Conference item

Securing application with software partitioning: a case study using SGX

Abstract:
Application size and complexity are the underlying cause of numerous security vulnerabilities in code. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (e.g. the operating system). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications: what overall partitioning scheme should be followed, and what the granularity of the partitions should be. To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. For this work, we focus on the upcoming Intel Software Guard Extensions (SGX) technology as the state-of-the-art in this field. SGX provides a trusted execution environment, called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system. We present a novel framework consisting of four possible schemes under which an application can be partitioned. These schemes range from coarse-grained partitioning, in which the full application is included in a single enclave, through ultra-fine partitioning, in which each application secret is protected in an individual enclave. We explain the specific security benefits provided by each of the partitioning schemes and discuss how the performance of the application would be affected. To compare the different partitioning schemes, we have partitioned OpenSSL using four different schemes. We discuss SGX properties together with the implications of our design choices in this paper.
Publication status:
Published
Peer review status:
Peer reviewed

Files:
Publisher copy:
10.1007/978-3-319-28865-9_40

Authors


Institution:
University of Oxford
Division:
MPLS
Department:
Computer Science
Role:
Author
Institution:
University of Oxford
Division:
MPLS
Department:
Computer Science
Role:
Author


Publisher:
Springer International Publishing
Host title:
Security and Privacy in Communication Networks. SecureComm 2015
Pages:
605–621
Series:
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Series number:
164
Publication date:
2016-01-23
Event title:
Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015
Event location:
Dallas, TX, USA
Event start date:
2015-10-26
Event end date:
2015-10-29
DOI:
EISSN:
1867-822X
ISSN:
1867-8211
EISBN:
978-3-319-28865-9
ISBN:
978-3-319-28864-2


Language:
English
Keywords:
Pubs id:
pubs:578811
UUID:
uuid:769222d6-f746-4ec6-a2c7-53833a5d7ad8
Local pid:
pubs:578811
Source identifiers:
578811
Deposit date:
2015-12-07
