O BLIVIATE: A Data Oblivious File System for Intel SGX Adil Ahmad Purdue University ahmad37@purdue.edu Kyungtae Kim Purdue University kim1798@purdue.edu Muhammad Ihsanulhaq Sarfaraz Purdue University msarfaraz@purdue.edu Byoungyoung Lee Purdue University byoungyoung@purdue.edu Abstract—Intel SGX provides confidentiality and integrity of a program running within the confines of an enclave, and is expected to enable valuable security applications such as private information retrieval. This paper is concerned with the security aspects of SGX in accessing a key system resource, files. Through concrete attack scenarios, we show that all existing SGX filesystems are vulnerable to either system call snooping, page fault, or cache based side-channel attacks. To address this security limitations in current SGX filesystems, we present OBLIVIATE, a data oblivious filesystem for Intel SGX. The key idea behind OBLIVIATE is in adapting the ORAM protocol to read and write data from a file within an SGX enclave. OBLIVIATE redesigns the conceptual components of ORAM for SGX environments, and it seamlessly supports an SGX program without requiring any changes in the application layer. OBLIVIATE also employs SGX-specific defenses and optimizations in order to ensure complete security with acceptable overhead. The evaluation of the prototype of OBLIVIATE demonstrated its practical effectiveness in running popular server applications such as SQLite and Lighttpd, while also achieving a throughput improvement of 2×- 8× over a baseline ORAM-based solution, and less than 2× overhead over an in-memory SGX filesystem. I. I NTRODUCTION Hardware-assisted trusted computing solutions are gaining popularity today. One such solution is Intel SGX, which guaran- tees confidentiality and integrity of a user program despite the program being executed in a remote and potentially adversarial environment. Using SGX, the user program runs within an enclave, a protected region provided by the Intel hardware. The program’s execution semantics including registers and memory footprints are isolated from the remaining system components such as kernel, VMM, BIOS, etc. This isolation allows the user program to run securely even when an attacker with higher privilege i.e., kernel, tries to actively modify program execution. SGX also supports a remote attestation mechanism so that the user can verify that his/her application is actually being executed within an SGX context. An SGX enclave is designed to run user-level programs, and therefore relies on external system components to access Model Metadata Side-Channel Attacks Implementation Location Syscall PF Cache for SGX Naive (§III-A) Kernel × × × SCONE [7], Intel FS [3] In-memory (§III-B) Enclave ✓ × × Haven [9], Ryoan [18] Hybrid (§III-C) Enclave △ × × Graphene [47, 48] OBLIVIATE (§VI) Enclave ✓ ✓ ✓ This paper TABLE I: The comparison of file systems models for SGX. Columns under side-channel attacks indicate whether each filesystem model is secure against corresponding attacks: Syscall denotes syscall snooping based attack, PF denotes page fault based attacks, and Cache denotes cache based attacks. I/O resources. Amongst these resources, we note that accessing files is especially important in order to realize various security applications with SGX. This is because most of the computing data is present in the form of files. For example, running database systems in SGX environments, where the database is backed up by files, can enable the concept of private information retrieval (PIR) [13]. As another example, web servers or content delivery networks (CDNs) in SGX environments can ensure user’s privacy, and most of this data is presented in a file (e.g. HTML file, JavaScript code, and images). Other potential applications include cloud-based backup storage where the user wants to securely store and access their data without going through the hassle of maintaining a local copy. Recognizing these needs, Intel recently released Protected File System Library for SGX [3]. To perform filesystem operations, it allows an enclave to delegate such operations to the untrusted kernel, i.e., relaying all filesystem system calls from an enclave to the untrusted kernel. It also provides an encryption module in order to protect confidentiality. However, this can still result in critical security breaches because the untrusted kernel can observe detailed interactions between the enclave and the kernel (i.e., parameters in the system call including filename and file offset) while the enclave is accessing a certain file. In-memory filesystems for SGX [9, 18] prevent the above mentioned system call based attack. In the in-memory filesystem, an enclave pre-loads all the required file contents within its protective memory region and handles all filesystem interactions from within the enclave. Thus, when the enclave program tries to access a file, the request does not need to be forwarded to the kernel and can be served by the enclave. Unfortunately, in-memory filesystems are still susceptible to side-channel attacks adapted for the SGX environments, namely page fault based attacks [50] and cache based attacks [10, 40]. By observing memory access patterns, these attacks can gain insight into the internal processing semantics of the enclave application. Network and Distributed Systems Security (NDSS) Symposium 2018 18-21 February 2018, San Diego, CA, USA ISBN 1-891562-49-5 http://dx.doi.org/10.14722/ndss.2018.23284 www.ndss-symposium.org