Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Similar documents
Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

T-SGX: Eradicating Controlled-Channel

SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees

Sanctum: Minimal HW Extensions for Strong SW Isolation

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data

Hardware Enclave Attacks CS261

Lecture Secure, Trusted and Trustworthy Computing Introduction to SGX

Intel Software Guard Extensions

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

Cache Side Channel Attacks on Intel SGX

Resource-Efficient Mining (REM) with Proofs of Useful Work (PoUW)

Side Channels and Runtime Encryption Solutions with Intel SGX

Lecture 44 Blockchain Security I (Overview)

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Isolating Operating System Components with Intel SGX

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

TRUSTSHADOW: SECURE EXECUTION OF UNMODIFIED APPLICATIONS WITH ARM TRUSTZONE Florian Olschewski

Leveraging Intel SGX to Create a Nondisclosure Cryptographic library

Hakim Weatherspoon CS 3410 Computer Science Cornell University

SafeBricks: Shielding Network Functions in the Cloud

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

SGXBounds Memory Safety for Shielded Execution

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

1 Achieving IND-CPA security

Firmware Updates for Internet of Things Devices

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Protection. Thierry Sans

Crypto tidbits: misuse, side channels. Slides from Dave Levin 414-spring2016

ROTE: Rollback Protection for Trusted Execution

Crypto Background & Concepts SGX Software Attestation

CS 161 Computer Security

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Computer Architecture Background

6.857 L17. Secure Processors. Srini Devadas

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Recommendations for TEEP Support of Intel SGX Technology

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

CYBER SECURITY MADE SIMPLE

Advanced Systems Security: Ordinary Operating Systems

Anne Bracy CS 3410 Computer Science Cornell University

REM: Resource Efficient Mining for Blockchains

Conventional Protection Mechanisms in File Systems

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

Robbing the Bank with a Theorem Prover

Operating System Security

CIS 4360 Secure Computer Systems SGX

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Software Security: Buffer Overflow Defenses

CS162 Operating Systems and Systems Programming Lecture 12. Address Translation. Page 1

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

Lecture 4 September Required reading materials for this class

Meltdown, Spectre, and Security Boundaries in LEON/GRLIB. Technical note Doc. No GRLIB-TN-0014 Issue 1.1

Introduction to Operating Systems. Chapter Chapter

Connecting Securely to the Cloud

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

Operating Systems. Memory Management. Lecture 9 Michael O Boyle

Lecture 21: Virtual Memory. Spring 2018 Jason Tang

Operating Systems. IV. Memory Management

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing

Introduction to Operating Systems. Chapter Chapter

Virtual Memory 1. Virtual Memory

Virtual Memory 1. Virtual Memory

Influential OS Research Security. Michael Raitza

Malware Guard Extension: Using SGX to Conceal Cache Attacks

Virtual Memory. Kevin Webb Swarthmore College March 8, 2018

Implementing Secure Software Systems on ARMv8-M Microcontrollers

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Anne Bracy CS 3410 Computer Science Cornell University

Lecture 07: Private-key Encryption. Private-key Encryption

Intel Software Guard Extensions (Intel SGX) SGX2

Smart Cards in Hostile Environments

Trojan-tolerant Hardware & Supply Chain Security in Practice

Secure Computation Interfaces

CS140 Operating Systems and Systems Programming Final Exam

Obliviate: A Data Oblivious File System for Intel SGX. Adil Ahmad Kyungtae Kim Muhammad Ihsanulhaq Sarfaraz Byoungyoung Lee

OPERATING SYSTEMS CS136

Hardening Fingerprint Authentication Systems Using Intel s SGX Enclave Technology. Interim Progress Report

Introduction to Operating. Chapter Chapter

QPSI. Qualcomm Technologies Countermeasures Update

Preview. Memory Management

Binding keys to programs using Intel SGX remote attestation

Memory management. Requirements. Relocation: program loading. Terms. Relocation. Protection. Sharing. Logical organization. Physical organization

ARM TrustZone for ARMv8-M for software engineers

A Developer's Guide to Security on Cortex-M based MCUs

Creating Trust in a Highly Mobile World

Security in ECE Systems

Secure Multiparty Computation

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Authenticating People and Machines over Insecure Networks

OS: An Overview. ICS332 Operating Systems

0x1A Great Papers in Computer Security

Transcription:

: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado

2 Goal Protect the data of applications running on remote hardware

3 New tech Trusted Platform Modules Limited use cases Secure counters and signatures (trinc) Undeniable access to data (Pasture) State continuity (Memoir) Problems: Need special hardware (costly) Lack of flexibility Need to redevelop applications (costly)

4 Intel Software Guard Extensions SGX New trusted hardware from Intel Tamper proof processor with burned in cryptographic keys for signing and encryption Protects user applications from adversarial operating systems Cloud applications Protecting users from themselves (Internet banking on compromised devices)

5 SGX Enclaves Enclave = Secure execution context Run a piece of code in encrypted memory Source: Software Guard Extensions Reference Manual

6 SGX Enclaves Enclaves run directly on top of hardware App App Enclave Operating System Hardware Applications build the Enclave address space(ecreate, EINIT) The processor performs cryptographical checks to verify that the created enclave matches the developer s intention Control is eventually passed to the enclave (EENTRY) The Enclave then executes on its own

7 SGX Enclaves Why are enclaves secure? Enclave memory is stored within the Enclave Page Cache CPU Memory BUS Load/Store (encrypted data) EPC Decryption happens inside the tamper-proof chip Load/Store (cleartext data) Physical Memory

8 SGX As an enclave, you can ask the processor to sign your execution context Enclaves first prove themselves to third parties You pass secure data to the enclave only after it has proven itself So you only pass data to (hopefully) secure code Cloud user, Bank, etc. I am unchanged, running on SGX, and here is the proof Everything OK, have some secret data Remote Enclave

9 Haven So we can run programs directly on top of secure hardware Next step? Run entire operating systems on top of secure hardware Final goal: Run generic, legacy applications, securely Major issue: operating system is needed to manage input and output Compromise: Run a user mode variant of an entire operating system Haven The Windows API in a single process

10 Haven Run any legacy application on top of a library version of the Windows API Image source: Baumann, A., Peinado, M. and Hunt, G., 2014, October. Shielding applications from an untrusted cloud with haven. In USENIX Symposium on Operating Systems Design and Implementation (OSDI).

11 Job done? We can now run secure applications with encrypted data on remote hardware As long as the keys within the SGX processor remain safe, the data remains encrypted SGX processor is also (according to Intel) resilient against sidechannel attacks: No power analysis No timing analysis No interesting radio waves Turns out it s not

12 Intermission: Virtual Memory

13 Virtual Memory Each process has access to its own virtual address space Separate physical memory from application memory Advantages: Shared memory Copy-on-write Map files in memory Demand paging Translated from: Operating Systems lecture slides, Faculty of Automatic Control and Computer Science, University POLITEHNICA of Bucharest

14 Virtual Memory Pages No external fragmentation Smallest unit of allocation from the OS point of view Virtual pages (pages) Physical pages (frames) Map memory: associate frames to pages Memory Management Unit (MMU) handles translation Translated from: Operating Systems lecture slides, Faculty of Automatic Control and Computer Science, University POLITEHNICA of Bucharest Image from: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

15 Virtual Memory Page Tables Managed by the operating system Used by the MMU to perform translation Contain Page Table Entries that: Point virtual memory addresses to physical memory addresses Contain access rights (read, write, execute) If the MMU finds a problem page fault Translated from: Operating Systems lecture slides, Faculty of Automatic Control and Computer Science, University POLITEHNICA of Bucharest

16 Virtual Memory Page Fault Access to a page that is Unmapped Invalid Wrong access rights Exception is generated Run page fault handler Page fault handler = Operating system Red flag: operating system was untrusted! However: operating system is managing pages with encrypted data, it can only perform denial of service attacks (?) Translated from: Operating Systems lecture slides, Faculty of Automatic Control and Computer Science, University POLITEHNICA of Bucharest

17 Virtual Memory Page Fault Image source: OSCE, Chapter 8, pg. 325, Figure 8.6

18 Controlled-Channel Attacks

19 Overview Problem: Page tables on SGX processors are still handled by the untrusted operating system In normal operation, the running enclave will cause a small amount of page faults The MMU then reveals the required page to the operating system, so that the page fault handler can retrieve it The operating system can obtain valuable information from here Important assumption: Application code is public

20 Why it works Char* WelcomeMessage( GENDER s ) { char *mesg; //GENDER is an enum of MALE and FEMALE if ( s == MALE ) { mesg = WelcomeMessageForMale(); } else { mesg = WelcomeMessageForFemale(); } return mesg; } Void CountLogin( GENDER s ) { if ( s == MALE ) { gmalecount ++; } else { gfemalecount ++; } } Page fault for address of WelcomeMessageForMale reveals s is MALE

21 Why it s not trivial SGX tries to hide true page fault addresses by rounding them off to page boundaries Page faults caused by accesses to multiple addresses (different functions, variables, etc.) look the same Attack is still possible, only harder Page FunctionFoo() //do some work FunctionBar() //do some more work FunctionFoo() FunctionBar()

22 Sources of information Control transfers Different function are called, depending on the value of some variable Data accesses Different variables are accessed, depending on the value of some other variable Data accesses are monitored by looking at nearby code page faults the instructions that use the data Even dynamically allocated data accesses can be identified the instruction patterns around them are the same

23 Overview Before During After Step 1: Build an collection of page fault sequences to use as reference Step 2: After enclave start, remove access from all process pages Step 3: Record the pattern of page fault addresses Step 4: From the pattern, deduce information about data within the program Three attacks on common libraries: Libjpeg Hunspell FreeType

24 Step 1 Build an collection of page fault sequences to use as reference Record page faults of code pages Collect a set of page-fault traces P i = p i j j For each trace P i, generate a new trace Q i = q i page base addresses Q i will be similar to the page faults provided by SGX that contains For each s, t s.t. p t s = f, search for the minimum k 1 such that for any sequence q j k+1 i, q j k+2 j i,, q i that matches with the sequence (q t k+1 s, q t k+2 s,, q t s ), p j i equals to f Finally, use the set of unique sequences q s t k+1,, q s t to find the control transfer

25 Example Control Transfers P 1 f1 f2 f4 f2 f1 f3 f5 f3 f1 Q 1 A B D B A C D C A Image source: Xu, Y., Cui, W. and Peinado, M., 2015. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems.

26 Example Control Transfers Suppose we are searching for a jump to f4 At position 3 P 1 f1 f2 f4 f2 f1 f3 f5 f3 f1 Q 1 A B D B A C D C A For position 3, search for the smallest K 1 such that all K-length sequences in Q 1 matching the K-length sequence ending at position 3 in Q 1 end on f4 K = 1 doesn t work; why? P 1 f1 f2 f4 f2 f1 f3 f5 f3 f1 Q 1 A B D B A C D C A This sequence (B, D) is only found here K = 2 is ok; why? P 1 f1 f2 f4 f2 f1 f3 f5 f3 f1 Q 1 A B D B A C D C A Same sequence (D) ends on f5

27 Steps 2 & 3 After enclave start, remove access from all process pages Access will cause a page fault Tracking all pages is too expensive Track a subset of pages Details on the algorithm are in the paper Upon receiving a fault, the handler: Logs the requested page Enables access to the page Removes access to the previous page

28 Step 4 Analyze the logs and find the desired control transfers This can be performed offline, after the online portion of the attack We search for the control transfer (i.e. calls to a certain function), and can finally extract data if (x!= 0) { f1(); } else { f2(); } If found control transfer for f1, then x!= 0 If found control transfer for f2, then x!= 0 Attacks on real libraries are feasible, but require some thought on how to recover relevant information

29 What about ASLR? Address Space Layout Randomization Randomly arrange the address space of the process Could be implemented in the shielding system (e.g. Haven) Possible solution?

30 What about ASLR? Attack still possible: Look at the first few code page faults on application start in an offline setting In the live setting, try to match the new page fault addresses to the original ones, based on the corresponding sequence Keep building the mapping between randomized pages and the original ones; eventually the heap, stack and libraries will be located

31 Results Demo applications using the targeted libraries FreeType font library: The demo application rendered a book (taken as input in ASCII format) onto a bitmap Result: The attack managed to extract the exact ASCII input Hunspell spellchecker: The demo application spellchecked the same book Result: The attack recovered approximately 75% of the words in the input, without punctuation Libjpeg library: The demo application loaded jpeg images and saved them as bitmaps Result: Recovered features of the input images

32 Results Frame of reference for colors could not be obtained, but contours could be observed Image source: Xu, Y., Cui, W. and Peinado, M., 2015. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems.

33 Conclusion Take home message: encryption on its own is not enough to protect executable code Information can leak from many places

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback