SGX-Shield: Enabling Address Space Layout Randomization for SGX Programs

Traditional execution environments deploy Address Space Layout Randomization (ASLR) to defend against memory corruption attacks. However, Intel Software Guard Extension (SGX), a new trusted execution environment designed to serve security-critical applications on the cloud, lacks such an effective, well-studied feature. In fact, we find that applying ASLR to SGX programs raises non-trivial issues beyond simple engineering for a number of reasons: 1) SGX is designed to defeat a stronger adversary than the traditional model, which requires the address space layout to be hidden from the kernel; 2) the limited memory uses in SGX programs present a new challenge in providing a sufficient degree of entropy; 3) remote attestation conflicts with the dynamic relocation required for ASLR; and 4) the SGX specification relies on known and fixed addresses for key data structures that cannot be randomized. This paper presents SGX-Shield, a new ASLR scheme designed for SGX environments. SGX-Shield is built on a secure in-enclave loader to secretly bootstrap the memory space layout with a finer-grained randomization. To be compatible with SGX hardware (e.g., remote attestation, fixed addresses), SGX-Shield is designed with a software-based data execution protection mechanism through an LLVM-based compiler. We implement SGX-Shield and thoroughly evaluate it on real SGX hardware. It shows a high degree of randomness in memory layouts and stops memory corruption attacks with a high probability. SGX-Shield shows 7.61% performance overhead in running common microbenchmarks and 2.25% overhead in running a more realistic workload of an HTTPS server. § This work is done while these authors were visiting and Ph.D. students in Georgia Institute of Technology. system and hypervisor. It also offers hardware-based measurement, attestation, and enclave page access control to verify the integrity of its application code. Unfortunately, we observe that two properties, namely, confidentiality and integrity, do not guarantee the actual security of SGX programs, especially when traditional memory corruption vulnerabilities, such as buffer overflow, exist inside SGX programs. Worse yet, many existing SGX-based systems tend to have a large code base: an entire operating system as library in Haven [12] and a default runtime library in SDKs for Intel SGX [28, 29] . Further, they are mostly written in unsafe programming languages (e.g., C and C++) or often in an assembly language to provide direct compatibility with the Intel SGX hardware and to support its instruction sets. Running such a large code base inside an enclave altogether simply makes SGX programs vulnerable to traditional memory corruption attacks, facing the same security challenges as typical computer environments. This not only nullifies the security guarantee that SGX claims to provide, but also, perhaps more critically, allows attackers to exploit isolation and confidentiality to lurk-there is no way to know what the compromised enclave runs, and even worse, no way to analyze or monitor its execution behavior. For example, by exploiting a stack overflow vulnerability in a trusted web server or database server running in an enclave, an adversarial client can launch traditional return-oriented-programming (ROP) attacks [42, 49] to disclose security-sensitive data in an enclave, which violates the confidentiality guarantee of SGX, yet avoiding any runtime analysis or monitoring thanks to its isolation guarantee. To defeat such attacks in modern computing systems, many modern defense mechanisms (e.g., stack canary [20], DEP [40] , CFI [7], etc) have been proposed, implemented, and deployed recently to significantly raise the bar for exploitation in practice. Address space layout randomization (ASLR) is one of the most comprehensive, yet solid defense schemes proven to be effective in the field. In particular, when properly implemented, ASLR can provide a statistical guarantee of preventing all attackers' attempts. Since ASLR hides the memory layouts from adversaries by randomly placing code and data in runtime, it forces the attackers to guess where the victim code or data is located in order to launch control-flow hijack or data-flow manipulation attacks. This probabilistic defense mechanism has demonstrated its effectiveness in thwarting countless exploitation attempts, and now it is a de-facto security solution in today's modern operating systems, including mobile and server environments. For this reason, Intel also acknowledges the need for ASLR in the SGX environment and includes a simple ASLR Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if th