general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[docs] Refine the description on Occlum's PKU

Browse Source
This commit is contained in:
zhubojun 2023-07-26 10:46:05 +08:00 committed by volcano
parent 6b11e2ae3d
commit abd69269c0
2 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -11,7 +11,7 @@ Occlum is a *memory-safe*, *multi-process* library OS (LibOS) for [Intel SGX](ht
Occlum has the following salient features:
* **Efficient multitasking.** Occlum offers _light-weight_ LibOS processes: they are light-weight in the sense that all LibOS processes share the same SGX enclave. Compared to the heavy-weight, per-enclave LibOS processes, Occlum's light-weight LibOS processes is up to _1,000X faster_ on startup and _3X faster_ on IPC. In addition, Occlum offers an optional [**PKU**](./docs/pku_manual.md) (Protection Keys for Userspace) feature to isolate the Occlum userspace processes if needed.
* **Efficient multitasking.** Occlum offers _light-weight_ LibOS processes: they are light-weight in the sense that all LibOS processes share the same SGX enclave. Compared to the heavy-weight, per-enclave LibOS processes, Occlum's light-weight LibOS processes is up to _1,000X faster_ on startup and _3X faster_ on IPC. In addition, Occlum offers an optional [**PKU**](./docs/pku_manual.md) (Protection Keys for Userspace) feature to enhance fault isolation between Occlum's LibOS and userspace processes if needed.
* **Multiple file system support.** Occlum supports various types of file systems, e.g., _read-only hashed FS_ (for integrity protection), _writable encrypted FS_ (for confidentiality protection), _untrusted host FS_ (for convenient data exchange between the LibOS and the host OS).
* **Memory safety.** Occlum is the _first_ SGX LibOS written in a memory-safe programming language ([Rust](https://www.rust-lang.org/)). Thus, Occlum is much less likely to contain low-level, memory-safety bugs and is more trustworthy to host security-critical applications.
* **Ease-of-use.** Occlum provides user-friendly build and command-line tools. Running applications on Occlum inside SGX enclaves can be as simple as only typing several shell commands (see the next section).

11
docs/pku_manual.md
View File

@ -8,13 +8,16 @@ Occlum now can use PKU, a hardware feature, to enforce isolation between LibOS a
**PKU** (Protection Keys for Userspace) (aka. **MPK**: Memory Protection Keys) has been introduced into Linux since 2015 (details can be found in the [lwn page](https://lwn.net/Articles/643797/)). It is a lightweight intra-process isolation mechanism for userspace (Ring 3) software. Since its memory access policy is restricted by MMU (Memory Management Unit), it incurs almost non-zero overhead at runtime compared to Software Fault Isolation (SFI), and the memory access permission switch overhead is low. More details can be found in the [manual page](https://man7.org/linux/man-pages/man7/pkeys.7.html).
Currently, Occlum lacks the ability to isolate LibOS from userspace applications. Though userspace applications are **considered benign** in Occlum, but it is bug-prone inevitably. Potential illegal memory accesses may affect the correctness of computation, even lead to the crash of the whole enclave. Intra-enclave isolation is helpful for developers to uncover bugs beforehand.
Currently, Occlum lacks the ability to isolate LibOS from userspace applications. Though userspace applications are **considered benign** in Occlum, but it is bug-prone inevitably. Potential illegal memory accesses may affect the correctness of computation silently, even lead to the crash of the whole enclave. Intra-enclave isolation is helpful for developers to uncover bugs beforehand.
It necessary to enforce the isolation in Occlum, and leveraging PKU is a good choice.
**Security Concerns**:
PKU is only an option for users to enhance Occlum's security.
Userspace applications are still in TCB (Trusted Computing Base).
### Security Analysis
PKU is an option for users and developers to enhance Occlum's fault isolation between LibOS and userspace applications.
It is not a complete protection from malicious attacks which come from an enclave itself.
**Userspace applications are still in TCB (Trusted Computing Base) in Occlum's threat model.**
They are considered to be benign but inevitably bug-prone.
It is should be emphasized that OS has the full control of enclave's page table and control registers (e.g. CR4), and OS has mainly two ways to enforce data access policy related to PKU:
1. OS is able to set CR4.PKE to 0, rendering intra-enclave isolation useless;