Intel Software Guard Extensions

Size: px

Start display at page:

Download "Intel Software Guard Extensions"

Maximilian Cross
6 years ago
Views:

1 Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July 12 th 2017 cryptovision Mindshare, Gelsenkirchen

2 Intel SGX Making Headlines Premium Content requiring Intel SGX on PC Intel SGX is enabling companies to deliver security technologies that span the enterprise spectrum 2

3 Intel SGX Analogy: Safe in Hotel Room Hotel Safe Space for only few (sensitive) items Secure even in a catastrophic event IT Secure data in Trusted Execution Environment (TEE) Intel SGX = TEE 3

4 Intel Software Guard Extensions (SGX) New HW instructions (Intel 6th Gen Core onward) Run code & protect secrets in Trusted Execution Environment (TEE) Prevent HW attacks (memory, bus, cold boot, ) Prevent SW attacks (Ring 0, BIOS, VMM, SMM, ) Support HW Assisted Remote Attestation Measure and verify valid code and data signatures Apps run within OS environment Familiar development and debug tools Low learning curve for developers 4

5 Why Aren t Platforms Trustworthy? Protected Mode (rings) protects OS from apps App App OK Protected Mode OS 5

6 Why Aren t Platforms Trustworthy? Protected Mode (rings) protects OS from apps App App OK Protected Mode OS and apps from each other 6

7 Why Aren t Platforms Trustworthy? Protected Mode (rings) protects OS from apps App Malicious App OK Protected Mode Bad Code OS Attack OS attack and apps from each other UNTIL a malicious app exploits an OS flaw to gain full privileges and then tampers with the OS or other apps 7

8 Why Aren t Platforms Trustworthy? Protected Mode (rings) protects OS from apps App Malicious App OK Protected Mode Bad Code OS Attack OS attack and apps from each other UNTIL a malicious app exploits an OS flaw to gain full privileges and then tampers with the OS or other apps Applications are not protected from privileged code attacks 8

9 Allowing App Developers to Secure Code & Data Intel SGX provides safe place for code and data in the application Enclave(s) App Malicious App OK Protected Mode Bad Code OS Attack OS attack Undetected malicious software cannot access secrets Secrets protected from bad actors with access to the platform Need a safe as well as guards 9

10 Protection Against Memory Snooping Attacks CPU Package Cores Cache System Memory 10

11 Protection Against Memory Snooping Attacks CPU Package Cores 1. Security perimeter is the CPU package boundary Cache AMEX: System Memory 11

12 Protection Against Memory Snooping Attacks CPU Package Cores AMEX: Cache System Memory 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 12

13 Protection Against Memory Snooping Attacks CPU Package Cores Cache AMEX: AMEX: System Memory Jco3lks937weu0cwejpoi9987v80we 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted and integrity checked 13

Protection Against Memory Snooping Attacks CPU Package Cores Cache AMEX: 3234- AMEX: 134584-3234-

Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3.

14 Protection Against Memory Snooping Attacks CPU Package Cores Cache AMEX: AMEX: System Memory Jco3lks937weu0cwejpoi9987v80we Snoop 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted and integrity checked 4. External memory reads and bus snoops see only encrypted data Snoop 14

15 Attesting and Provisioning Sensitive Data Why trust client app and share data? Remote Attestation (RA) Remote Attestation has 2 verification aspects: ISV Server verifies that the ISV client enclaves are genuine Intel Attestation Service (IAS) verifies the TCB s validity and authenticity Verification success ISV Server may trust the client and provision sensitive data 15

16 Data Sealing Intel SGX allows to seal an enclave secret using a processor derived key EGETKEY instruction HW Key Derivation Function generates a seal key which is Unique to the platform Unique to enclave ID (MRENCLAVE) OR the developer of the enclave (MRSIGNER) Unique to enclave loaded in Debuggable OR Production mode Secrets once encrypted with seal key can be safely stored to disk Sealed data cannot be decrypted on another platform 16

17 Usage Models Usage Model 1 (Client) Protect IP (Data, Execution ) from disclosure or modification Usage Model 2 (End to End) Deliver app from server to endpoint Maintain IP protection standards determined by the point of service Usage Model 3 (Datacenter) Prove that datacenter has no ability to observe or tamper with app IP has not permitted other applications to do so 17

18 Use Case for Intel SGX: Securing Biometric Data and Matching Algorithm Intel SGX default Sensor Sensor Biometric Data Biometric Data Tokenization Match Enclave (SGX) Matching Algorithm and Biometric Template (User-specific) LOCAL Identity Assertion (User-specific) REMOTE TLS/SSL Session Match (Y/N) LOCAL Matching Algorithm REMOTE TLS/SSL Session Identity Assertion (User-specific) Match (Y/N) Biometric Template (User-specific) Authentication Response Authentication Response 18

19 Summary Intel Software Guard Extensions (SGX) Provide applications ability to keep a secret Capability provided by new HW instructions Provide confidentiality and integrity Resists HW & SW attacks Applications run within the OS environment Low learning curve for application developers 19

21 Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July cryptovision Mindsphere, Gelsenkirchen

22 Additional Information Intel Developer Zone Intel SGX Landing Zone: Intel SGX SDK for Windows: Articles and Whitepapers Blogs 22

Trusted Libs Trusted Libraries Documentation Reference

23 Intel SGX Software Stack Intel SGX SDK Intel SGX Application Tools & Extensions Untrusted Part Untrusted Libs Enter/Exit Enclave Trusted Libs Trusted Libraries Documentation Reference Applications Enclave Loader Intel SGX Platform SW Intel Provided Trusted Services

24 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave 1. Enclave built & measured 24

25 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Intel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 25

26 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Intel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 26

27 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 27

28 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed including enclave identity information) 3. REPORT sent to server & verified 28

29 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 4. Application Key sent to enclave; first secret can be securely provisioned 29

30 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 4. Application Key sent to enclave; first secret can be securely provisioned 30

Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2.

31 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 4. Application Key sent to enclave; first secret can be securely provisioned 5. Enclave-platform-specific Sealing Key generated (EGETKEY) 31

32 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 4. Application Key sent to enclave; first secret can be securely provisioned 5. Enclave-platform-specific Sealing Key generated (EGETKEY) 6. Application Key encrypted via Sealing Key & stored for later (offline) use 32

33 Attestation and Sealing Client Application Service Provider Intel Attestation Service Enclave Authenticated Channel 1. Enclave built & measured 2. Enclave requests REPORT (HW-signed blob including enclave identity information) 3. REPORT sent to server & verified 4. Application Key sent to enclave; first secret can be securely provisioned 5. Enclave-platform-specific Sealing Key generated (EGETKEY) 6. Application Key encrypted via Sealing Key & stored for later (offline) use 33

CIS 4360 Secure Computer Systems SGX

CIS 4360 Secure Computer Systems SGX Professor Qiang Zeng Spring 2017 Some slides are stolen from Intel docs Previous Class UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure