# *OBFUSCURO*: A Commodity Obfuscation Engine for Intel SGX

Adil Ahmad\*, Byunggill Joe\*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee

(\* denotes equal contribution)









#### Program Obfuscation

**Trusted** 

**Untrusted (except the Black box)** 



#### Wait, isn't that what Intel SGX does?



### Intel SGX is not perfect!



Paging, Branch-prediction and Cache attacks!

[S&P14, SEC17, ASPLOS18, DIMVA17, WOOT17]

### Learning from existing solutions!



#### Lesson #1

**Ring-3** enclaves cannot hide access patterns through side-channels!



#### Lesson #2

Unreliable timers for SGX enclaves!

#### Our approach

- Indistinguishable enclave program(s)
  - A code block executed N times on C-Pad, and data block accessed from D-Pad
  - C-Pad and D-Pad are one cache-line (64B) in size!

## Instead of *trying to hide* traces, all enclaves should leak *the same* traces!



## Let Hermione explain!



## Cool, what's the challenge?

#### Naïve solution

Use a <u>software-translator</u> to copy all code and data onto C/D-Pad

different branches! **C1.** Native code is C-Pad 63 not in 64B blocks! **Enclave Storage** Bar Foo Foo C4. Timing issues **Translator 56B** Foo Bar jmp jmp not even discussed! imp **78B** Bar **64**B **67B** Main **D-Pad C2.** Access patterns leaked while copying!

**C3.** Code can have

64B

#### Obfuscuro

- Program obfuscation on Intel SGX
  - All programs should exhibit <u>same patterns</u> irrespective of logic/input.
  - Adapted from Harry Potter spell "Obscuro" (translation :> Darkness)



#### C1. Enforce code blocks of identical sizes

Break code blocks into 64 bytes and pad using nop



Foo.1()



## C2. Securely loading C/D-Pad

- Fetch code and data using Oblivious RAM (ORAM)
  - The code and data is fetched onto <u>C-Pad</u> and <u>D-Pad</u> resp.

**Execute** new

Update C-Pad with

Retrieve the block

## Side-channel-resistant ORAM scheme ensures no leakage as C/D-Pad are loaded!



### C3. Align branches to/from C-Pad

- Each instrumented code block has two branches to fixed locations
  - C-Pad → Code-Controller
  - C-Pad → Data-Controller

Code execution model

## All Obfuscuro programs execute the same sequence of branches!



#### C4. Ensuring execution time consistency

• The program executes <u>fixed</u> number of code blocks



## Execute N code blocks to ensure all programs terminate consistently!



## Faster memory store for enclaves

• Use AVX registers as store instead of "Oblivious" store

DRAM-based Have to *sequentially* access all memory indices

## AVX registers can be used as a *faster*, oblivious storage for SGX enclaves!



#### Implementation

#### LLVM compiler suite (3117 LoC)

- Breaks all code into similar blocks (C1)
- Instrument and align all control and data-flow instructions (C3)

#### Runtime library (2179 LoC)

- Initializes ORAM trees and performs secure ORAM operations (C2)
- Terminate program and fetch output (C4)

#### Intel SGX SDK (25 LoC)

Assign memory regions for C/D-Pad (support)

#### Performance Evaluation



#### **Ending Remarks!**

- 1. Program obfuscation is a *remarkable dream* to achieve
- 2. Various <u>software/hardware limitations</u> *hinder* the realization of program obfuscation on Intel SGX
- 3. Existing solutions have a *limited approach* towards side-channel mitigation in Intel SGX
- 4. Obfuscuro is compiler-based scheme which addresses this issue by ensuring all programs leak *same access patterns*

#### **Adil Ahmad**

Contact: ahmad37@purdue.edu l



#### **Execution Time Evaluation**



ORAM access time dominates the time of code block execution!