Embed Size (px)
Citation preview
Intel Software Guard Protections - Protecting Data In Use
Frank McKeen, Matthias Schunter
Intel Labs
October 28, 2016
Copyright © 2016 Intel Corporation. All rights reserved.
2
Legal Disclaimers
• The comments and statements are the presenter’s and not necessarily Intel’s
• Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com
• No computer system can be absolutely secure.
Is Software sufficient to protect Data Security?
“Crypto weakness in smart light-bulbs exposes Wi-Fi passwords” (July 2014)
IoT Botnet used for DDoS Attack on Dyn
October 2016
“IoT Cyber-attack by 100000 smart appliances” (Jan 2014)
Attack on California substation fuels Grid Security debate
(IEEE Spectrum, Feb 2014)
* Computer Technology Review, March 2015
“Smart Nest Thermostat: A Smart Spy in your Home”
Aug 2014
Hackers Remotely Kill a Jeep on the Highway — With Me in It ...
July 2015
App Malicious
App
Protecting Data in Use - The Basic Issue: Vulnerabilities in Privileged Code
Privileged Code
App
Protected Mode (rings) protects OS from apps …
… and apps from each other …
X
OK
X X
… UNTIL a malicious app exploits a flaw to gain full privileges and then tampers with the OS or other apps
Apps not protected from privileged code attacks
attack
4
Bad Code
Privileged Code
Info Bad Code
5
Outline
1. Introduction: Protecting Applications from Privileged Malware
2. Intel® Software Guard Extensions (Intel® SGX) – an Overview
3. Intel® SGX: Provisioning and Keeping Secrets
4. Conclusion and Open Questions – What has been achieved?
1. Introduction: Protecting Applications from Privileged Malware Attacks
6
7
A Trustworthy Place to Stand
SGX Goal: A stable and trusted execution environment:
• Not susceptible to Privileged Software manipulation
• Provides confidentiality and integrity to data and code
• Can prove that it resides on protected hardware
• Can provide the details of hardware revision level
• Fits into the current eco-system
• Manageable and scalable
8
Protecting Data in Use – What has been tried and works - sometimes....
Approach Example Limitations
Microkernel OS OS compromise; Legacy SW
Virtual Machine Monitors VMM Compromise and Trust
Hardware Security Modules Manageability; Scaling
Software Obfuscation Protection Level; Copying; Transparency
Desired Protections for Data in Use
9
Protection Description
Protection from firmware attack SMM, BIOS, Graphics card, etc
Protection from SW attacks OS, VMM, Drivers, etc.
Operator Access Operator can’t access restricted data
Administrator Access Admin can’t access restricted data
Replay Attacks Insert old data values in place of latest data value
Protection from translation changes Privileged code should not be able to change address mappings
Understand platform type
Prove to external party what protection a platform offers
Correct entry and exit points Only execute at allowed spots
Side Channels External observers can’t gleam data from timing, power, voltage, etc.
2. Intel® Software Guard Extensions (Intel® SGX) – an Overview
10
Application gains ability to defend its own secrets – Smallest attack surface (app + processor) – Malware that subverts OS/VMM, BIOS,
Drivers etc. cannot steal app secrets
Familiar development/debug – Single application environment – Build on existing ecosystem expertise
Familiar deployment model – Platform integration not a bottleneck to
deployment of trusted apps
Proxy Proxy Proxy
Hardware
VMM (Hypervisor)
OS
App App App
Scalable security within mainstream environment
Attack surface today Attack surface with Enclaves
X X
Reduced attack surface with Intel ® SGX
Attack Surface
11
Enclave Enclave
What is an Enclave?
Enclave: trusted execution environment embedded in a process
App Code
App Data
OS Enclave
Code
Enclave Data
• Own code and data
User Process
• Provides Confidentiality
• Provides integrity
• Controlled entry points
• Full access to app memory
• Supporting multiple threads
Enclave
12
TCS (*n) TCS (*n) TCS (*n)
SECS
How Intel ® SGX Works: Protection vs. Software Attack
Untrusted Part of App
Trusted Part of App
Create Enclave
Call Trusted Func.
Execute
Return
(etc.)
Application
Privileged System Code: OS, VMM, BIOS, SMM, …
Call Gate
1. App is built with trusted and untrusted parts
2. App runs & creates enclave which is placed in trusted memory
3. Trusted public function is called; code running inside enclave sees data in clear; external access to data is denied
4. Function returns; enclave data remains in trusted memory
SSN: 999-84-2611 m8U3bcV#zP49Q
13
Protection vs. Memory Snooping Attacks
• Security perimeter is the
CPU package boundary
• Data and code unencrypted
inside CPU package
• Data and code outside CPU
package is encrypted and/or
integrity checked
• External memory reads and
bus snoops see only
encrypted data
Cores
Jco3lks937weu0cwejpoi9987v80we Cache
System Memory
AMEX: 3234-
134584-
26864
CPU Package
Snoop
Snoop
14
Non-Enclave
Access
15
Intel® SGX Software Development
Windows DLL /
Enclave
App Code
Trusted Application
Processing
Component
Glue Code Glue Code SGX SDK
Libraries
SGX SDK
Libraries
SGX SDK Tools
Intel SGX enabled CPU
Architectural Enclaves Architectural Enclaves Architectural Enclaves
• Software Developer decides which components should execute within an enclave
• Development Environment allows the Developer to quickly develop enclave enabled binaries
• Including support for common software libraries, exporting interfaces, and support for provisioning
Processing
Component
3. Intel® Software Guard Extensions (Intel® SGX): Provisioning and Keeping Secrets
16
The Challenge – Provisioning and Storing Secrets of an Enclave
• An enclave is in the clear before instantiation
– Sections of code and data could be encrypted, but their decryption key can’t be pre-installed
• Secrets come from outside the enclave
– Keys, Passwords, Sensitive data
• The enclave must be able to convince a 3rd party that it’s trustworthy and can be provisioned with the secrets
• Subsequent runs should be able to use the secrets that have already been provisioned
17
Remote Platform
Application
Enclave
1. Start Enclave 2. Establish Trust 3. Load Secrets 4. Keep secrets
Critical Features: Attestation and Sealing
Remote Platform Application
Enclave Authenticated Channel
Intel
• App executes on local platform
• HW based Attestation provides remote platform assurance that “this is the right app executing in the right platform “ Remote platform can provision local platform with secrets
• App can seal secrets to platform for future use
18
Attestation – Software TCB
• When building an enclave, Intel® SGX generates a cryptographic log of all the build activities
– Content: Code, Data, Stack, Heap
– Location of each page within the enclave
– Security flags being used
• MRENCLAVE (“Enclave Identity”) is a 256-bit digest of the log
– Represents the enclave’s software TCB
• A software TCB verifier should:
– Securely obtain the enclave’s software TCB
– Securely obtain the expected enclave’s software TCB
– Compare the two values
19
Remote Attestation - Flow
Platform
QE
Encla
ve
Remote Platform
Verifying Application
REPORT
MAC MRENCLAVE
EPID
QUOTE
1. Verifying enclave becomes the Quoting Enclave.
2. After verifying the REPORT the, QE signs the REPORT with the EPID private key and converts it into a QUOTE
3. Remote platform verifies the QUOTE with the EPID public key and verifies MRENCLAVE against the expected value
23
Enhanced Privacy ID is the leadership identity solution
SGX Privacy - Intel® Enhanced Privacy ID (EPID)
PKI EPID
Pub-Key
Pvt-Key
Pvt-Key 1
Pub-Key
Pvt-Key 2 Pvt-Key 3
International Standard • ISO/IEC 20008/20009 & TCG • Privacy Preserving Anonymous
Attestation
EPID is a digital signature scheme with special properties •One Group public key corresponds to multiple private keys
•Each unique private key can be used to generate a signature.
•Signature can be verified using the group public key.
•No one can tell which private key signed (privacy property).
26 26 Intel Confidential – for distribution under NDA only
Mature Technology • Shipping since 2008 • Xeon, Core 2011 • Atom, 2014 → sub-Atom
• 2.4B Keys since 2008
4. Conclusion and Open Research
27
SGX Technical Summary
• Provides any application the ability to keep a secret
• Provide capability using new processor instructions
• Application can support multiple enclaves
• Provides integrity and confidentiality
• Applications run within OS environment
28
Intel ® SGX Coverage of Desired Protections
29
Protection Description
Protection from firmware attack SMM, BIOS, Graphics card, etc
Protection from SW attacks OS, VMM, Drivers, etc.
Operator Access Operator can’t access restricted data
Administrator Access Admin can’t access restricted data
Replay Attacks Insert old data values in place of latest data value
Protection from translation changes Privileged code should not be able to change address mappings
Understand platform type
Prove to external party what protection a platform offers
Correct entry and exit points Only execute at allowed spots
Side Channels Ongoing research and software mitigations
Vulnerabilities in the enclave code (e.g. heartbleed)
Only entry-point protection.
30
Open Research Questions
- Tooling & Automation
- Formal validation of enclave code
- Side channel protection
- Protection against run-time attacks
- Application Security Architectures using SGX
- SGX for protecting Transactions
- SGX for protecting content and secrets
- Case Studies and Implementation Experiences
- Feedback on limitations and benefits
- Feedback on usability problems
31
Some Links • SGX Resource Page: https://software.intel.com/en-us/sgx
• Intel’s Software Developers Manual Page (Programming Reference): http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html http://www.intel.com/software/isa
• SGX Researcher’s Mailing List – Registration Page http://lists.projecteer.org/listinfo.cgi/intel-sgx-research-projecteer.org
• HASP Workshop: https://sites.google.com/site/haspworkshop2013/workshop-program
• ISCA 2015 Tutorial Link: http://sgxisca.weebly.com/
Thank You!
32
Intel Labs is hiring!
