Hardware enclaves rely on a disjoint memory model, which maps each physical address to an enclave to achieve strong memory isolation. However, this severely limits the performance and programmability of enclave programs. While some prior work proposes enclave memory sharing, it does not provide a formal model or verification of their designs. This paper presents Cerberus, a formal approach to secure and efficient enclave memory sharing. To reduce the burden of formal verification, we compare different sharing models and choose a simple yet powerful sharing model. Based on the sharing model, Cerberus extends an enclave platform such that enclave memory can be made immutable and shareable across multiple enclaves via additional operations. We use incremental verification starting with an existing formal model called the Trusted Abstract Platform (TAP). Using our extended TAP model, we formally verify that Cerberus does not break or weaken the security guarantees of the enclaves despite allowing memory sharing. More specifically, we prove the Secure Remote Execution (SRE) property on our formal model. Finally, the paper shows the feasibility of Cerberus by implementing it in an existing enclave platform, RISC-V Keystone.
翻译:硬体飞地依靠一种脱节的记忆模型,该模型绘制每个物理地址到飞地,以便实现强烈的记忆隔离。然而,这严重限制了飞地程序的性能和可编程性。有些先前的工作提议分享飞地内存,但并不提供正式的模式或对其设计进行验证。本文展示了Cerberus,这是安全和高效分享飞地内存的正式办法。为了减轻正式核查的负担,我们比较了不同的共享模型,选择了一个简单而有力的共享模型。根据共享模型,Cerberus扩展了一个飞地平台,这样,飞地内存可以通过额外的操作使多个飞地间间不可移动和共享。我们从现有的正式模型“信任摘要平台”(TAP)开始,我们使用我们的扩展的TAP模型,正式核实Cerberus没有打破或削弱飞地的安全保障,尽管允许分享记忆。更具体地说,我们证明我们正式模型上的“安全远程执行”财产。最后,文件通过在现有的飞地平台“RISC-V Keystone”上实施,展示了Cberus的可行性。