Verifying Linearizability of Intel® Software Guard Extensions

Leslie-Hurd, Rebekah; Caspi, Dror; Fernandez, Matthew

doi:10.1007/978-3-319-21668-3_9

Cited by 10 publications

(8 citation statements)

References 21 publications

(18 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, Intel has described some works, e.g., [27], on the formal verification of Intel SGX focusing on the enclave page management and page table translations tracking [28]. Intel addresses the verification in two steps: first, to prove the sequential correctness, and second, to prove that SGX is linearizable [15]. Some undiscovered bugs were identified in both steps [27].…”

Section: B Formalizations By Intelmentioning

confidence: 99%

“…DVF has a couple of limitations. First, it does not model concurrency, whereas SGX has 22 instructions that share the concurrent data structure, some of which contain as many as 50 interleaving points [15]. Second, the verification is semi-automated and includes a painful process of manually generating the auxiliary invariants [30].…”

Section: B Formalizations By Intelmentioning

confidence: 99%

“…To address concurrency issues, Intel considers linearizability [31] as a correctness condition. Intel develops a framework called iPave [14] to prove SGX linearizability, and finds the linearization point using heuristics [15]. The properties, such as system invariants or per-state assertion, can be specified [27].…”

Section: B Formalizations By Intelmentioning

confidence: 99%

“…To overcome this limitation of testing, rigorous and sound formal methods have been utilized to analyze the security goals on a formal model. For instance, Intel developed some formal tools [13]- [15] for establishing formal correctness of SGX. However, the verification using these tools does not cover the attestation process, which is a crucial part of Intel SGX for practical use [16].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Demystifying Attestation in Intel Trust Domain Extensions via Formal Verification

2021

View full text Add to dashboard Cite

In August 2020, Intel asked the research community for feedback on the newly offered architecture extensions, called Intel Trust Domain Extensions (TDX), which give more control to Trust Domains (TDs) over processor resources. One of the key features of these extensions is the remote attestation mechanism, which provides a unified report verification mechanism for TDX and its predecessor Software Guard Extensions (SGX). Based on our experience and intuition, we respond to the request for feedback by formally specifying the attestation mechanism in the TDX using ProVerif's specification language. Although the TDX technology seems very promising, the process of formal specification reveals a number of subtle discrepancies in Intel's specifications that could potentially lead to design and implementation flaws. After resolving these discrepancies, we also present fully automated proofs that our specification of TD attestation preserves the confidentiality of the secret and authentication of the report by considering the state-of-the-art Dolev-Yao adversary in the symbolic model using ProVerif. We have submitted the draft to Intel, and Intel is in the process of making the changes.

show abstract

Section: B Formalizations By Intelmentioning

confidence: 99%

Section: B Formalizations By Intelmentioning

confidence: 99%

Section: B Formalizations By Intelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Demystifying Attestation in Intel Trust Domain Extensions via Formal Verification

2021

View full text Add to dashboard Cite

show abstract

“…For many years, industrial manufacturers [10,11] and researchers [12,13] have aimed to formally specify and verify hardware architectures. However, verifying properties of existing computing platforms poses significant challenges, because they tend to be both complex and under-specified; we are not aware of any model of an existing and broadly used computing system that is comprehensive in terms of its hardware and software components.…”

Section: Fig 1: Idealized X86 Computing Platformmentioning

confidence: 99%

Modular Verification of Programs with Effects and Effect Handlers in Coq

et al. 2018

View full text Add to dashboard Cite

Modern computing systems have grown in complexity, and the attack surface has increased accordingly. Even though system components are generally carefully designed and even verified by different groups of people, the composition of these components is often regarded with less attention. This paves the way for "architectural attacks", a class of security vulnerabilities where the attacker is able to threaten the security of the system even if each of its components continues to act as expected. In this article, we introduce FreeSpec, a formalism built upon the key idea that components can be modelled as programs with algebraic effects to be realized by other components. FreeSpec allows for the modular modelling of a complex system, by defining idealized components connected together, and the modular verification of the properties of their composition. In addition, we have implemented a framework for the Coq proof assistant based on FreeSpec. OSApp Execution Unit MMU Cache APIC IOMMU MCH Management Engine DRAM Controller VGA Controller SENTER Sandman [6], SpeedRacer [5] SMRAM cache poisoning [2,3] DMA Attacks [7] Sinkhole [4]

show abstract