Enclave-Aware Compartmentalization and Secure Sharing with Sirius [article]

Zahra Tarkhani, Anil Madhavapeddy
2020 arXiv pre-print
Hardware-assisted trusted execution environments (TEEs) are critical building blocks of many modern applications. However, they have a one-way isolation model that introduces a semantic gap between a TEE and its outside world. This lack of information causes an ever-increasing set of attacks on TEE-enabled applications that exploit various insecure interactions with the host OSs, applications, or other enclaves. We introduce Sirius, the first compartmentalization framework that achieves strong isolation and secure sharing in TEE-assisted applications by controlling the dataflows within primary kernel objects (e.g. threads, processes, address spaces, files, sockets, pipes) in both the secure and normal worlds. Sirius replaces ad-hoc interactions in current TEE systems with a principled approach that adds strong inter- and intra-address space isolation and effectively eliminates a wide range of attacks. We evaluate Sirius on ARM platforms and find that it is lightweight (≈ 15K LoC) and only adds ≈ 10.8% overhead to enable TEE support on applications such as httpd, and improves the performance of existing TEE-enabled applications such as the Darknet ML framework and ARM's LibDDSSec by 0.05%-5.6%.
arXiv:2009.01869v3 fatcat:bgqsmluzdjdkxliiun6ttijqty