Intel Software Guard Extension (SGX) protects the confidentiality and integrity of an unprivileged program running inside a secure enclave from a privileged attacker who has full control of the entire operating system (OS). Program execution inside this enclave is therefore referred to as shielded. Unfortunately, shielded execution does not protect programs from side-channel attacks by a privileged attacker. For instance, it has been shown that by changing page table entries of memory pages used by shielded execution, a malicious OS kernel could observe memory page accesses from the execution and hence infer a wide range of sensitive information about it. In fact, this page-fault side channel is only an instance of a category of side-channel attacks, here called privileged side-channel attacks, in which privileged attackers frequently preempt the shielded execution to obtain fine-grained side-channel observations. In this paper, we present Déjà Vu, a software framework that enables a shielded execution to detect such privileged side-channel attacks. Specifically, we build into shielded execution the ability to check program execution time at the granularity of paths in its control-flow graph. To provide a trustworthy source of time measurement, Déjà Vu implements a novel software reference clock that is protected by Intel Transactional Synchronization Extensions (TSX), a hardware implementation of transactional memory. Evaluations show that Déjà Vu effectively detects side-channel attacks against shielded execution and against the reference clock itself.
Chen, S., Zhang, X., Reiter, M. K., & Zhang, Y. (2017). Detecting privileged side-channel attacks in shielded execution with Déjà Vu. In ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security (pp. 7–18). Association for Computing Machinery, Inc. https://doi.org/10.1145/3052973.3053007