Intel Software Guard Extensions
Dr. Matthias Hahn, Intel Deutschland GmbH
July 12th 2017, cryptovision Mindshare, Gelsenkirchen
Intel SGX Making Headlines
Premium content requiring Intel SGX on PC. Intel SGX is enabling companies to deliver security technologies that span the enterprise spectrum.
Intel SGX Analogy: Safe in a Hotel Room
Hotel safe: space for only a few (sensitive) items; secure even in a catastrophic event.
IT: secure data in a Trusted Execution Environment (TEE). Intel SGX = TEE.
Intel Software Guard Extensions (SGX)
- New HW instructions (Intel 6th Gen Core onward)
- Run code and protect secrets in a Trusted Execution Environment (TEE)
  - Prevent HW attacks (memory, bus, cold boot, ...)
  - Prevent SW attacks (Ring 0, BIOS, VMM, SMM, ...)
- Support HW-assisted remote attestation: measure and verify valid code and data signatures
- Apps run within the OS environment: familiar development and debug tools, low learning curve for developers
Why Aren't Platforms Trustworthy?
Protected Mode (rings) protects the OS from apps, and apps from each other, UNTIL a malicious app exploits an OS flaw to gain full privileges and then tampers with the OS or other apps.
Applications are not protected from privileged code attacks.
(Diagram: App and Malicious App running above Protected Mode; bad code attacks the OS, and the compromised OS attacks the other app.)
Allowing App Developers to Secure Code & Data
Intel SGX provides a safe place for code and data in the application: enclave(s).
- Undetected malicious software cannot access secrets
- Secrets are protected from bad actors with access to the platform
- Need a safe as well as guards
Protection Against Memory Snooping Attacks
1. Security perimeter is the CPU package boundary (cores and cache)
2. Data and code are unencrypted inside the CPU package
3. Data and code outside the CPU package (system memory) are encrypted and integrity checked
4. External memory reads and bus snoops see only encrypted data
(Diagram: the plaintext "AMEX: 3234-134584-26864" held in the cache appears in system memory only as ciphertext, "Jco3lks937weu0cwejpoi9987v80we".)
Attesting and Provisioning Sensitive Data
Why trust a client app and share data with it? Remote Attestation (RA).
Remote Attestation has two verification aspects:
- The ISV server verifies that the ISV client enclaves are genuine
- The Intel Attestation Service (IAS) verifies the TCB's validity and authenticity
On verification success the ISV server may trust the client and provision sensitive data.
Data Sealing
Intel SGX allows an enclave secret to be sealed using a processor-derived key (EGETKEY instruction).
The HW key derivation function generates a seal key which is:
- Unique to the platform
- Unique to the enclave identity (MRENCLAVE) OR to the developer of the enclave (MRSIGNER)
- Unique to the enclave being loaded in Debuggable OR Production mode
Secrets, once encrypted with the seal key, can be safely stored to disk. Sealed data cannot be decrypted on another platform.
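As an added illustration (not from the slides or from Intel's SDK), the following Python model shows why the seal-key properties above hold: the derivation mixes a platform-unique secret with the identity chosen by the key policy and the enclave's debug attribute. The HMAC-based KDF, the field layout and the "fuse secret" values are constructed stand-ins; the real EGETKEY derivation runs inside the CPU.

```python
import hashlib
import hmac
from dataclasses import dataclass

MRENCLAVE = "MRENCLAVE"  # policy: key bound to this exact enclave build
MRSIGNER = "MRSIGNER"    # policy: key bound to the enclave author's signing key


@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes  # measurement of the enclave's code and data
    mrsigner: bytes   # hash of the public key that signed the enclave
    debug: bool       # loaded in debuggable (True) or production (False) mode


def measure(code: bytes) -> bytes:
    # Stand-in for the measurement the hardware computes while loading an enclave.
    return hashlib.sha256(code).digest()


def seal_key(platform_secret: bytes, enc: Enclave, policy: str) -> bytes:
    """Model of EGETKEY for a seal key (the real derivation runs inside the CPU):
    a KDF over the platform-unique secret, the identity selected by the key
    policy, and the debug attribute of the requesting enclave."""
    if policy not in (MRENCLAVE, MRSIGNER):
        raise ValueError("unknown key policy")
    identity = enc.mrenclave if policy == MRENCLAVE else enc.mrsigner
    mode = b"DEBUG" if enc.debug else b"PROD"
    info = b"|".join([b"SEAL", policy.encode(), identity, mode])
    return hmac.new(platform_secret, info, hashlib.sha256).digest()


# Constructed sample values: two platforms, one signer, two enclave versions.
PLATFORM_A = hashlib.sha256(b"fuse secret of platform A").digest()
PLATFORM_B = hashlib.sha256(b"fuse secret of platform B").digest()
SIGNER = hashlib.sha256(b"ISV signing public key").digest()
V1 = Enclave(measure(b"enclave v1"), SIGNER, debug=False)
V2 = Enclave(measure(b"enclave v2"), SIGNER, debug=False)  # same signer, new build
V1_DEBUG = Enclave(V1.mrenclave, SIGNER, debug=True)       # same build, debug mode


def seal_key_properties() -> dict:
    """Each property listed on the slide, as a checkable boolean."""
    k = seal_key
    return {
        "unique_to_platform": k(PLATFORM_A, V1, MRSIGNER) != k(PLATFORM_B, V1, MRSIGNER),
        "mrenclave_key_changes_with_build": k(PLATFORM_A, V1, MRENCLAVE) != k(PLATFORM_A, V2, MRENCLAVE),
        "mrsigner_key_survives_upgrade": k(PLATFORM_A, V1, MRSIGNER) == k(PLATFORM_A, V2, MRSIGNER),
        "debug_key_differs_from_production": k(PLATFORM_A, V1, MRENCLAVE) != k(PLATFORM_A, V1_DEBUG, MRENCLAVE),
    }
```

The MRSIGNER row is the practical trade-off: data sealed under MRSIGNER survives an enclave update, but every enclave from that signer on that platform can derive the same key, whereas MRENCLAVE sealing must be migrated explicitly on each new build.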
Usage Models
- Usage Model 1 (Client): protect IP (data, execution, ...) from disclosure or modification
- Usage Model 2 (End to End): deliver the app from server to endpoint; maintain the IP protection standards determined by the point of service
- Usage Model 3 (Datacenter): prove that the datacenter has no ability to observe or tamper with app IP and has not permitted other applications to do so
Use Case for Intel SGX: Securing Biometric Data and Matching Algorithm
(Diagram comparing the default flow with the Intel SGX flow; recoverable labels: Sensor, Biometric Data, Tokenization, Match Enclave (SGX) holding the Matching Algorithm and the user-specific Biometric Template, Match (Y/N), Identity Assertion (user-specific), Authentication Response, with the LOCAL side talking to the REMOTE side over a TLS/SSL session.)
Summary
Intel Software Guard Extensions (SGX):
- Provide applications the ability to keep a secret
- Capability provided by new HW instructions
- Provide confidentiality and integrity
- Resist HW & SW attacks
- Applications run within the OS environment
- Low learning curve for application developers
Additional Information
Intel Developer Zone
- Intel SGX Landing Zone: http://software.intel.com/sgx
- Intel SGX SDK for Windows: http://software.intel.com/sgx-sdk
- Articles and Whitepapers: https://software.intel.com/en-us/search/site/field_technology/software-guardextensions-43865/type/article
- Blogs: https://software.intel.com/en-us/search/site/field_technology/software-guardextensions-43865/type/blog
Intel SGX Software Stack
(Diagram; recoverable labels: Intel SGX SDK with tools & extensions, trusted libraries, documentation and reference applications; the Intel SGX application with an untrusted part and untrusted libs, an enter/exit enclave boundary, and trusted libs inside the enclave; the enclave loader and Intel SGX Platform SW with Intel-provided trusted services.)
Attestation and Sealing
Parties: Client Application (with its Enclave), Service Provider, Intel Attestation Service.
1. Enclave built & measured
2. Enclave requests REPORT (HW-signed blob including enclave identity information)
3. REPORT sent to server & verified
4. Application Key sent to the enclave over an authenticated channel; the first secret can be securely provisioned
5. Enclave-platform-specific Sealing Key generated (EGETKEY)
6. Application Key encrypted via the Sealing Key & stored for later (offline) use
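As an added example (not from the slides and not Intel's attestation protocol), this Python model walks through steps 2 to 4: the hardware binds the enclave identity into a REPORT, the Intel Attestation Service vouches for the platform, and the ISV server releases the application key only to a production enclave it built and signed. The keyed MAC standing in for the hardware signature, the platform registry, the TCB status set and the ISV policy values are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

@dataclass(frozen=True)
class Report:
    platform_id: bytes  # which CPU produced the report
    mrenclave: bytes    # measurement of the enclave's code and data
    mrsigner: bytes     # hash of the key that signed the enclave
    debug: bool         # enclave loaded in debuggable mode
    report_data: bytes  # enclave-chosen data bound into the report (e.g. a key hash)
    mac: bytes          # hardware-keyed MAC over all fields above (model)

def _body(r: Report) -> bytes:
    return b"|".join([r.platform_id, r.mrenclave, r.mrsigner, b"1" if r.debug else b"0", r.report_data])

def make_report(hw_key, platform_id, mrenclave, mrsigner, debug, report_data) -> Report:
    """Step 2: the hardware signs the enclave's identity (model: keyed MAC)."""
    unsigned = Report(platform_id, mrenclave, mrsigner, debug, report_data, b"")
    mac = hmac.new(hw_key, _body(unsigned), hashlib.sha256).digest()
    return Report(platform_id, mrenclave, mrsigner, debug, report_data, mac)

# Constructed stand-in for what IAS knows: genuine platform keys and TCB status.
GENUINE_PLATFORMS = {b"platform-A": h(b"hw key A"), b"platform-B": h(b"hw key B")}
OUT_OF_DATE_TCB = {b"platform-B"}

def ias_verify(r: Report) -> bool:
    """IAS side of step 3: genuine hardware, valid TCB, report not tampered with."""
    key = GENUINE_PLATFORMS.get(r.platform_id)
    if key is None or r.platform_id in OUT_OF_DATE_TCB:
        return False
    expected = hmac.new(key, _body(r), hashlib.sha256).digest()
    return hmac.compare_digest(expected, r.mac)

# Constructed ISV-side policy: the enclave builds this service provider signed.
EXPECTED_SIGNER = h(b"ISV signing key")
ALLOWED_ENCLAVES = {h(b"client enclave v3")}
APPLICATION_KEY = h(b"application key")

def attest_and_provision(r: Report) -> Optional[bytes]:
    """ISV server side of steps 3 and 4: release the key only to a trusted enclave."""
    if not ias_verify(r):
        return None
    if r.debug or r.mrsigner != EXPECTED_SIGNER or r.mrenclave not in ALLOWED_ENCLAVES:
        return None
    return APPLICATION_KEY
```

The debug check matters in practice: a debug-mode enclave can be inspected from outside, so a server that skips it would hand the application key to an enclave whose memory is readable by the untrusted host.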