ESem: To Harden Process Synchronization for Servers

Process synchronization primitives lubricate server computing involving a group of processes as they ensure those processes to properly coordinate their executions for a common purpose such as provisioning a web service. A malfunctioned synchronization due to attacks causes friction among processes and leads to unexpected, and often hard-to-detect, application transaction errors. Unfortunately, synchronization primitives are not naturally protected by existing hardware-assisted isolation techniques e.g., SGX, because their process-oriented isolation conflicts with the primitive’s demand for cross-process operations. This paper introduces the Enclave-Semaphore service (ESem) which shelters application semaphores and their operations against kernel-privileged attacks. ESem encapsulates all semaphores in the platform with a dedicated SGX enclave and polices accesses from users processes, thus ensuring a consistent view of the data and resources shared among collaborative processes. Although ESem provides secure semaphores only, it supports all kinds of synchronization needs, owning to the expressiveness of semaphores. We have built a prototype of ESem and conducted rigorous evaluation with micro-benchmarks, macro benchmark and real-world applications including Redis and Apache HTTP Server. ESem incurs only a modest performance overhead (around 2%) to the legacy systems. We also run a case study to demonstrate attacks against the synchronization in an SGX-hardened file server and how ESem neutralizes the attacks successfully with only one function call change to the applications. All these experiments show that ESem is lightweight yet effective solution to the security hole left open by existing isolation schemes.