Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials

Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting sensitive data in untrusted environments, and are now becoming available on commodity server platforms. Although the idea of protecting keys using a server-side TEE is straight-forward, in this paper we validate this approach and show that it enables new desirable functionality. We describe the design, implementation, and evaluation of a TEE-based Cloud Key Store (CKS), an online service for securely generating, storing, and using personal cryptographic keys. Using remote attestation, users receive strong assurance about the behaviour of the CKS, and can authenticate themselves using passwords while avoiding typical risks of password-based authentication like password theft or phishing. In addition, this design allows users to i) define policy-based access controls for keys; ii) delegate keys to other CKS users for a specified time and/or a limited number of uses; and iii) audit all key usages via a secure audit log. We have implemented a proof of concept CKS using Intel SGX and integrated this into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation performs approximately 6,000 signature operations per second on a single desktop PC. The latency is in the same order of magnitude as using locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on Security, Privacy, and Identity Management in the Cloud (SECPID) 201

Software Grand Exposure: SGX Cache Attacks Are Practical

Side-channel information leakage is a known limitation of SGX. Researchers have demonstrated that secret-dependent information can be extracted from enclave execution through page-fault access patterns. Consequently, various recent research efforts are actively seeking countermeasures to SGX side-channel attacks. It is widely assumed that SGX may be vulnerable to other side channels, such as cache access pattern monitoring, as well. However, prior to our work, the practicality and the extent of such information leakage was not studied. In this paper we demonstrate that cache-based attacks are indeed a serious threat to the confidentiality of SGX-protected programs. Our goal was to design an attack that is hard to mitigate using known defenses, and therefore we mount our attack without interrupting enclave execution. This approach has major technical challenges, since the existing cache monitoring techniques experience significant noise if the victim process is not interrupted. We designed and implemented novel attack techniques to reduce this noise by leveraging the capabilities of the privileged adversary. Our attacks are able to recover confidential information from SGX enclaves, which we illustrate in two example cases: extraction of an entire RSA-2048 key during RSA decryption, and detection of specific human genome sequences during genomic indexing. We show that our attacks are more effective than previous cache attacks and harder to mitigate than previous SGX side-channel attacks

Control Behavior Integrity for Distributed Cyber-Physical Systems

Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems. We present Scadman, a system with the goal to preserve the Control Behavior Integrity (CBI) of distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers in the system can be verified. This allows Scadman to detect a wide range of attacks against controllers, like programmable logic controller (PLCs), including malware attacks, code-reuse and data-only attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for research and training on ICS security. Our results show that we can detect a wide range of attacks--including attacks that have previously been undetectable by typical state estimation techniques--while causing no false-positive warning for nominal threshold values.Comment: 15 pages, 8 figure

Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves

Intel Software Guard Extension (SGX) offers software applications enclave to protect their confidentiality and integrity from malicious operating systems. The SSL/TLS protocol, which is the de facto standard for protecting transport-layer network communications, has been broadly deployed for a secure communication channel. However, in this paper, we show that the marriage between SGX and SSL may not be smooth sailing. Particularly, we consider a category of side-channel attacks against SSL/TLS implementations in secure enclaves, which we call the control-flow inference attacks. In these attacks, the malicious operating system kernel may perform a powerful man-in-the-kernel attack to collect execution traces of the enclave programs at page, cacheline, or branch level, while positioning itself in the middle of the two communicating parties. At the center of our work is a differential analysis framework, dubbed Stacco, to dynamically analyze the SSL/TLS implementations and detect vulnerabilities that can be exploited as decryption oracles. Surprisingly, we found exploitable vulnerabilities in the latest versions of all the SSL/TLS libraries we have examined. To validate the detected vulnerabilities, we developed a man-in-the-kernel adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL library running in the SGX enclave (with the help of Graphene) and completely broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only 57286 queries. We also conducted CBC padding oracle attacks against the latest GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS (i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it only needs 48388 and 25717 queries, respectively, to break one block of AES ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can be completed within 1 or 2 hours.Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US

Code Renewability for Native Software Protection

Software protection aims at safeguarding assets embedded in software by preventing and delaying reverse engineering and tampering attacks. This paper presents an architecture and supporting tool flow to renew parts of native applications dynamically. Renewed and diversified code and data belonging to either the original application or to linked-in protections are delivered from a secure server to a client on demand. This results in frequent changes to the software components when they are under attack, thus making attacks harder. By supporting various forms of diversification and renewability, novel protection combinations become available, and existing combinations become stronger. The prototype implementation is evaluated on a number of industrial use cases

Enclave Computing Paradigm: Hardware-assisted Security Architectures & Applications

Hardware-assisted security solutions, and the isolation guarantees they provide, constitute the basis for the protection of modern software systems. Hardware-enforced isolation of individual components reduces complexity of the overall software as well as the size and complexity of the individual components. The basic idea is that a reduction in complexity minimizes the probability of vulnerabilities in the software, thus strengthening the system's security. In classical system architectures, an application's security depends on the security of all privileged system entities, for example the Operating System. The Trusted Execution Environment (TEE) concept overcomes the dependence of security critical components on the systems overall security. TEEs provide isolated compartments within a single system, allowing isolated operation of a system's individual components and applications. The enclave computing paradigm enhances the TEE concept by enabling self-contained isolation of system components and applications, fulfilling the needs of modern software. It enables novel use cases by providing many parallel mutually isolated TEE-instances without the need to rely on complex privileged entities. The TEE solutions developed by industry and deployed in today's systems follow distinct design approaches and come with various limitations. ARM TrustZone, which is widely available in mobile devices, is fundamentally limited to a single isolation domain. Intel's TEE solution Software Guard Extensions (SGX) provides multiple mutually isolated execution environments, called enclaves. However, SGX enclaves face severe threats, in particular side-channel leakage, that can void its security guarantees. Preventing side-channel leakage from enclaves in a universal and efficient way is a non-trivial problem. Nevertheless, these deployed TEE solutions enable various novel applications. However, different TEE architectures come with diverse properties and features that require special consideration in the design of TEE applications. Security architectures for embedded systems face additional challenges that have not been solved, neither by industry nor by academic research. These security architectures need to be compliant with and need to preserve all functional requirements of an embedded system. Since network-connected embedded devices are increasingly used in safety critical systems, such as industrial control systems or automotive scenarios, security architectures that combine safety and security aspects are vitally needed. Remote Attestation (RA) is a security service that relies on the isolation guarantees of TEEs. It is of particularly high relevance for connected embedded systems. It allows trust establishment between these devices enabling their reliable collaboration in large connected systems. However, many aspects of RA, such as its scalability in large networks or its applicability in autonomous connected systems, are unexplored. In this dissertation, we present novel isolation architectures that bring the enclave computing paradigm to mobile and embedded platforms. We present the first security architecture for small embedded systems that provides isolated execution enclaves and real-time guarantees. Moreover, we present a novel multi-TEE security architecture for TrustZone-systems bringing the enclave computing paradigm to mobile systems, overcoming TrustZone's fundamental limitation. Furthermore, we deal with Intel SGX's vulnerability to side-channel attacks. We demonstrate the severity of side-channel leakage due to observable memory access patterns of SGX enclaves. To counter side-channel attacks, we present solutions that hide memory access patterns of enclaves for both accesses to enclave-external memory as well as access patterns within enclaves' private memory. We present two TEE-applications that follow different design approaches, leveraging the specific capabilities of Intel SGX and ARM TrustZone, respectively. We introduce a cloud-based machine learning solution that enables privacy-preserving speech recognition utilizing isolated execution enclaves. We also demonstrate the limitations of the enclave computing paradigm and show a (remote) policy enforcement solution for mobile devices, which requires an isolated execution environment with elevated privileges. Additionally, we investigate novel RA schemes, which tackle many important aspects of RA that are highly relevant in emerging connected systems. We develop solutions to prevent the misuse of remote attestation for Denial-of-Service (DoS) attacks and present the first efficient multi-prover attestation scheme. Furthermore, we introduce the concept of data integrity attestation, which allows the efficient and reliable collaboration of autonomous connected devices

Swap and Play: Live Updating Hypervisors and Its Application to Xen

Hypervisors provide the means to run multiple isolated virtual machines on the same physical host. Typically, updating hypervisors requires a reboot of the host leading to disruption of services that is highly undesirable, particularly in cloud environments. Nevertheless, security updates have to be applied fast to reduce the risk of attacks, demanding a solution which eliminates the trade-off between availability and security risk. Live updating, in general, is highly challenging and has been investigated for decades. However, all solutions proposed so far require changes to the control flow of the software and/or cause performance degradation. Moreover, currently there are no solutions for live updating of hypervisors and all major products (e.g., Hyper-V, Xen, ESXi) require a reboot for updating. In this paper, we present Swap and Play, the first live update mechanism for hypervisors. Our solution is easy to use, scalable and, in particular, deployable in cloud environments. Our approach leverages the hypervisor’s small memory footprint to swap the hypervisor on-the-fly without affecting the control flow of the (new) hypervisor, or disrupting the guests. In this context, we tackle several technically involved challenges, such as transferring the state of the running hypervisor, updating the configuration of one CPU while reinitializing the configuration of all other CPUs, and passing the control to the new hypervisor, all at run-time. We implemented our approach on the popular Xen hypervisor to show its efficiency and effectiveness