
Hardware is the new software

Andrew Baumann, Microsoft Research

Abstract

Moore’s Law may be slowing, but, perhaps as a result, other measures of processor complexity are only accelerating. In recent years, Intel’s architects have turned to an alphabet soup of instruction set extensions such as MPX, SGX, MPK, and CET as a way to sell CPUs through new security features. Unlike prior extensions, which mostly focused on accelerating user-mode data processing, these new features exhibit complex interactions and give system designers plenty to think about.

This calls for a rethink of how we approach the instruction set. In this paper we highlight some of the challenges arising from recent security-focused extensions, and speculate about the longer-term implications.

[Figure 1: Complexity growth of Intel x86 CPUs and ISA. The plot covers 1999–2015 and shows the CPU transistor count (millions, log scale from 1 to 10,000) against the number of words in the architecture manual (millions, linear scale from 0 to 2.5).]

1 Introduction

An instruction set architecture (ISA) is the key interface between the lowest levels of software and the CPU. The x86 ISA is a complex but enduring set of semantics for instructions, registers, memory, and core devices that must be respected by CPUs, emulators and virtual machines, and all the software that runs on top. Successful ISAs grow over time, and x86 is no stranger to growth given its age and popularity. However, the last two years have seen a dramatic and rapid increase in its complexity (e.g., seen in the size of the architecture manual in Figure 1), with more extensions on the way [21].

In this paper, we examine the causes of this rapid growth, and speculate about the underlying trends driving it. We make our case concrete with a focus on the Intel x86 architecture and its recent extensions. As a market leader, Intel is often the first to add new features, but we doubt these trends are unique to Intel. As we describe in §2, recent Intel CPUs have introduced a wide range of ISA extensions. Whereas past extensions largely focused on performance improvements through new data-processing instructions (e.g., vector extensions), the recent additions are primarily motivated by security concerns, such as defending unsafe C/C++ code against known attacks. These extensions introduce new system-level functionality, often change the semantics of existing instructions, and exhibit complex interactions with other extensions and prior architectural features.

We take a detailed look at two of the most complex recent extensions: software guard extensions (SGX, §3) and control-flow enforcement technology (CET, §4), before deriving some implications for systems developers and researchers (§5). We argue that these extensions are now approaching software-like levels of complexity, yet carry all the attendant drawbacks of a hardware implementation and the slow deployment cycle that implies. We suspect that the current path may be unsustainable, and posit an alternative future with the ultimate goal of decoupling new ISA features from the underlying hardware.

2 Background: x86 extensions

x86 has long been a complex architecture. The 386 reference manual [18] lists 96 instructions. (Groups of closely-related instructions, such as varying operand widths, are counted as they are documented: usually, as one instruction.) It describes an architecture including segmentation and paging, 16-bit modes, multitasking support, exceptions, co-processing and debug features. Its modern descendants have acquired features such as floating point, many iterations of vector extensions, crypto accelerators, 64-bit mode, and hardware virtual-machine extensions.

While new instructions add CPU implementation complexity [27], past system designers could, for the most

To appear in 16th Workshop on Hot Topics in Operating Systems.

Table 1: Summary of recent Intel x86 ISA extensions

Extension | Summary | Year of spec | Year of launch | New instr. | Changed instr. | Other ISA changes (excl. feature test bits, XSAVE / VMCS context)
SMEP | Block kernel exec. of user pg. | 2011 | 2012 | 0 | 0 |
RDRAND | Hardware random numbers | 2011 | 2012 | 1 | 0 |
FSGSBASE | FS / GS access instructions | 2011 | 2012 | 4 | 0 |
AVX2 | 256-bit vector ops. | 2011 | 2013 | 30 | 0 | wider vector registers
INVPCID | Tagged TLB invalidation | 2011 | 2013 | 1 | 0 |
VMFUNC | VM optimisations | 2011 | 2013 | 1 | 0 |
TSX | Transactional mem. | 2012 | 2013 (a) | 4 | 0 | 2 new instr. prefixes, transaction aborts
ADX | Arbitrary-precision arithmetic | 2012 | 2014 | 2 | 0 |
RDSEED | Hardware random numbers | 2012 | 2014 | 1 | 0 |
PREFETCHW | Prefetch memory for write | 2012 | 2014 | 1 | 0 |
SMAP | Block kernel access to user pg. | 2012 | 2014 | 2 | 0 |
CAT | Cache partitioning | 2013 | 2014 | 0 | 0 | new model-specific registers
CLFLUSHOPT | Optimised cache flush | 2013 | 2015 | 1 | 0 |
XSAVEC / XSAVES / XRSTORS | Context switch | 2014 | 2015 | 3 | 0 |
MPX | Bounds checking | 2013 | 2015 | 8 | 4 | new instr. prefix, 7 new regs., bound table
SGX1 | Secure enclaves | 2013 | 2015 | 18 | 2 | mem. access rights, exceptions, ... (see §3)
PT | Processor trace | 2013 | 2015 | 1 | 0 | 9 new model-specific registers, trace buffer
SHA | SHA crypto accel. | 2013 | 2016 | 7 | 0 |
CLWB | Cache line write-back | 2013 | (not yet) | 1 | 0 |
AVX-512 | 512-bit vector ops. | 2013 / 14 | (not yet) | 129 | 0 | wider vector registers
SGX2 | Enclave dynamic mem. mgmt. | 2014 | (not yet) | 8 | 0 |
MPK | Protection keys for user-mode | 2015 | (not yet) | 2 | 0 | new register, alters page table format
CET [21] | Code-reuse attack defences | 2016 | (not yet) | 10 | 9 | control transfers, new exception, pg. table

(a) TSX launched with “Haswell” in 2013 but was later disabled due to a bug. “Broadwell” CPUs with the bug fix shipped in late 2014.

part, ignore such changes. Vector extensions (MMX, SSE, and AVX) added data processing instructions, and sometimes widened vector registers, but didn’t substantially change systems interfaces. With the notable exception of 64-bit mode and virtualisation extensions, OS developers on x86 were occasionally given tweaks to improve performance (e.g., fast system calls) or correct glaring shortcomings (e.g., user-mode access to FS/GS registers, and TLB tags for non-VM address spaces) but otherwise ignored [29]. Even 64-bit mode didn’t substantially increase architectural complexity—registers were added and widened and the page table format changed, but there were only a handful of new instructions. Indeed, some features were effectively removed: segmentation, task switching, and 16-bit modes.

But this has changed. Figure 1 plots the transistor count of Intel x86 CPU implementations (on a log scale), as well as the number of words in the Intel architecture software developer’s manual (on a linear scale). Transistor counts were sourced from Wikipedia [40]; manuals from various sources were counted using pdftotext|wc. The two data sets are not comparable, but some trends are evident. First, we see Moore’s Law; the recently-announced slowdown in Intel’s cadence [36] does not yet appear, and aside from a recent 22-core Xeon, Intel has stopped publicising transistor counts. Second is the steady growth, and recent 2015–2016 jump in the general complexity of x86. The jump is due to extensions introduced with the “Skylake” microarchitecture, and dwarfs even 64-bit mode and virtual-machine extensions (both added in 2007).

Table 1 summarises x86 ISA extensions specified and implemented by Intel since the 2012 launch of “Ivy Bridge” CPUs. For each extension we report the year of the first public specification, year of first CPU implementation, number of new instructions, number of instructions whose behaviour was non-trivially changed, and any other significant ISA changes. Prior to 2015, the most complex additions were the AVX2 vector extensions and TSX transactional memory, both introduced with 2013’s “Haswell” microarchitecture. TSX was evidently a complex feature to implement—the first implementation turned out to be buggy, and was later disabled via a microcode patch—but had relatively low ISA-level complexity, with only 4 new instructions. Other pre-Skylake extensions were minor, adding single instructions or tweaking protection (e.g., the SMEP/SMAP features). However, Skylake introduces substantial complexity, including MPX bounds-checking instructions and registers, the processor trace (PT) feature, and SGX enclaves. In total, it adds 31 instructions and a raft of associated changes: new registers, a new instruction prefix, many new processor-level data structures, changes to page access rights and exception delivery. Other extensions that Intel has specified but not yet implemented include wider vectors (AVX-512 and related instructions), additional SGX features, a “memory protection keys” feature, and control-flow enforcement technology (CET, §4) which defends against code-reuse attacks. All are included in the latest architecture manual [22] with the exception of CET, which has its own 136-page draft specification [21].

What changed to cause this rapid growth? It’s likely that the explosion in extensions is a deliberate strategy. Since 2007 Intel’s processors have followed a “Tick-Tock” development model. Roughly every two years, a new manufacturing process with smaller transistors was introduced (a “tick”, or die shrink), followed a year later by a new microarchitecture on the existing process (a “tock”). However, the 2014 roll-out of “Broadwell” CPUs was delayed due to manufacturing problems with the new 14nm process, and in early 2016 Intel settled on a new three-stage development model for 14nm and beyond [12, 36], before apparently backtracking to announce a fourth-generation 14nm architecture for 2017 [38].

The slowing pace of Moore’s Law will make it harder to sell CPUs: absent improvements in microarchitecture, they won’t be substantially faster, nor substantially more power efficient, and they will have about the same number of cores at the same price point as prior CPUs. Why would anyone buy a new CPU? One reason to which Intel appears to be turning is features: if the new CPU implements an important ISA extension—say, one required by software because it is essential to security—consumers will have a strong reason to upgrade.

3 Case study: SGX

The new instructions introduced by software guard extensions [19] enable strong isolation and remote attestation of software enclaves. An enclave is an isolated region of virtual address space, whose contents are protected from access by code outside the enclave. In contrast to prior trusted execution hardware [4, 37], SGX supports secure multiplexing: any number of distrusting enclaves may run concurrently, limited only by resource constraints, without relying on a trusted kernel or hypervisor. Nevertheless, SGX supports a mostly backwards-compatible environment for user-mode code. This compelling combination of features, along with strong physical security (memory encryption), have made SGX attractive to researchers and practitioners alike; in the short time since SGX-capable CPUs appeared, a wide range of applications have been devised [e.g., 5–7, 11, 17, 30, 31, 33], and other vendors are racing to develop similar features [24].

However, SGX introduces substantial complexity: 26 instructions described by nearly 200 pages of English/pseudocode specification [19]. Much of this derives from ambitious design goals: protecting enclaves from malicious privileged software while retaining OS-level management of physical resources using traditional mechanisms (e.g., page tables) to minimise OS changes [29], yet avoiding the need for trusted software. SGX is implemented by a combination of memory encryption hardware, a root of trust (key material) for attestation, new instructions to manipulate and execute enclaves, and changes to page access and exception semantics (i.e., changes to TLB miss and exception handlers). The SGX instructions serve as a reference monitor for privileged operations such as changes in the mapping/use of encrypted pages. Memory encryption operates on a fixed physical region known as the enclave page cache (EPC), and the TLB miss handler ensures that each EPC page is accessible only to the enclave that owns it by consulting the EPC map (EPCM), a table of metadata for every EPC page (essentially a reverse map). Software has no access to the EPCM; instead, it is updated by instructions such as EADD, which initialises a new page and adds it to an enclave, or EMODPR/EMODPE, which change permissions on an existing page. These instructions perform checks to maintain EPCM consistency and enclave isolation, preventing, for example, EPC double-mapping.

The advantage of implementing memory management in SGX instructions is that no software must be trusted. The disadvantage, compared to a simpler primitive such as a page table, is flexibility: each possible operation requires a new instruction (or set of instructions) to support it. The first version of SGX supports only enclaves whose virtual address layout and permissions are fixed at creation time. This simplifies EPC management, but practically rules out dynamic loading, and makes dynamic memory allocation impractical (the program’s maximum footprint must be allocated up front). SGX version 2 will add 8 instructions for basic dynamic memory management, but still lacks the ability to perform seemingly simple operations like moving pages or sharing mappings.

SGX’s embedding of memory management in the ISA further contributes to its complexity. On x86, software is responsible for maintaining TLB consistency when changing page mappings by flushing the TLB on relevant cores. In order to achieve this, an OS can synchronise between cores using locked data structures and inter-processor interrupts. Neither option is available at ISA level: instructions cannot loop waiting for a lock, nor

signal other cores. Instead, SGX uses a more complex scheme whereby software performs the appropriate operations (generally, forcing threads to exit enclaves) and “proves” to hardware that it has done so using yet more instructions before it may reuse EPC pages.

The SGX reference [19] devotes almost 20 pages to documenting its interactions with prior architectural features including virtualisation, system-management mode, inter-processor interrupts, trusted execution technology, machine checks, and performance monitoring. Besides the added complexity, some of these interactions lead to questionable design outcomes. For example, the CPUID instruction is always illegal inside an enclave merely because a virtual-machine monitor may have configured it to trap. Conversely, the user-mode instructions to write the FS and GS registers are legal inside an enclave, but only if the host OS has enabled them via a control register bit.

While SGX strives to avoid trusted software, this goal comes into conflict with the desire for compatibility with existing OSes: EPC resource management uses normal paging mechanisms. As a result, enclaves are vulnerable to new “controlled-channel” attacks that stem from the OS’s ability to induce and observe enclave page faults [35, 41]. These attacks, which can leak enclave data, are serious enough to bring the SGX threat model of a malicious OS into doubt. Perhaps ironically, the best of the known mitigations exploits a seemingly-unintended interaction with the transactional memory extension [34]: transactions abort rather than page fault, so the OS cannot observe transactional enclave memory accesses.

4 Case study: CET

Control-flow enforcement technology defends against code-reuse attacks such as return-oriented programming (ROP). These attacks exploit vulnerabilities in unsafe code like buffer overflows, but rather than directly injecting executable code, manipulate the program’s control-flow to execute legitimate instructions in an unintended context [8]. CET consists of two mechanisms: a shadow stack, and indirect branch tracking.

At its core, a shadow stack is a straightforward mechanism: on a function call, the processor saves the return address on both the regular and shadow stacks. The shadow stack stores only return addresses, and is inaccessible to normal code. On a return, the addresses from both stacks are popped and compared, and an exception raised if they differ, defeating ROP. The advantage of CET compared to software implementations of shadow stacks is performance, compatibility and security: by modifying the semantics of CALL and RET instructions, no program modifications are needed, and the shadow stack can be made easily and cheaply inaccessible to software through the use of a new page table attribute which protects shadow stacks from access by regular loads and stores.

CET also includes indirect branch tracking to prevent misdirection of function pointers: after an indirect JMP or CALL, an exception is raised unless the next instruction is a valid programmer-intended branch target, as signified by a new form of NOP instruction. While this is not full control-flow integrity [1], it restricts the available gadgets.

CET promises to add strong defenses to unsafe C/C++ code, at the cost of substantial architectural complexity. Besides a new exception vector, page table attributes, and model-specific registers, the main complexity arises from feature interaction. Control transfer in x86 is already very complex, including many forms of call and return, such as near and far calls to a different segment or privilege level. In total, nine instructions (some with many variants, such as JMP) are modified by CET. In 32-bit mode, tasking features mean that jumps or calls to particular segments can also switch stacks; CET must account for this. In 64-bit mode, an interrupt can trigger a switch to one of seven stacks via the interrupt stack table. Consequently, CET adds a model-specific register pointing to a table of seven corresponding shadow stacks. Besides modifying semantics of all indirect control transfers, CET’s indirect branch tracking must also handle the case where an exception occurs after a branch but before the next instruction, to ensure that an exception can be raised if needed after any return to user mode or context switch.

5 Implications

Sustainability

While we may disagree with some of the design choices, these features are, individually, clearly desirable. What is concerning is the rate of change, and the rapid growth in complexity of systems-level features with complex interactions. As the most stable “thin waist” interface in today’s commodity technology stack, the x86 ISA sits at a critical point for many systems. A faithful implementation of x86 semantics is essential to myriad computing technologies, including x86-compatible processors, virtual machines, emulators, JIT compilers, dynamic translators, disassemblers, debuggers, profilers, and so on. Of course, not every implementation of x86 must immediately implement every new feature, but over time architectural features stabilise and software generally assumes their presence. Consider, for example, how little of today’s software would function on a CPU without a floating-point unit or MMX instructions. Given this, and particularly given the complex interactions between recent features, we have to question whether the core x86 promise of indefinite backwards compatibility across many implementations is sustainable.

Timescales

Since they depend on deploying new CPUs, ISA features are slow to be adopted. The original SGX specification was published in 2013, but the first CPUs to implement it didn’t ship until late 2015, and at the time of writing (early 2017) server-class CPUs with SGX support are yet to appear. The SGX version 2 specification was published in 2014, but has yet to be implemented. If we add the delay for sufficient deployment of SGX-capable CPUs (to achieve, e.g., widespread availability in public clouds) the end-to-end deployment time for SGX is likely to approach a decade. This represents a difficult tradeoff for software developers; prior ISA extensions have also taken a long time to deploy, but they have generally only served to accelerate existing functionality; with a feature like SGX, the developer is faced with a stark choice: wait indefinitely for security, or deploy now without it.

Hardware is the new software

From a careful reading of Intel patents [23, 28], Costan and Devadas [9, §2.14] conclude that SGX instructions are implemented entirely in microcode. This is logical from an engineering perspective: EPCM updates are off the critical path, and too complex to implement in silicon (they involve multi-word updates and atomic memory accesses). Moreover, a microcode implementation of SGX allows errata to be corrected by updates. We do not have any reason to believe that SGX is unique in this respect—increasingly, new ISA features mean new microcode. Why then, must we wait so long for them to arrive packaged with a new CPU?

Intel and its peers have always been secretive about the boundary between microcode and silicon and the capabilities of microcode updates. We argue that it’s time to relax this secrecy, and work to decouple as much as possible the implementation of ISA features from the underlying silicon. This could take two (non-exclusive) forms.

First, CPU vendors could ship microcode updates implementing some new ISA features for prior CPUs. While we shouldn’t expect that all features can be implemented this way (some may fundamentally require silicon), nor that they will perform the same, this could be a viable path for faster deployment of features, particularly for complex extensions like SGX. The licensing and revenue model for such updates remains an open question. On one hand, we’re used to getting microcode updates for free, but the availability of new-feature updates might depress the market for new CPUs. Like the on-demand upgrades of the mainframe world, we should probably expect to pay for new features as if we had paid for new hardware. On the other hand, a vendor may wish to encourage adoption of a feature by making it freely available on existing CPUs.

Second, we could extend the architecture to allow software below the OS or hypervisor to implement security features. This would require a privilege level akin to Alpha PALcode [14] or RISC-V machine mode [39], but not a new level of address translation. Such software would inherently be a part of the trusted computing base, but unlike microcode would be under user control, and amenable to inspection and replacement independently of the CPU.

Security

A key selling point for many recent security features, SGX in particular, is that no software is trusted. Does the implementation of these features in microcode change this? We argue that microcode is more reliable than current software, but not as inherently secure as we might assume. First, microcode, whose updates are encrypted and signed, is much harder than software for an attacker to modify. Second, CPU vendors have a strong track record of testing. Intel is secretive about their validation processes, and the cost of failure can be much higher than software bugs, but what is known suggests that there is extensive (but certainly not exhaustive) testing [3, 32]. For SGX, Intel has also published the formal verification of a high-level model using an SMT solver [15, 20], and verified the linearisability of a (different) model of concurrent SGX operations [26]. These are important guarantees, but there is no known correctness proof for the implementation, which remains secret.

Ultimately both microcode and the underlying hardware remain opaque, and with ever-increasing complexity, it behoves us to search for ways to improve our confidence in their security. There is one way software can exceed microcode standards of correctness: formal verification of high-level security properties [16, 25]. Recently, Sanctum [10] showed how to implement SGX-like functionality in software for RISC-V; this addresses some of the implementation complexity and side-channel problems of SGX, but leaves open the question of trust, which we are presently tackling through formal verification.

6 Concluding remarks

The growth rate of ISA features is concerning, but has potential upsides for systems research. For one thing, new features (e.g., TSX, MPX, SGX, and PT) have traditionally heralded a slew of publications exploring their possibilities, and we see no reason for this to stop. Like the use of transactions to mitigate SGX control channels [34],

unanticipated interactions between ISA features will lead to the discovery of new techniques. For another, Intel and its peers are likely to be more receptive to implementing ideas from the research community. Finally, rising complexity leads to many familiar systems problems: managing complexity and feature interaction, maintaining legacy compatibility while enabling architectural evolution, adapting (in software, perhaps on the fly) to a heterogeneous set of hardware features, and isolating developers from optimisation trade-offs; systems researchers will find new applications here. We should also renew our efforts to design hardware primitives that software can use to implement the features that today become ISA extensions.

More broadly, now more than ever before [2, 13] it’s time to rethink the notion of an instruction set. It’s no longer the boundary between hardware and software, but rather just another translation layer in the stack.

Acknowledgements

Thanks are due to Chris Hawblitzel, Jay Lorch, Bryan Parno, Stefan Saroiu, and the anonymous reviewers, all of whom provided valuable feedback on drafts of this paper, and to the workshop attendees for a lively discussion.

References

[1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In 12th ACM Conference on Computer and Communications Security, pages 340–353, Nov. 2005. ISBN 1-59593-226-7. doi: 10.1145/1102120.1102165.

[2] K. Adams and O. Agesen. A comparison of software and hardware techniques for x86 virtualization. In 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 2–13, 2006. ISBN 1-59593-451-0. doi: 10.1145/1168857.1168860.

[3] N. Amit, D. Tsafrir, A. Schuster, A. Ayoub, and E. Shlomo. Virtual CPU validation. In 25th ACM Symposium on Operating Systems Principles, pages 311–327, 2015. ISBN 978-1-4503-3834-9. doi: 10.1145/2815400.2815420.

[4] Building a Secure System using TrustZone Technology. ARM Limited, Apr. 2009. Ref. PRD29-GENC-009492C.

[5] S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O’Keeffe, M. L. Stillwell, D. Goltzsche, D. Eyers, R. Kapitza, P. Pietzuch, and C. Fetzer. SCONE: Secure Linux containers with Intel SGX. In 12th USENIX Symposium on Operating Systems Design and Implementation, pages 689–703, 2016. ISBN 978-1-931971-33-1. URL https://www.usenix.org/conference/osdi16/technical-sessions/presentation/arnautov.

[6] A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with Haven. In 11th USENIX Symposium on Operating Systems Design and Implementation, Oct. 2014.

[7] S. Brenner, C. Wulf, D. Goltzsche, N. Weichbrodt, M. Lorenz, C. Fetzer, P. Pietzuch, and R. Kapitza. SecureKeeper: Confidential ZooKeeper using Intel SGX. In 17th International Middleware Conference, pages 14:1–14:13, 2016. ISBN 978-1-4503-4300-8. doi: 10.1145/2988336.2988350.

[8] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross. Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium, pages 161–176, 2015. ISBN 978-1-931971-232. URL https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/carlini.

[9] V. Costan and S. Devadas. Intel SGX explained. Cryptology ePrint Archive, Report 2016/086, Feb. 2016. http://eprint.iacr.org/2016/086.

[10] V. Costan, I. Lebedev, and S. Devadas. Sanctum: Minimal hardware extensions for strong software isolation. In 25th USENIX Security Symposium, pages 857–874, Aug. 2016. ISBN 978-1-931971-32-4. URL https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/costan.

[11] S. Crosby. Using Intel SGX to protect on-line credentials, Aug. 2016. URL https://blogs.bromium.com/2016/08/09/using-intel-sgx-to-protect-on-line-credentials/.

[12] I. Cutress. Intel’s ‘Tick-Tock’ seemingly dead, becomes ‘Process-Architecture-Optimization’. AnandTech, Mar. 2016. URL http://www.anandtech.com/show/10183.

[13] J. C. Dehnert, B. K. Grant, J. P. Banning, R. Johnson, T. Kistler, A. Klaiber, and J. Mattson. The Transmeta Code Morphing Software: Using speculation, recovery, and adaptive retranslation to address real-life challenges. In International Symposium on Code Generation and Optimization, pages 15–24, Mar. 2003. ISBN 0-7695-1913-X. doi: 10.1109/CGO.2003.1191529.

[14] PALcode for Alpha Microprocessors System Design Guide. Digital Equipment Corp., May 1996. Order No. EC-QFGLC-TE.

[15] A. Goel, S. Krstić, R. Leslie, and M. R. Tuttle. SMT-based system verification with DVF. In 10th International Workshop on Satisfiability Modulo Theories, pages 32–43, 2012. URL http://smt2012.loria.fr/paper2.pdf.

[16] C. Hawblitzel, J. Howell, J. R. Lorch, A. Narayan, B. Parno, D. Zhang, and B. Zill. Ironclad apps: End-to-end security via automated full-system verification. In 11th USENIX Symposium on Operating Systems Design and Implementation, Oct. 2014.

[17] T. Hunt, Z. Zhu, Y. Xu, S. Peter, and E. Witchel. Ryoan: A distributed sandbox for untrusted computation on secret data. In 12th USENIX Symposium on Operating Systems Design and Implementation, pages 533–549, 2016. ISBN 978-1-931971-33-1. URL https://www.usenix.org/conference/osdi16/technical-sessions/presentation/hunt.

[18] Intel 80386 Programmer’s Reference Manual. Intel Corp., May 1987.

[19] Software Guard Extensions Programming Reference. Intel Corp., Oct. 2014. Ref. #329298-002. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf.

[20] SGX Tutorial at ISCA 2015. Intel Corp., June 2015. Ref. #332680-002. https://software.intel.com/sites/default/files/332680-002.pdf.

[21] Control-flow Enforcement Technology Preview. Intel Corp., June 2016. Ref. #334525-001. https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf.

[22] Intel 64 and IA-32 Architectures Software Developer’s Manual. Intel Corp., Dec. 2016. Ref. #325462-061US.

[23] S. P. Johnson, U. R. Savagaonkar, V. R. Scarlata, F. X. McKeen, and C. V. Rozas. Technique for supporting multiple secure enclaves, Dec. 2010. US Patent 8,972,746.

[24] D. Kaplan, J. Powell, and T. Woller. AMD memory encryption. http://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf, Apr. 2016.

[25] G. Klein, J. Andronick, K. Elphinstone, T. Murray, T. Sewell, R. Kolanski, and G. Heiser. Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems, 32(1):2:1–2:70, Feb. 2014. ISSN 0734-2071. doi: 10.1145/2560537.

[26] R. Leslie-Hurd, D. Caspi, and M. Fernandez. Verifying linearizability of Intel software guard extensions. In 27th International Conference on Computer Aided Verification, pages 144–160, July 2015. ISBN 978-3-319-21668-3. doi: 10.1007/978-3-319-21668-3_9.

[27] B. C. Lopes, R. Auler, L. Ramos, E. Borin, and R. Azevedo. SHRINK: Reducing the ISA complexity via instruction recycling. In 42nd International Symposium on Computer Architecture, pages 311–322, 2015. ISBN 978-1-4503-3402-0. doi: 10.1145/2749469.2750391.

[28] F. X. McKeen, C. V. Rozas, U. R. Savagaonkar, S. P. Johnson, V. Scarlata, M. A. Goldsmith, E. Brickell, et al. Method and apparatus to provide secure application execution, Dec. 2009. US Patent 9,087,200.

[29] J. C. Mogul, A. Baumann, T. Roscoe, and L. Soares. Mind the gap: Reconnecting architecture and OS research. In 13th Workshop on Hot Topics in Operating Systems, May 2011.

[30] O. Ohrimenko, F. Schuster, C. Fournet, A. Mehta, S. Nowozin, K. Vaswani, and M. Costa. Oblivious multi-party machine learning on trusted processors. In 25th USENIX Security Symposium, pages 619–636, 2016. ISBN 978-1-931971-32-4. URL https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/ohrimenko.

[31] R. Pires, M. Pasin, P. Felber, and C. Fetzer. Secure content-based routing using Intel software guard extensions. In 17th International Middleware Conference, pages 10:1–10:10, 2016. ISBN 978-1-4503-4300-8. doi: 10.1145/2988336.2988346.

[32] H. Rotithor. Postsilicon validation methodology for microprocessors. IEEE Design & Test of Computers, 17(4):77–88, Oct. 2000. ISSN 0740-7475. doi: 10.1109/54.895008.

[33] F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: Trustworthy data analytics in the cloud using SGX. In IEEE Symposium on Security and Privacy, May 2015. doi: 10.1109/SP.2015.10.

[34] M.-W. Shih, S. Lee, T. Kim, and M. Peinado. T-SGX: Eradicating controlled-channel attacks against enclave programs. In Annual Network and Distributed System Security Symposium (NDSS), Feb. 2017.

[35] S. Shinde, Z. L. Chua, V. Narayanan, and P. Saxena. Preventing page faults from telling your secrets. In 11th ACM Asia Conference on Computer and Communications Security, pages 317–328, 2016. ISBN 978-1-4503-4233-9. doi: 10.1145/2897845.2897885.

[36] T. Simonite. Intel puts the brakes on Moore’s Law. MIT Technology Review, Mar. 2016. URL https://www.technologyreview.com/s/601102.

[37] TPM Main Specification Level 2. Trusted Computing Group, Mar. 2011. Version 1.2, Revision 116.

[38] M. Walton. Intel will release 8th-gen Coffee Lake chips this year—still at 14nm. Ars Technica, Feb. 2017. URL https://arstechnica.com/gadgets/2017/02/intel-coffee-lake-14nm-release-date/.

[39] A. Waterman, Y. Lee, R. Avizienis, D. A. Patterson, and K. Asanović. The RISC-V instruction set manual volume II: Privileged architecture version 1.7. Technical Report UCB/EECS-2015-49, UC Berkeley EECS, May 2015.

[40] Wikipedia. Transistor count. Retrieved 2017-01-12. URL https://en.wikipedia.org/wiki/Transistor_count.

[41] Y. Xu, W. Cui, and M. Peinado. Controlled-channel attacks: Deterministic side-channels for untrusted operating systems. In IEEE Symposium on Security and Privacy, May 2015. doi: 10.1109/SP.2015.45.
