Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors: Extended Version
This addresses a critical security issue for microprocessor designers and users by providing a provably secure solution to enclave interruptibility, though it is incremental as it builds on existing enclave mechanisms.
The paper tackles the problem of extending processors with new features without compromising existing isolation mechanisms, specifically by designing and proving a secure interruptible enclave system that prevents software-based side-channel attacks, with implementation on an open-source microprocessor showing evaluated performance and hardware costs.
Computer systems often provide hardware support for isolation mechanisms like privilege levels, virtual memory, or enclaved execution. Over the past years, several successful software-based side-channel attacks have been developed that break, or at least significantly weaken the isolation that these mechanisms offer. Extending a processor with new architectural or micro-architectural features, brings a risk of introducing new such side-channel attacks. This paper studies the problem of extending a processor with new features without weakening the security of the isolation mechanisms that the processor offers. We propose to use full abstraction as a formal criterion for the security of a processor extension, and we instantiate that criterion to the concrete case of extending a microprocessor that supports enclaved execution with secure interruptibility of these enclaves. This is a very relevant instantiation as several recent papers have shown that interruptibility of enclaves leads to a variety of software-based side-channel attacks. We propose a design for interruptible enclaves, and prove that it satisfies our security criterion. We also implement the design on an open-source enclave-enabled microprocessor, and evaluate the cost of our design in terms of performance and hardware size.