1) SGX's inability to provide an enclave with debug capability while ensuring its security, and (2) the poor performance of interaction between different enclaves. To solve the first problem, we provide a secure debug enclave, which, with the support of Enclave Visor, receives the same security guarantees as a production enclave and can be introspected from outside the untrusted OS. To improve the performance of interaction between different enclaves, we provide a secure enclave communication channel, whose confidentiality and integrity are ensured by Enclave Visor, which simplifies the process of inter-enclave communication and yields better performance. While designing the secure enclave communication channel, we developed an approach that gives enclaves a secondary layer of isolation based on virtualization.

In this paper we also implement a prototype of this hardware-assisted-virtualization-based SGX enclave extension, and the prototype demonstrates low performance overhead while achieving the expected functionality. The basic Enclave Visor and the secure debug enclave bring an overhead of only around 5 percent, and the secure enclave communication channel shows a gradually growing performance improvement as the amount of data increases; for the interaction of 16 KB of data, it achieves over twice the performance of the traditional system.
Keywords/Search Tags: SGX, Virtualization, Security