Enclaves, or Trusted Execution Environments, are trusted-hardware primitives that make it possible to isolate and protect a sensitive program from an untrusted operating system. Unfortunately, almost all existing enclave platforms are vulnerable to microarchitectural side channels and transient execution attacks, and the one academic proposal that is not does not allow programs to interact with the outside world. We present Citadel, to our knowledge the first enclave platform with microarchitectural isolation to run realistic secure programs on a speculative out-of-order multicore processor. We show how to leverage hardware/software co-design to enable shared memory between an enclave and an untrusted operating system while preventing speculative transmitters between the enclave and a potential adversary. We then evaluate our secure baseline and present further mechanisms to achieve reasonable performance for out-of-the-box programs. Our multicore processor runs on an FPGA and boots untrusted Linux, from which users can securely launch and interact with enclaves. To demonstrate our platform's capabilities, we run a private inference enclave that embeds a small neural network trained on MNIST. A remote user can remotely attest the enclave's integrity, perform a key exchange and send encrypted input for secure evaluation. We open-source our end-to-end hardware and software infrastructure, hoping to spark more research and bridge the gap between conceptual proposals and FPGA prototypes.
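The last sentences of the abstract describe a three-step interaction: the remote user attests the enclave, performs a key exchange bound to that attestation, and only then sends encrypted input. The following is an added, self-contained simulation of that flow and is not Citadel's protocol or code. Every name in it is an assumption: the "platform signature" is stood in by an HMAC under a key shared with the verifier (a real platform would use an asymmetric signature over the report), the key exchange is plain Diffie-Hellman over the 1024-bit RFC 2409 group 2 so no third-party library is needed, and the input is sealed with a SHA-256 keystream plus HMAC as a stand-in for an AEAD. The enclave code bytes, platform key and user input are constructed sample values.

```python
"""Simulated remote attestation + key exchange + encrypted input (added example).

All names, the HMAC-based stand-in for the platform signature, the DH group and
the SHA-256 stream cipher are assumptions made here so the example runs with the
Python standard library only; none of this is Citadel's own protocol or code.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP), generator 2. Chosen only so the
# example needs no third-party library; a deployment would use a larger group
# or an elliptic-curve exchange.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# Constructed sample values: the enclave "code" whose hash is its measurement,
# and the platform attestation key (stand-in for an asymmetric signing key).
ENCLAVE_CODE = b"mnist-inference-enclave v0 (constructed sample)"
PLATFORM_KEY = b"constructed-platform-attestation-key"


def measure(code: bytes) -> bytes:
    """Measurement = hash of the enclave code loaded at launch."""
    return hashlib.sha256(code).digest()


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def pub_bytes(pub: int) -> bytes:
    return pub.to_bytes(128, "big")


def enclave_attest(code: bytes, enclave_pub: int) -> dict:
    """Enclave side: a report binding its DH public key to its measurement."""
    body = measure(code) + pub_bytes(enclave_pub)
    tag = hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()
    return {"measurement": measure(code), "pub": enclave_pub, "tag": tag}


def user_verify(report: dict, expected_measurement: bytes) -> bool:
    """Remote user: check the platform tag first, then the expected measurement."""
    body = report["measurement"] + pub_bytes(report["pub"])
    expected_tag = hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return False
    return hmac.compare_digest(report["measurement"], expected_measurement)


def derive_key(my_priv: int, peer_pub: int) -> bytes:
    """DH shared secret, hashed into a session key; rejects degenerate values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("bad DH public value")
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(b"example-kdf" + pub_bytes(shared)).digest()


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    blocks = length // 32 + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a SHA-256 keystream (stand-in for an AEAD)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), mac):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_session(user_input: bytes, expected_measurement: bytes = None) -> bytes:
    """Attest, verify, exchange keys, send sealed input; returns what the enclave recovers."""
    if expected_measurement is None:
        expected_measurement = measure(ENCLAVE_CODE)
    e_priv, e_pub = dh_keypair()
    report = enclave_attest(ENCLAVE_CODE, e_pub)
    if not user_verify(report, expected_measurement):
        raise ValueError("attestation failed: refusing to send input")
    u_priv, u_pub = dh_keypair()          # user's ephemeral key, sent to the enclave
    blob = seal(derive_key(u_priv, report["pub"]), user_input)
    return open_sealed(derive_key(e_priv, u_pub), blob)


if __name__ == "__main__":
    print(run_session(b"constructed MNIST pixel payload"))
```

The ordering matters: the user derives a key only from the public value carried inside a verified report, so input is never sealed toward a party whose measurement did not match. Swapping the HMAC stand-in for a real signature scheme and the keystream for an AEAD does not change that structure.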