Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
7-2024
Abstract
Process synchronization primitives lubricate server computing involving a group of processes, as they ensure that those processes properly coordinate their executions for a common purpose such as provisioning a web service. A malfunctioning synchronization due to attacks causes friction among processes and leads to unexpected, and often hard-to-detect, application transaction errors. Unfortunately, synchronization primitives are not naturally protected by existing hardware-assisted isolation techniques, e.g., SGX, because their process-oriented isolation conflicts with the primitive's demand for cross-process operations.
This paper introduces the Enclave-Semaphore service (ESem), which shelters application semaphores and their operations against kernel-privileged attacks. ESem encapsulates all semaphores in the platform with a dedicated SGX enclave and polices accesses from user processes, thus ensuring a consistent view of the data and resources shared among collaborative processes. Although ESem provides secure semaphores only, it supports all kinds of synchronization needs, owing to the expressiveness of semaphores.
We have built a prototype of ESem and conducted rigorous evaluation with micro-benchmarks, macro benchmark and real-world applications including Redis and Apache HTTP Server. ESem incurs only a modest performance overhead (around 2%) to the legacy systems. We also run a case study to demonstrate attacks against the synchronization in an SGX-hardened file server and how ESem neutralizes the attacks successfully with only one function call change to the applications. All these experiments show that ESem is a lightweight yet effective solution to the security hole left open by existing isolation schemes.
Keywords
Secure synchronization, Kernel semaphore, SGX enclave
Discipline
Information Security
Research Areas
Cybersecurity
Areas of Excellence
Digital transformation
Publication
ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, Singapore, July 1-5
First Page
1554
Last Page
1567
ISBN
9798400704826
Identifier
10.1145/3634737.3657025
Publisher
ACM
City or Country
New York
Citation
WANG, Zhanbo; ZHAN, Jiaxin; DING, Xuhua; ZHANG, Fengwei; and HU, Ning.
ESem: To harden process synchronization for servers. (2024). ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, Singapore, July 1-5. 1554-1567.
Available at: https://ink.library.smu.edu.sg/sis_research/9287
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3634737.3657025