# TEE-SHirT: Scalable Leakage-Free Cache Hierarchies for TEEs

Kerem Arıkan, Abraham Farrell, Williams Zhang Cen, Jack McMahon, Barry Williams, Yu David Liu, Nael Abu-Ghazaleh\*, Dmitry Ponomarev

Binghamton University, \*University of California, Riverside

#### <u>Trusted Execution Environment (TEE)</u>

#### **Traditional System Stack**
#### TEE System Stack

#### Can Information Still Leak in TEEs?

#### Side-Channel Attacks!

#### Side-Channel Attacks on Caches

- All cache levels are vulnerable
- The system software can be a part of an attack

#### This Talk: TEE-ShirT

How to secure all cache levels without system software support?

- Scalability: support high number of enclaves with minimal hardware
- Context switches
- Cache coherence
- Provable security

#### **Evaluation Methodology**

- TEE-ShirT is implemented with gem5 cycle-accurate CPU simulator.
- We also implement TEE-ShirT's key components in an FPGA prototype for hardware overhead evaluation.
- We evaluate SPEC2017 and MiBench benchmark suites.
- We mechanize operational semantics for the formal security proof with **Coq**.

- Flushing: invalidate and write-back dirty data.
- Partitioning: divide security domains into dedicated cache boundaries.

#### How to Secure Private Caches?

There are two levels of private caches: L1 and L2.



#### TEE-SHirT L1 Caches: Flushing

Flushing across context switches and system calls is a sufficient solution for the L1 cache.

#### Can We Do the Same to L2 Caches?

Why is it so expensive?

#### TEE-ShirT L2 Caches: Partitioning

- Inclusivity Property: Lines in a lower level structure should also be present in the higher levels.

#### TEE-SHirT LLC: Fine-Grain Partitioning

- Examples:
  - Bespoke Cache Enclaves (SEED'21)
  - Chunked-Cache (NDSS'22)
  - Composable Cachelets (USENIX Sec'22)

Prior literature already establishes that LLC has to be partitioned.

#### TEE-ShirT Cache Hierarchy

- L1 Data/Instruction Cache: Flush across context switches.
- L2 Cache: Cache partitioning
- L3 Cache (LLC): Cache Partitioning
- We also ensure cache coherence across levels (details in the paper)
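As an added illustration of the set-and-way partitioning the talk describes for the L2 and the LLC (this is example code written for this page, not code from the TEE-SHirT paper or its artifact): a toy model in which each enclave owns a set range and a way range, and a check that enclave A's hit/miss pattern does not depend on enclave B's activity, which is exactly what fails in an unpartitioned cache. The cache geometry, enclave ids and access pattern are constructed.

```python
from collections import OrderedDict
LINE = 64  # constructed cache line size in bytes

class PartitionedCache:
    """Cache where each enclave owns a set range and a way range (constructed)."""
    def __init__(self, n_sets, geometry):
        self.geometry = geometry  # eid -> (set_lo, set_hi, way_lo, way_hi)
        # Each set is an LRU-ordered map: physical way -> (eid, tag)
        self.sets = [OrderedDict() for _ in range(n_sets)]

    def _locate(self, eid, addr):
        set_lo, set_hi, _, _ = self.geometry[eid]
        line, n = addr // LINE, set_hi - set_lo
        return set_lo + line % n, line // n  # (physical set, tag)

    def access(self, eid, addr):
        """True on hit; a miss fills a free way in range or evicts the LRU one."""
        s, tag = self._locate(eid, addr)
        ways = self.sets[s]
        hit = next((w for w, v in ways.items() if v == (eid, tag)), None)
        if hit is not None:
            ways.move_to_end(hit)
            return True
        _, _, way_lo, way_hi = self.geometry[eid]
        usable = range(way_lo, way_hi)  # the only ways this enclave may touch
        free = [w for w in usable if w not in ways]
        if free:
            victim = free[0]
        else:  # OrderedDict iterates oldest first, so this is the LRU usable way
            victim = next(w for w in ways if w in usable)
            del ways[victim]
        ways[victim] = (eid, tag)
        return False

# Constructed geometries on an 8-set, 8-way cache: A and B share sets 0-3 with
# disjoint ways (fine-grain partition) versus an unpartitioned cache.
PARTITIONED = {"A": (0, 4, 0, 4), "B": (0, 4, 4, 8)}
SHARED = {"A": (0, 8, 0, 8), "B": (0, 8, 0, 8)}

def observer_trace(geometry, other_active):
    """Hit/miss pattern of A over two passes of 8 lines, B idle or streaming."""
    cache = PartitionedCache(8, geometry)
    trace = []
    for addr in [i * LINE for i in range(8)] * 2:
        if other_active:  # B streams 64 lines before every A access
            for k in range(64):
                cache.access("B", k * LINE)
        trace.append(cache.access("A", addr))
    return trace
```

With `PARTITIONED`, A sees the same trace whether or not B is streaming; with `SHARED`, B's traffic evicts every A line, so A's second pass turns into misses and B's activity becomes observable through A's timing.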

#### Why is Scalability Challenging?

Partitioning requires additional metadata associated with each partition.



#### How Not to Manage Partition Metadata

Problem: the maximum number of concurrent enclaves is limited by the number of tables provided by the remapping logic.

TEE-ShirT alleviates the context switch and system call time penalty and ensures lower hardware complexity.

#### Metadata Virtualization: Results

Slowdown inflicted by cache flushes is greatly alleviated by metadata virtualization.

#### TEE-ShirT Performance for SPEC2017

- Evaluation is done on a 4-core system with five benchmark mixes.

#### TEE-SHirT: Scalable Leakage-Free Cache Hierarchies for TEEs

Kerem Arıkan\*, Abraham Farrell\*, Williams Zhang Cen\*, Jack McMahon\*, Barry Williams\*, Yu David Liu\*, Nael Abu-Ghazaleh<sup>†</sup>, and Dmitry Ponomarev\*

> \*Binghamton University <sup>†</sup>University of California, Riverside

Abstract—Protection of cache hierarchies from side-channel attacks is critical for building secure systems, particularly the ones using Trusted Execution Environments (TEEs). In this paper, we consider the problem of efficient and secure fine-grained partitioning of cache hierarchies and propose a framework, called Secure Hierarchies for TEEs (TEE-SHirT). In the context of a three-level cache system, TEE-SHirT consists of partitioned shared last-level cache, partitioned private L2 caches, and nonpartitioned L1 caches that are flushed on context switches and system calls. Efficient and correct partitioning requires careful design. Towards this goal, TEE-SHirT makes three contributions: 1) we demonstrate how the hardware structures used for holding cache partitioning metadata can be effectively virtualized to avoid flushing of cache partition content on context switches and system calls; 2) we show how to support multi-threaded enclaves in TEE-SHirT, addressing the issues of coherency and consistency that arise with both intra-core and inter-core data sharing; 3) we develop a formal security model for TEE-SHirT to rigorously reason about the security of our design.

In this paper, we investigate cache partitioning mechanisms for TEE systems with the goal of protecting the entire hierarchy, and not just a single cache level. Cache partitioning is a principled approach to security that physically isolates applications from each other, eliminating leakage due to contention on shared resources. Since cache lines belonging to different applications (or enclaves) are isolated, the behavior of the victim process cannot impact any cache-related observations by attackers, making attacks impossible. Existing secure cache partitioning solutions consider only a single level of caches, either private first-level caches [23] or shared LLC [41], [44], [56], [63]. These schemes partition caches by ways [23], [41], sets [21], [56], or both [63]. Without loss of generality, we study fine-grained approaches that partition caches by both ways and sets [63]. Various levels of the cache hierarchy require different approaches to achieve security. It has been established that

- Formal security analysis
- Cache coherence support
- Integration with Intel SGX

# Questions