DOI: 10.1145/3214292.3214301
Research article, Public Access

A comparison study of Intel SGX and AMD memory encryption technology

Published: 02 June 2018

Abstract

Hardware-assisted trusted execution environments are secure isolation technologies that have been engineered to serve as efficient defense mechanisms to provide a security boundary at the system level. Hardware vendors have introduced a variety of hardware-assisted trusted execution environments including ARM TrustZone, Intel Management Engine, and AMD Platform Security Processor. Recently, Intel Software Guard eXtensions (SGX) and AMD Memory Encryption Technology have been introduced. To the best of our knowledge, this paper presents the first comparison study between Intel SGX and AMD Memory Encryption Technology in terms of functionality, use scenarios, security, and performance implications. We summarize the pros and cons of these two approaches in comparison to each other.




Published In

HASP '18: Proceedings of the 7th International Workshop on Hardware and Architectural Support for Security and Privacy
June 2018, 84 pages
ISBN: 9781450365000
DOI: 10.1145/3214292

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. AMD SEV
2. Intel SGX
3. hardware-supported security


Conference

HASP '18
Overall Acceptance Rate: 9 of 13 submissions, 69%

Article Metrics

• Downloads (last 12 months): 766
• Downloads (last 6 weeks): 90
Reflects downloads up to 14 Dec 2024

Cited By
• (2024) Secure Multiparty Computation Using Secure Virtual Machines. Electronics 13:5 (991). DOI: 10.3390/electronics13050991. Online publication date: 5-Mar-2024
• (2024) Confidential VMs Explained: An Empirical Analysis of AMD SEV-SNP and Intel TDX. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8:3 (1-42). DOI: 10.1145/3700418. Online publication date: 10-Dec-2024
• (2024) A Survey of Hardware Improvements to Secure Program Execution. ACM Computing Surveys 56:12 (1-37). DOI: 10.1145/3672392. Online publication date: 12-Jun-2024
• (2024) The Price of Privacy: A Performance Study of Confidential Virtual Machines for Database Systems. Proceedings of the 20th International Workshop on Data Management on New Hardware (1-8). DOI: 10.1145/3662010.3663440. Online publication date: 10-Jun-2024
• (2024) SoK: Understanding Design Choices and Pitfalls of Trusted Execution Environments. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (1600-1616). DOI: 10.1145/3634737.3644993. Online publication date: 1-Jul-2024
• (2024) A Secure Computing System With Hardware-Efficient Lazy Bonsai Merkle Tree for FPGA-Attached Embedded Memory. IEEE Transactions on Dependable and Secure Computing 21:4 (3262-3279). DOI: 10.1109/TDSC.2023.3324935. Online publication date: Jul-2024
• (2024) SoK: A Comparison Study of Arm TrustZone and CCA. 2024 International Symposium on Secure and Private Execution Environment Design (SEED) (107-118). DOI: 10.1109/SEED61283.2024.00021. Online publication date: 16-May-2024
• (2024) The Design and Optimization of Memory Ballooning in SEV Confidential Virtual Machines. 2024 IEEE International Conference on Joint Cloud Computing (JCC) (9-16). DOI: 10.1109/JCC62314.2024.00009. Online publication date: 15-Jul-2024
• (2024) Towards Shielding 5G Control Plane Functions. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (302-315). DOI: 10.1109/DSN58291.2024.00039. Online publication date: 24-Jun-2024
• (2024) D²-PSD: Dynamic Differentially-Private Spatial Decomposition in Collaboration With Edge Server. IEEE Access 12 (156307-156326). DOI: 10.1109/ACCESS.2024.3485610. Online publication date: 2024
