TRUSTED COMPUTING TECHNOLOGIES

Similar documents
CIS 4360 Secure Computer Systems SGX

Intel Software Guard Extensions

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Recommendations for TEEP Support of Intel SGX Technology

Intel Software Guard Extensions (Intel SGX) SGX2

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Binding keys to programs using Intel SGX remote attestation

Sealing and Attestation in Intel Software Guard Extensions (SGX)

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Trustzone Security IP for IoT

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions

Sanctum: Minimal HW Extensions for Strong SW Isolation

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Direct Anonymous Attestation

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

A Developer's Guide to Security on Cortex-M based MCUs

Embedded System Security Mobile Hardware Platform Security

Embedded System Security Mobile Hardware Platform Security

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Designing Security & Trust into Connected Devices

Crypto Background & Concepts SGX Software Attestation

Security of Embedded Systems

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Intel s s Security Vision for Xen

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

Lecture Embedded System Security Trusted Platform Module

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Intel SGX Virtualization

Cache Side Channel Attacks on Intel SGX

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

Influential OS Research Security. Michael Raitza

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

ROTE: Rollback Protection for Trusted Execution

Intel Software Guard Extensions (Intel SGX)

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

Operating System Security

OP-TEE Using TrustZone to Protect Our Own Secrets

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Resilient IoT Security: The end of flat security models

How to protect Automotive systems with ARM Security Architecture

Intel Software Guard Extensions (Intel SGX) Developer Guide

Designing Security & Trust into Connected Devices

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Designing Security & Trust into Connected Devices

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Isolating Operating System Components with Intel SGX


ARM Security Solutions and Numonyx Authenticated Flash

Attestation Service for Intel Software Guard Extensions (Intel SGX): API Documentation. Revision: 3.0

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Breaking Hardware Wallets

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Jian Liu, Sara Ramezanian


Enforcing Trust in Pervasive Computing. Trusted Computing Technology.

CS3235 Seventh set of lecture slides

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Windows IoT Security. Jackie Chang Sr. Program Manager

0x1A Great Papers in Computer Security

Lecture 3 MOBILE PLATFORM SECURITY

Bromium: Virtualization-Based Security

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

OS Security IV: Virtualization and Trusted Computing

Flicker: An Execution Infrastructure for TCB Minimization

CPS 510 final exam, 4/27/2015

The Next Steps in the Evolution of Embedded Processors

Amanda Lowe Director Product Marketing WindRiver, an Intel Company

Tailoring TrustZone as SMM Equivalent

TPM v.s. Embedded Board. James Y

Fundamentals of HW-based Security

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Connecting Securely to the Cloud

Verifiable Anonymous Identities and Access Control in Permissioned Blockchains

Building Trust Despite Digital Personal Devices

Mobile Platform Security Architectures A perspective on their evolution

ENEE 459-C Computer Security. Security protocols

On the Revocation of U-Prove Tokens

Digital Multi Signature Schemes Premalatha A Grandhi

ENEE 459-C Computer Security. Security protocols (continued)

Date: 13 June Location: Sophia Antipolis. Integrating the SIM. Dr. Adrian Escott. Qualcomm Technologies, Inc.

An Introduction to Platform Security

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Secure Programming with Intel SGX and Novel Applications

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

A Proposed Standard for Entity Attestation draft-mandyam-eat-00. Laurence Lundblade. November 2018

Transcription:

TRUSTED COMPUTING TECHNOLOGIES TEE = Trusted Execution Environment Mandatory reading Innovative Instructions and Software Model for Isolated Execution, Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos Rozas, Hisham Shafi, Vedvyas Shanbhogue and Uday Savagaonkar, Intel Corporation Enhanced Privacy ID (EPID), DrDobbs, E Brickell, 2009 Mobile Trusted Computing, Ansokan et all EITN050 1 EITN050 2 TEE Architecture in a device TEE in mobile device EITN050 3 EITN050 4

Techniques to realize TEE Recall ARM TrustZone (Lect 6) Intel SGX SGX - ENCLAVES Software Guard extensions EITN050 5 EITN050 6 Overview SGX in a new technology introduced in Intel chipsets SGX architecture includes 17 new instructions, new processor structures and a new mode of execution. These include loading an enclave into protected memory, access to resources via page table mappings, and scheduling the execution of enclave enabled application. Thus, system software still maintains control as to what resources an enclave can access. An application can be encapsulated by a single enclave or can be decomposed into smaller components, such that only security critical components are placed into an enclave. Enclaves Enclaves are isolated memory regions of code and data One part of physical memory (RAM) is reserved for enclaves and is called Enclave Page Cache (EPC) EPC memory is encrypted in the main memory (RAM) EPC is managed by OS/VMM Trusted hardware consists of the CPU Die only EITN050 7 EITN050 8

Protected Mode (rings) protects Reduced attack surface with SGX App execute? O K?? App Application gains ability to defend is own secrets Smaller attack suface (App+processor) Malware that subverts OS or VMM, BIOS, Drivers cannot steal app secrets App App App Priviledged Code OS 1 OS from App 2 And from other Apps But Apps are not protect malware attacks on OS VMM Hardware EITN050 9 EITN050 10 SGX Programming Environment Protected execution environment embedded in a process OS Enclave (DLL) Enclclave data User process Enclave code Enclclave data TCS (*n) Enclave With its own code and data Provide confidentiality and integrity protection With controlled entry points Support for multiple threads With full access to app memory TCS= Thread Control Structure EITN050 11 The Enclave Page Cache (EPC) is protected memory used to store enclave pages and SGX structures. The EPC is divided into 4KB chunks called an EPC page. The Enclave Page Cache Map (EPCM) is a protected structure used by the processor to track the contents of the EPC. EITN050 12

Protection against Memory Snooping Attestation and Sealing Cores Cache attacks SYSTEM MEMORY 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted/integrity protected, 4. External memory reads and bus snoops tapping gives access to encrypted Attest an application on remote platform Check the integrity of enclave (hash of code/data pages) Verify whether enclave is running on real SGX CPU Can establish a secure channel between enclaves EITN050 13 EITN050 14 Creation Using EITN050 15 EITN050 16

Example: Life-cycle of enclave SW Intel SGX-enabled software does not ship with sensitive data. After the software is installed, it contacts the service provider to have data remotely provisioned to the enclave.. 1. Enclave Launch The untrusted application launches the enclave environment to protect the service provider's software. While the enclave is built, a secure log is recorded, the enclave s "Measurement. 2. Attestation The enclave contacts the service provider to have its sensitive data provisioned to the enclave. The platform produces a secure assertion that identifies the hardware environment and the enclave. EITN050 17 Example: Life-cycle of enclave SW 3. Provisioning The service provider assesses the trustworthiness of the enclave. It uses the attestation to establish secure communication and provision sensitive data to the enclave. Using the secure channel, the service provider sends the data to the enclave. 4. Sealing/Unsealing The enclave uses a persistent hardwarebased encryption key to securely encrypt and store its sensitive data in a way that ensures the data can be retrieved only when the trusted environment is restored. 5. Software Upgrade Enclave software updates might be required by the service provider. To streamline the migration of data from an older software version to the newer version, the software can request seal keys from older versions to unseal the data and request the new version s seal so that the sealed data won t be available to previous versions of the software. EITN050 18 Identities Identifier (name, number, etc) Namespace (set of identifiers) A secure/trustworthy description that links a credential to an identifier can be seen as the/a IDENTITY Credential (use to carryout a proof of possession) Examples: IMSI - Key in SIM card Username password Socialnumber - BankId Zero-knowledge proof Example: Discrete log over GF(q), q prime Patricia (prover) wants to prove to Vera (verifier) that she knows the logarithm of y=g x mod p (that is x) WITHOUT Vera giving x or let her learn anything about x. Protocols that achieve this are called zero-knowledge proofs. g x Patricia protocol Is the proof Vera At the end Vera is convinced Patricia knows x, but she learnt nothing about x EITN050 19 You will learn about these protocols in Advanced Web Security EITN050 20

EPID identities in SGX Public EPID setup To support attestation SGX can use EPID identities One group public key corresponds to multiple private keys Each unique private key can be used to generate a signature Signature can be verified using the group public key Secret key 1 message sign Secret key 2 epid signature EITN050 21 Secret key n message, epid signature verify Ok / Not Ok Knows issuer secret Join Each Member obtains a unique EPID private key Knows private key Sign Signs a message using his private key and outputs an EPID signature Issuer Member EPID group public key Verifier Verify Verifies EPID signature using the group public key http://csrc.nist.gov/groups/st/pec2011/presentations2011/b EITN050 22 Privacy properties for EPID Unlinkability EPID key issuing can be blinded Issuer does not need to know Member Private Key EPID signatures are anonymous EPID signatures are untraceable Nobody including the issuer can open an EPID signature and identify the member Facts Details of EPID are complicated see the DrDobbs article on EPID for an overview. EPID construction is based on admissible bilinear map functions, that is mappings e: G1 x G2 GT that satisfy the following A construction of e: Tate pairing using elliptic curves over GF(q) For all u G1, v G2, and for all integers a, b, the equation e(u a, v b ) = e(u, v) ab holds. Unlinkability property depends upon Base B Signature includes a pseudonym B f where B is base chosen for a signature and revealed during the signature f is unique per member and private Random base: Pseudonym R f where R is random signatures are unlinkable Name base: Pseudonym N f all where N is a name of verifier Signatures still unlinkable for different verifiers Signatures using common N are linkable EITN050 23 EITN050 24

Revocation in EPID Private key revocation (Revealed Key List, PRIV-RL) Ex: Private key is corrupted and is published Revocation check performed by verifier Verifier Local Revocation using name base Ex: Verifier can revoke a Pseudonym for his name (N f ) Revocation check performed by verifier Signature based revocation (Signature Revocation List, SIG-RL) Issuer and/or verifier decide that they no longer want to accept signatures from whatever signed a revoked message with pseudonym B f For each future signature, Member signs as normal Member proves he didn t sign the revoked message Member proves his pseudonym with base B is not B f Retains same anonymity and unlinkability properties http://csrc.nist.gov/groups/st/pec2011/presentations2011/b EITN050 25 SGX Summary SGX provides any application the ability to isolate itself and to keep a secret even from the root Application can support multiple enclaves Provides integrity and confidentiality Resists hardware attacks Prevent SW attacks (also for priviledged software and SMM Applications run within OS Application writing is essentially as without SGX Identity (EPID) solution for attestation Resource managed by SW HW components are supported in a driver or OS EITN050 26 refs Innovative Instructions and Software Model for Isolated Execution, Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos Rozas, Hisham Shafi, Vedvyas Shanbhogue and Uday Savagaonkar, Intel Corporation ARM TRUSTZONE See also Youtube video on SGX (in Literature list) Innovative Technology for CPU Based Attestation and Sealing, Ittai Anati, Shay Gueron, Simon P Johnson, Vincent R Scarlata, Intel Corporation EITN050 27 EITN050 28

Samung Knox: so what is TrustZone? ARM standard approach Operating System Kernel/Services Protection rings Dedicated instructions memory space Privileged mode Supervisor mode Applications User mode EITN050 29 EITN050 30 Separation of sensitive ops and data Since too much code in running in user space and even in the privileged space: Security problem for applications Operating System Kernel/Services Protection rings Dedicated instructions memory space Sensitive applications and data cannot be given good guarantees that other running code cannot tamper or get access. Privileged mode Supervisor mode Applications App1 App2 User mode EITN050 31 EITN050 32

ARM TrustZone A special mode of operation for the ARM11 processor Divides the SoC into normal world and secure world Normal world Secure world Basic idea Introduce an NS-bit (and handling HW) use this bit to tag secure data throughout system Buses cache pages Monitor (SW) manages the NS-bit manages transition in & out of security mode Small fixed API (so we can better check/verify the code) New instruction to make a monitor call: SMC (Secure Monitor Call) Note: compare this to the ordinary SVC call to make a call to kernel code, i.e. transition from userspace to privileged EITN050 33 EITN050 34 Switching from Normal to Secure Access control userspace userspace TrustZone HW Normal application Secure Service Normal world cannot access Secure world owned objects Secure world can access any object if privilege allows it. Ring architecture priviledged Normal Normal OS Monitor Secure Kernel priviledged Switching is expensive Secure Secure drivers Secure device Boot loader Code can execute as privileged(p) or unprivileged (U) ( or user mode). Unprivileged execution limits or excludes access to some resources. Privileged execution has access to all resources. The basic rule is that if the current privilege is unprivileged mode, it cannot access the memories whose corresponding page structure has U/P bit clear. In other words, an unprivileged mode task or program cannot read (write, or fetch) access to the memory that belongs to supervisor or privileged mode. EITN050 35 EITN050 36

TrustZone uses Hardware features - Example System Other memory space protection: NX Memory space for data can be marked as not executable. This executable space protection often called NX (NoeXecute) or as XD (execute Disable), An OS can use this feature by marking some region of memory spaces not executable. Typical use: stack or heap memory space may be marked as NX. This helps to prevent certain buffer-overflow exploits from succeeding, particularly those that inject code and execute in controlled stack or heap space. EITN050 37 EITN050 38 Trustzone in embedded CPU systems Beware it does not work exactly the same. Especially the switching in and out the secure world has been redesigned (basically now via HW). ARM TrustZone in mbed (coming soon) http://www.mbed.com EITN050 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback