Isolating Operating System Components with Intel SGX

Similar documents
A Bytecode Interpreter for Secure Program Execution in Untrusted Main Memory

CIS 4360 Secure Computer Systems SGX

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Intel Software Guard Extensions

Android. Android. Android OS Cache-Crypt. Page Cache Encryption for Protecting Android Devices against Theft

Stefan Saroiu Microsoft Research (Redmond)

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Flicker: An Execution Infrastructure for TCB Minimization

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Cache Side Channel Attacks on Intel SGX

iphone Encryption, Apple, and The Feds David darthnull.org

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

E M S C B Milestone No. I Secure Linux Hard-Disk Encryption REQUIREMENTS SPECIFICATION

Massively Parallel Hardware Security Platform

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Hardening Fingerprint Authentication Systems Using Intel s SGX Enclave Technology. Interim Progress Report

Security features for UBIFS. Richard Weinberger sigma star gmbh

Software Vulnerability Assessment & Secure Storage

SEAhawk and Self Encrypting Drives (SED) Whitepaper

Advanced Crypto. Introduction. 5. Disk Encryption. Author: Prof Bill Buchanan. Bob. Alice. Eve.

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Sanctum: Minimal HW Extensions for Strong SW Isolation

Secure Storage with Encrypted file systems

Iron: Functional encryption using Intel SGX

SGXBounds Memory Safety for Shielded Execution

Trusted Platform Module explained

Operating System Security

Endpoint security & mobility. AFSecurity, 20. May 2011

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Crypto Background & Concepts SGX Software Attestation

Enhance your Cloud Security with AMD EPYC Hardware Memory Encryption

Influential OS Research Security. Michael Raitza

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Security of Embedded Systems

Trusted Computing and O/S Security

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage

TRUSTED COMPUTING TECHNOLOGIES

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Binding keys to programs using Intel SGX remote attestation

Encrypting stored data

OS Security IV: Virtualization and Trusted Computing

MiniBox: A Two-Way Sandbox for x86 Native Code

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Hardware Enclave Attacks CS261

Dashlane Security Whitepaper

Lecture 44 Blockchain Security I (Overview)

SafeBricks: Shielding Network Functions in the Cloud

Protecting your system from the scum of the universe

Framework for Prevention of Insider attacks in Cloud Infrastructure through Hardware Security

Intel, OpenStack, & Trust in the Open Cloud. Intel Introduction

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control

Dashlane Security White Paper July 2018

Azure Sphere Transformation. Patrick Ward, Principal Solutions Specialist

Recommendations for TEEP Support of Intel SGX Technology

Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18

Simple Password-Hardened Encryption Services

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

Micro-architectural Attacks. Chester Rebeiro IIT Madras

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Module: Cloud Computing Security

Android System Development Training 4-day session

SECURITY ARCHITECTURES CARSTEN WEINHOLD

On the Practicability of Cold Boot Attacks

AMD SEV Update Linux Security Summit David Kaplan, Security Architect

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

CIS 4360 Secure Computer Systems Secured System Boot

Unicorn: Two- Factor Attestation for Data Security

Crypto for Hackers. Eijah. v1.00 August 7 th, 2015

CPS 510 final exam, 4/27/2015

I Don't Want to Sleep Tonight:

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

And Then There Were More:

CloudFleet Documentation

DIY Hosting for Online Privacy

SCONE: Secure Linux Container Environments with Intel SGX

A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM

Trusted Computing Use Cases and the TCG Software Stack (TSS 2.0) Lee Wilson TSS WG Chairman OnBoard Security November 20, 2017

Hypervisor Security First Published On: Last Updated On:

Data-at-Rest Encryption

Preventing Information Leakage from Virtual Machines Memory in IaaS Clouds

ARM Security Solutions and Numonyx Authenticated Flash

Trojan-tolerant Hardware

Password Cracking via Dictionary Attack. By Gaurav Joshi Mansi Nahar (Team: RubberDuckDebuggers)

EVT/WOTE 09 AUGUST 10, Ersin Öksüzoğlu Dan S. Wallach

Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Putting It (almost) all Together: ios Security. Konstantin Beznosov

Transcription:

SysTEX 16 Trento, Italy Isolating Operating System Components with Intel SGX Lars Richter, Johannes Götzfried, Tilo Müller Department of Computer Science FAU Erlangen-Nuremberg, Germany December 12, 2016

Motivation or Why are we here? When SGX was released we thought of what to do with it Cloud-related solutions more or less addressed already Haven and VC3 (at least on a conceptual level) Attacks on SGX (maybe yet to come) Using SGX as intended not very promising in academia What would be conceptually new and could benefit from SGX? Protecting kernel components with SGX 2

Our Background: CPU-bound Disk Encryption Schemes State-of-the-Art (software-based) FDE solutions do not protect data effectively if an adversary gains physical access! RAM CPU HDD (unencrypted) (encrypted) en/decrypt 3

Coldboot Attack Disk Encryption Key in RAM Exploit remanence effect of RAM 4

Our Background: CPU-bound Disk Encryption Schemes CPU-bound disk encryption schemes prevent coldboot attacks TRESOR [USENIX 11], TreVisor [ACNS 12], MARK [TISSEC 14] Use the x86 debug registers dr0 to dr3 as key storage Utilize SSE registers to execute the AES algorithm Key schedule is calculated on-the-fly We also implemented a solution for ARM: ARMORED [ARES 13]. SGX could help overcoming some limitations of CPU-bound encryption! 5

Why Protecting Kernel Components in General? Today s kernels have huge code bases Kernel bugs are still common (cf. DirtyCow) The largest parts of those kernels are device drivers Potentially developed from 3rd parties Not all parts can be equally trusted Shielding kernel components with SGX Only one component, e.g., a driver, is compromised Other parts like scheduler or disk encryption are still protected Challenges Limited set of allowed instructions Fixed layout and memory mappings after initialization Enclaves can only be started through Intel s LE 6

How We Imagined SGX to Work untrusted Application or Kernel Code call untrusted outside functions call trusted enclave functions persistent Storage seal data unseal data proxy functions trusted Enclave send report of enclave Attestation Provider receive attestation response Application Operating System Hypervisor Hardware no access to enclave memory is possible because of CPU protection 7

There Was One Problem However... We didn t follow one very basic rule! RTFM 8

Shielding Kernel Components Entering an enclave in ring zero is not possible We decided to move kernel functionality to user mode first Kernel Space API LKM Netlink Kernel Space User Space User Space API Daemon Sealed Data Enclave 9

Shielding Kernel Components Netlink interfaces are used for communication Between the LKM and the daemon No kernel patching is required Usable through callback messages by kernel and user space Loadable kernel module Everything on the kernel side is implemented solely within an LKM The LKM can use any kernel API available Passes certain requests to the daemon Daemon is able to offer additional functionality Relays most requests to the enclave Interacts with user space API Stores sealed data 10

Shielding Linux Full Disk Encryption (FDE) Prototype Implementation to protect one specific kernel functionality dm-crypt Crypto API Encryption LKM Netlink Kernel Space User Space Password Tool Daemon Sealed Salt Encryption Enclave 11

Protection against Physical Attacks Typical FDE solutions Protect the encryption key only by logical means By relying on isolation and separation between kernel and user space Passphrase and derived key are usually stored in main memory SGX-kernel solution Protects against physical attacks on main memory In particular against cold-boot and DMA attacks Additional salt prevents derivation of key solely from passphrase Practically stronger than CPU-bound encryption schemes 12

Workflow SGX-kernel FDE initialization sequence 1. Load the LKM and start the daemon 2. Set password for FDE using the daemon (to avoid key leaking) 3. Derive encryption key using passphrase and sealed salt (PBKDF2) 4. Establish Netlink connection between LKM and daemon SGX-kernel FDE Data Encryption and Decryption 1. The LKM registers a cipher within the Linux crypto API (currently only AES is offered by the encryption enclave) 2. Netlink callbacks are used on encryption and decryption for each block 3. The encryption or decryption request is processed by the enclave 13

Performance Test System Dell Inspiron 7559 running Ubuntu 15.10 (kernel version 4.4.7) Intel i7-6700hq CPU 16 gigabytes of main memory Seagate ST1000LM024 hard drive Performance Results for SGX-kernel FDE with AES (reading and writing speeds in MB/s) Test Plain AES SGX dd 100mb block write 107.0 104.5 1.1 hdparm uncached read 110.1 113.7 1.1 hdparm cached read 13,289.5 12,004.3 1,576.7 14

Security Security guarantees of SGX-kernel FDE All guarantees inherited from SGX enclaves in general such as protection against tampering with the kernel component The disk encryption key is always kept within the enclave and never exposed to the outside world The following components need to be obtained for a successful attack user password sealed salt (possibly stored on thumb drive) unmodified enclave which sealed the salt CPU on which the salt was sealed Not sufficient to steal the password (protects against Evil Maid attacks) 15

Conclusion Concept for isolating kernel components within Linux SGX does not work in ring zero Move functionality to user space first Not generally applicable to kernel components Exemplary implementation for Linux FDE SGX-kernel FDE Protects against cold-boot and DMA attacks Stronger than existing implementations such as TRESOR and ARMORED due to sealed salt Performance has to be improved 16

Thank you for your attention! Further Information: https://www1.cs.fau.de/sgx-kernel

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback