Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (6): 126-142. doi: 10.11959/j.issn.2096-109x.2021066
Bo ZHAO1, Anqi YUAN1, Yang AN2
Revised: 2021-01-22
Online: 2021-12-15
Published: 2021-12-01
About the authors: Bo ZHAO (born 1972), male, from Qingdao, Shandong; Ph.D.; professor and doctoral supervisor at Wuhan University. His main research interests are information system security, trusted computing, embedded security, and security and privacy protection for artificial intelligence and big data.
Abstract:
The trusted computing technology SGX isolates a trusted execution environment in which the confidentiality and integrity of critical code and data are protected, which helps defend against many classes of attack. This paper first introduces the research background and working principle of SGX and analyses the current state of SGX research in the trusted computing field. It then summarises the present difficulties in applying SGX and their solutions, and compares SGX with other trusted computing technologies. Finally, it discusses the development directions of SGX technology in the field of trusted computing.
Bo ZHAO, Anqi YUAN, Yang AN. Application progress of SGX in trusted computing area[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 126-142.