Separation of Duties

The Case: SGX Enclave

Martin Hermannsen
C³AI
3 min read · May 12, 2020


Rings illustration (source: unsplash.com)

In this article, I would like to explain how the separation of duties in computer systems is accomplished. The following remarks describe the computer architecture, consisting of hardware and software components, that is needed to separate two processes from each other, so that, for example, a malicious process cannot disturb or manipulate other processes.

A process is nothing more than a bunch of micro-instructions located in certain virtual addresses / segments. An Intel Architecture (IA) machine is built to run multiple application software instances, called processes. The operating system (OS) allocates the computer's resources to the running processes. On server computers, multiple operating systems can be executed at the same time with the help of a hypervisor, which divides the resources between the operating system instances on the computer [1].

The system software is able to isolate each piece of software that it manages (a process or an operating system) from the others. This isolation is a key feature for every piece of software, because developers then do not need to worry about interactions with other software. In this respect, the main functionality of an operating system is virtual memory, implemented through address translation. Consequently, from the software's point of view, all the memory on the computer is available for its operations. In order to implement the virtual memory abstraction, every process gets its own virtual address space that only references the memory allocated to that process. The address translation concept uses a mapping defined by page tables, which are managed by the system software, to transform a virtual address into a physical address and vice versa.

Address Translation Concept [1]

As you can see, every process gets its own virtual address space, and it is the task of the operating system to multiplex the system's DRAM between the processes, while from the application developer's point of view each process appears to have access to the whole computer's DRAM.

Virtual Memory Abstraction

Thus, the isolation of processes is achieved, and at the same time application code is prevented from accessing memory-mapped devices directly. The address translation process is carried out by dedicated hardware in the CPU, the so-called memory management unit (MMU).

Another key feature of virtualization is the distinction between software privilege levels, which is enforced by the CPU. A privilege separation implemented in hardware guarantees that a piece of software cannot damage other software indirectly by interfering with the system software that manages it [1].

The concept of privilege levels is hierarchical: the most privileged level, Ring 0, has superpowers, and the rings below it are increasingly less privileged. That is the reason why more privileged levels can manipulate less privileged levels, but not vice versa.

Privilege levels in x86 architecture

For system designers it is proven practice to divide the operating system into a kernel (high privilege level, Ring 0) and a user mode (lower privilege level, Ring 3) to achieve a user-safe environment. The kernel allocates all the hardware resources to the other system components (e.g. drivers, lower privileged processes) and acts like an API for system calls (SYSCALLs). The lowest privilege level is used by standard applications such as web browsers and other user applications and is therefore called user mode in UNIX environments. In Windows environments, kernel mode is also known as unprotected mode, because the kernel is able to access the whole memory space. User mode is called protected mode, because the user has fewer possibilities to damage the system due to limited access to memory.
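To make the two mechanisms described above concrete, here is a small simulation, added to this article and not taken from it or from the Intel SGX Explained paper, of what the MMU does on every memory access: it walks a per-process page table (the isolation from the address translation section) and checks a user/supervisor bit against the current privilege level (the Ring 0 / Ring 3 split from this section). The model is a constructed toy (16-bit virtual addresses, 4 KiB pages, a single-level table, frame numbers chosen arbitrarily); real x86 uses multi-level tables and more flags, but the two checks shown are the ones that give a process its own address space and keep Ring 3 out of kernel pages.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model: 16-bit virtual addresses, 4 KiB pages,
   so a virtual address splits into a 4-bit page number and a 12-bit offset. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  16

/* One page table entry: present bit, user/supervisor bit, physical frame number. */
typedef struct {
    bool     present;  /* clear -> access raises a page fault */
    bool     user;     /* set -> Ring 3 may touch it; clear -> Ring 0 only */
    uint32_t frame;    /* physical frame number this page is backed by */
} pte_t;

/* Each process owns its own page table, which is what gives it a private address space. */
typedef struct {
    const char *name;
    pte_t table[NUM_PAGES];
} process_t;

typedef enum { XLATE_OK, XLATE_NOT_PRESENT, XLATE_PRIVILEGE } xlate_status_t;

/* Simulated MMU walk. cpl is the current privilege level (0 = kernel, 3 = user).
   On success the physical address is written to *paddr. */
xlate_status_t translate(const process_t *p, uint16_t vaddr, int cpl, uint32_t *paddr) {
    unsigned vpn    = vaddr >> PAGE_SHIFT;
    unsigned offset = vaddr & (PAGE_SIZE - 1);
    const pte_t *pte = &p->table[vpn];

    if (!pte->present)
        return XLATE_NOT_PRESENT;            /* unmapped page: page fault */
    if (cpl == 3 && !pte->user)
        return XLATE_PRIVILEGE;              /* Ring 3 touching a supervisor page */

    *paddr = (pte->frame << PAGE_SHIFT) | offset;
    return XLATE_OK;
}

/* System software (Ring 0) is the only party that edits page tables. */
void map_page(process_t *p, unsigned vpn, uint32_t frame, bool user) {
    p->table[vpn].present = true;
    p->table[vpn].user    = user;
    p->table[vpn].frame   = frame;
}

/* Constructed scenario: two processes map the same virtual page 1 to
   different physical frames, and both share a supervisor-only kernel
   page at virtual page 15 (frame numbers are arbitrary sample values). */
void build_demo(process_t *a, process_t *b) {
    memset(a, 0, sizeof *a);
    memset(b, 0, sizeof *b);
    a->name = "process A";
    b->name = "process B";
    map_page(a, 1,  0x00100, true);   /* A: VPN 1  -> frame 0x00100, user page   */
    map_page(b, 1,  0x00200, true);   /* B: VPN 1  -> frame 0x00200, user page   */
    map_page(a, 15, 0x7FF00, false);  /* A: VPN 15 -> kernel frame, Ring 0 only  */
    map_page(b, 15, 0x7FF00, false);  /* B: VPN 15 -> same kernel frame          */
}

static void show(const process_t *p, uint16_t vaddr, int cpl) {
    uint32_t pa = 0;
    xlate_status_t st = translate(p, vaddr, cpl, &pa);
    const char *msg = st == XLATE_OK ? "ok" : st == XLATE_NOT_PRESENT ? "PAGE FAULT" : "PRIVILEGE VIOLATION";
    printf("%s  VA 0x%04X  CPL %d  -> %s", p->name, vaddr, cpl, msg);
    if (st == XLATE_OK) printf("  PA 0x%08X", pa);
    putchar('\n');
}

int main(void) {
    process_t a, b;
    build_demo(&a, &b);
    show(&a, 0x1234, 3);   /* same VA ...                                   */
    show(&b, 0x1234, 3);   /* ... lands in a different frame for B          */
    show(&a, 0xF010, 3);   /* user code cannot reach the kernel page        */
    show(&a, 0xF010, 0);   /* kernel code can                               */
    show(&a, 0x2000, 3);   /* unmapped page: fault, not someone else's data */
    return 0;
}
```

The two `translate` checks are the whole story: because process B's table simply has no entry pointing at A's frame 0x00100, there is no virtual address B could form that reaches it, and because the kernel page is marked supervisor-only, the same page table serves both rings without letting Ring 3 read Ring 0 memory.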

Resources

[1] Victor Costan and Srinivas Devadas, Intel SGX Explained

