ROTE: Rollback Protection for Trusted Execution

Similar documents
Logical Partitions on Many-core Processors

Intel Software Guard Extensions

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Sealing and Attestation in Intel Software Guard Extensions (SGX)

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

ARM Security Solutions and Numonyx Authenticated Flash

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services

Flicker: An Execution Infrastructure for TCB Minimization

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Lecture Embedded System Security Trusted Platform Module

Advanced Systems Security: Cloud Computing Security

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Crypto Background & Concepts SGX Software Attestation

Platform Configuration Registers

REM: Resource Efficient Mining for Blockchains

TRUSTED COMPUTING TECHNOLOGIES

Resource-Efficient Mining (REM) with Proofs of Useful Work (PoUW)

Trusted Platform Module (TPM) Quick Reference Guide

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

OVAL + The Trusted Platform Module

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Mobile Platform Security Architectures A perspective on their evolution

Trusted Platform Module explained

TrInc: Small Trusted Hardware for Large Distributed Systems

A Developer's Guide to Security on Cortex-M based MCUs

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Resilient IoT Security: The end of flat security models

Lecture 3 MOBILE PLATFORM SECURITY

TPM v.s. Embedded Board. James Y

MU2b Authentication, Authorization and Accounting Questions Set 2

Lecture Embedded System Security Introduction to Trusted Computing

Recommendations for TEEP Support of Intel SGX Technology

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

SafeBricks: Shielding Network Functions in the Cloud

Sancus 2.0: Open-Source Trusted Computing for the IoT

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Massively Parallel Hardware Security Platform

Intel Software Guard Extensions (Intel SGX) Developer Guide

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

6.857 L17. Secure Processors. Srini Devadas

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

Hypervisor Security First Published On: Last Updated On:

How to create a trust anchor with coreboot.

Lecture Embedded System Security Introduction to Trusted Computing

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

Date: 13 June Location: Sophia Antipolis. Integrating the SIM. Dr. Adrian Escott. Qualcomm Technologies, Inc.

Cache Side Channel Attacks on Intel SGX

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Trojan-tolerant Hardware & Supply Chain Security in Practice

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Trustzone Security IP for IoT

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Virtual Monotonic Counters and Count-Limited Objects using a TPM without a Trusted OS

COMPUTER NETWORK SECURITY

Embedded System Security Mobile Hardware Platform Security

Connecting Securely to the Cloud

Embedded System Security Mobile Hardware Platform Security

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Lecture Embedded System Security Introduction to Trusted Computing

Influential OS Research Security. Michael Raitza

Trusted Computing and O/S Security. Aggelos Kiayias Justin Neumann

Trusted Mobile Keyboard Controller Architecture

9 GENERATION INTEL CORE DESKTOP PROCESSORS

Sanctum: Minimal HW Extensions for Strong SW Isolation

A Hijacker's Guide to the LPC bus IAIK/EUROPKI2011/HIJACKER'S GUIDE 1

Designing Security & Trust into Connected Devices

Intelligent Terminal System Based on Trusted Platform Module

Copyright

Bromium: Virtualization-Based Security

Unicorn: Two- Factor Attestation for Data Security

EXTERNALLY VERIFIABLE CODE EXECUTION

Module: Cloud Computing Security

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

Trusted Platform Modules Automotive applications and differentiation from HSM

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Virtualisation on Mobile Devices {Hugo Marques, Nuno Conceição, Luis Pereira}

Trusted Computing and O/S Security

Memory Defenses. The Elevation from Obscurity to Headlines. Rajeev Balasubramonian School of Computing, University of Utah

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci

GSE/Belux Enterprise Systems Security Meeting

How to protect Automotive systems with ARM Security Architecture

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

ETH, Design of Digital Circuits, SS17 Review Session Questions I - SOLUTIONS

Transcription:

ROTE: Rollback Protection for Trusted Execution Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David Sommer, Arthur Gervais, Ari Juels, Srdjan Capkun Siniša Matetić ETH Zurich Institute of Information Security August 18th, 2017

Intel Introduction Intel Software Guard Extensions () - Intel s new architecture containing new instructions and protective mechanism in the processor Regular systems are vulnerable to various attacks APP APP APP APP OS OS HW HW Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 2

Intel Introduction Enables trusted execution of security-critical application code - enclaves Isolation from the untrusted system software, other enclaves and peripherals Security perimeter is the processor itself Images taken from software.intel.com Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 3

Intel Introduction Sealing - storing data for persistent storage across executions which gives confidentiality and authentication - but what about integrity? Processors are equipped with certified cryptographic keys - enables remotely verifiable attestation statements Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 4

Intel + and - + Isolates execution, can handle untrusted OS + Can run many enclaves in parallel + Supports attestation + Supports sealing + Unlike with TPM, security boundary is the processor - It is not system-wide (unlike TrustZone) - No direct access to peripherals - Side Channels [many recent works] - No Rollback Protection Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 5

Rollback attack Example Please store message 1 Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 6

Rollback attack Example I have stored message 1 Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 7

Rollback attack Example Please store message 2 Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 8

Rollback attack Example I have stored message 2 Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 9

Rollback attack Example Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 10

Rollback attack Example Could you give me the latest message? Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 11

Rollback attack Example Sure. Here s Message 1 Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 12

Rollback attack Intel - Protecting the Local State? In a rollback attack a malicious OS replaces the latest sealed data with an older encrypted and authenticated version Another way to violate state integrity is to create two instances of the same enclave and route update requests to one instance and read requests to the other (restart, terminate, ). Enclaves cannot detect replay, because the processor does not hold persistent state across enclave executions (and platform reboots) Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 13

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 1: Initial bank account balance: 300 Attacker Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 14

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 1: Initial bank account balance: 300 Attacker User 1 1. Send 100 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 15

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 2: Initial bank account balance: 200 Attacker User 1 1. Send 100 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 16

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 2: Initial bank account balance: 200 Attacker User 1 1. Send 100 2. Send 200 User 2 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 17

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 3: Initial bank account balance: 0 Attacker User 1 1. Send 100 2. Send 200 User 2 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 18

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 3: Initial bank account balance: 0 Attacker User 1 1. Send 100 2. Send 200 3. Restart and replay old state User 2 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 19

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 1: Initial bank account balance: 300 Attacker User 1 1. Send 100 2. Send 200 3. Restart and replay old state User 2 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 20

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 1: Initial bank account balance: 300 Attacker User 1 1. Send 100 2. Send 200 3. Restart and replay old state User 2 4. Send 100 User 3 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 21

Rollback attack Example scenario Imagine a financial application where account balance is enforced by State 2: Initial bank account balance: 200 Attacker User 1 1. Send 100 2. Send 200 3. Restart and replay old state User 2 4. Send 100 User 3 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 22

ROTE Main contributions of this work New security model for reasoning about the integrity and freshness of applications - identified security weaknesses in existing systems. counter experiments showing limitation of the service Novel approach of realising rollback protection by storing enclave-specific counters in a distributed system Implemented ROTE system that ensures integrity and freshness of application data in a powerful adversarial model. Experimental evaluation showing only a small performance overhead for our system - in a low-latency network state update overhead is only 1-2 ms Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 23

Rollback attack Example solution Store << Message n, n >> Increment MC Target Enclave Adversary OS Protected Space Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 24

Rollback attack Example solution Target Enclave Adversary OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 25

Rollback attack Example solution Here is << Message x, x >> Target Enclave Adversary OS MC = n Protected Space Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 26

Rollback attack Example solution Is x = n? Here is << Message x, x >> Target Enclave Adversary OS MC = n Protected Space Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 27

Existing solutions To address rollback attacks, two basic approaches are known: - use non-volatile memory element to store the state - maintain integrity information in a separate trusted server supports Monotonic Counter service - limited security guarantees - poor performance (limits high-throughput transactions) Leveraging Trusted Platform Modules (TPMs) - similar limitations Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 28

Solution provided by Intel supports Monotonic Counter service Stored in an off-cpu memory Security concern: counters stored in a flash memory that is also used by the BIOS, connected via an SPI bus. This is a passive component. Performance concerns: how practical is this? Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 29

Experiments - counter service Counter increment operation took 80-250 ms (model dependent). Counter read operations took 60-140 ms 1.05 M writes render the NV counter (memory) unusable (wear) Reinstalling the Platform Software (PSW) or removing the BIOS battery deletes all counters After reinstalling the PSW the platform software connects to Intel server. If connection not available, the counter service is unavailable Updates of an enclave every 250 ms => counters become unusable in few days. - with one increment per minute, the counters are exhausted in two years Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 30

ROTE : System / Attacker Model Attacker: - enclave scheduling, - platform reboots, - control of the full software stack, - control over the complete communication channel, and - compromising the hardware One can achieve all-or-nothing rollback - the only way to violate data integrity is to reset the entire group to its initial state Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 31

ROTE Our Approach Intuition: A single platform cannot efficiently prevent rollback, but in many practical scenarios, multiple processors can be enrolled to assist each other Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 32

ROTE Our Approach We try to build a distributed system where each participating nodes provides state protection for all other nodes Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 33

ROTE Our Approach When an enclave updates its state, it stores a counter to a set of enclaves running on assisting processors 1 1 1 1 1 State update 0->1 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 34

ROTE Our Approach When the enclave needs to recover its state, it obtains counter values from assisting enclaves to verify that the recovered state data is of the latest version 1 1 1 1 Restart Retrieve state Check counter State 1 1 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 35

ROTE Challenges 1. Protection against the strong adversary model 2. Network partitioning 3. Coordinated enclave restarts 4. Multiple enclave instances 5. Group establishment Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 36

ROTE System architecture Multiple user applications with matching Application-Specific Enclave (ASE) System service, Rollback Enclave (RE), implements ROTE library that ASEs use The design choice of introducing a dedicated system service (RE) hides the distributed counter maintenance from the applications Platform A ROTE System (TCB) 3 rd Party Development ASE A1 ASE Ai RE A Platform B ROTE lib ROTE lib OS Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 37

ROTE System protocols ASE State update protocol RE restart protocol ASE start/read protocol ASE A1 1 Rollback Enclave A incrementase A1 Counter(); 9 ACK 3 6 8 acceptnewstate(); store&seal(); updatelocalasecountertable(); increasemc(); 2 signed (MC A ) verify Echoes signed (MC A ) Echo B Echo i returned Echo i verify final ACKs(); acceptnewstate(); store&seal(); REQUEST RESPONSE final ACK B final ACK i returned Echo B LOCAL ENTITY Rollback Enclave B... Rollback Enclave i updategroupcountertable() 5 4 check returned Echo i for valididity 7 EXTERNAL ENTITY Operating system 2 requestlocalstate() OfferSeal(RE A,seal) Rollback Enclave A 6 7 REQUEST RESPONSE 4 3 Session key(s) establishment 1 unsealstate(); extract MC getmc()... getmc() signed MC(RE A ), signed MC(all) signed MC(RE A ), signed MC(all) compare MC from sealed state with max(mc) verify final ACKs(); acceptnewstate(); store&seal(); continueoperation(); Rollback Enclave B... Rollback Enclave i checkgroupcountertable() 5 LOCAL ENTITY EXTERNAL ENTITY Operating system ASE A1 CounterASE A1 Rollback Enclave A requestlocalstate() 1 2 unsealstate(); retrieveasecounter() OfferSeal(ASE A1,seal) checklocalasecountertable() getase A1 Counter() 3 REQUEST RESPONSE 6 compare counter from the unsealed state with counter received from RE A 4 LOCAL ENTITY 5... Rollback Enclave i RE restart protocol STEPS 4-6 EXTERNAL ENTITY Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 38

ROTE Security Analysis Basic intuition: Given a secure storage functionality (abstraction), the RE can verify that its state its the latest and rollback is prevented - First start - Sealing & Unsealing - Forking - Restart ready to update state 8 normal operation 7 ReadCounter() check counter empty 2 counter match 1 Start() Write- Counter() Seal() increment 9 ok 10 ok fail fail counter match fail value OfferSeal 3 ask seal (latest) OfferSeal 4 (arbitrary) OfferSeal unseal fail 5 (previous) unseal halt 6 unseal Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 39

ROTE Security Analysis Realization of the secure storage functionality as a distributed system - Quorum size - Platform restarts - Forking attacks 1 target RE Dependency between the parameters is n=f+2u+1 state=1 n state=2 u l f 1 u r state update: 2 state retrieval q state update: 1 Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 40

ROTE Performance evaluation Experimental results - state update/read delay. 1. ROTE performance for a group within a local network, 2. Geographically distributed protection groups, 3. Simulated performance for a larger group within a local network. Time (ms) 2.6 2.4 2.2 2.0 1.8 1.6 1.4 1.2 Response Time Update Response Time Read 1 2 3 1.0 2 3 4 Number of nodes in the group Time (ms) 1400 1200 1000 800 600 400 Response Time Update Response Time Read 200 2 3 4 5 6 Number of nodes in the group Time (ms) 3.2 3.0 2.8 2.6 Response Time Update Response Time Read 2.4 2.2 2.0 1.8 1.6 1.4 1.2 1.0 0.8 0.6 2 4 6 8 10 12 14 16 18 20 Number of nodes in the group Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 41

ROTE Performance evaluation Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 42

Lessons learnt The current design and architecture clearly have some shortcoming that could be addressed in the future to strengthen its position Designing a distributed system that is both efficient and satisfies the required security properties proved to be quite a challenge - http://scholar.harvard.edu/files/mickens/files/thesaddestmoment.pdf During the whole project we stumbled upon numerous new attack vectors and thus had to change the core work to adapt Developing enclaves for Intel is still buggy and cumbersome Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 43

ROTE Conclusion New security model for reasoning about the integrity and freshness of applications - identified security weaknesses in existing systems. counter experiments showing limitation of the service Novel approach of realising rollback protection by storing enclave-specific counters in a distributed system Implemented ROTE system that ensures integrity and freshness of application data in a powerful adversarial model. Experimental evaluation showing only a small performance overhead for our system - in a low-latency network state update overhead is only 1-2 ms Sinisa Matetic - ROTE: Rollback Protection for Trusted Execution 44

Thank you for your attention! Any Questions? sinisa.matetic@inf.ethz.ch

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback