



# TLBlur: Compiler-Assisted Automated Hardening against Controlled Channels on Off-the-Shelf Intel SGX Platforms

Daan Vanoverloop<sup>1</sup>, Andrés Sánchez<sup>2,4</sup>, Flavio Toffalini<sup>2,3</sup>, Frank Piessens<sup>1</sup>, Mathias Payer<sup>2</sup>, Jo Van Bulck<sup>1</sup>

<sup>1</sup>Distrinet, KU Leuven, Belgium, <sup>2</sup>EPFL, Switzerland, <sup>3</sup>RUB, Germany, <sup>4</sup>Amazon



ARTIFACT EVALUATED USENIX ASSOCIATION  
AVAILABLE

ARTIFACT EVALUATED USENIX ASSOCIATION  
FUNCTIONAL

ARTIFACT EVALUATED USENIX ASSOCIATION  
REPRODUCED

## Controlled-Channel Attacks on Intel SGX



Original image



Xu et al. (Oakland 2015)



Our attack with AEX-Notify single-stepping mitigation



Single-stepping mitigation is not enough!

## AEX-Notify: Thwarting Single-Stepping Attacks



Hardware extension: Interrupt awareness for Intel SGX enclaves  
Software mitigation: Prefetch next code page + stack pages



Idea: Limit temporal resolution

## TLBlur Overview



## Practical Compiler and Binary Instrumentation



## Constant-Time Working Set Estimation



## Performance Evaluation



## Leakage Reduction in Practice: Libjpeg Compiler Hardening

