SPEAR-V: Secure and Practical Enclave Architecture for RISC-V

David Schrammel; Moritz Waser; Lukas Anton Lamster; Martin Unterguggenberger; Stefan Mangard

doi:10.1145/3579856.3595784

SPEAR-V: Secure and Practical Enclave Architecture for RISC-V

David Schrammel^*, Moritz Waser, Lukas Anton Lamster, Martin Unterguggenberger, Stefan Mangard

^*Korrespondierende/r Autor/-in für diese Arbeit

Institut für Angewandte Informationsverarbeitung und Kommunikationstechnologie (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges. In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.

Originalsprache	englisch
Titel	ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
Herausgeber (Verlag)	Association of Computing Machinery
Seiten	457-468
Seitenumfang	12
ISBN (elektronisch)	9798400700989
DOIs	https://doi.org/10.1145/3579856.3595784
Publikationsstatus	Veröffentlicht - 10 Juli 2023
Veranstaltung	2023 ACM ASIA Conference on Computer and Communications Security: ASIA CCS 2023 - Melbourne, Australien Dauer: 10 Juli 2023 → 14 Juli 2023 Konferenznummer: 2023

Publikationsreihe

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Konferenz

Konferenz	2023 ACM ASIA Conference on Computer and Communications Security
Kurztitel	ASIA CCS 2023
Land/Gebiet	Australien
Ort	Melbourne
Zeitraum	10/07/23 → 14/07/23

ASJC Scopus subject areas

Software
Computernetzwerke und -kommunikation

Zugriff auf Dokument

10.1145/3579856.3595784Lizenz: CC BY 4.0

spearvAkzeptiertes Autorenmanuskript, 897 KBLizenz: CC BY 4.0

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen
Mangard, S.
1/01/22 → 31/12/24
Projekt: Forschungsprojekt

Dieses zitieren

Schrammel, D., Waser, M., Lamster, L. A., Unterguggenberger, M., & Mangard, S. (2023). SPEAR-V: Secure and Practical Enclave Architecture for RISC-V. in ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security (S. 457-468). (Proceedings of the ACM Conference on Computer and Communications Security). Association of Computing Machinery. https://doi.org/10.1145/3579856.3595784

SPEAR-V: Secure and Practical Enclave Architecture for RISC-V. / Schrammel, David ; Waser, Moritz ; Lamster, Lukas Anton et al.
ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Association of Computing Machinery, 2023. S. 457-468 (Proceedings of the ACM Conference on Computer and Communications Security).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Schrammel, D , Waser, M , Lamster, LA , Unterguggenberger, M & Mangard, S 2023, SPEAR-V: Secure and Practical Enclave Architecture for RISC-V. in ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association of Computing Machinery, S. 457-468, 2023 ACM ASIA Conference on Computer and Communications Security, Melbourne, Victoria, Australien, 10/07/23. https://doi.org/10.1145/3579856.3595784

Schrammel D , Waser M , Lamster LA , Unterguggenberger M , Mangard S. SPEAR-V: Secure and Practical Enclave Architecture for RISC-V. in ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Association of Computing Machinery. 2023. S. 457-468. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3579856.3595784

@inproceedings{9de9be3b225e4d7eb0cec8ca4f2a4568,

title = "SPEAR-V: Secure and Practical Enclave Architecture for RISC-V",

abstract = "Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges. In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.",

keywords = "enclave, isolation, memory protection, memory tagging, RISC-V",

author = "David Schrammel and Moritz Waser and Lamster, {Lukas Anton} and Martin Unterguggenberger and Stefan Mangard",

year = "2023",

month = jul,

day = "10",

doi = "10.1145/3579856.3595784",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association of Computing Machinery",

pages = "457--468",

booktitle = "ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security",

address = "United States",

note = "2023 ACM ASIA Conference on Computer and Communications Security : ASIA CCS 2023, ASIA CCS 2023 ; Conference date: 10-07-2023 Through 14-07-2023",

}

TY - GEN

T1 - SPEAR-V: Secure and Practical Enclave Architecture for RISC-V

AU - Schrammel, David

AU - Waser, Moritz

AU - Lamster, Lukas Anton

AU - Unterguggenberger, Martin

AU - Mangard, Stefan

N1 - Conference code: 2023

PY - 2023/7/10

Y1 - 2023/7/10

N2 - Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges. In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.

AB - Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges. In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.

KW - enclave

KW - isolation

KW - memory protection

KW - memory tagging

KW - RISC-V

UR - http://www.scopus.com/inward/record.url?scp=85168129621&partnerID=8YFLogxK

U2 - 10.1145/3579856.3595784

DO - 10.1145/3579856.3595784

M3 - Conference paper

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 457

EP - 468

BT - ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security

PB - Association of Computing Machinery

T2 - 2023 ACM ASIA Conference on Computer and Communications Security

Y2 - 10 July 2023 through 14 July 2023

ER -

SPEAR-V: Secure and Practical Enclave Architecture for RISC-V

Abstract

Publikationsreihe

Konferenz

ASJC Scopus subject areas

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Projekte

SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen

Dieses zitieren