# Trust for Our Time: Confidential Computing in Untrusted Environments

Jo Van Bulck

DistriNet, KU Leuven, Belgium | jo.vanbulck@cs.kuleuven.be | @jovanbulck | vanbulck.net

Inaugural Lecture, February 14, 2025





# The Big Picture: Protecting Private Data

- Data in transit
- Data at rest: full disk encryption
- Data in use: **Homomorphic encryption?** **Trusted Execution?**
  - = Confidential Computing
  - = Hardware Enclaves

Image credit: DALL·E 3

# **Confidential Computing: Reducing Attack Surface**



**Trusted execution:** Hardware-level isolation and attestation

# The Rise of Trusted Execution Environments (TEEs)

- 2004: ARM TrustZone
- 2015: Intel Software Guard Extensions (SGX)
- 2016: AMD Secure Encrypted Virtualization (SEV)
- 2018: IBM Protected Execution Facility (PEF)
- 2020: AMD SEV with Secure Nested Paging (SEV-SNP)
- 2022: Intel Trust Domain Extensions (TDX)
- 2023: ARM Confidential Compute Architecture (CCA)
- 2024: NVIDIA Confidential Computing



# "Confidential Computing Today, Just Computing Tomorrow" \*



# **Trust for Our Time?**



# Tim Cook attacks Google over privacy of Photos service

Tim Cook continues to throw barely veiled barbs at Google, in an effort to position Apple as the privacy champion of Silicon Valley.

















Overall execution time reveals correctness of individual password bytes!

# **Building the Side-Channel Oracle with Execution Timing?**

**Too noisy:** modern x86 processors are lightning fast...
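The password-check leak of the previous slides, as an added example (not code from the lecture or from the SGX-Step project): a constructed enclave secret, an early-exit comparison whose loop-iteration count equals the length of the correctly guessed prefix plus one, and a constant-time comparison whose count is the same for every guess. The step count stands in for whatever the observer can measure, overall execution time at coarse resolution or an instruction count at fine resolution. `ENCLAVE_SECRET`, `leaky_check`, `ct_check`, the helper functions and the sample guesses are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PW_LEN 8

/* Constructed sample secret, standing in for a password held inside an enclave. */
static const uint8_t ENCLAVE_SECRET[PW_LEN] = { 'h', 'u', 'n', 't', 'e', 'r', '2', '!' };

/* Early-exit comparison as typically written.  Returns 1 on a match, 0 otherwise,
 * and reports in *steps how many loop iterations executed.  That count is what a
 * timing (or single-stepping) observer sees: it equals the length of the correctly
 * guessed prefix plus one, so each password byte is confirmed separately. */
int leaky_check(const uint8_t *guess, size_t *steps)
{
    size_t i;
    for (i = 0; i < PW_LEN; i++) {
        if (guess[i] != ENCLAVE_SECRET[i])
            break;                     /* secret-dependent early exit */
    }
    if (steps)
        *steps = (i < PW_LEN) ? i + 1 : PW_LEN;
    return i == PW_LEN;
}

/* Constant-time comparison: always walks all PW_LEN bytes, accumulates the
 * differences with XOR/OR, and reduces the result to 0/1 without a
 * secret-dependent branch, so the instruction trace is identical for every guess. */
int ct_check(const uint8_t *guess, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PW_LEN; i++)
        diff |= (uint8_t)(guess[i] ^ ENCLAVE_SECRET[i]);
    if (steps)
        *steps = PW_LEN;
    /* diff == 0  ->  (0 - 1) >> 31 == 1 ;  diff in 1..255  ->  0 */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Helpers that expose the leak as a number: iterations executed per guess. */
size_t leaky_steps(const char *guess)
{
    size_t s = 0;
    leaky_check((const uint8_t *)guess, &s);
    return s;
}

size_t ct_steps(const char *guess)
{
    size_t s = 0;
    ct_check((const uint8_t *)guess, &s);
    return s;
}

int main(void)
{
    /* Constructed guesses: wrong first byte, correct 1-byte prefix,
     * correct 7-byte prefix, exact match. */
    const char *guesses[] = { "XXXXXXXX", "hXXXXXXX", "hunter2X", "hunter2!" };
    for (size_t g = 0; g < 4; g++) {
        printf("%-10s early-exit: %zu steps (match=%d)   constant-time: %zu steps (match=%d)\n",
               guesses[g],
               leaky_steps(guesses[g]), leaky_check((const uint8_t *)guesses[g], NULL),
               ct_steps(guesses[g]), ct_check((const uint8_t *)guesses[g], NULL));
    }
    return 0;
}
```

The iteration-count model holds at source level only; the compiled enclave code must be checked (for example by inspecting the disassembly) because an optimising compiler can reintroduce a secret-dependent branch, and that per-instruction view is exactly what the single-stepping tooling discussed next makes observable.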



# **Challenge: Side-Channel Sampling Rate**



Figure: the same scene at slow, medium and fast shutter speed (photo CC-BY-SA Nevit Dilmen)

### **SGX-Step: Executing Enclaves one Instruction at a Time**

https://github.com/jovanbulck/sgx-step

Van Bulck et al., "SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control", SysTEX 2017.



SGX-Step led to new x86 processor instructions! $\rightarrow$ shipped in millions of devices ($\geq$ 4th Gen Xeon CPU)

#### CHAPTER 8 ASYNCHRONOUS ENCLAVE EXIT NOTIFY AND THE EDECCSSA USER LEAF FUNCTION

#### 8.1 INTRODUCTION

Asynchronous Enclave Exit Notify (AEX-Notify) is an extension to Intel<sup>®</sup> SGX that allows Intel SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. EDECCSSA is a new Intel SGX user leaf function (ENCLU[EDECCSSA]) that can facilitate AEX notification handling as well as software exception handling. This chapter provides information about the changes to the Intel SGX architecture for AEX-Notify and ENCLU[EDECCSSA].

The following list summarizes the changes (details are provided in Section 8.3):

- SECS.ATTRIBUTES.AEXNOTIFY: …
- TCS.FLAGS.AEXNOTIFY: …
- SSA.GPRSGX.AEXNOTIFY: Enclave-writable byte that allows enclave software to dynamically enable/disable AEX notifications.

An AEX notification is delivered by ENCLU[ERESUME] when the following conditions are met: …

Constable et al., "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.

Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors.

Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.

Excerpt from intel/linux-sgx, sdk/trts/linux/trts_mitigation.S:

```
 * Description:
 *     The file provides mitigations for SGX-Step
 */
 ...
 * Function: constant_time_apply_sgxstep_mitigation_and_continue_execution
 *     Mitigate SGX-Step and return to the point at which the most recent
 *     interrupt/exception occurred.
```

# Scientific Understanding Driven by Attacker-Defender Race...




# **Spatial Resolution: Page-Granular Memory Access Traces**

Detailed trace of (coarse-grained) code and data accesses over time...

Xu et al., "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems", IEEE S&P 2015.

Vanoverloop et al., "TLBlur: Compiler-Assisted Automated Hardening against Controlled Channels on Off-the-Shelf Intel SGX Platforms", USENIX Security 2025.
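The page-granular trace of the controlled-channel slides and the classic oblivious-access mitigation, as an added example (not code from the lecture, from Xu et al., or from TLBlur, whose compiler-assisted approach is a different technique): a constructed 16 KiB lookup table, a secret-indexed lookup that touches exactly one 4 KiB page, and an oblivious variant that touches the same offset on every page and selects the result with a branch-free mask, so the page trace no longer depends on the secret. `table`, `page_trace_t`, `lookup_leaky`, `lookup_oblivious` and the helper functions are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)
#define NPAGES     4
#define TABLE_SIZE (NPAGES * PAGE_SIZE)

/* Constructed 16 KiB lookup table (assumption of this example).  "Page" below
 * means a 4 KiB chunk of this table (offset >> 12); a real page-fault trace
 * keys on absolute addresses of page-aligned storage, which changes nothing. */
static uint8_t table[TABLE_SIZE];
static int table_ready = 0;

static void init_table(void)
{
    if (table_ready) return;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        table[i] = (uint8_t)(i * 7u + 3u);
    table_ready = 1;
}

/* Page-granular trace: one flag per page, set when the lookup touches it.
 * This is the resolution an untrusted OS obtains from page faults. */
typedef struct { uint8_t touched[NPAGES]; } page_trace_t;

static void record(page_trace_t *t, const uint8_t *p)
{
    t->touched[(size_t)(p - table) >> PAGE_SHIFT] = 1;
}

/* Secret-dependent lookup: exactly one page is touched, and which one is
 * fixed by the top bits of the secret index, so the trace reveals them. */
uint8_t lookup_leaky(uint16_t secret, page_trace_t *t)
{
    const uint8_t *p = &table[secret & (TABLE_SIZE - 1)];
    record(t, p);
    return *p;
}

/* Oblivious lookup: touch the same offset on every page and select the wanted
 * byte with a branch-free mask, so the page trace is identical for all
 * secrets.  Cache-line and finer-grained channels are not addressed here. */
uint8_t lookup_oblivious(uint16_t secret, page_trace_t *t)
{
    size_t idx     = secret & (TABLE_SIZE - 1);
    size_t want    = idx >> PAGE_SHIFT;
    size_t in_page = idx & (PAGE_SIZE - 1);
    uint8_t result = 0;
    for (size_t pg = 0; pg < NPAGES; pg++) {
        const uint8_t *p = &table[pg * PAGE_SIZE + in_page];
        record(t, p);
        uint32_t d = (uint32_t)(pg ^ want);                      /* 0 iff wanted page */
        uint8_t mask = (uint8_t)(0u - (((d - 1u) >> 31) & 1u));  /* 0xFF iff d == 0 */
        result |= (uint8_t)(*p & mask);
    }
    return result;
}

static size_t count_touched(const page_trace_t *t)
{
    size_t n = 0;
    for (size_t pg = 0; pg < NPAGES; pg++) n += t->touched[pg];
    return n;
}

/* Helpers exposing the trace as plain numbers. */
size_t leaky_pages(uint16_t secret)
{
    page_trace_t t = {{0}};
    init_table();
    lookup_leaky(secret, &t);
    return count_touched(&t);
}

int leaky_page_index(uint16_t secret)   /* which page the leaky lookup touched */
{
    page_trace_t t = {{0}};
    init_table();
    lookup_leaky(secret, &t);
    for (int pg = 0; pg < NPAGES; pg++)
        if (t.touched[pg]) return pg;
    return -1;
}

size_t oblivious_pages(uint16_t secret)
{
    page_trace_t t = {{0}};
    init_table();
    lookup_oblivious(secret, &t);
    return count_touched(&t);
}

int results_agree(uint16_t secret)      /* 1 if both lookups return the same byte */
{
    page_trace_t a = {{0}}, b = {{0}};
    init_table();
    return lookup_leaky(secret, &a) == lookup_oblivious(secret, &b);
}

int main(void)
{
    uint16_t secrets[] = { 0x0123, 0x2ABC, 0x3FFF };   /* constructed secret indices */
    for (size_t i = 0; i < 3; i++)
        printf("secret 0x%04x: leaky touches page %d only; oblivious touches %zu pages; same result: %d\n",
               secrets[i], leaky_page_index(secrets[i]), oblivious_pages(secrets[i]),
               results_agree(secrets[i]));
    return 0;
}
```

Touching every page costs one access per page per lookup, which is why compiler-assisted approaches such as TLBlur are attractive on large code bases; the trace-shape property this example checks (identical page set for every secret) is the same one a hardened build has to satisfy.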







# **Conclusions and Take-Away**



New era of **confidential computing** for the cloud and IoT



... but current architectures are **not perfect!** 



Scientific understanding driven by attacker-defender race

