DOI: 10.1145/3587135.3592170 (ACM Conference Proceedings, invited talk)

FlexSEE: a Flexible Secure Execution Environment for protecting data-in-use

Published: 04 August 2023

Abstract

In this paper, we present a comprehensive security architecture, Flexible Secure Execution Environment (FlexSEE), for confidential computing in modern cloud environments. FlexSEE does not require trust in the system software on the compute server, and it guarantees that user data is visible only in non-privileged mode, to a program designated and trusted by the data owner, on designated hardware. The data is thereby protected from untrusted hardware, the hypervisor, the OS, and other users' applications on the compute server.
We describe the Hardware Trust Zone (HTZ), the enclave that confines the clear-text data; the cryptographic hardware used in the HTZ; the protocols used to move data between the HTZ and the memory hierarchy beyond it; and the memory extensions for the L1 cache in the HTZ. Our simulation results show that the overhead of encrypting and decrypting data in a FlexSEE-enabled processor is modest, only 6% on average across a collection of commercial workloads, when the data encryption engine is placed between the L1 and L2 caches.



      Published In

      CF '23: Proceedings of the 20th ACM International Conference on Computing Frontiers
      May 2023
      419 pages
      ISBN: 9798400701405
      DOI: 10.1145/3587135
      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. cloud security
      2. secure computing
      3. secure enclaves
      4. trusted execution environments
      5. zero-trust computing

      Qualifiers

      • Invited-talk
      • Research
      • Refereed limited

      Conference

      CF '23

      Acceptance Rates

      CF '23 Paper Acceptance Rate 24 of 66 submissions, 36%;
      Overall Acceptance Rate 273 of 785 submissions, 35%


      Article Metrics

      • Total Citations: 0
      • Total Downloads: 109
      • Downloads (Last 12 months): 58
      • Downloads (Last 6 weeks): 4
      Reflects downloads up to 28 Sep 2024
