BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Similar documents
Intel Software Guard Extensions

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Crypto Background & Concepts SGX Software Attestation

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Sanctum: Minimal HW Extensions for Strong SW Isolation

CIS 4360 Secure Computer Systems SGX

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

CPS 510 final exam, 4/27/2015

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Intel SGX Virtualization

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Influential OS Research Security. Michael Raitza

SafeBricks: Shielding Network Functions in the Cloud

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Recommendations for TEEP Support of Intel SGX Technology

Lecture Embedded System Security Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Architectural Support for Copy and Tamper Resistant Software

Version:1.1. Overview of speculation-based cache timing side-channels

T-SGX: Eradicating Controlled-Channel

ROTE: Rollback Protection for Trusted Execution

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

Key Management & Protection: Evaluation of Hardware, Tokens, TEEs and MPC

Lecture Embedded System Security Introduction to Trusted Computing

Security of Embedded Systems

Iron: Functional encryption using Intel SGX

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Authenticated encryption

CS 395T. Formal Model for Secure Key Exchange


CSC 5930/9010 Cloud S & P: Cloud Primitives

Securing Cloud-assisted Services

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Binding keys to programs using Intel SGX remote attestation

SGX BigMatrix A Practical Encrypted Data Analytic Framework with Trusted Processors

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Intel Software Guard Extensions Platform Software for Windows* OS Release Notes

Trusted Platform Module explained

Computer Security CS 526

Cache Side Channel Attacks on Intel SGX

: Practical Cryptographic Systems March 25, Midterm

Cryptographically Sound Implementations for Typed Information-Flow Security

Lecture 18 - Chosen Ciphertext Security

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Encrypted Data Deduplication in Cloud Storage

Secure Remote Storage Using Oblivious RAM

TRUSTED COMPUTING TECHNOLOGIES

Intel Software Guard Extensions (Intel SGX) Developer Guide

Micro-Architectural Attacks and Countermeasures

Feedback Week 4 - Problem Set

Hardware Enclave Attacks CS261

Cryptography: More Primitives

Searchable Encryption Using ORAM. Benny Pinkas

OS Security IV: Virtualization and Trusted Computing

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

From Crypto to Code. Greg Morrisett

Side Channels and Runtime Encryption Solutions with Intel SGX

Homomorphic Encryption. By Raj Thimmiah

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Security Fundamentals

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Refining Computationally Sound Mech. Proofs for Kerberos

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage

InkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CSC 5930/9010 Modern Cryptography: Digital Signatures

Information Security CS526

Eleos: Exit-Less OS Services for SGX Enclaves

Order-Revealing Encryption:

Refresher: Applied Cryptography

MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Cryptography. Andreas Hülsing. 6 September 2016

Secure Set Intersection with Untrusted Hardware Tokens

CSE 565 Computer Security Fall 2018

Lecture Embedded System Security Introduction to Trusted Computing

Structured Encryption

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Introduction to Security and User Authentication

CSE 127: Computer Security Cryptography. Kirill Levchenko

Parallel and Dynamic Searchable Symmetric Encryption

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Transcription:

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS

DO YOU TRUST YOUR CLOUD SERVICE PROVIDER? Frequent break-ins Equifax, Yahoo, High-profile target leakages Jennifer Lawrence, Game of Thrones, Mass surveillance Snowden revelations,

ENCRYPTION? Encryption during computation still difficult Fully homomorphic encryption is too slow and too space-inefficient Multi-party computation is still slow and communication-inefficient, also doesn t fit service provider model (needs many service providers) Intel developed a hardware-supported encryption mechanism: Software Guard Extensions (SGX)

INTEL SGX WHAT IS IT?

INTEL SGX WHAT IS IT? Extension to CPU instructions introduced with Intel Skylake Isolated execution of specific parts: trusted (enclave) Small attack surface: processor + enclave Untrusted Part of App Trusted Part of App (Enclave) App App App Create Enclave Execute OS Call Trusted Func. Return VMM Privileged System Code (OS, VMM, BIOS, ) Hardware Attack Surface

INTEL SGX MEMORY PROTECTION Enclave memory is encrypted and protected against replay attacks Security perimeter is the CPU package boundary Tapping memory or BUS reveals only encrypted data CPU Package Cores Cache: unencrypted data encrypted data System Memory: encrypted data

INTEL SGX REMOTE ATTESTATION Enclave proves that the loaded code is as expected Enclave measured during creation (code is cryptographically hashed) Enclave requests REPORT (measurement signed by processor s private key) REPORT is transformed to QUOTE QUOTE is sent to remote party Remote party checks validity of QUOTE

INTEL SGX BOOTSTRAPPING ENCRYPTED COMPUTATION Load code into enclave Remotely attest integrity of code Create public-/private-key pair in encrypted memory Send public key as part of QUOTE to client Perform TLS authentication with endpoint in enclave

(SECURITY) CHALLENGES WHEN USING SGX Side channels Memory access pattern Shared Cache Resource constraints 96MB enclave (without paging) Software Vulnerabilities Hardware protection can be broken by malicious code inside the enclave

HOW TO IMPLEMENT SGX-SUPPORTED APPLICATIONS Carefully decide which parts to put into an enclave Resource efficient design Small code base ( small number of errors) Useful in many application contexts

IN THIS TALK SGX-supported implementation of a database index Benny Fuhry, Benny Fuhry, Raad Bahmani, Ferdinand Brasser, Florian Hahn, Florian Kerschbaum, Ahmad-Reza Sadeghi. HardIDX: Practical and Secure Index with SGX (DBSEC 2017 Best Paper Award) SGX-supported implementation of generic encrypted computation Andreas Fischer, Benny Fuhry, Florian Kerschbaum, Eric Bodden. Computation on Encrypted Data using Data Flow Authentication

HARDIDX: A SECURE INDEX WITH SGX

OBJECTIVES Search for values and ranges in in untrusted environment Much faster, but less secure than Fully Homomorphic Encryption Faster and as secure as Searchable Encryption As fast as, but more secure than Order Preserving Encryption Small code base in Trusted Execution Environment

BUILD SECURE INDEX SECURE B + -TREE Supports point and range queries Contains key-value pairs Typical index structure for databases and file systems Branching factor: maximal number of children Special case: unchained leaf nodes

ATTACKER MODEL Attacker controls all software (e.g., OS, firmware, BIOS) observes all interactions between untrusted and trusted part uses page-fault side channel to observe access pattern uses cache side channel to learn about code path and data access

CONSTRUCTION 1 Idea: data stored and processed completely inside SGX enclave

CONSTRUCTION 1 - PROBLEM Usable enclave memory limited to 96MB Paging leads to performance problems B+-Tree only small part of full DBMS

CONSTRUCTION 2 Idea: only load required nodes into enclave Space-Time Trade-Off Constant enclave memory for arbitrary tree size Additional decryption step in enclave

CONSTRUCTION 2 IDEA OF SECURITY PROOF CKA2-HW-security: Define leakage of the construction Simulator is able to simulate the adversary's view of the enclave-(untrusted) application interaction given only leakage Our leakage: Amount of values, size of each value, amount of nodes in tree Storage position of all nodes that get accessed at traversal Pointers to result values together with the leaf nodes in which these pointers are stored Example tree access pattern for two snapshots (R = [33,55])

SGX SIDE-CHANNELS Proof considers side channels External resource access: proof considers interactions between untrusted and trusted part Page-fault side channel: construction does not reveal additional information (nodes smaller than one page) Cache side channel: nodes are completely traversed and implementation is data independent

MICRO BENCHMARKS COMPARISON OF CONSTRUCTIONS Setting: 1.000.000 key-value pairs 1000 randomly selected ranges Different result set sizes Performance factors: Processor mode switch: Construction 1 < Construction 2 Data transfer: result set and query at Construction 1, additionally nodes at Construction 2 Access to plain data: one time effort at Construction 1, per node and query at Construction 2 Effects diminish compared to search time of algorithm

MICRO-BENCHMARKS MEMORY MANAGEMENT Setting 1.000 randomly chosen queries with result set size of 100 Different branching factors, different tree sizes Main finding: Sharp increase above a tree size of 10 6 at Construction 1 Explanation: The lower the branching factor, the higher the number of accesses to different memory pages Swapping is very costly

WHAT WE ACHIEVED An encrypted index That is even faster than naïve full-memory SGX encryption for large databases Security roughly comparable to searchable encryption that considers side-channels in a formal model

DFAUTH: COMPUTATION ON ENCRYPTED DATA WITH DATA FLOW AUTHENTICATION

THERE IS A THIRD APPROACH Fully Homomorphic Encryption Partial Encryption MRCrypt JCrypt AutoCrypt Hardware Support (SGX)

IDEA OF PARTIAL ENCRYPTION Encrypt using scheme that supports required operation Addition partially homomorphic encryption Multiplication (other) partially homomorphic encryption Comparison searchable encryption Etc. Partially leak information about execution In our case: Control-flow

PROBLEM Use of different encryption scheme requires conversion SGX enables conversion without communication with client Main application remains untrusted SGX can be used as a conversion oracle (calls to SGX cannot be authenticated) Partial leakage can be quickly amplified into full leakage (binary search) by active adversary that controls program execution

OBJECTIVE Limit leakage to only intended leakage (control flow) Approach: Data Flow Authentication

HASE: HOMOMORPHIC AUTHENTICATED SYMMETRIC ENCRYPTION KeyGen(): evaluation key ek, secret key sk Executed at client Encrypt(sk, Message m, Identifier i): ciphertext c Executed at client and inside enclave Evaluate(ek, {c1, c2,, cn}): ciphertext c Execute at server by untrusted application Derive(sk, {i1, i2,, in}): label l Executed at compile time Decrypt(sk, Ciphertext c, Label l): message m or error symbol Executed inside enclave and at client

UNFORGEABILITY HASE-UF-CPA: Unforgeability Loosely speaking: The adversary cannot decrypt unless the label was computed by Derive()

DATA FLOW AUTHENTICATION: EXAMPLE 1. Conversion to single static assignment (SSA) form Assigned variable is unique label 2. Type inference add: Addition using HASE mul: Multiplication using HASE cmp: Comparison in trusted module 3. Insertion of type conversions (trusted module calls) Example Code Before Step 1

STEP 1 1. Conversion to single static assignment (SSA) form Assigned variable is unique label 2. Type inference add: Addition using HASE mul: Multiplication using HASE cmp: Comparison in trusted module 3. Insertion of type conversions (trusted module calls) Example Code After Step 1 phi: Specially interpreted merge function combining the values of two assignments.

STEP 2 & 3 1. Conversion to single static assignment (SSA) form Assigned variable is unique label 2. Type inference add: Addition using HASE mul: Multiplication using HASE cmp: Comparison in trusted module 3. Insertion of type conversions (trusted module calls) Example Code After Step 3 phi: Specially interpreted merge function combining the values of two assignments.

CONVERSION ROUTINE IN SGX Client sends to secure enclave Secret keys sk Mapping: assigned variable HASE label On conversion request for variable x Retrieves HASE label Decrypts using HASE label On decryption error halts Returns ciphertext in new encryption scheme (or comparison result)

SECURITY Given Program P Memory locations M 1 and M 2 Classified memory locations C Non-interference under declassification P(M 1 C) = P(M 2 C)

ENCRYPTED COMPUTATION A. Generate Keys B. Comp. Program C. Deploy Program (Remote Attestation) Trusted Module 1. Encrypt Inputs 2. Send Ciphertexts 5. Verify Result Client 4. Send (Encrypted) Result 3. Exec. Program Server (Untrusted)

CASE STUDY: DEEP LEARNING Application of DFAuth technique to the Neuroph framework (Java, floating point numbers) Breast cancer neural network (image recognition) Encryption ensures protection of Input neurons (image being classified) Network weights (intellectual property) Output neurons (result of classification) Implementation of trusted module using Intel SGX Time to perform evaluation of network on encrypted inputs: 0.86s (slowdown: ca. 675x)

WHAT WE ACHIEVED Performance Much faster than Fully Homomorphic Encryption Slower than SGX-only encryption Security More leakage than Fully Homomorphic Encryption Compared to SGX-only encryption small and program-independent trusted code base

CONCLUSION: ENCRYPTED COMPUTATION IN SGX Small (and trustworthy) code base is key Program-independence is achievable Careful design for ALL side-channel is needed Resource optimization offers intriguing trade-offs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback