Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control

Size: px

Start display at page:

Download "Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control"

Cornelia Reynolds
5 years ago
Views:

1 Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Völp, Adam Lackorzynski *, Jérémie Decouchant, Vincent Rahli, Francisco Rocha, and Paulo Esteves-Veríssimo University of Luxembourg SnT CritiX Lab Luxembourg * Kernkonzept GmbH and TU Dresden Operating-systems group Dresden, Germany 1st Workshop on System Software for Trusted Execution (SysTEX 2016), Dec. 12, 2016, Trento, Italy

2 The functionality/code size dilemma application scenarios require the system to implement a certain set of functionalities implementing these functionalities comes at the cost of a certain minimal amount of code even if development time and costs don t matter; and even if you only use high-class developers correlation of code size and complexity to vulnerabilities Chou et al., An Empirical Study of Operating Systems Errors, SOSP 2001 Asadollah et al., A Study of Concurrency Bugs in an Open Source Software, OSS

3 The functionality/code size dilemma application scenarios require the system to implement a certain set of functionalities implementing these functionalities comes at the cost of a certain minimal amount of code even if development RTOS time and costs ca. 5 don t KLOC matter; and5-13 PY even if you only Microkernel use high-class developers formal KLOC verification correlation of Legacy code size OS and complexity MLOC to vulnerabilities Chou et al., An Empirical Study of Operating Systems Errors, SOSP 2001 Asadollah et al., A Study of Concurrency Bugs in an Open Source Software, OSS

4 Intransitive trust secure legacy secure Player Legacy OS Driver Stub FS 4

Intransitive trust legacy Player Legacy OS Resource Mgmt Stub FS Driver secure VPFS secure En-/Decryption Codec Framebuffer Mgr. tudos.org Weinhold et al.

5 Intransitive trust legacy Player Legacy OS Resource Mgmt Stub FS Driver secure VPFS secure En-/Decryption Codec Framebuffer Mgr. tudos.org Weinhold et al., jvpfs: Adding Robustness to a Secure Stacked File System with Untrusted Local Storage Components, USENIX ATC, 2011 Singaravelu et al., Reducing TCB Complexity for Security-Sensitive lications: Three Case Studies, Eurosys, 2006 Asmussen, Völp, ASPLOS 16 5

6 Intransitive trust legacy Player Legacy OS Resource Mgmt Stub FS Driver secure VPFS secure En-/Decryption Codec Framebuffer Mgr. Intel SGX Inktag Hoffmann et al. 13 microhypervisor ARM Trustzone / M3 Manycore + DTUs Asmussen, Völp, ASPLOS 16 6

7 SGX Vulnerabilities Source: AsyncShock Fine grain preemption control to widen the window of vulnerability of synchronization bugs 7

side-channel attacks Fine grain preemption control

8 SGX Vulnerabilities Fine grain preemption control to widen the window of vulnerability for side-channel attacks Fine grain preemption control to widen the window of vulnerability of synchronization bugs 8

9 SGX Vulnerabilities Running Example: Osvik et al., Cache Attacks and Countermeasures: the Case of AES, CT-RSA 2006 in-memory tables T i source: wikimedia 9

10 SGX Vulnerabilities Running Example: Osvik et al., Cache Attacks and Countermeasures: the Case of AES, CT-RSA 2006 T i R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] T i 10

11 SGX Vulnerabilities Running Example: Osvik et al., Cache Attacks and Countermeasures: the Case of AES, CT-RSA 2006 T i R 6 = read T i [0] cmp 0, x j R 5 = cmov R 6 R 0 = xor R 0, R 5 T i low indistinguishable data access pattern embedded into low indistinguishable control flow 11

12 SGX Vulnerabilities Running Example: Osvik et al., Cache Attacks and Countermeasures: the Case of AES, CT-RSA 2006 disable preemptions R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] enable preemptions T i T i 12

This talk Re-investigate delayed-preemption: How can we allow user-level applications (in enclaves) to disable preemptions without being able to

13 This talk Re-investigate delayed-preemption: How can we allow user-level applications (in enclaves) to disable preemptions without being able to monopolizing the system? How can we prevent solicited exits through which the management OS could regain control? How can we translate delayedpreemption to Intel SGX? 13

14 This talk disable preemptions R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] enable preemptions How can we prevent solicited exits in sensitive code? How can we make sure the enclave enables preemptions again? 14

15 This talk disable preemptions prepare if preempted goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] enable preemptions How can we prevent solicited exits in sensitive code? How can we make sure the enclave enables preemptions again? 15

16 Delayed Preemption in a Trusted-Trustworthy Hypervisor user / enclave mode kernel mode time disable all interrupts except timer execute delayed preemptions program timer to max_tolerable_delay inform app about pending preemption: p = 1 16

17 Delayed Preemption in a Trusted-Trustworthy Hypervisor user / enclave mode kernel mode max_tolerable_delay disable all interrupts except timer program timer to max_tolerable_delay inform app about pending preemption: p = 1 time execute delayed preemptions 17

18 Delayed Preemption in a Trusted-Trustworthy Hypervisor sensitive code user / enclave mode kernel mode time max_tolerable_delay 18

19 Delayed Preemption in SGX xapic register sensitive code user / enclave mode kernel mode time max_tolerable_delay 19

20 Delayed Preemption in SGX xapic register not virtualizable sensitive code user / enclave mode kernel mode max_tolerable_delay xapic: set timer on first preemption; don t interrupt application time local xapic register; write only in kernel mode (i.e., not in enclave mode) 20

21 Solicited Exits disable preemptions prepare if preempted goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] enable preemptions 21

22 Solicited Exits retry: xapic.d = 1; prepare if (p = 1) goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] xapic.d = 0 // if (xapic.p = 1) -> AEX Trigger all such exits during non-sensitive prepare phase; Set p flag to make code aware of these exits; Context switch p flag as part of enclave state How to prevent solicited exits in sensitive code? data / instruction page-faults lazy FPU context switch power management device virtualization max_tolerable_delay 22

23 Solicited Exits data / instruction TLB f g T 0 T 1 T 2 T 3 retry: d = 1; //prepare call pg(f) call pg(g) or $0, [pg(t 0 )] or $0, [pg(t 1 )] or $0, [pg(t 2 )] or $0, [pg(t 3 )] if (p = 1) goto retry set p-flag on instruction / data pagefault Recall: cross-cpu page-table changes require IPIs to shootdown TLBs 23

24 Solicited Exits retry: xapic.d = 1; prepare if (p = 1) goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 read T i [0] read T i [n] xapic.d = 0 // if (xapic.p = 1) -> AEX max_tolerable_delay How to prevent solicited exits in sensitive code? data / instruction page-faults lazy FPU context switch power management device virtualization access pages / FPU; check p-flag report power state access device MMIO / ports; check p-flag check max_tolerable_delay > WCET(prepare + sensitive) of current power state 24

25 Concurrency Bugs Cannot fix concurrency bugs by delaying preemptions Avoid widening the window of vulnerability disable preemptions free object invalidate pointer enable preemptions disable preemptions if (pointer) use object enable preemptions 25

26 This talk in one slide intransitive trust: enabler for TCB reduction legacy Player Legacy OS Resource Mgmt Stub FS Driver secure VPFS secure En-/Decryption Codec Framebuffer Mgr. Intel SGX Inktag Hoffmann et al. 13 microhypervisor ARM Trustzone / M3 Manycore + DTUs Asmussen, Völp, ASPLOS 16 CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg PEARL Grant FNR/P14/ Paulo Esteves-Veríssimo We are hiring bright post-docs and research associates! 26

27 This talk in one slide intransitive trust: enabler for TCB reduction legacy Legacy OS Driver Player Resource Mgmt Stub FS Intel SGX secure delayed-preemption mechanism prevents widening attack windows disable preemptions VPFS secure prepare Codec if preempted goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 Inktag read Hoffmann T et al. 13 i [0] microhypervisor read ARM Trustzone T i [n] / enable preemptions En-/Decryption Framebuffer Mgr. M3 Manycore + DTUs Asmussen, Völp, ASPLOS 16 CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg PEARL Grant FNR/P14/ Paulo Esteves-Veríssimo We are hiring bright post-docs and research associates! 27

28 This talk in one slide intransitive trust: enabler for TCB reduction legacy Legacy OS Driver Player Resource Mgmt Stub FS Intel SGX secure delayed-preemption mechanism prevents widening attack windows disable preemptions VPFS secure prepare Codec if preempted goto retry R 5 = read T i [x j ] R 0 = xor R 0, R 5 Inktag read Hoffmann T et al. 13 i [0] microhypervisor read ARM Trustzone T i [n] / enable preemptions En-/Decryption Framebuffer Mgr. and it can be integrated in SGX user / enclave M3 mode kernel mode Manycore + DTUs Asmussen, Völp, ASPLOS 16 xapic register sensitive code max_tolerable_delay xapic: set timer on first preemption; don t interrupt application not virtualizable time local xapic register; write only in kernel mode (i.e., not in enclave mode) CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg PEARL Grant FNR/P14/ Paulo Esteves-Veríssimo We are hiring bright post-docs and research associates! 28

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races CS 563 Young Li 10/31/18 Intel Software Guard extensions (SGX) and Hyper-Threading What is Intel SGX? Set of