# Hack, Fix, Repeat: FOSS and the Future of Systems Security

#### Jo Van Bulck

☆ DistriNet, KU Leuven, Belgium 
☐ jo.vanbulck@cs.kuleuven.be 
ⓒ vanbulck.net

Research Software Engineering Day, Dec 4, 2025



The "Great Lock Controversy" at the Industrial Exhibition of 1851



### The "Great Lock Controversy" at the Industrial Exhibition of 1851



#### **Kerckhoff's Principle: No Security through Obscurity**

"Il faut qu'il n'exige pas le secret, et qu'il puisse sans inconvénient tomber entre les mains de l'ennemi."

- Auguste Kerckhoff (1883)

#### Linus's Law: Security through Open Source?

"Given enough eyeballs, all bugs are shallow."

- Eric S. Raymond (1997)

#### **Context: Evolution of Linux Kernel Lines of Code**



#### **Context: Evolution of Linux Kernel Vulnerabilities**



# Research Landscape

Reducing attack surface with confidential computing



#### **Confidential Computing: Reducing Attack Surface**



#### The Rise of Trusted Execution Environments (TEEs)











- 2004: ARM TrustZone
- 2015: Intel Software Guard Extensions (SGX)
- 2016: AMD Secure Encrypted Virtualization (SEV)
- 2018: IBM Protected Execution Facility (PEF)
- 2020: AMD SEV with Secure Nested Paging (SEV-SNP)
- 2022: Intel Trust Domain Extensions (TDX)
- 2023: ARM Confidential Compute Architecture (CCA)
- 2024: NVIDIA Confidential Computing



## "Confidential Computing Today, Just Computing Tomorrow" \*



#### Research Agenda: (Un)confidential Computing?



- Offensive security analysis of closed-source (large) commercial systems
  - → Critical analysis of vendor claims...
- Defensive prototypes on open-source (small) research systems
  - → Next-generation innovations...

#### A Decade of Vetting Confidential Computing @DistriNet



Hackers raken in hart van Intel-processor

De Standaard



## Scientific Understanding Driven by Attacker-Defender Race...



## Scientific Understanding Driven by Attacker-Defender Race...





# Highlight #1: Sancus

Do's and don'ts for long-lived open-source research prototypes

## Sancus: Lightweight Trusted Computing for the IoT



OpenMSP430 CPU extensions for isolation + attestation

**LLVM** compiler pass

Support software "operating system"

|  | Unprotected memory | $SPM_A$ Code | Unprotected memory | $SPM_A$ Data | Unprotected memory |  |
|--|--------------------|--------------|--------------------|--------------|--------------------|--|
|--|--------------------|--------------|--------------------|--------------|--------------------|--|

0x0000 0xF

18





# **Key #1: Open-Source Ecosystem**





#### Sancus: Open-Source Artifacts for Reproducible Science

- No commercialization/patents; FOSS licenses
- Limit dependencies: e.g., LLVM <> GCC
- **Upstream** eagerly: Avoid dead forks...
  - 2012-2017: Public tarballs + private git
  - 2017: Move to public GitHub organization







# **Key #2: Modular Base Design**



## Sancus is Dead, Long Live Sancus!





## **Key #3: Build Usable Systems**





#### **Sancus: Building Usable Systems**

- Large engineering effort >> minimal publication effort
- Simulators and test frameworks
- Continuous integration
- Tutorial [DSN'18] → VulCAN [ACSAC'20]



"I'm happy to say that the evaluation worked flawlessly – great job!"







## **Key #4: Impact through Education**

#### **Maximizing Impact through Education**





- Continuous master thesis involvement
- Understanding: Putting theory into practice
  - → e.g., MIT xv6 OS, KUL Proteus RISC-V core



# **Key #4: Science Communication**

# Sancus: Lightweight and Open-Source Trusted Computing for the IoT

View on GitHub 🗘

Watch a demo

Explore Research



We do have problems with security, ones that need to be dealt with, not only with changes to software toolchains but also to the underlying hardware.

-Rik Farrow USENIX; login:



#### SOFTWARE ISOLATION

Outside software cannot read or write a protected module's runtime state. A module can only be called through one of its designated entry points.



#### SECURE COMMUNICATION

Sancus safeguards the authenticity, integrity, and freshness of all traffic between a protected module and its remote provider.



#### LIGHTWEIGHT CRYPTOGRAPHY

A minimalist cryptographic hardware unit enables low-overhead symmetric key derivation, authenticated encryption, and hashing.



#### SECURE I/O

Secure driver modules have exclusive ownership over memory-mapped I/O peripheral devices, and can implement software-defined access control policies.



#### SOFTWARE ATTESTATION

Remote or local parties can verify at runtime that a particular software module has been isolated on a specific node without having been tampered with.



#### BACKWARDS COMPATIBILITY

Legacy applications continue to function as expected; critical components can be migrated gradually into Sancus-protected modules.



Trusted Post-Meltdown on Reflections

Computing

Case for Open Security Processors

Attest a Sancus Enclave From an SGX Enclave

Amesting enclave (verifier) Attested enclave (prover) Attesting enclave verifies







"A project based on open-source building blocks and free-software ethos [...] should be lauded and considered by anyone [...]"

- Mischa Spiegelmock, LWN.net, 2018







# Highlight #2: SGX-Step

From open-source research to real-world impact

### **SGX-Step: Executing Enclaves one Instruction at a Time**



### **SGX-Step: Executing Enclaves one Instruction at a Time**



#### **SGX-Step: Open-Source Release**



https://github.com/jovanbulck/sgx-step





## **Key #1: Accessible Library Design**

#### **SGX-Step: Extensible Linux Kernel Framework**



### **SGX-Step: Extensible Linux Kernel Framework**





## **Key #2: Reusable Primitives**

### SGX-Step: Enabling a New Line of High-Resolution Attacks

| Yr  | Venue          | Paper            | Step            | Use Case               | Drv |
|-----|----------------|------------------|-----------------|------------------------|-----|
| '15 | S&P            | Ctrl channel     | ~ Page          | Probe (page fault)     | ✓ # |
| '16 | <b>ESORICS</b> | AsyncShock       | ~ Page          | Exploit (mem safety)   | - 0 |
| '17 | CHES           | CacheZoom        | × >1            | Probe (L1 cache)       | 10  |
| '17 | ATC            | Hahnel et al.    | <b>X</b> 0 - >1 | Probe (L1 cache)       | /   |
| '17 | <b>USENIX</b>  | BranchShadow     | × 5 - 50        | Probe (BPU)            | X A |
| '17 | <b>USENIX</b>  | Stealthy PTE     | ~ Page          | Probe (page table)     | 10  |
| '17 | <b>USENIX</b>  | DarkROP          | ~ Page          | Exploit (mem safety)   | V 0 |
| '17 | SysTEX         | SGX-Step         | <b>√</b> 0 - 1  | Framework              | 1-1 |
| '18 | ESSoS          | Off-limits       | <b>√</b> 0 - 1  | Probe (segmentation)   | 1-1 |
| '18 | AsiaCCS        | Single-trace RSA | ~ Page          | Probe (page fault)     | 1-4 |
| '18 | USENIX         | Foreshadow       | <b>√</b> 0 - 1  | Probe (transient exec) | 1-1 |
| '18 | EuroS&P        | SgxPectre        | ~ Page          | Exploit (transient)    | ✓ ∆ |
| '18 | CHES           | CacheQuote       | <b>X</b> >1     | Probe (L1 cache)       | 10  |
| '18 | ICCD           | SGXlinger        | X >1            | Probe (IRQ latency)    | X A |
| '18 | CCS            | Nemesis          | <b>√</b> 1      | Probe (IRQ latency)    | 1-1 |
| '19 | USENIX         | Spoiler          | ✓ 1             | Probe (IRQ latency)    | 1-1 |
| '19 | CCS            | ZombieLoad       | <b>√</b> 0 - 1  | Probe (transient exec) | 1-# |
| '19 | CCS            | Fallout          | e <del>-</del>  | Probe (transient exec) | 1-1 |
| '19 | CCS            | Tale of 2 worlds | √ 1             | Exploit (mem safety)   | 1-1 |
| '19 | ISCA           | MicroScope       | ~ 0 - Page      | Framework              | X A |
| '20 | CHES           | Bluethunder      | ✓ 1             | Probe (BPU)            | 1-1 |
| '20 | USENIX         | Big troubles     | ~ Page          | Probe (page fault)     | 1-1 |
| '20 | S&P            | Plundervolt      | _               | Exploit (undervolt)    | 1-4 |
| '20 | CHES           | Viral primitive  | <b>√</b> 1      | Probe (IRQ count)      | 1-1 |
| '20 | USENIX         | CopyCat          | <b>√</b> 1      | Probe (IRQ count)      | 1-  |
| '20 | S&P            | LVI              | <b>√</b> 1      | Exploit (transient)    | 1-# |

| Yr  | Venue         | Paper             | Step           | Use Case               | Drv |
|-----|---------------|-------------------|----------------|------------------------|-----|
| '20 | CHES          | A to Z            | ~ Page         | Probe (page fault)     | 1-1 |
| '20 | CCS           | Déjà Vu NSS       | ~ Page         | Probe (page fault)     | 1-1 |
| '20 | MICRO         | PTHammer          | _              | Probe (page walk)      | 1-4 |
| '21 | USENIX        | Frontal           | <b>√</b> 1     | Probe (IRQ latency)    | 1-4 |
| '21 | S&P           | CrossTalk         | <b>√</b> 1     | Probe (transient exec) | 1-4 |
| '21 | CHES          | Online template   | ✓ 1            | Probe (IRQ count)      | 1-4 |
| '21 | NDSS          | SpeechMiner       | _              | Framework              | 1-4 |
| '21 | S&P           | Platypus          | <b>√</b> 0 - 1 | Probe (voltage)        | 1-4 |
| '21 | DIMVA         | Aion              | <b>√</b> 1     | Probe (cache)          | 1-4 |
| '21 | CCS           | SmashEx           | <b>√</b> 1     | Exploit (mem safety)   | 1-4 |
| '21 | CCS           | Util::Lookup      | <b>√</b> 1     | Probe (L3 cache)       | 1-# |
| '22 | <b>USENIX</b> | Rapid prototyping | ✓ 1            | Framework              | 1-1 |
| '22 | CT-RSA        | Kalyna expansion  | <b>√</b> 1     | Probe (L3 cache)       | 1-4 |
| '22 | SEED          | Enclyzer          | -              | Framework              | 1-4 |
| '22 | NordSec       | Self-monitoring   | ~ Page         | Defense (detect)       | 1-4 |
| '22 | AutoSec       | Robotic vehicles  | ✓ 1 - >1       | Exploit (timestamp)    | 1-4 |
| '22 | ACSAC         | MoLE              | ✓ 1            | Defense (randomize)    | 1-4 |
| '22 | <b>USENIX</b> | AEPIC             | ✓ 1            | Probe (I/O device)     | 1-4 |
| '22 | arXiv         | Confidential code | ✓ 1            | Probe (IRQ latency)    | 1-4 |
| '23 | ComSec        | FaultMorse        | ~ Page         | Probe (page fault)     | 1-4 |
| '23 | CHES          | HQC timing        | <b>√</b> 1     | Probe (L3 cache)       | 1-4 |
| '23 | ISCA          | Belong to us      | ✓ 1            | Probe (BPU)            | 1-4 |
| '23 | USENIX        | BunnyHop          | <b>√</b> 1     | Probe (BPU)            | 1-4 |
| '23 | USENIX        | DownFall          | <b>√</b> 0 - 1 | Probe (transient exec) | 1-4 |
| '23 | USENIX        | AEX-Notify        | <b>√</b> 1     | Defense (prefetch)     | 1-4 |

#### **SGX-Step: A Versatile Open-Source Attack Framework**





## **Key #3: Engage with Industry**

### Mitigating SGX-Step: Hardware-Software Co-Design

- 2017: SGX-Step academic paper and open-source release
  - → de-facto standard attack framework; used in > 45 international papers
- 2018-2020: High-impact attacks Foreshadow, ZombieLoad, LVI, etc.
  - → coverage in (inter)national press; widespread patches in processors and operating systems
- 2023: AEX-Notify <u>hardware extension</u> for software-based mitigations
  - → collaboration with Intel Research; shipped in millions of Intel CPUs worldwide
- 2023: ACSAC'23 Cybersecurity Artifacts Impact Award
- 2025: TLBlur improved compiler mitigation











# CHAPTER 8 ASYNCHRONOUS ENCLAVE EXIT NOTIFY AND THE EDECCSSA USER LEAF FUNCTION

#### 8.1 INTRODUCTION

Asynchronous Enclave Exit Notify (AEX-Notify) is an extension to Intel<sup>®</sup> SGX that allows Intel SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. EDECCSSA is a new Intel SGX user leaf function (ENCLUEDECCSSA) that can facilitate AEX notification handless well as some and the second s

The following list summarizes the a details are provided in Section 8.3)

- SECS.ATTRIBUTES.AEXNOTIFY
- TCS.FLAGS.AEXNOTIFY: This er



#### SGX-Step led to new x86 processor instructions!

→ shipped in millions of devices ≥ 4th Gen Xeon CPU

 SSA.GPRSGX.AEXNOTIFY: Enclave-writable byte that allows enclave software to dynamically enable/disable AEX notifications.

An AEX notification is delivered by ENCLU[ERESUME] when the following conditions are met:

Constable et al. "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.

**ARTICLES & REVIEWS** 

**NEWS ARCHIVE** 

**FORUMS** 

PREMIUM

CONTACT

**O CATEGORIES** 



Written by Michael Larabel in Intel on 6 November 2022 at 06:01 AM EST. 5 Comments



Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors.

Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.







SGX-Step led to changes in major OSs and enclave SDKs

Constable et al. "AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves", USENIX Security 2023.

## **Conclusion: 7 Magic Ingredients**

- 1) Open-source ecosystem
- 2) Modular base design
- 3) Impact through education
- 4) Science communication
- 5) Accessible library design
- 6) Reusable primitives
- 7) Engage with industry

