This is the PoC implementation for the USENIX 2022 paper
Repurposing Segmentation as a Practical LVI-NULL Mitigation in SGX by Lukas Giner, Andreas Kogler, Claudio Canella, Michael Schwarz and Daniel Gruss.
This readme walks you through compiling a modified clang compiler, an extra relocator, the SGX driver, a modified SGX PSW and a modified and unmodified SGX SDK.
The modified compiler, PSW, SDK and the relocator comprise LVINullify, which allows you to build and run LVI-Null hardened SGX enclaves.
The total install time should be around 1h-2h.
To build the compiler for LVI-NULLify, install the prerequisites for llvm (e.g. cmake and ninja-build) and the symphony library
apt install coinor-libsymphony-dev
and run
./build.sh
inside the compiler folder.
If the build fails or hangs (e.g. not enough ram), you can try to restart with ninja clang in the llvm11/build directory.
To build the relocator, install rust nightly on your system see how-to-install-rust.
Then run:
make
inside the relocator folder.
Install the SGX driver according to https://github.com/intel/linux-sgx-driver .
If you have no need to preserve an old PSW or SDK and defaults for everything are fine (and you're feeling lucky), you can skip all steps in 4 by running
setup.sh
from within the scripts folder.
You still have to manually update your source.list file and install the packages, the script prints these instructions at the end.
Continue on for (partially) manual install:
We advise to completely remove all SDK and PSW installations from the system before starting the installation.
If you have previously installed a version of SGX that uses local packages, you may uninstall sdk and psw with
./uninstall_psw_sdk.sh
Please install all prerequisites for your system according to https://github.com/intel/linux-sgx/blob/master/README.md .
For Ubuntu 18.04, these are:
sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev git cmake perl
For Ubuntu 20.01:
sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
Please see the Intel page for other operating systems.
This step creates an unpatched SDK that is necessary for PSW installation.
If you want to install this to the default location, /opt/intel (recommended), you can run ./install_unmodified_sdk.sh.
First run:
./checkout.sh
Follow the Intel documentation on how to install only the SDK from the linux-sgx directory.
Now, source the resulting environment (e.g. source /opt/intel/sgxsdk).
install_patched_psw.sh
You still have to manually update your source.list file and install the packages, the script prints these instructions at the end.
Clean the complete repository. We advise to delete the repository and redo the ./checkout.sh process again.
Afterwards apply the patch:
./patch
inside the scripts folder.
Now follow the Intel documentation on how to install the PSW from the linux-sgx directory.
install_patched_sdk.sh
As the last step, build install the patched SDK from linux-sgx, following the Intel documentation.
You may want to install this to a different folder (i.e. not /opt/intel), for compatibilty with the PoCs we recommend SDKs/clang-gs (in this directory).
We provide LVI-Null PoCs inside the POC folder, see the Readme in there.
Scripts to install and run sgxbench and sgx-nbench are provided in benchmarks, continue in the Readme there.
Warning #1: We are providing this code as-is. You are responsible for protecting yourself, your property and data, and others from any risks caused by this code. This code may cause unexpected and undesirable behavior to occur on your machine.
Warning #2: This code is only for testing purposes. Do not run it on any production systems. Do not run it on any system that might be used by another person or entity.