Current processors may provide support for a trusted execution environment such as a secure enclave. A secure enclave comprises segments of memory (code and/or data) that the processor protects from unauthorized access, including unauthorized reads and writes. In particular, certain processors include Intel® Software Guard Extensions (SGX) to provide secure enclave support. SGX provides confidentiality, integrity, and replay protection for enclave data while that data is resident in platform memory, and thus protects the memory contents against both software and hardware attacks. The processor package boundary forms a natural security boundary: inside it, data and code may be held in plaintext and assumed to be secure. Enclave code executes in ring 3 (the least privileged mode of the processor). Thus, SGX allows an untrusted OS/VMM to host trusted execution environments without the risk that the OS/VMM directly reads enclave memory. However, the OS/VMM still manages the enclave's page tables, which leaves it an indirect channel, as discussed next.
An attacker with full control of the OS/VMM may mount a side-channel attack on a secure enclave by manipulating page table permissions. For example, the attacker may mark enclave pages not-present or non-executable so that a page fault occurs whenever the enclave jumps into a new code page or touches a new data page. Each fault reports the faulting page to the OS (SGX masks the page offset, so only the page number is revealed); by re-enabling the faulted page and re-masking the previously enabled one, the attacker records the sequence of pages the enclave accesses. Because a fault fires only when execution or a data access crosses into a new page, the attacker recovers a coarse, page-granular control-flow graph or memory access pattern, which is nonetheless sufficient to infer secrets whenever a branch target or lookup index depends on them. One such attack is described by Yuanzhong Xu et al., "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems," IEEE Symposium on Security & Privacy (2015). Potential defenses against such side-channel attacks include static code randomization; static code reorganization (e.g., restructuring the program so that every execution path produces the same page access pattern); and execution path randomization (e.g., executing one of several randomly selected versions of the code). Such approaches may be susceptible to profiling attacks, and execution path randomization offers only limited randomness while increasing memory usage through code duplication. Oblivious memory, which makes memory access patterns indistinguishable for any inputs with the same running time, may also defend against such side-channel attacks, but it requires rewriting source code and is expected to reduce execution speed by more than ten times.
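The page-fault channel and the "same page access pattern on every path" defense described above, as an added, constructed example that is not part of the original text and does not use SGX: on Linux, a process attacks itself by marking a four-page lookup table PROT_NONE and letting a SIGSEGV handler play the role of the malicious OS. The handler sees only the faulting page number, opens that page, re-closes the previous one, and logs the sequence. `victim_leaky` indexes the table with the top two bits of each secret byte, so the page trace reveals those bits; `victim_oblivious` touches all four pages in a fixed order on every iteration and selects the wanted byte with a mask, so its trace is independent of the secret. All function names, the table layout, and the sample secrets are assumptions made for this example.

```c
/* Constructed demonstration of a page-granular controlled channel. The
 * process's own SIGSEGV handler stands in for an untrusted OS manipulating
 * an enclave's page tables. Linux/POSIX only; not SGX code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NPAGES    4      /* the "enclave" lookup table spans four pages */
#define TRACE_MAX 64

static unsigned char *region;      /* NPAGES pages of table data */
static size_t page_size;
static int trace[TRACE_MAX];       /* page numbers observed by the "OS" */
static int trace_len;
static int open_page = -1;         /* the single page currently readable */

/* Role of the untrusted OS: any access to a closed page lands here. The
 * handler re-closes the previously open page, opens the faulting one and
 * logs its page number. It never learns the offset within the page, so the
 * channel is page-granular. (mprotect is not formally async-signal-safe,
 * but it is a plain syscall on Linux and fine for this demonstration.) */
static void fault_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)region;
    if (addr < base || addr >= base + NPAGES * page_size)
        _exit(2);                  /* unrelated crash: do not spin forever */
    int page = (int)((addr - base) / page_size);
    if (open_page >= 0)
        mprotect(region + open_page * page_size, page_size, PROT_NONE);
    mprotect(region + page * page_size, page_size, PROT_READ);
    open_page = page;
    if (trace_len < TRACE_MAX) trace[trace_len++] = page;
}

/* Allocate and fill the table, install the handler. Returns 0 on success. */
int setup_channel(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    region = mmap(NULL, NPAGES * page_size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    for (size_t i = 0; i < NPAGES * page_size; i++) region[i] = (unsigned char)i;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Volatile read so the compiler cannot elide or reorder table accesses. */
static unsigned char rd(size_t idx) {
    return *(volatile unsigned char *)(region + idx);
}

/* Victim 1: secret-indexed lookup. Top two bits of each secret byte select
 * the page, the low six bits the offset inside it. */
static unsigned victim_leaky(const unsigned char *secret, size_t n) {
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += rd((size_t)(secret[i] >> 6) * page_size + (secret[i] & 63));
    return acc;
}

/* Victim 2: same computation, reorganised so every iteration touches all
 * pages in a fixed order and keeps the wanted byte via a mask. */
static unsigned victim_oblivious(const unsigned char *secret, size_t n) {
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++) {
        size_t want = secret[i] >> 6, off = secret[i] & 63;
        unsigned v = 0;
        for (size_t p = 0; p < NPAGES; p++) {
            unsigned mask = 0u - (unsigned)(p == want);  /* all ones iff p == want */
            v |= rd(p * page_size + off) & mask;
        }
        acc += v;
    }
    return acc;
}

/* Close every page, run one victim, and return the page trace the "OS" saw. */
int run_attack(const unsigned char *secret, size_t n, int oblivious, int *out) {
    mprotect(region, NPAGES * page_size, PROT_NONE);
    open_page = -1;
    trace_len = 0;
    if (oblivious) victim_oblivious(secret, n); else victim_leaky(secret, n);
    mprotect(region, NPAGES * page_size, PROT_READ);   /* leave table usable */
    memcpy(out, trace, (size_t)trace_len * sizeof *out);
    return trace_len;
}

int main(void) {
    /* constructed secrets whose top bits select pages 0,1,2,3 and 3,2,1,0 */
    const unsigned char s1[4] = {0x00, 0x41, 0x82, 0xC3};
    const unsigned char s2[4] = {0xC3, 0x82, 0x41, 0x00};
    const unsigned char *secrets[2] = {s1, s2};
    int t[TRACE_MAX];
    if (setup_channel() != 0) return 1;
    for (int obl = 0; obl < 2; obl++)
        for (int k = 0; k < 2; k++) {
            int n = run_attack(secrets[k], 4, obl, t);
            printf("%s secret%d:", obl ? "oblivious" : "leaky    ", k + 1);
            for (int i = 0; i < n; i++) printf(" %d", t[i]);
            printf("\n");
        }
    return 0;
}
```

The leaky traces are 0 1 2 3 and 3 2 1 0, i.e. the top two bits of every secret byte, while both oblivious traces are 0 1 2 3 repeated four times. The coarseness the text mentions is visible too: two consecutive secret bytes that select the same page produce a single trace entry, because no fault fires until a different page is touched. The oblivious variant costs NPAGES reads per lookup instead of one, which is the kind of slowdown the text attributes to pattern-equalising defenses.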