TRUSTED COMPUTING TECHNOLOGIES TEE = Trusted Execution Environment Mandatory reading Innovative Instructions and Software Model for Isolated Execution, Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos Rozas, Hisham Shafi, Vedvyas Shanbhogue and Uday Savagaonkar, Intel Corporation Enhanced Privacy ID (EPID), DrDobbs, E Brickell, 2009 Mobile Trusted Computing, Ansokan et all EITN050 1 EITN050 2 TEE Architecture in a device TEE in mobile device EITN050 3 EITN050 4
Techniques to realize TEE Recall ARM TrustZone (Lect 6) Intel SGX SGX - ENCLAVES Software Guard extensions EITN050 5 EITN050 6 Overview SGX in a new technology introduced in Intel chipsets SGX architecture includes 17 new instructions, new processor structures and a new mode of execution. These include loading an enclave into protected memory, access to resources via page table mappings, and scheduling the execution of enclave enabled application. Thus, system software still maintains control as to what resources an enclave can access. An application can be encapsulated by a single enclave or can be decomposed into smaller components, such that only security critical components are placed into an enclave. Enclaves Enclaves are isolated memory regions of code and data One part of physical memory (RAM) is reserved for enclaves and is called Enclave Page Cache (EPC) EPC memory is encrypted in the main memory (RAM) EPC is managed by OS/VMM Trusted hardware consists of the CPU Die only EITN050 7 EITN050 8
Protected Mode (rings) protects Reduced attack surface with SGX App execute? O K?? App Application gains ability to defend is own secrets Smaller attack suface (App+processor) Malware that subverts OS or VMM, BIOS, Drivers cannot steal app secrets App App App Priviledged Code OS 1 OS from App 2 And from other Apps But Apps are not protect malware attacks on OS VMM Hardware EITN050 9 EITN050 10 SGX Programming Environment Protected execution environment embedded in a process OS Enclave (DLL) Enclclave data User process Enclave code Enclclave data TCS (*n) Enclave With its own code and data Provide confidentiality and integrity protection With controlled entry points Support for multiple threads With full access to app memory TCS= Thread Control Structure EITN050 11 The Enclave Page Cache (EPC) is protected memory used to store enclave pages and SGX structures. The EPC is divided into 4KB chunks called an EPC page. The Enclave Page Cache Map (EPCM) is a protected structure used by the processor to track the contents of the EPC. EITN050 12
Protection against Memory Snooping Attestation and Sealing Cores Cache attacks SYSTEM MEMORY 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted/integrity protected, 4. External memory reads and bus snoops tapping gives access to encrypted Attest an application on remote platform Check the integrity of enclave (hash of code/data pages) Verify whether enclave is running on real SGX CPU Can establish a secure channel between enclaves EITN050 13 EITN050 14 Creation Using EITN050 15 EITN050 16
Example: Life-cycle of enclave SW Intel SGX-enabled software does not ship with sensitive data. After the software is installed, it contacts the service provider to have data remotely provisioned to the enclave.. 1. Enclave Launch The untrusted application launches the enclave environment to protect the service provider's software. While the enclave is built, a secure log is recorded, the enclave s "Measurement. 2. Attestation The enclave contacts the service provider to have its sensitive data provisioned to the enclave. The platform produces a secure assertion that identifies the hardware environment and the enclave. EITN050 17 Example: Life-cycle of enclave SW 3. Provisioning The service provider assesses the trustworthiness of the enclave. It uses the attestation to establish secure communication and provision sensitive data to the enclave. Using the secure channel, the service provider sends the data to the enclave. 4. Sealing/Unsealing The enclave uses a persistent hardwarebased encryption key to securely encrypt and store its sensitive data in a way that ensures the data can be retrieved only when the trusted environment is restored. 5. Software Upgrade Enclave software updates might be required by the service provider. To streamline the migration of data from an older software version to the newer version, the software can request seal keys from older versions to unseal the data and request the new version s seal so that the sealed data won t be available to previous versions of the software. EITN050 18 Identities Identifier (name, number, etc) Namespace (set of identifiers) A secure/trustworthy description that links a credential to an identifier can be seen as the/a IDENTITY Credential (use to carryout a proof of possession) Examples: IMSI - Key in SIM card Username password Socialnumber - BankId Zero-knowledge proof Example: Discrete log over GF(q), q prime Patricia (prover) wants to prove to Vera (verifier) that she knows the logarithm of y=g x mod p (that is x) WITHOUT Vera giving x or let her learn anything about x. Protocols that achieve this are called zero-knowledge proofs. g x Patricia protocol Is the proof Vera At the end Vera is convinced Patricia knows x, but she learnt nothing about x EITN050 19 You will learn about these protocols in Advanced Web Security EITN050 20
EPID identities in SGX Public EPID setup To support attestation SGX can use EPID identities One group public key corresponds to multiple private keys Each unique private key can be used to generate a signature Signature can be verified using the group public key Secret key 1 message sign Secret key 2 epid signature EITN050 21 Secret key n message, epid signature verify Ok / Not Ok Knows issuer secret Join Each Member obtains a unique EPID private key Knows private key Sign Signs a message using his private key and outputs an EPID signature Issuer Member EPID group public key Verifier Verify Verifies EPID signature using the group public key http://csrc.nist.gov/groups/st/pec2011/presentations2011/b EITN050 22 Privacy properties for EPID Unlinkability EPID key issuing can be blinded Issuer does not need to know Member Private Key EPID signatures are anonymous EPID signatures are untraceable Nobody including the issuer can open an EPID signature and identify the member Facts Details of EPID are complicated see the DrDobbs article on EPID for an overview. EPID construction is based on admissible bilinear map functions, that is mappings e: G1 x G2 GT that satisfy the following A construction of e: Tate pairing using elliptic curves over GF(q) For all u G1, v G2, and for all integers a, b, the equation e(u a, v b ) = e(u, v) ab holds. Unlinkability property depends upon Base B Signature includes a pseudonym B f where B is base chosen for a signature and revealed during the signature f is unique per member and private Random base: Pseudonym R f where R is random signatures are unlinkable Name base: Pseudonym N f all where N is a name of verifier Signatures still unlinkable for different verifiers Signatures using common N are linkable EITN050 23 EITN050 24
Revocation in EPID Private key revocation (Revealed Key List, PRIV-RL) Ex: Private key is corrupted and is published Revocation check performed by verifier Verifier Local Revocation using name base Ex: Verifier can revoke a Pseudonym for his name (N f ) Revocation check performed by verifier Signature based revocation (Signature Revocation List, SIG-RL) Issuer and/or verifier decide that they no longer want to accept signatures from whatever signed a revoked message with pseudonym B f For each future signature, Member signs as normal Member proves he didn t sign the revoked message Member proves his pseudonym with base B is not B f Retains same anonymity and unlinkability properties http://csrc.nist.gov/groups/st/pec2011/presentations2011/b EITN050 25 SGX Summary SGX provides any application the ability to isolate itself and to keep a secret even from the root Application can support multiple enclaves Provides integrity and confidentiality Resists hardware attacks Prevent SW attacks (also for priviledged software and SMM Applications run within OS Application writing is essentially as without SGX Identity (EPID) solution for attestation Resource managed by SW HW components are supported in a driver or OS EITN050 26 refs Innovative Instructions and Software Model for Isolated Execution, Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos Rozas, Hisham Shafi, Vedvyas Shanbhogue and Uday Savagaonkar, Intel Corporation ARM TRUSTZONE See also Youtube video on SGX (in Literature list) Innovative Technology for CPU Based Attestation and Sealing, Ittai Anati, Shay Gueron, Simon P Johnson, Vincent R Scarlata, Intel Corporation EITN050 27 EITN050 28
Samung Knox: so what is TrustZone? ARM standard approach Operating System Kernel/Services Protection rings Dedicated instructions memory space Privileged mode Supervisor mode Applications User mode EITN050 29 EITN050 30 Separation of sensitive ops and data Since too much code in running in user space and even in the privileged space: Security problem for applications Operating System Kernel/Services Protection rings Dedicated instructions memory space Sensitive applications and data cannot be given good guarantees that other running code cannot tamper or get access. Privileged mode Supervisor mode Applications App1 App2 User mode EITN050 31 EITN050 32
ARM TrustZone A special mode of operation for the ARM11 processor Divides the SoC into normal world and secure world Normal world Secure world Basic idea Introduce an NS-bit (and handling HW) use this bit to tag secure data throughout system Buses cache pages Monitor (SW) manages the NS-bit manages transition in & out of security mode Small fixed API (so we can better check/verify the code) New instruction to make a monitor call: SMC (Secure Monitor Call) Note: compare this to the ordinary SVC call to make a call to kernel code, i.e. transition from userspace to privileged EITN050 33 EITN050 34 Switching from Normal to Secure Access control userspace userspace TrustZone HW Normal application Secure Service Normal world cannot access Secure world owned objects Secure world can access any object if privilege allows it. Ring architecture priviledged Normal Normal OS Monitor Secure Kernel priviledged Switching is expensive Secure Secure drivers Secure device Boot loader Code can execute as privileged(p) or unprivileged (U) ( or user mode). Unprivileged execution limits or excludes access to some resources. Privileged execution has access to all resources. The basic rule is that if the current privilege is unprivileged mode, it cannot access the memories whose corresponding page structure has U/P bit clear. In other words, an unprivileged mode task or program cannot read (write, or fetch) access to the memory that belongs to supervisor or privileged mode. EITN050 35 EITN050 36
TrustZone uses Hardware features - Example System Other memory space protection: NX Memory space for data can be marked as not executable. This executable space protection often called NX (NoeXecute) or as XD (execute Disable), An OS can use this feature by marking some region of memory spaces not executable. Typical use: stack or heap memory space may be marked as NX. This helps to prevent certain buffer-overflow exploits from succeeding, particularly those that inject code and execute in controlled stack or heap space. EITN050 37 EITN050 38 Trustzone in embedded CPU systems Beware it does not work exactly the same. Especially the switching in and out the secure world has been redesigned (basically now via HW). ARM TrustZone in mbed (coming soon) http://www.mbed.com EITN050 39