
FIT3173: Introduction to Trusted Execution and Intel Software Guard Extensions (SGX)
Dr Xiao, Software Systems and Cybersecurity, Faculty of Information Technology

Learning Outcomes of This Lecture


• Define the notion of trust
• Understand why we need hardware-assisted trust
• Understand trusted execution and isolation
• Know the threat model and security guarantees of Intel SGX
• Understand how SGX-based applications work
• Learn the security services provided by SGX
• Employ the basic programming model of SGX
• Understand the methodology of side-channel attacks against SGX

How to improve software security systematically?
At a high level:
• seriously look at security requirements and threats when (prior to) building systems, i.e., at design time
At a low level:
• train programmers to be aware of the pitfalls associated with the programming language, OS and platform
• improve these languages, OSs and platforms, making them less error-prone, e.g., by adding memory and type safety

Can Software Be Made Completely Secure?
Probably not.
• modern systems are incredibly complex (hundreds of thousands of security bugs); not all bugs can be fixed
• compatibility requirements prohibit replacing all insecure software with secure code
• it is likely impossible to detect the presence of malicious code in a system without hardware support

What do we need?
• Trusted system: a system that the user can trust will not fail (if it fails, the whole security policy collapses)
• The trust in the system should be attestable to external entities
• Trustworthy system: a system that cannot fail
• Trusted system --?--> Trustworthy system

Historical Perspective

The Notion of Trust
• Trust tries to formulate a good-faith relationship between computing machines as well as between their users.
• The realization of trusting an entity B by an entity A is based on the belief that B will always behave honorably, reliably and securely under a specific context
• must involve both the user and the computing device at hand

Trusted Systems
• Policy-based trust establishment using a Trusted Computing Base (TCB) and strong isolation

Trusted Computing Base (TCB)
• The TCB is the combination of hardware, software and controls that work together to form a trusted base that enforces your security policy
• It has the highest OS privilege level and is responsible for enforcing the system's security policy
• Must be small, so that an exhaustive examination of its code base becomes feasible
• Must be manageable, so that it can be efficiently checked periodically for security compliance
• Must also be protected from itself -> needs a Hardware Root of Trust

• Separation of resources through trust verification mechanisms
• Can be used to create self-contained computation (and communication) environments
• System Separation in trusted and untrusted zones
• Handled by a specialized level consisting of a collection of software tools that use the TCB services

Trusted System Technologies
TCB and hardware trust management:
• Trusted Computing Group (TCG) approach
• Trusted Platform Module (TPM)
• GlobalPlatform Trusted Execution Environment (TEE)
• e.g. ARM TrustZone technology
• Intel SGX
Isolation:
• Virtualization technology
• Intel/AMD hardware virtualization
• Intel SGX-based enclaves

• Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aims to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, etc) is potentially malicious.
• Application keeps its data/code inside the “enclave”.
Image source: OpenSGX – An open platform for SGX research

• Incorporated directly into almost all Intel CPUs manufactured in recent years (ark.intel.com); not a separate chip like the TPM
• Designed to promote secure cloud computing: Azure confidential computing (https://azure.microsoft.com/en-au/solutions/confidential-compute/)

SGX Threat Model
• All the cloud provider's software is malicious
• e.g., hypervisor, firmware, management stack, etc.
• All hardware besides the CPU is untrusted
• Have to trust Intel
• Side-channel attacks are out of scope (very difficult to address)
• Does not prevent denial-of-service

Reduced Attack Surface with SGX
Image source: intel.com

Reduced Attack Surface with SGX
• Application gains ability to defend its own secret
• Smallest attack surface
• Malware that subverts OS/VMM, BIOS, Driver cannot steal app secrets
Image source: intel.com

SGX Security Services
• Trusted computing enabler (secure computing on someone else's computer)
• Not a new idea; key concepts date from the 1980s
• Trusted computing base
• Hardware secrets
• Remote attestation
• Sealed storage
• Memory encryption

Example: How SGX-based APP Works
Image source: intel.com
1. App is built with trusted and untrusted parts
2. App runs & creates an enclave, which is placed in trusted memory
3. Trusted function is called; code running inside the enclave sees data in the clear; external access to the data is denied
4. Function returns; enclave data remains in trusted memory

Hardware Secrets
• Two 128-bit keys fused at production:
• Root provisioning key
• Root seal key (not known to Intel)
• Derived keys depend on the seal key, so Intel can't know them

Remote Attestation
• Proof that an enclave runs a given software inside a given CPU with a given security level
• SGX mostly useless without attestation
Image source: Intel SGX explained

Sealed Storage
• The enclave's initial data/code is not secret
• Secrets are provisioned later, and can be encrypted to be stored out of the enclave through the sealing mechanism
• Encrypted storage
• Stored outside the enclave
• Only decryptable by the enclave
• Different keys generated for debug- and production-mode

Memory Encryption
• One part of physical memory (RAM) is reserved for enclaves.
• It is called the Enclave Page Cache (EPC).
• EPC memory is encrypted in the main memory (RAM).
Image source: intel.com

Memory Encryption
Image source: OpenSGX – An open platform for SGX research

SGX Programming: SDK for Linux
Image source: intel.com

ECall and OCall
• An ECall is a (trusted) function call that enters an enclave.
• The untrusted component can call into the trusted component
• All functions executed in the enclave should be declared as ECalls
• An OCall is an (untrusted) function call that leaves an enclave.
• For enclave calls to the application
• Used to perform privileged or I/O operations that an enclave cannot do itself, e.g., system calls, file I/O

Enclave Definition Language (EDL)
• All ECall and OCall functions must be defined in the EDL
• [out] for an ECall: an out parameter is passed from enclave to app; [in] for an ECall: an in parameter is passed from app to enclave
• [out] for an OCall: an out parameter is passed from app to enclave; [in] for an OCall: an in parameter is passed from enclave to app

ECall Example

OCall Example
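The ECall/OCall flow and the EDL [in]/[out] direction rules above, as an added example (not the lecture's slides and not Intel SGX SDK code): a plain C simulation of what the SDK's generated bridge code does with the parameter attributes, using constructed names (ecall_sum, ocall_log, app_ecall_sum, enclave_ocall_log) and a hypothetical EDL shown in the comment. It assumes no SGX hardware or SDK; the "enclave" is simply a separate copy of each buffer, which is enough to show why the bridge copies [in] data in and [out] data back instead of letting the enclave dereference application pointers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical EDL this example mirrors (constructed, not from the slides):
 *   trusted   { public int ecall_sum([in, size=len] const int *buf, size_t len,
 *                                    [out] int *result); };
 *   untrusted { void ocall_log([in, string] const char *msg); };
 */

/* ---- untrusted side: the application implements the OCall body ---- */
static char g_last_msg[64];                      /* records the last OCall for checks */
void ocall_log(const char *msg) { snprintf(g_last_msg, sizeof g_last_msg, "%s", msg); }
const char *last_ocall_msg(void) { return g_last_msg; }

/* ---- OCall bridge: [in, string] copies the text from enclave to app memory ---- */
static void enclave_ocall_log(const char *enclave_msg) {
    char app_copy[64];                           /* app-side buffer, not enclave memory */
    snprintf(app_copy, sizeof app_copy, "%s", enclave_msg);
    ocall_log(app_copy);
}

/* ---- trusted side: the ECall body as it would run inside the enclave ---- */
int ecall_sum(const int *buf, size_t len, int *result) {
    if (buf == NULL || result == NULL) return -1;
    long sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];  /* buf is the enclave's own copy */
    *result = (int)sum;
    enclave_ocall_log("ecall_sum finished");     /* leaves the enclave through the OCall */
    return 0;
}

/* ---- ECall bridge: what the generated proxy does with [in]/[out] ---- */
int app_ecall_sum(const int *app_buf, size_t len, int *app_result) {
    if (app_buf == NULL || app_result == NULL) return -1;
    if (len > SIZE_MAX / sizeof(int)) return -2;     /* size=len must not overflow */
    int *in_copy = malloc(len * sizeof(int));        /* [in]: copy app -> enclave */
    if (in_copy == NULL) return -3;
    memcpy(in_copy, app_buf, len * sizeof(int));
    int out_tmp = 0;                                 /* [out] lives in enclave memory */
    int rc = ecall_sum(in_copy, len, &out_tmp);      /* enclave never touches app_buf */
    free(in_copy);
    if (rc == 0) *app_result = out_tmp;              /* [out]: copy enclave -> app */
    return rc;
}
```

Calling app_ecall_sum on {1, 2, 3, 4} returns 0 with the result 10 delivered through the [out] copy, and the OCall leaves the string in application memory; the overflow check on size=len is the kind of validation the real generated proxies perform before copying.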

Reference
• Intel Software Guard Extensions (Intel SGX): https://software.intel.com/sites/default/files/332680-001.pdf
• Intel SGX Academic Research: https://software.intel.com/en-us/sgx/documentation/academic-research
• Intel SGX explained: https://css.csail.mit.edu/6.858/2017/readings/costan-sgx.pdf
• An up-to-date list of system papers related to Intel SGX: https://github.com/vschiavoni/sgx-papers

Side-channel Attacks against Intel SGX

Computer Memory Hierarchy
• Accessed RAM will be cached to accelerate the next access
• Several memory addresses share a specific cache line

The Basis of Attacks: Prime+Probe

The Basis of Attacks: Flush+Reload

The Basis of Attacks: Page Fault

• Adversary can access the "environment" but is unprivileged
• Leakage from code is not necessary

Meltdown: OOE
• Out-of-order execution (OOE, a core optimisation in modern CPU architectures)
• Execute instructions based on the availability of hardware and source operands instead of the instruction order
• Store the execution results in a CPU buffer (ROB, reorder buffer)
• During instruction retirement, commit to registers in order, or roll back if the CPU realises a misprediction or exception occurred

• Exploit the race condition between OOE and the retirement check
• OOE executes some instructions even if there is an exception before them
• Access a probe buffer with offset = secret * 4096, loading one memory page into the cache (4096 B = 4 KB = size of a memory page)
• Access the memory pages and measure the access time: the cached page (with the shortest access time) is the loaded one (Flush+Reload attack)

Meltdown in SGX
• Difficulties
• The content in the EPC is encrypted
• An attempt to read a memory address in the EPC returns an abort page (0xFF, not an exception)

Foreshadow
• Observation I
• After data is loaded into the CPU (cache), it is in plaintext form
• The Meltdown attack can target the executing enclave
foreshadow.pdf (foreshadowattack.eu)

Foreshadow
• Observation II
• Abort page semantics apply only after the legacy page table check completes without an exception
• An unprivileged system call (mprotect(...)) can clear the 'present' bit of a page
• The legacy page table check then fails since the page is not present in memory

Foreshadow
• After the above two steps, Meltdown code works again against SGX
• It can be used to extract the provisioning key and then recover the attestation key, allowing any malicious enclave to be attested on the remote platform

Intel's Response
L1 Terminal Fault: can be fixed at the microcode level or the software level
• Implicitly remove data from the L1 during certain privilege transitions
• Allow software to explicitly flush the L1
• OS developers should improve the paging design to ensure that a PTE (Page Table Entry) only refers to specific physical addresses that hold no secrets
