[Resource Topic] 2015/564: Sanctum: Minimal Hardware Extensions for Strong Software Isolation

Welcome to the resource topic for 2015/564

Title:
Sanctum: Minimal Hardware Extensions for Strong Software Isolation

Authors: Victor Costan, Ilia Lebedev, Srinivas Devadas

Abstract:

Sanctum offers the same promise as SGX, namely strong provable isolation of software modules running concurrently and sharing resources, but protects against an important class of additional software attacks that infer private information from a program’s memory access patterns. We follow a principled approach to eliminating entire attack surfaces through isolation, rather than plugging attack-specific privacy leaks. Sanctum demonstrates that strong software isolation is achievable with a surprisingly small set of minimally invasive hardware changes, and a very reasonable overhead. Sanctum does not change any major CPU building block. Instead, we add hardware at the interfaces between building blocks, without impacting cycle time. Our prototype shows a 2% area increase in a Rocket RISC-V core. Over a set of benchmarks, Sanctum’s worst observed overhead for isolated execution is 15.1% over an idealized insecure baseline, and 2.7% average overhead over a representative insecure baseline.

ePrint: https://eprint.iacr.org/2015/564

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .