SGX隔离技术研究综述OA北大核心CSTPCD

Intel SGX(software guard eXtensions)ensures the confidentiality and integrity for data in use by creating a trusted execution environment(TEE or enclave),which can prevent arbitrary access from any privileged software such as operating systems and Hypervisor.Although SGX is designed for a higher-level hardware-assisted security primitive,it is still faced with some crucial problems in aspects of compatibility,performance and security.This survey first systematically analyzed and summarized five SGX design restrictions,leading to the incompatibility or poor usability of SGX with binary applications and language runtimes.Working with restrictions,a"choose 2-out-of-3"trilemma between security,performance,and binary compatibility often occurred.Subsequently,three types of compatibility solutions were reviewed and the advantages and disadvantages for each were comprehensively analyzed.A classification method for popular attack techniques on SGX was presented and the key problems and root causes for each were described.The main factors that slowdown the performance of SGX enclave were summarized.Finally,the lessons from SGX studies were summarized,and several research directions on next-generation TEE were pointed out.