CURE – Customizable and Resilient Enclaves

Sustainable Security and Safety for Future Technologies

Cloud Scale Enclave Engine (CSEE)

In this project, our researchers will research, design and prototype a Cloud Scale Enclave Engine (CSEE) for RISC-V server-class platforms, targeting scenarios such as public cloud (e.g. IaaS, PaaS), private cloud, multi-tenant NFV and similar ICT scenarios: Customizable and Resilient Enclaves (CURE).

In this project we extend the limits of the currently used security architectures and develop a novel enclave-based security architecture called CURE. In contrast to existing architectures, CURE offers different types of enclaves to adapt to the requirements of sensitive services on next generation computer platforms.

With CURE we introduce the first security architecture that masters various challenges within enclave computing while requiring only minimal hardware modifications.

Design of the CURE Architecture

CURE has a novel design that provides a TEE architecture with strongly isolated and highly customizable enclaves, which can be adapted to the requirements of the services they protect. Unlike other TEE architectures, which provide only a single enclave type, CURE allows enclave boundaries to be defined freely, so different enclaves can be constructed, as shown in the figure below.

Figure: CURE privilege levels and enclave types, namely user-space enclaves (Encl1), kernel-space enclaves (Encl2, Encl3) and sub-space enclaves (Encl4)

Key properties of CURE:

  • Flexible TEE architecture which can protect unmodified sensitive services
  • Novel hardware security primitives for the CPU cores
  • Multiple enclave types, ranging from enclaves in user space, over sub-space enclaves, to self-contained (multi-core) enclaves which include privileged software levels
  • Secure enclave-to-peripheral binding
  • Requiring minimal and non-invasive hardware modifications
  • Advanced security features providing protection against sophisticated cache attacks