InversOS: Efficient Control-Flow Protection for AArch64 Applications with Privilege Inversion

With the increasing popularity of AArch64 processors in general-purpose computing, securing software running on AArch64 systems against control-flow hijacking attacks has become a critical part toward secure computation. Shadow stacks keep shadow copies of function return addresses and, when protected from illegal modifications and coupled with forward-edge control-flow integrity, form an effective and proven defense against such attacks. However, AArch64 lacks native support for write-protected shadow stacks, while software alternatives either incur prohibitive performance overhead or provide weak security guarantees. We present InversOS, the first hardware-assisted write-protected shadow stacks for AArch64 user-space applications, utilizing commonly available features of AArch64 to achieve efficient intra-address space isolation (called Privilege Inversion) required to protect shadow stacks. Privilege Inversion adopts unconventional design choices that run protected applications in the kernel mode and mark operating system (OS) kernel memory as user-accessible; InversOS therefore uses a novel combination of OS kernel modifications, compiler transformations, and another AArch64 feature to ensure the safety of doing so and to support legacy applications. We show that InversOS is secure by design, effective against various control-flow hijacking attacks, and performant on selected benchmarks and applications (incurring overhead of 7.0% on LMBench, 7.1% on SPEC CPU 2017, and 3.0% on Nginx web server).Comment: 18 pages, 9 figures, 4 table

Fidelius: Protecting User Secrets from Compromised Browsers

Users regularly enter sensitive data, such as passwords, credit card numbers, or tax information, into the browser window. While modern browsers provide powerful client-side privacy measures to protect this data, none of these defenses prevent a browser compromised by malware from stealing it. In this work, we present Fidelius, a new architecture that uses trusted hardware enclaves integrated into the browser to enable protection of user secrets during web browsing sessions, even if the entire underlying browser and OS are fully controlled by a malicious attacker. Fidelius solves many challenges involved in providing protection for browsers in a fully malicious environment, offering support for integrity and privacy for form data, JavaScript execution, XMLHttpRequests, and protected web storage, while minimizing the TCB. Moreover, interactions between the enclave and the browser, the keyboard, and the display all require new protocols, each with their own security considerations. Finally, Fidelius takes into account UI considerations to ensure a consistent and simple interface for both developers and users. As part of this project, we develop the first open source system that provides a trusted path from input and output peripherals to a hardware enclave with no reliance on additional hypervisor security assumptions. These components may be of independent interest and useful to future projects. We implement and evaluate Fidelius to measure its performance overhead, finding that Fidelius imposes acceptable overhead on page load and user interaction for secured pages and has no impact on pages and page components that do not use its enhanced security features

HasTEE: Programming Trusted Execution Environments with Haskell

Trusted Execution Environments (TEEs) are hardware-enforced memory isolation units, emerging as a pivotal security solution for security-critical applications. TEEs, like Intel SGX and ARM TrustZone, allow the isolation of confidential code and data within an untrusted host environment, such as the cloud and IoT. Despite strong security guarantees, TEE adoption has been hindered by an awkward programming model. This model requires manual application partitioning and the use of error-prone, memory-unsafe, and potentially information-leaking low-level C/C++ libraries. We address the above with \textit{HasTEE}, a domain-specific language (DSL) embedded in Haskell for programming TEE applications. HasTEE includes a port of the GHC runtime for the Intel-SGX TEE. HasTEE uses Haskell's type system to automatically partition an application and to enforce \textit{Information Flow Control} on confidential data. The DSL, being embedded in Haskell, allows for the usage of higher-order functions, monads, and a restricted set of I/O operations to write any standard Haskell application. Contrary to previous work, HasTEE is lightweight, simple, and is provided as a \emph{simple security library}; thus avoiding any GHC modifications. We show the applicability of HasTEE by implementing case studies on federated learning, an encrypted password wallet, and a differentially-private data clean room.Comment: To appear in Haskell Symposium 202

Demystifying COVID-19 digital contact tracing: A survey on frameworks and mobile apps

The coronavirus pandemic is a new reality and it severely affects the modus vivendi of the international community. In this context, governments are rushing to devise or embrace novel surveillance mechanisms and monitoring systems to fight the outbreak. The development of digital tracing apps, which among others are aimed at automatising and globalising the prompt alerting of individuals at risk in a privacy-preserving manner is a prominent example of this ongoing effort. Very promptly, a number of digital contact tracing architectures has been sprouted, followed by relevant app implementations adopted by governments worldwide. Bluetooth, and specifically its Low Energy (BLE) power-conserving variant has emerged as the most promising short-range wireless network technology to implement the contact tracing service. This work offers the first to our knowledge, full-fledged review of the most concrete contact tracing architectures proposed so far in a global scale. This endeavour does not only embrace the diverse types of architectures and systems, namely centralised, decentralised, or hybrid, but it equally addresses the client side, i.e., the apps that have been already deployed in Europe by each country. There is also a full-spectrum adversary model section, which does not only amalgamate the previous work in the topic, but also brings new insights and angles to contemplate upon.Comment: 34 pages, 3 figure

Améliorer la sécurité et la vie privée sur le Web à travers les empreintes de navigateur

I have been an associate professor in computer science at the University of Lille and a member of the Spirals project-team in the CRIStAL laboratory since September 2014. I obtained my PhD in Software Engineering in Grenoble in 2013, focusing on building robust self-adaptive component-based systems, and I completed a postdoctoral stay in the Inria DiverSE project-team, in Rennes, in the area of component-based software engineering. Since 2014, my research has mostly focused on (i) multi-cloud computing and (ii) security and privacy on the web. I have successfully co-advised two doctorates, Gustavo Sousa (defended July 2018) and Antoine Vastel (defended November 2019), and currently advise 3 students. I have decided to write my Habilitation pour Diriger des Recherches (HDR) in the area of privacy and security because this will be my main line of research activities for the near future. More specifically, I present the results of the research that my students, colleagues, collaborators, and I have done in the area of browser fingerprinting.Browser fingerprinting is the process of identifying devices by accessing a collection of relatively stable attributes through Web browsers. We call the generated identifiers browser fingerprints. Fingerprints are stateless identifiers and no information is stored on the client’s device. In the first half of this manuscript, we identify and study three properties of browser fingerprinting that make it both a risk to privacy, but also of use for security. The first property, uniqueness, is the power to uniquely identify a device. We performed a large scale study on fingerprint uniqueness and, although not a perfect identifier, we show its statistical qualities allow uniquely identifying a high percentage of both desktops and mobile devices [Laperdrix 2016]. The second property, linkability, is the capacity to re-identify, or link, fingerprints over time. This is arguably the main risk to privacy and enables fingerprint tracking. We show, through two algorithms, that some devices are highly trackable, while other devices’ fingerprints are too similar to be tracked over time [Vastel 2018b]. The third and final property is consistency, which refers to the capacity to verify the attributes in a fingerprint. Through redundancies, correlations or dependencies, many attributes are verifiable, making them more difficult to spoof convincingly. We show that most countermeasures to browser fingerprinting are identifiable through such inconsistencies [Vastel 2018a], a useful property for security applications.In the second half of this manuscript, we look at the same properties from a different angle. We create a solution that breaks fingerprint linkability by randomly generating usable browsing platforms that are unique and consistent [Laperdrix 2015]. We also propose an automated testing framework to provide feedback to the developers of browsers and browser extensions to assist them in reducing the uniqueness or their products [Vastel 2018c]. Finally, we look at how fingerprint consistency is exploited in-the-wild to protect websites against automated Web crawlers. We show that fingerprinting is effective and fast to block crawlers, but lacks resiliency when facing a determined adversary [Vastel 2020].Beyond the results I report in this manuscript, I draw perspectives for exploring browser fingerprinting for multi-factor authentication, with a planned large-scale deployment in the following months. I also believe there is potential in automated testing to improve privacy. And of course, we know that fingerprint tracking does not happen in a bubble, it is complementary to other techniques. I am therefore exploring other tracking techniques, such as our preliminary results around IP addresses [Mishra 2020] and caches [Mishra 2021], using ad blockers against their users, and a few other ideas to improve privacy and security on the Web.Les empreintes de navigateurs (en anglais browser fingerprinting) sont un mécanisme qui permet d’identifier les navigateurs Internet au travers de leurs caractéristiques et configurations uniques. Nous avons identifié trois propriétés des empreintes de navigateurs qui posent un risque pour la vie privée mais qui rendent possible des utilisations en sécurité. Ces propriétés sont l’unicité, qui permet de discriminer un navigateur parmi d’autres, la liaison d’empreintes, qui permet de suivre dans le temps un dispositif, et la cohérence, qui permet de vérifier une empreinte et rend difficile les contre-mesures. Dans la première moitié de ce manuscrit, nous explorons les qualités statistiques des empreintes de navigateurs, ainsi que la possibilité et l’efficacité de les tracer dans le temps, et nous concluons sur les propriétés statistiques imparfaites mais tout de même utiles de cet indicateur. Nous montrons également que les contre-mesures pour se protéger sont défaillantes et parfois même contre-productives.Dans la seconde partie de ce manuscrit, nous regardons les défenses et utilisations des empreintes de navigateur. Nous proposons un outil pour casser la liaison d’empreintes sans l’introduction d’incohérences, limitant ainsi le traçage. Nous avons également proposé un cadre de test automatisé pour réduire l’identifiabilité des navigateurs et de leurs extensions. Finalement, nous avons étudié comment l’analyse de cohérence des empreintes est utilisée sur le Web pour bloquer des robots, et nous concluons que cette technique est rapide mais manque encore de résilience, dont l’efficacité mériterait d’être améliorée contre des attaquants déterminés.Au-delà des résultats présentés dans ce manuscrit, je présente également des perspectives pour les recherches dans ce domaine particulièrement dynamique, avec notamment l’utilisation des empreintes de navigateur pour l’authentification multi-facteurs et l’utilisation des tests automatiques pour améliorer la vie privée des usagers. Nos résultats préliminaires sur l’utilisation d’adresses IP pour le traçage, les caches de navigateur, et les bloqueurs de publicité, méritent également d’être approfondis afin de continuer à renforcer la vie privée et la sécurité sur le Web

Systems Support for Trusted Execution Environments

Cloud computing has become a default choice for data processing by both large corporations and individuals due to its economy of scale and ease of system management. However, the question of trust and trustoworthy computing inside the Cloud environments has been long neglected in practice and further exacerbated by the proliferation of AI and its use for processing of sensitive user data. Attempts to implement the mechanisms for trustworthy computing in the cloud have previously remained theoretical due to lack of hardware primitives in the commodity CPUs, while a combination of Secure Boot, TPMs, and virtualization has seen only limited adoption. The situation has changed in 2016, when Intel introduced the Software Guard Extensions (SGX) and its enclaves to the x86 ISA CPUs: for the first time, it became possible to build trustworthy applications relying on a commonly available technology. However, Intel SGX posed challenges to the practitioners who discovered the limitations of this technology, from the limited support of legacy applications and integration of SGX enclaves into the existing system, to the performance bottlenecks on communication, startup, and memory utilization. In this thesis, our goal is enable trustworthy computing in the cloud by relying on the imperfect SGX promitives. To this end, we develop and evaluate solutions to issues stemming from limited systems support of Intel SGX: we investigate the mechanisms for runtime support of POSIX applications with SCONE, an efficient SGX runtime library developed with performance limitations of SGX in mind. We further develop this topic with FFQ, which is a concurrent queue for SCONE's asynchronous system call interface. ShieldBox is our study of interplay of kernel bypass and trusted execution technologies for NFV, which also tackles the problem of low-latency clocks inside enclave. The two last systems, Clemmys and T-Lease are built on a more recent SGXv2 ISA extension. In Clemmys, SGXv2 allows us to significantly reduce the startup time of SGX-enabled functions inside a Function-as-a-Service platform. Finally, in T-Lease we solve the problem of trusted time by introducing a trusted lease primitive for distributed systems. We perform evaluation of all of these systems and prove that they can be practically utilized in existing systems with minimal overhead, and can be combined with both legacy systems and other SGX-based solutions. In the course of the thesis, we enable trusted computing for individual applications, high-performance network functions, and distributed computing framework, making a <vision of trusted cloud computing a reality

Decentralized Authorization with Private Delegation

Authentication and authorization systems can be found in almost every software system, and consequently affects every aspect of our lives. Despite the variety in the software that relies on authorization, the authorization subsystem itself is almost universally architected following a common pattern with unfortunate characteristics.The first of these is that there usually exists a set of centralized servers that hosts the set of users and their permissions. This results in a number of security threats, such as permitting the operator of the authorization system to view or even change the permission data for all users. Secondly, these systems do not permit federation across administrative domains, as there is no safe choice of system operator: any operator would have visibility and control in all administrative domains, which is unacceptable. Thirdly, these systems do not offer transitive delegation: when a user grants permission to another user, the permissions of the recipient are not predicated upon the permissions of the granter. This makes it very difficult to reason about permissions as the complexity of the system grows, especially in the federation across domains case where no party can have absolute visibility into all permissions.Whilst several other systems, such as financial systems (e.g. blockchains) and communication systems (e.g. Signal / WhatsApp) have recently been reinvented to incorporate decentralization and privacy, there has been little attention paid to improving the authorization systems. This work aims to address that by asking the question ``How can we construct an authorization system that supports first-class transitive delegation across administrative domains without trusting a central authority or compromising on privacy?''We survey several models for authorization and find that Graph Based Authorization, where principals are vertices in a graph and delegation between principals are edges in the graph, is capable of capturing transitive delegation as a first class primitive, whilst also retaining compatibility with existing techniques such as Discretionary Access Control or Role Based Access Control. A proof of permission in the Graph Based Authorization model is represented by a path through the graph formed from the concatenation of individual edges. Whilst prior implementations of Graph Based Authorization do not meet the decentralization or privacy-preserving goals, we find that this is not intrinsic, and can be remedied by introducing two new techniques. The first is the construction of a global storage tier that cryptographically proves its integrity, and the second is an encryption technique that preserves the privacy of attestations in global storage.The horizontally-scalable storage tier is based on a new data structure, the Unequivocable Log Derived Map, which is composed of three Merkle trees. Consistency proofs over these trees allow a server to prove that objects exist or do not exist within storage, as well as proving that the storage is append-only (no previously inserted objects have been removed). Our scheme advances prior work in this field by permitting efficient auditing that scales with the number of additions to the storage rather than scaling with the total number of stored objects. By utilizing cryptographic proofs of integrity, we force storage servers to either behave honestly, or become detected as compromised. Thus, even though the architecture is centralized for availability and performance, it is does not introduce any central authorities.The design of the storage does not ensure the privacy of the permission data stored within it. We address this through the introduction of Reverse Discoverable Encryption. This technique uses the objects representing grants of permission as a key dissemination channel, thus operating without communication between participants. By using Wildcard Key Derivation Identity Based Encryption in a non-standard way (with no central Private Key Generator) we allow for permission objects to be encrypted using the authorization policy as a key. Thus, RDE permits the recipient of some permissions to decrypt other compatible permissions granted to the grantee that could be concatenated together to form a valid proof. RDE therefore protects the privacy of permission objects in storage whilst still permitting decryption of those objects by authorized parties.We construct an implementation of these techniques, named WAVE, and evaluate its performance. We find that WAVE has similar performance to the widely used OAuth system and performs better than the equally widely used LDAP system, despite offering significantly better security properties. We present an advancement to Graph Based Authorization which efficiently represents complex authorization proofs as a compact subgraph rather than a sequence of linear paths, and present a technique for efficient discovery of such proofs.To validate our techniques and ensure their efficacy in practice, we pose an additional question: ``How can we leverage WAVE to improve the security of IoT communications?'' We present a microservice architecture that abstracts the interfaces of IoT devices to permit a uniform security policy to be applied to heterogeneous devices of similar function. This is achieved by enforcing security policy at the communication bus and using hardware abstraction microservices to adapt the interfaces that devices expose on this communication bus. We construct and evaluate an instance of this communication bus, WAVEMQ and find that, with appropriate caching, its performance is comparable to that of prior publish/subscribe information busses. We discover that by enforcing WAVE's security model in the core of the network, we gain a resistance to denial of service attacks. This is particularly valuable in the IoT context where devices are typically resource constrained or connected by a bandwidth-limited link