43 research outputs found
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
Software Grand Exposure: SGX Cache Attacks Are Practical
Side-channel information leakage is a known limitation of SGX. Researchers
have demonstrated that secret-dependent information can be extracted from
enclave execution through page-fault access patterns. Consequently, various
recent research efforts are actively seeking countermeasures to SGX
side-channel attacks. It is widely assumed that SGX may be vulnerable to other
side channels, such as cache access pattern monitoring, as well. However, prior
to our work, the practicality and the extent of such information leakage was
not studied.
In this paper we demonstrate that cache-based attacks are indeed a serious
threat to the confidentiality of SGX-protected programs. Our goal was to design
an attack that is hard to mitigate using known defenses, and therefore we mount
our attack without interrupting enclave execution. This approach has major
technical challenges, since the existing cache monitoring techniques experience
significant noise if the victim process is not interrupted. We designed and
implemented novel attack techniques to reduce this noise by leveraging the
capabilities of the privileged adversary. Our attacks are able to recover
confidential information from SGX enclaves, which we illustrate in two example
cases: extraction of an entire RSA-2048 key during RSA decryption, and
detection of specific human genome sequences during genomic indexing. We show
that our attacks are more effective than previous cache attacks and harder to
mitigate than previous SGX side-channel attacks
Control Behavior Integrity for Distributed Cyber-Physical Systems
Cyber-physical control systems, such as industrial control systems (ICS), are
increasingly targeted by cyberattacks. Such attacks can potentially cause
tremendous damage, affect critical infrastructure or even jeopardize human life
when the system does not behave as intended. Cyberattacks, however, are not new
and decades of security research have developed plenty of solutions to thwart
them. Unfortunately, many of these solutions cannot be easily applied to
safety-critical cyber-physical systems. Further, the attack surface of ICS is
quite different from what can be commonly assumed in classical IT systems.
We present Scadman, a system with the goal to preserve the Control Behavior
Integrity (CBI) of distributed cyber-physical systems. By observing the
system-wide behavior, the correctness of individual controllers in the system
can be verified. This allows Scadman to detect a wide range of attacks against
controllers, like programmable logic controller (PLCs), including malware
attacks, code-reuse and data-only attacks. We implemented and evaluated Scadman
based on a real-world water treatment testbed for research and training on ICS
security. Our results show that we can detect a wide range of
attacks--including attacks that have previously been undetectable by typical
state estimation techniques--while causing no false-positive warning for
nominal threshold values.Comment: 15 pages, 8 figure
Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
Intel Software Guard Extension (SGX) offers software applications enclave to
protect their confidentiality and integrity from malicious operating systems.
The SSL/TLS protocol, which is the de facto standard for protecting
transport-layer network communications, has been broadly deployed for a secure
communication channel. However, in this paper, we show that the marriage
between SGX and SSL may not be smooth sailing.
Particularly, we consider a category of side-channel attacks against SSL/TLS
implementations in secure enclaves, which we call the control-flow inference
attacks. In these attacks, the malicious operating system kernel may perform a
powerful man-in-the-kernel attack to collect execution traces of the enclave
programs at page, cacheline, or branch level, while positioning itself in the
middle of the two communicating parties. At the center of our work is a
differential analysis framework, dubbed Stacco, to dynamically analyze the
SSL/TLS implementations and detect vulnerabilities that can be exploited as
decryption oracles. Surprisingly, we found exploitable vulnerabilities in the
latest versions of all the SSL/TLS libraries we have examined.
To validate the detected vulnerabilities, we developed a man-in-the-kernel
adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL
library running in the SGX enclave (with the help of Graphene) and completely
broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only
57286 queries. We also conducted CBC padding oracle attacks against the latest
GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS
(i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it
only needs 48388 and 25717 queries, respectively, to break one block of AES
ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can
be completed within 1 or 2 hours.Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US
Code Renewability for Native Software Protection
Software protection aims at safeguarding assets embedded in software by preventing and delaying reverse engineering and tampering attacks. This paper presents an architecture and supporting tool flow to renew parts of native applications dynamically. Renewed and diversified code and data belonging to either the original application or to linked-in protections are delivered from a secure server to a client on demand. This results in frequent changes to the software components when they are under attack, thus making attacks harder. By supporting various forms of diversification and renewability, novel protection combinations become available, and existing combinations become stronger. The prototype implementation is evaluated on a number of industrial use cases
Enclave Computing Paradigm: Hardware-assisted Security Architectures & Applications
Hardware-assisted security solutions, and the isolation guarantees they provide, constitute the basis for the protection of modern software systems. Hardware-enforced isolation of individual components reduces complexity of the overall software as well as the size and complexity of the individual components. The basic idea is that a reduction in complexity minimizes the probability of vulnerabilities in the software, thus strengthening the system's security.
In classical system architectures, an application's security depends on the security of all privileged system entities, for example the Operating System. The Trusted Execution Environment (TEE) concept overcomes the dependence of security critical components on the systems overall security. TEEs provide isolated compartments within a single system, allowing isolated operation of a system's individual components and applications. The enclave computing paradigm enhances the TEE concept by enabling self-contained isolation of system components and applications, fulfilling the needs of modern software. It enables novel use cases by providing many parallel mutually isolated TEE-instances without the need to rely on complex privileged entities.
The TEE solutions developed by industry and deployed in today's systems follow distinct design approaches and come with various limitations. ARM TrustZone, which is widely available in mobile devices, is fundamentally limited to a single isolation domain. Intel's TEE solution Software Guard Extensions (SGX) provides multiple mutually isolated execution environments, called enclaves. However, SGX enclaves face severe threats, in particular side-channel leakage, that can void its security guarantees. Preventing side-channel leakage from enclaves in a universal and efficient way is a non-trivial problem. Nevertheless, these deployed TEE solutions enable various novel applications. However, different TEE architectures come with diverse properties and features that require special consideration in the design of TEE applications.
Security architectures for embedded systems face additional challenges that have not been solved, neither by industry nor by academic research. These security architectures need to be compliant with and need to preserve all functional requirements of an embedded system. Since network-connected embedded devices are increasingly used in safety critical systems, such as industrial control systems or automotive scenarios, security architectures that combine safety and security aspects are vitally needed.
Remote Attestation (RA) is a security service that relies on the isolation guarantees of TEEs. It is of particularly high relevance for connected embedded systems. It allows trust establishment between these devices enabling their reliable collaboration in large connected systems. However, many aspects of RA, such as its scalability in large networks or its applicability in autonomous connected systems, are unexplored.
In this dissertation, we present novel isolation architectures that bring the enclave computing paradigm to mobile and embedded platforms. We present the first security architecture for small embedded systems that provides isolated execution enclaves and real-time guarantees. Moreover, we present a novel multi-TEE security architecture for TrustZone-systems bringing the enclave computing paradigm to mobile systems, overcoming TrustZone's fundamental limitation.
Furthermore, we deal with Intel SGX's vulnerability to side-channel attacks. We demonstrate the severity of side-channel leakage due to observable memory access patterns of SGX enclaves. To counter side-channel attacks, we present solutions that hide memory access patterns of enclaves for both accesses to enclave-external memory as well as access patterns within enclaves' private memory.
We present two TEE-applications that follow different design approaches, leveraging the specific capabilities of Intel SGX and ARM TrustZone, respectively. We introduce a cloud-based machine learning solution that enables privacy-preserving speech recognition utilizing isolated execution enclaves. We also demonstrate the limitations of the enclave computing paradigm and show a (remote) policy enforcement solution for mobile devices, which requires an isolated execution environment with elevated privileges.
Additionally, we investigate novel RA schemes, which tackle many important aspects of RA that are highly relevant in emerging connected systems. We develop solutions to prevent the misuse of remote attestation for Denial-of-Service (DoS) attacks and present the first efficient multi-prover attestation scheme. Furthermore, we introduce the concept of data integrity attestation, which allows the efficient and reliable collaboration of autonomous connected devices
Swap and Play: Live Updating Hypervisors and Its Application to Xen
Hypervisors provide the means to run multiple isolated virtual machines on the same physical host. Typically, updating hypervisors requires a reboot of the host leading to disruption of services that is highly undesirable, particularly in cloud environments. Nevertheless, security updates have to be applied fast to reduce the risk of attacks, demanding a solution which eliminates the trade-off between availability and security risk. Live updating, in general, is highly challenging and has been investigated for decades. However, all solutions proposed so far require changes to the control flow of the software and/or cause performance degradation. Moreover, currently there are no solutions for live updating of hypervisors and all major products (e.g., Hyper-V, Xen, ESXi) require a reboot for updating.
In this paper, we present Swap and Play, the first live update mechanism for hypervisors. Our solution is easy to use, scalable and, in particular, deployable in cloud environments. Our approach leverages the hypervisor’s small memory footprint to swap the hypervisor on-the-fly without affecting the control flow of the (new) hypervisor, or disrupting the guests. In this context, we tackle several technically involved challenges, such as transferring the state of the running hypervisor, updating the configuration of one CPU while reinitializing the configuration of all other CPUs, and passing the control to the new hypervisor, all at run-time. We implemented our approach on the popular Xen hypervisor to show its efficiency and effectiveness