# Fortress or Facade: Strengthening the Future of Confidential Computing

Jo Van Bulck

DistriNet, KU Leuven, Belgium · jo.vanbulck@cs.kuleuven.be · @jovanbulck · vanbulck.net

DRADS, March 10, 2025



#### The Big Picture: Protecting Private Data

- Data in transit
- Data at rest: full disk encryption
- Data in use: homomorphic encryption? Trusted execution?
  - = Confidential Computing
  - = Hardware Enclaves

#### **Confidential Computing: Reducing Attack Surface**



Trusted execution: Hardware-level isolation and attestation

## The Rise of Trusted Execution Environments (TEEs)

- 2004: ARM TrustZone
- 2015: Intel Software Guard Extensions (SGX)
- 2016: AMD Secure Encrypted Virtualization (SEV)
- 2018: IBM Protected Execution Facility (PEF)
- 2020: AMD SEV with Secure Nested Paging (SEV-SNP)
- 2022: Intel Trust Domain Extensions (TDX)
- 2023: ARM Confidential Compute Architecture (CCA)
- 2024: NVIDIA Confidential Computing


# "Confidential Computing Today, Just Computing Tomorrow" \*

#### **Fortress or Facade?**

#### **Context: Writing "Secure" Enclave Software is Hard...**

- API level: Sanitize pointer arguments in the shared address space
- ABI level: Sanitize low-level CPU configuration registers
- μ-arch level: Spectre/LVI → `lfence`; ÆPIC/MMIO stale data → `verw`; cacheline GPU leak → avoid dword0/1...

#### **API Vulnerabilities: Confused-Deputy Attacks**

# Manual code review finds 35 vulnerabilities in 8 enclave SDKs

All issues have been privately reported and patches are available.

Written by **Catalin Cimpanu**, Contributor, Nov. 12, 2019 (ZDNet)

https://www.zdnet.com/article/manual-code-review-finds-35-vulnerabilities-in-8-enclave-sdks/

#### Pandora: Principled Symbolic Validation of Intel SGX Enclaves

Toy enclave entry point used to illustrate symbolic execution:

```c
static int secret = 42;  /* placeholder: stands for enclave-private data */

/* Symbolic execution forks at the branch: one path carries the constraint
   pin == 123 and returns the secret, the other carries pin != 123 and returns 0. */
int ecall(int pin) {
    if (pin == 123) {
        return secret;
    } else {
        return 0;
    }
}
```

https://angr.io/

- Symbolic execution uses a constraint solver
- Analysis works at the instruction level, i.e., as close to the binary as possible

Alder et al. "Pandora: Principled Symbolic Validation of Intel SGX Enclave Runtimes", IEEE S&P 2024.

Issues found by Pandora's sanitization plugins across enclave runtimes (Prod = production-grade runtime, Src = source available, ↦ = derived from the runtime listed above it):

| Runtime        | Version   | Prod | Src | Plugin  | Instances |
|----------------|-----------|------|-----|---------|-----------|
| EnclaveOS      | 3.28      | ✓    | ✗†  | ABISan  | 1         |
| EnclaveOS      | 3.28      | ✓    | ✗†  | PTRSan  | 15        |
| EnclaveOS      | 3.28      | ✓    | ✗†  | ÆPICSan | 33        |
| EnclaveOS      | 3.28      | ✓    | ✗†  | CFSan   | 2         |
| GoTEE          | b35f      | ✗    | ✓   | PTRSan  | 31        |
| GoTEE          | b35f      | ✗    | ✓   | ÆPICSan | 18        |
| GoTEE          | b35f      | ✗    | ✓   | CFSan   | 1         |
| Gramine        | 1.4       | ✓    | ✓   | ABISan  | 1         |
| Intel SDK      | 2.15.1    | ✓    | ✓   | PTRSan  | 2         |
| Intel SDK      | 2.19      | ✓    | ✓   | ÆPICSan | 22        |
| ↦ Occlum       | 0.29.4    | ✓    | ✓   | ÆPICSan | 11        |
| Open Enclave   | 0.19.0    | ✓    | ✓   | ABISan  | 2         |
| Rust EDP       | 1.71      | ✓    | ✓   | ABISan  | 1         |
| Linux selftest | 5.18      | ✗    | ✓   | ABISan  | 1         |
| ↦ DCAP         | 1.16      | ✓    | ✓   | ABISan  | 1         |
| ↦ Inclavare    | 0.6.2     | ✗    | ✓   | ABISan  | 1         |
| Linux selftest | 5.18      | ✗    | ✓   | PTRSan  | 5         |
| ↦ DCAP         | 1.16      | ✓    | ✓   | PTRSan  | 17        |
| ↦ Inclavare    | 0.6.2     | ✗    | ✓   | PTRSan  | 2         |
| Linux selftest | 5.18      | ✗    | ✓   | CFSan   | 1         |
| ↦ Inclavare    | 0.6.2     | ✗    | ✓   | CFSan   | 1         |
| SCONE          | 5.7 / 5.8 | ✓    | ✗   | ABISan  | 2 / 1     |
| SCONE          | 5.7 / 5.8 | ✓    | ✗   | PTRSan  | 10 / 3    |
| SCONE          | 5.7 / 5.8 | ✓    | ✗   | ÆPICSan | 11 / 3    |
| SCONE          | 5.8       | ✓    | ✗   | CFSan   | 1         |
#### Report: PointerSanitizationPlugin

Plugin description: Validates attacker-tainted pointer dereferences.

Analyzed `pandora_selftest_enclave_sanitization3.elf` with the 'Linux selftest enclave' runtime. Ran for 0:00:12.758955 on 2023-08-03_19-16-58.

Enclave info: Address range is [0x0, 0xbfff]

**Summary:** Found 1 unique WARNING issue; 2 unique CRITICAL issues.

#### **Report summary**

| Severity | Reported issues                                                  |
|----------|------------------------------------------------------------------|
| WARNING  | Attacker-tainted read inside enclave at 0x2476                   |
| CRITICAL | Unconstrained read at 0x22c3; unconstrained read at 0x20be       |

Detail of one reported read (the address is a symbolic 64-bit expression over uninitialized attacker-controlled memory):

| Key                            | Value                                                              |
|--------------------------------|--------------------------------------------------------------------|
| Address                        | `<BV64 ((attacker_mem_66_32{uninitialized} + 0x1) << 0x3) + 0x3000>` |
| Attacker tainted               | True                                                               |
| Length                         | 8                                                                  |
| Pointer range                  | [0x3008, 0xfffffff800003008]                                       |
| Pointer can wrap address space | False                                                              |
| Pointer can lie in enclave     | True                                                               |
| Extra info                     | Read address may lie inside or outside enclave                     |

#### Backtrace

Basic block trace (most recent first)
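The API-level rule from the "writing secure enclave software is hard" slide (sanitize pointer arguments in the shared address space) and the pointer-sanitization findings in the Pandora report above come down to one check: before an ecall dereferences a host-supplied pointer, the whole range `[ptr, ptr + len)` must be shown to lie outside the enclave and not wrap around the address space. The example below is added here to illustrate that check and is not code from the slides, from Pandora, or from any SDK. It uses a constructed static object as a stand-in for the enclave's memory range; the check itself is a stand-alone re-implementation of what the Intel SGX SDK exposes as `sgx_is_outside_enclave()`, and the ecall names, the "secret key", and the attack helpers are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "enclave" state for this example. In a real SGX enclave this
   would live in the protected EPC range; here a static object's address range
   stands in for the enclave so the checks can run as an ordinary program. */
static struct {
    uint8_t secret_key[16];
    uint8_t scratch[16];
} enclave_mem = { "0123456789abcdef", { 0 } };

static uintptr_t enclave_base(void) { return (uintptr_t)&enclave_mem; }
static size_t enclave_size(void) { return sizeof enclave_mem; }

/* 1 iff [ptr, ptr + len) is non-empty, does not wrap around the address space,
   and lies entirely outside the enclave. Stand-alone re-implementation of the
   check the Intel SGX SDK exposes as sgx_is_outside_enclave(). */
int range_outside_enclave(uintptr_t ptr, size_t len) {
    if (len == 0) return 0;                     /* degenerate range: reject */
    if (len > UINTPTR_MAX - ptr) return 0;      /* ptr + len would wrap */
    uintptr_t end = ptr + len;                  /* exclusive end */
    uintptr_t ebase = enclave_base();
    uintptr_t eend = ebase + enclave_size();
    return end <= ebase || ptr >= eend;
}

/* Vulnerable ecall: copies len bytes from in to out. Both pointers come from
   the untrusted host and are used unchecked, so the host can point `in` at
   enclave memory (leak) or `out` at enclave memory (corruption): the enclave
   becomes a confused deputy acting on its own memory for the attacker. */
int ecall_echo_vulnerable(const uint8_t *in, uint8_t *out, size_t len) {
    memcpy(out, in, len);
    return 0;
}

/* Hardened ecall: every host-supplied pointer range must lie entirely outside
   the enclave (wrap-around rejected) before it is dereferenced. */
int ecall_echo_hardened(const uint8_t *in, uint8_t *out, size_t len) {
    if (!range_outside_enclave((uintptr_t)in, len) ||
        !range_outside_enclave((uintptr_t)out, len))
        return -1;                              /* invalid argument */
    memcpy(out, in, len);
    return 0;
}

/* Attack 1: the host passes the enclave's own key as the input buffer.
   Returns 1 if the key ended up in host memory. */
int attack_leaks_key(int (*ecall)(const uint8_t *, uint8_t *, size_t)) {
    uint8_t host_buf[16] = { 0 };
    ecall(enclave_mem.secret_key, host_buf, sizeof host_buf);
    return memcmp(host_buf, enclave_mem.secret_key, sizeof host_buf) == 0;
}

/* Attack 2: the host passes an enclave address as the output buffer.
   Returns 1 if enclave memory was overwritten with the host's payload. */
int attack_overwrites_enclave(int (*ecall)(const uint8_t *, uint8_t *, size_t)) {
    uint8_t host_payload[16];
    memset(host_payload, 0x41, sizeof host_payload);
    memset(enclave_mem.scratch, 0, sizeof enclave_mem.scratch);
    ecall(host_payload, enclave_mem.scratch, sizeof host_payload);
    return enclave_mem.scratch[0] == 0x41;
}

int main(void) {
    printf("vulnerable: key leaked=%d, enclave overwritten=%d\n",
           attack_leaks_key(ecall_echo_vulnerable),
           attack_overwrites_enclave(ecall_echo_vulnerable));
    printf("hardened:   key leaked=%d, enclave overwritten=%d\n",
           attack_leaks_key(ecall_echo_hardened),
           attack_overwrites_enclave(ecall_echo_hardened));
    return 0;
}
```

The two failure modes the Pandora report fields correspond to are both covered: a range whose end wraps past the top of the address space ("Pointer can wrap address space") is rejected by the overflow test, and a range that starts outside but reaches into the enclave ("Pointer can lie in enclave") is rejected because the exclusive end is compared against the enclave base. Checking only the start address, which is the common mistake, would pass the second case.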

#### Scientific Understanding Driven by Attacker-Defender Race...

Overall execution time reveals correctness of individual password bytes!

#### **Building the Side-Channel Oracle with Execution Timing?**

**Too noisy:** modern x86 processors are lightning fast...

#### **Challenge: Side-Channel Sampling Rate**

(Photo analogy: slow, medium, and fast shutter speed. Photo CC-BY-SA Nevit Dilmen.)

#### **SGX-Step: Executing Enclaves one Instruction at a Time**

https://github.com/jovanbulck/sgx-step

Van Bulck et al., "SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control", SysTEX 2017.

#### SGX-Step Demo: Single-Stepping Password Comparison

`jo@breuer:~/sgx-step-demo$ sudo /app`
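The demo above and the earlier observation that overall execution time reveals the correctness of individual password bytes both rest on the same mechanism: a comparison that exits at the first mismatching byte executes a number of instructions that depends on how many leading bytes were right, and a single-stepping attacker counts those instructions exactly. The example below is added here to make that oracle concrete and is not code from the SGX-Step demo or repository. It models the single-step count with a plain counter incremented once per loop iteration (plus the extra work on the accept path), uses a constructed four-byte PIN, and pits the same byte-by-byte oracle against a leaky and a constant-time comparison; the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PIN 64

/* Instruction-step counter: stands in for what SGX-Step observes when it
   single-steps the enclave (one interrupt per instruction). Counting loop
   iterations plus the accept path captures what differs between paths. */
static size_t g_steps;

/* Leaky comparison (the kind the demo single-steps): exits at the first
   mismatch, so the step count equals the number of correct leading bytes. */
int check_pin_leaky(const uint8_t *guess, const uint8_t *secret, size_t n) {
    g_steps = 0;
    for (size_t i = 0; i < n; i++) {
        g_steps++;
        if (guess[i] != secret[i]) return 0;   /* early exit leaks i */
    }
    g_steps++;                                 /* accept path: extra work */
    return 1;
}

/* Constant-time comparison: identical instruction trace for every input.
   (At the assembly level this still has to be checked, since a compiler may
   reintroduce a branch; the page's own hardening advice applies.) */
int check_pin_ct(const uint8_t *guess, const uint8_t *secret, size_t n) {
    uint8_t diff = 0;
    g_steps = 0;
    for (size_t i = 0; i < n; i++) {
        g_steps++;
        diff |= guess[i] ^ secret[i];
    }
    return (int)(((uint32_t)diff - 1u) >> 31); /* branchless: 1 iff diff == 0 */
}

/* Step-count oracle: for each position try all 256 bytes and keep the single
   candidate whose step count stands out. Returns how many secret bytes were
   recovered before the oracle stopped being able to distinguish candidates. */
size_t recover_pin(int (*check)(const uint8_t *, const uint8_t *, size_t),
                   const uint8_t *secret, size_t n, uint8_t *out) {
    uint8_t guess[MAX_PIN] = { 0 };
    if (n > MAX_PIN) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t best_steps = 0, ties = 0;
        uint8_t best = 0;
        for (unsigned c = 0; c < 256; c++) {
            guess[i] = (uint8_t)c;
            check(guess, secret, n);           /* only g_steps is observed */
            if (g_steps > best_steps) { best_steps = g_steps; best = (uint8_t)c; ties = 1; }
            else if (g_steps == best_steps) ties++;
        }
        if (ties != 1) return i;               /* nothing stands out: channel closed */
        guess[i] = out[i] = best;
    }
    return n;
}

/* Constructed secret for the demonstration (not from the original demo). */
static const uint8_t demo_secret[4] = { '1', '2', '3', '4' };

size_t demo_recovered(int (*check)(const uint8_t *, const uint8_t *, size_t),
                      uint8_t *out) {
    return recover_pin(check, demo_secret, sizeof demo_secret, out);
}

int main(void) {
    uint8_t out[4] = { 0 };
    size_t n = demo_recovered(check_pin_leaky, out);
    printf("leaky: recovered %zu/4 bytes: %.*s\n", n, (int)n, (const char *)out);
    n = demo_recovered(check_pin_ct, out);
    printf("constant-time: recovered %zu/4 bytes\n", n);
    return 0;
}
```

Against the leaky comparison the oracle needs at most 256 trials per byte instead of 256^n overall, which is why a single-step-precise channel is so much more than "timing is a bit noisy". Against the constant-time version every candidate produces the same count, the tie check fires at the first byte, and only the final accept/reject verdict (which the attacker is entitled to anyway) remains.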

#### SGX-Step: A Versatile Open-Source Attack Framework





#### SGX-Step Led to New x86 Processor Instructions!

→ AEX-Notify has shipped in millions of devices (≥ 4th Gen Xeon CPUs)

From Intel's architecture documentation, Chapter 8, "Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function", Section 8.1 Introduction:

Asynchronous Enclave Exit Notify (AEX-Notify) is an extension to Intel SGX that allows Intel SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. EDECCSSA is a new Intel SGX user leaf function (ENCLU[EDECCSSA]) that can facilitate AEX notification handling as well as software exception handling. [...] The following list summarizes the [...] (details are provided in Section 8.3):

- SECS.ATTRIBUTES.AEXNOTIFY: [...]
- TCS.FLAGS.AEXNOTIFY: [...]
- SSA.GPRSGX.AEXNOTIFY: Enclave-writable byte that allows enclave software to dynamically enable/disable AEX notifications.

An AEX notification is delivered by ENCLU[ERESUME] when the following conditions are met: [...]

Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors.

Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.

The mitigation in the Intel SGX SDK (intel/linux-sgx, `sdk/trts/linux/trts_mitigation.S`):

```
 * Description:
 *     The file provides mitigations for SGX-Step
 */
[...]
 * Function: constant_time_apply_sgxstep_mitigation_and_continue_execution
 *     Mitigate SGX-Step and return to the point at which the most recent
 *     interrupt/exception occurred.
```

Constable et al. "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.





#### SGX machinery protects against direct address remapping attacks



... but untrusted address translation may fault(!)

#### **Spatial Resolution: Page-Granular Memory Access Traces**

Detailed trace of (coarse-grained) code and data accesses over time...

Xu et al. "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems", IEEE S&P 2015.

#### **TLBlur: Self-Monitoring and Restoring Enclave Page Accesses**

Vanoverloop et al. "TLBlur: Compiler-Assisted Automated Hardening against Controlled Channels on Off-the-Shelf Intel SGX Platforms", USENIX Security 2025.







## **Conclusions and Take-Away**

New era of **confidential computing** for the cloud and IoT

... but current architectures are **not perfect!**

Scientific understanding driven by attacker-defender race
