Aurora: Providing Trusted System Services for Enclaves On an Untrusted System

Abstract

Intel SGX provisions shielded executions for security-sensitive computation, but lacks support for trusted system services (TSS), such as clock, network and filesystem. This makes enclaves vulnerable to Iago attacks~DBLP:conf/asplos/CheckowayS13 in the face of a powerful malicious system. To mitigate this problem, we present Aurora, a novel architecture that provides TSSes via a secure channel between enclaves and devices on top of an untrusted system, and implement two types of TSSes, i.e. clock and end-to-end network. We evaluate our solution by porting SQLite and OpenSSL into Aurora, experimental results show that SQLite benefits from a microsecond accuracy trusted clock and OpenSSL gains end-to-end secure network with about 1ms overhead.