SysTEX ’18- Proceedings of the 3rd Workshop on System Software for Trusted Execution
SESSION: Keynote Talk
In recent years, processor vendors have started offering trusted Execution Environments (TEEs), which provide semi-isolated areas for secure code execution. TEEs promise to protect the integrity and confidentiality of the computation executing within them even when the operating system is compromised. Prime among these is Intel’s Software Guard Extensions (SGX), which not only protects the execution of software running within it, but also provides infrastructure for secure attestation for remote parties. To provide its ambitions security guarantees, SGX must rely on the security of the underlying processor implementation, which is known to leak information through microarchitectural timing side channels. Acknowledging this limitation, Intel declared timing channels to be out-of-scope for the security model of SGX, raising the question of whether trusted execution can be supported on leaky hardware. In this talk we investigate the intricate interaction between Trusted Execution Environments and microarchitectural side channel attacks. Besides surveying published works in this area, we argue that the strong attack model in which TEEs typically operate significantly exacerbates the effectiveness of microarchitectural side channels. Finally, we conclude by presenting some live demonstrations and future research directions.
SESSION: Session 1
Internet-of-Things (IoTs) are becoming more and more popular in our life. IoT devices are generally designed for sensing or actuation purposes. However, the current sensing system on IoT devices lacks the understanding of sensing needs, which diminishes the sensing flexibility, isolation, and security when multiple sensing applications need to use sensor resources. In this work, we propose VirtSense, an ARM TrustZone based virtual sensing system, to provide each sensing application a virtual sensor instance, which further enables a safe, flexible and isolated sensing environment on the IoT devices. Our preliminary results show that VirtSense: 1) can provide virtual sensor instance for each sensing application so that the sensing needs of each application will be satisfied without affecting others; 2) is able to enforce access control policy even under an untrusted environment.
Rising concerns about mobile security have motivated the use of architectural features such as ARM TrustZone to protect sensitive applications from compromise by malicious applications or a compromised OS. However, many TEE OSes (which run in TrustZone) currently assume all applications in TrustZone are trusted, and thus do not provide strong isolation guarantees between them. The benefit of this is that TEE OSes can be simple, allowing them to provide a high-assurance trusted computing base (TCB). However, unlike how arbitrary third-party mobile applications can be installed onto a smartphone, the need for mutual trust among all applications running inside TrustZone prevents the installation of 3rd party applications on the TEE OS. In this paper, we identify the key properties that define application code that may wish to use TrustZone and show that a standard TEE OS can be extended to support multiple, mutually distrusting applications in TrustZone with less than a 3% increase in the TCB. We realize our ideas in Pearl-TEE, a novel TEE OS prototype we have implemented that can provide mechanisms specific to the needs of TrustZone applications, including isolation for execution, secure persistent storage, and support for network communication. We find that Pearl-TEE imposes less than 20% performance overhead on applications.
We present TEEshift, a tool suite that protects the confiden- tiality and integrity of code by shifting selected functions into TEEs. Our approach works entirely on binary-level and does not require the adaption of source code projects or build environments, nor does it require compiler-level patches. Programmers provide a list of ELF symbols pointing to the functions that should be protected. After post-processing an ELF binary with TEEshift, the selected functions are not present in cleartext anymore. Only after attesting to a re- mote party that the loading enclave behaves with integrity, the functions are decrypted, but remain inside the enclave protected against reverse engineering. An online connection is only required when a program starts for the first time on a PC. Afterwards, sealing is used to securely store the decryption key and bind it to the PC. By allowing program- mers to move selected function into TEEs, without patching their source code, we provide a convenient way to enable TEEs in existing projects while preserving the flexibility for a finegrained security and performance tradeoff. We evaluated our tool using a real world gaming application, confirming the practicability of our approach for existing projects. We overcome the limitation of the fragmented TEE landscape by building on top of Asylo, an open framework by Google for apps which aim to support different TEEs such as Intel SGX and AMD SEV using a unified API.
Modern Trusted Execution Environments (TEEs), such as Intel SGX, gain more and more popularity in the blockchain community and their adoption has already been started. Combining smart-contract execution with TEEs promises efficient solutions for protecting data privacy in distributed ledgers, as an alternative to much more costly cryptographic protocols. This paper describes practical challenges that arise from the combination of smart contracts with TEEs. In particular, we discuss existing solutions and their conceptional differences of on-chain and off-chain execution followed by technical challenges on attestation, key management, and non-deterministic execution.
SESSION: Session 2
Intel Software Guard Extensions (SGX) is an extension to x86 architecture that enables user-level code to create trusted memory regions, called enclaves. However, the security provided by enclaves is not free: one primary performance overhead is enclave switches, which are expensive and can be triggered frequently by cross-enclave function calls. Previous works propose a technique named Switchless Calls, which avoids enclave switches by using worker threads/cores to execute function calls asynchronously. But we find this technique is questionable in terms of efficiency: is it always wise to trade extra CPU cores for reduced enclave switches?
In this paper, we make Switchless Calls a practical technique by ensuring that it improves performance efficiently. To this end, we investigate on what conditions can Switchless Calls improve performance efficiently by establishing a performance model via both mathematical and simulation analysis. Then, we formulate the notion of worker efficiency and design an efficiency-based scheduling algorithm that can automatically adjust the number of workers in response to changing workloads. Guided by the insights obtained from our performance modeling and worker scheduling, we integrate Switchless Calls into Intel SGX SDK as an official feature. We evaluate the performance of our implementation in various benchmarks and the results demonstrate the practicality of Switchless Calls.
Due to increasing success of cloud computing offerings, the demand for sensitive data processing and security in the cloud has also increased. By incorporation of trusted execution technologies such as the broadly available Intel Software Guard Extensions (SGX), applications can be secured. However, software engineers need to align their development process with the capabilities and properties of such a technology, in order to correctly secure applications while achieving good performance. In this paper, we identify relevant aspects for partitioning applications and discuss two complementary designs optimising for performance or security respectively. Additionally, our contribution comprises a performance and security measurement, at the example of two established real-world applications, that we both partitioned according to the above two distinct design approaches. We consider this paper as a guideline for the partitioning process of mainly data-handling services for usage of trusted execution and as a collection of relevant characteristics during the development of applications with trusted execution environments.
This paper considers secure big data processing. With the architectural support, big data processing with compute accelerators can efficiently preserve privacy concern.
Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These devices are particularly susceptible to memory corruption vulnerabilities because the limited computational resources restrict the types of countermeasures that can be implemented. Run-time monitoring therefore is fundamental for the security of these devices. We propose a monitoring architecture for untrusted software at the I/O event granularity for TrustZone-enabled devices. The architecture enables us to measure the integrity of the code immediately before its execution is triggered by any input. To verify the integrity in a lightweight manner, we statically determine the minimal code region that needs to be measured based on the I/O operation. We develop a prototype of the architecture using TrustZone-M and demonstrate that our prototype has a low processing overhead and small ROM memory footprint.
Intel Software Guard Extensions (SGX) is a promising hardware-based technology for protecting sensitive computation from potentially compromised system software. However, recent research has shown that SGX is vulnerable to branch-shadowing — a side channel attack that leaks the fine-grained (branch granularity) control flow of an enclave (SGX protected code), potentially revealing sensitive data to the attacker. The previously-proposed defense mechanism, called Zigzagger, attempted to hide the control flow, but has been shown to be ineffective if the attacker can single-step through the enclave using the recent SGX-Step framework. Taking into account these stronger attacker capabilities, we propose a new defense against branch-shadowing, based on control flow randomization. Our scheme is inspired by Zigzagger, but provides quantifiable security guarantees with respect to a tunable security parameter. Specifically, we eliminate conditional branches and hide the targets of unconditional branches using a combination of compile-time modifications and run-time code randomization. We evaluated the performance of our approach using ten benchmarks from SGX-Nbench. Although we considered the worst-case scenario (whole program instrumentation), our results show that, on average, our approach results in less than 18% performance loss and less than 1.2 times code size increase.
Shielding systems such as AMD’s Secure Encrypted Virtualization aim to protect a virtual machine from a higher privileged entity such as the hypervisor. A cornerstone of these systems is the ability to protect the memory from unauthorized accesses. Despite this protection mechanism, previous attacks leveraged the control over memory resources to infer control flow of applications running in a shielded system.
While previous works focused on a specific target application, there has been no general analysis on how the control flow of a protected application can be inferred. This paper tries to overcome this gap by providing a detailed analysis on the detectability of control flow using memory access patterns. To that end, we do not focus on a specific shielding system or a specific target application, but present a framework which can be applied to different types of shielding systems as well as to different types of attackers. By training a random forest classifier on the memory accesses emitted by syscalls of a shielded entity, we show that it is possible to infer the control flow of shielded entities with a high degree of accuracy.