628 research outputs found
Resilient Authenticated Execution of Critical Applications in Untrusted Environments
Abstract-Modern computer systems are built on a foundation of software components from a variety of vendors. While critical applications may undergo extensive testing and evaluation procedures, the heterogeneity of software sources threatens the integrity of the execution environment for these trusted programs. For instance, if an attacker can combine an application exploit with a privilege escalation vulnerability, the operating system (OS) can become corrupted. Alternatively, a malicious or faulty device driver running with kernel privileges could threaten the application. While the importance of ensuring application integrity has been studied in prior work, proposed solutions immediately terminate the application once corruption is detected. Although, this approach is sufficient for some cases, it is undesirable for many critical applications. In order to overcome this shortcoming, we have explored techniques for leveraging a trusted virtual machine monitor (VMM) to observe the application and potentially repair damage that occurs. In this paper, we describe our system design, which leverages efficient coding and authentication schemes, and we present the details of our prototype implementation to quantify the overhead of our approach. Our work shows that it is feasible to build a resilient execution environment, even in the presence of a corrupted OS kernel, with a reasonable amount of storage and performance overhead
The Lazarus Effect: Healing Compromised Devices in the Internet of Small Things
We live in a time when billions of IoT devices are being deployed and
increasingly relied upon. This makes ensuring their availability and
recoverability in case of a compromise a paramount goal. The large and rapidly
growing number of deployed IoT devices make manual recovery impractical,
especially if the devices are dispersed over a large area. Thus, there is a
need for a reliable and scalable remote recovery mechanism that works even
after attackers have taken full control over devices, possibly misusing them or
trying to render them useless.
To tackle this problem, we present Lazarus, a system that enables the remote
recovery of compromised IoT devices. With Lazarus, an IoT administrator can
remotely control the code running on IoT devices unconditionally and within a
guaranteed time bound. This makes recovery possible even in case of severe
corruption of the devices' software stack. We impose only minimal hardware
requirements, making Lazarus applicable even for low-end constrained
off-the-shelf IoT devices. We isolate Lazarus's minimal recovery trusted
computing base from untrusted software both in time and by using a trusted
execution environment. The temporal isolation prevents secrets from being
leaked through side-channels to untrusted software. Inside the trusted
execution environment, we place minimal functionality that constrains untrusted
software at runtime.
We implement Lazarus on an ARM Cortex-M33-based microcontroller in a full
setup with an IoT hub, device provisioning and secure update functionality. Our
prototype can recover compromised embedded OSs and bare-metal applications and
prevents attackers from bricking devices, for example, through flash wear out.
We show this at the example of FreeRTOS, which requires no modifications but
only a single additional task. Our evaluation shows negligible runtime
performance impact and moderate memory requirements.Comment: In Proceedings of the 15th ACM Asia Conference on Computer and
Communications Security (ASIA CCS 20
HardIDX: Practical and Secure Index with SGX
Software-based approaches for search over encrypted data are still either
challenged by lack of proper, low-leakage encryption or slow performance.
Existing hardware-based approaches do not scale well due to hardware
limitations and software designs that are not specifically tailored to the
hardware architecture, and are rarely well analyzed for their security (e.g.,
the impact of side channels). Additionally, existing hardware-based solutions
often have a large code footprint in the trusted environment susceptible to
software compromises. In this paper we present HardIDX: a hardware-based
approach, leveraging Intel's SGX, for search over encrypted data. It implements
only the security critical core, i.e., the search functionality, in the trusted
environment and resorts to untrusted software for the remainder. HardIDX is
deployable as a highly performant encrypted database index: it is logarithmic
in the size of the index and searches are performed within a few milliseconds
rather than seconds. We formally model and prove the security of our scheme
showing that its leakage is equivalent to the best known searchable encryption
schemes. Our implementation has a very small code and memory footprint yet
still scales to virtually unlimited search index sizes, i.e., size is limited
only by the general - non-secure - hardware resources
Privacy-preserving machine learning on Apache Spark
The adoption of third-party machine learning (ML) cloud services is highly dependent on the security guarantees and the performance penalty they incur on workloads for model training and inference. This paper explores security/performance trade-offs for the distributed Apache Spark framework and its ML library. Concretely, we build upon a key insight: in specific deployment settings, one can reveal carefully chosen non-sensitive operations (e.g. statistical calculations). This allows us to considerably improve the performance of privacy-preserving solutions without exposing the protocol to pervasive ML attacks. In more detail, we propose Soteria, a system for distributed privacy-preserving ML that leverages Trusted Execution Environments (e.g. Intel SGX) to run computations over sensitive information in isolated containers (enclaves). Unlike previous work, where all ML-related computation is performed at trusted enclaves, we introduce a hybrid scheme, combining computation done inside and outside these enclaves. The experimental evaluation validates that our approach reduces the runtime of ML algorithms by up to 41% when compared to previous related work. Our protocol is accompanied by a security proof and a discussion regarding resilience against a wide spectrum of ML attacks.This work was supported by FCT - Portuguese Foundation for Science and Technology through the Ph.D. grant DFA/BD/146528/2018 and realized within the scope of the project LA/P/0063/2020
Transparent code authentication at the processor level
The authors present a lightweight authentication mechanism that verifies the authenticity of code and thereby addresses the virus and malicious code problems at the hardware level eliminating the need for trusted extensions in the operating system. The technique proposed tightly integrates the authentication mechanism into the processor core. The authentication latency is hidden behind the memory access latency, thereby allowing seamless on-the-fly authentication of instructions. In addition, the proposed authentication method supports seamless encryption of code (and static data). Consequently, while providing the software users with assurance for authenticity of programs executing on their hardware, the proposed technique also protects the software manufacturers’ intellectual property through encryption. The performance analysis shows that, under mild assumptions, the presented technique introduces negligible overhead for even moderate cache sizes
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
EmLog:Tamper-Resistant System Logging for Constrained Devices with TEEs
Remote mobile and embedded devices are used to deliver increasingly impactful
services, such as medical rehabilitation and assistive technologies. Secure
system logging is beneficial in these scenarios to aid audit and forensic
investigations particularly if devices bring harm to end-users. Logs should be
tamper-resistant in storage, during execution, and when retrieved by a trusted
remote verifier. In recent years, Trusted Execution Environments (TEEs) have
emerged as the go-to root of trust on constrained devices for isolated
execution of sensitive applications. Existing TEE-based logging systems,
however, focus largely on protecting server-side logs and offer little
protection to constrained source devices. In this paper, we introduce EmLog --
a tamper-resistant logging system for constrained devices using the
GlobalPlatform TEE. EmLog provides protection against complex software
adversaries and offers several additional security properties over past
schemes. The system is evaluated across three log datasets using an
off-the-shelf ARM development board running an open-source,
GlobalPlatform-compliant TEE. On average, EmLog runs with low run-time memory
overhead (1MB heap and stack), 430--625 logs/second throughput, and five-times
persistent storage overhead versus unprotected logs.Comment: Accepted at the 11th IFIP International Conference on Information
Security Theory and Practice (WISTP '17
- …