Autarky: closing controlled channels with self-paging enclaves

As the first widely-deployed secure enclave hardware, Intel SGX shows promise as a practical basis for confidential cloud computing. However, side channels remain SGX's greatest security weakness. Inparticular, the "controlled-channel attack" on enclave page faults exploits a longstanding architectural side channel and still lacks effective mitigation. We propose Autarky: a set of minor, backward-compatible modifications to the SGX ISA that hide an enclave's page access trace from the host, and give the enclave full control over its page faults. A trusted library OS implements an enclave self-paging policy. We prototype Autarky on current SGX hardware and the Graphene library OS, implementing three paging schemes: a fast software oblivious RAM system made practical by leveraging the proposed ISA, a novel page cluster abstraction for application-aware secure self-paging, and a rate-limiting paging mechanism for unmodified binaries. Overall, Autarky provides a comprehensive defense for controlled-channel attacks which supports efficient secure demand paging, and adds no overheads in page-fault free execution.