WIXLIB

A Comparison Study of Intel SGX andAMD Memory Encryption TechnologySaeid Mofrad, Fengwei ZhangWeidong Shi (Larry)Shiyong LuUniversity of HoustonWayne State Universitywshi3@uh.edu{saeid.mofrad, Fengwei,Shiyong}@wayne.eduWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)1

Outline Introduction Technology Background Comparison and Results Conclusions and Future WorkWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)2

Outline Introduction Technology Background Comparison and Results Conclusions and Future WorkWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)3

Trusted Execution Environment Trusted Execution Environment can be achievedwith isolation.APPAPPAPPAPPOSOSOSOSVMVMVMVM Isolation through Virtual Machine is a commonapproach to achieve security at runtime. Downsides of software only virtualization:1)Virtualization uses OS and Hypervisor andputs them in the TCB.2)OS or Hypervisor contains thousands of linesof code and may have security flaws.3)Many OS and Hypervisor exploits have beenreported.HYPERVISOR4)Increased TCB means less security.HARDWAREWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)4

Hardware-Assisted Trusted ExecutionEnvironment Hardware-Assisted TEE couples hardware with TEE technology mitigates the downsides of thesoftware only TEEs. Hardware-Assisted TEE is faster since it uses dedicated hardware. Hardware-Assisted TEE exposes small TCB and smaller TCB means better security. Early Hardware-Assisted TEE: Intel ME, AMD PSP, and x86 SMM. Two general purpose Hardware-Assisted TEE have been proposed recently in x86 architecture:1.Intel Software Guard eXtensions (SGX). (HASP 2013)2.AMD Memory Encryption Technology. (White Paper 2016)WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)5

Outline Introduction Technology Background Comparison and Results Conclusions and Future WorkWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)6

Background: Intel Software Guard eXtensions(SGX) SGX Application execution flow:1) App is built with trusted and untrustedpart.3) Trusted function is called and theexecution is transferred into the enclavewhere all data will be in clear text, then thesecurity-sensitive data is processed.Untrusted part of App1- App creates anenclave.2- App calls a trustedfunction.5- App continues itsnormal execution.Enclave(Trusted part of App)Call Gates2) Untrusted part creates and executes theenclave that is placed in the encrypted andtrusted memory referred to as EPC.App3- The trustedfunction processes thesecurity-sensitive data.4- The trustedfunction returns.Privileged System Software, OS, Hypervisor, SMM, andBIOS4) Trusted function returns.5) App continues its normal execution.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)7

Background: AMD Memory EncryptionTechnology Addresses the physical access and the systemsoftware class of attacks in the public cloud.APPAPPAPPAPPVMVMVMVM Introduces SME, TSME, and SEV1)Secure Memory Encryption (SME) and TransparentSecure Memory Encryption (TSME) protect againstthe physical access attacks.2)Secure Encrypted Virtualization (SEV) protectsagainst system software class of attacks.3)SME and TSME encrypt the system memoryproviding the confidentiality for illegally physicalaccess attempts.4)SEV encrypts VM’s memory image with an uniquekey to the VM providing confidentiality for VM’smemory image and protects against systemsoftware class of attacks.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONOS/HypervisorMemory Encryption Engine (AES-128)COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)RAM8

Outline Introduction Technology Background Comparison and Results Conclusions and Future WorkWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)9

Testbeds ConfigurationTestbed MachineCPU ModelCPU Physical CoreNumberCPU Logical CoreNumberCPU Base ClockCPU Max ClockCache TypeCache SizeMotherboardMemoryStorageOperating SystemOS, Hypervisor kernelVM KernelTEE SDK VersionWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONIntelCore i7-6700AMDEPYC-7251488163.4 GHz4.0 GHzSmart Cache8MBDELL OptiPlex 70408GB DDR4 No-ECC1TB 7200 RPM HDDLinux 16.04 LTS4.15.7-041507-genericN/ASGX SDK Ver 2.002.1 GHz2.9 GHzL332MBGIGABYTE MZ31-AR032GB DDR4-ECC512GB SSDLinux 16.04 LTS4.15.0-rc1-kvm4.14.0-rc5-tipN/ACOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)10

SGX VS SEVTEETechnologyHighestAccessLevelMemory anismProtection LevelIntel SGXRing 3Up to 128MBEPCProvidedRequiredAttestedthrough IntelRemoteAttestationProtocol andIASConfidentialityand Integrity ofthe Code andData in theEnclaveAt RuntimeAMD SEVRing 0Up to AvailableSystem RamNotRequiredOnlyHypervisorand VM’sKernelAttestedthrough AMDSecureProcessorConfidentialityof the VM’sMemory ImageAt RuntimeWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)11

Function and Use Cases ComparisonIntel SGXAMD Memory Encryption Technology (SEV)Initial design targeted microservices and smallworkload. (small amount of secure memory andwas featured mainly in mobile and desktop familyprocessors)Initial design targeted cloud and Infrastructure as aService. (Large amount of secure memory featuredin server family processors)Requires major software changes and coderefactoring. (Not suitable for securing legacyapplications)Does not require software changes and coderefactoring. (Suitable for securing legacyapplications)SGX works with ring 3 and is not suitable forworkloads with many system calls.SEV works with ring 0 and is suitable for broaderrange of workloads especially those with manysystem calls.SGX is suitable for small but security-sensitiveworkload. (SGX has small TCB)SEV is suitable for securing legacy, large andenterprise level application. (SEV has large TCB)WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)12

Security and Vulnerability ComparisonIntel SGXAMD Memory Encryption Technology (SME, SEV)Provides Memory Integrity Protection.Does Not Provide Memory Integrity Protection.Vulnerable to Memory Side Channels.Vulnerable to Memory Side Channels.Vulnerable to Denial of Service Attacks. (OSHandles System Calls)Vulnerable to Denial of Service Attacks. (HypervisorHandles VM Requests)Small TCB. (TCB is CPU package)Large TCB. (VM’s OS is located inside TCB)Vulnerable to Synchronization Attacks.(TOCTTOU, Use-After-Free)AMD Secure Processor Firmware Bug Discovered.(MASTERKEY and FALLOUT)Intel SGX carefully separates the trusted and untrusted environments, provides a narrow and protectedenclave gateway, enforces memory access control, and applies memory integrity protection, thus makingit a suitable TEE for protecting workloads that interact with security-sensitive data.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)13

Floating Point Intensive WorkloadComparison Measures the execution performance of theTEE.PlatformDriver programcalculates theelapsed time Methodology:1) Codebase is identical for SGX and SEV.Start High-Resolution Timer2) SGX uses different random numbergenerator (Provided by SGX SDK).3) Datapoints are generated inside the TEE.4) Benchmark applies floating point intensiveprimitives and calculates the elapsed time.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)Stop High-Resolution TimerTrusted ExecutionEnvironmentRandomdatapoint isgeneratedFloating pointintensiveprimitive isexecuted14

Floating Point Intensive WorkloadComparison ResultsIntel SGX Enclave Protected WorkloadIntel SGX VS AMD SEV PerformanceComparisonIntel Unprotected WorkloadAMD SEV Protected VM WorkloadAverage Relative 89.409.236.118.638.52NANOSECONDS134.18AMD Unprotected VM TAN()ARCTAN()EXP()SQRT()FLOATING POINT INTENSIVE OPERATIONSWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)Floating Point Intensive WorkloadIntel SGX SlowdownAMD SEV Slowdown15

Memory Encryption Engine PerformanceComparison Measures the MEE performance of the TEE.Platform Codebase is identical for SGX and SEV.Driver programgenerates a largebuffer with randomlygenerated numbersMethodology:1) Large buffer is generated outside of theTEE.Start High-Resolution Timer2) Large buffer is sent and copied inside theTEE.3) Elapsed time is calculated.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)Stop High-Resolution TimerTrusted ExecutionEnvironment Trusted buffer iscreated inside theTEE Untrusted buffer ismarshalled andcopied into thetrusted buffer16

Memory Encryption Engine PerformanceComparison ResultsMEE Performance with 2.8GB InputBufferMEE Performance Comparison12.001001810000MillisecondsRelative 400020001060100902.000.00AMD SEVAMDProtected VM UnprotectedVMWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONIntel SGXIntelUnprotetedCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)MEE Intensive WorkloadIntel SGX SlowdownAMD SEV Slowdown17

Comprehensive Workload Comparison Measures the performance of the TEE while a secureprotocol for public cloud data provisioning andworkload is followed. Codebase is identical for SGX and SEV.PlatformDriver programgenerates a largeencrypted buffer withrandomly generatednumbers Task performed: Quicksort and MD5 message digest.Start High-Resolution Timer SEV simulates enclave model.Methodology:1)Driver program generates and encrypts datapointswith a key known to the enclave.2)Encrypted data is sent and copied inside the TEE.3)Inside the enclave the received buffer is decrypted,task is executed, result is encrypted, and returns tothe driver program.4)Elapsed time is calculated.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)Stop High-Resolution TimerTrusted ExecutionEnvironment Trusted buffer iscreated inside theTEE, and untrustedbuffer is marshalledand copied into thetrusted buffer. Trusted buffer isdecrypted andintended task isexecuted. Result is encryptedand returns to thedriver program.18

Comprehensive Workload Comparison Results25020015010050002505007501000 1250 1500Input Size in MBIntel SGX Enclave Protected WorkloadIntel Unrotected WorkloadAMD SEV Protected VM1750 2000Comprehensive Workload Comparison6.005.005.00Average Relative SlowdownSecondsComprehensive Workload ComparisonWith Quicksort Task And Different sort with 1.9GB MD5 (OpenSource) MD5 (SGXSSL) ForInput DataWith 256 Bytes Input SGX (OpenSource)DataFor SEV With 256Bytes Input DataIntel SGX SlowdownAMD Unprotected VMWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTON1.01COMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)AMD SEV Slowdown19

Outline Introduction Technology Background Comparison and Results Conclusions and Future WorkWAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)20

Conclusions and Future Work This paper is the first comparison study between AMD Memory Encryption Technologyand Intel Software Guard eXtensions (SGX). This paper illustrates comparison information regarding the functionality and usecases, security, and performance of Intel SGX and AMD Memory Encryption Technology. We conclude that Intel SGX is suited for highly security-sensitive but small workloadssince it enforces the memory integrity protection and has a limited amount of secureresources. AMD SME and SEV do not provide memory integrity protection. However, providing agreater amount of secure resources to applications, performing faster than Intel SGX(when an application requires a large amount of secure memory), and no coderefactoring, make them more suitable for complex or legacy applications and services. Future work: SEV-ES and SGX2.WAYNE STATE UNIVERSITY & UNIVERSITY OF HOUSTONCOMPASS LAB (HTTP://COMPASS.CS.WAYNE.EDU)21