Embed Size (px)
Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, Emmanuel Stapf Technische Universität Darmstadt
Sanctuary: ARMing TrustZonewith User-space Enclaves
Research Problem
How can we construct an ecosystem of mutually distrusted enclaves on mobile
devices?
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
• OS large attack surface
• Insufficient sensitive app protection
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
ARM TrustZone
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
ARM TrustZone
Normal World Secure World
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
ARM TrustZone
Normal World Secure World
App App
OS
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
ARM TrustZone
Normal World Secure World
App App
OS Trusted OS
Sensitive App
Sensitive App
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
Commodity OS
App
Operating System
AppSensitive
App
ARM TrustZone
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
• OS large attack surface
• Insufficient sensitive app protection
App
Operating System
SensitiveApp
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
Sensitive App
Sensitive App
Trusted OS
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
SanctuaryMultiple Security Domains
EL0
EL1
EL3
Normal World Secure World
Trusted Firmware
App
OS
VendorCode
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
Sensitive App
Sensitive App
Trusted OS
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
SanctuaryMultiple Security Domains
EL0
EL1
EL3
Normal World Secure World
Trusted Firmware
App
OS
VendorCode
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
Sensitive App
Sensitive App
Trusted OS
Sensitive App
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
SanctuaryMultiple Security Domains
EL0
EL1
EL3
Normal World Secure World
Trusted Firmware
App
OS
VendorCode
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
• Sensitive apps can remain untrusted
• Make TrustZone protection available to third parties
Sensitive App
Sensitive App
Trusted OS
Sensitive App
Trusted Untrusted Compromised
ARM TrustZoneThe Solution?
Normal World Secure World
Trusted Firmware
App App
OS Trusted OS
Sensitive App
Sensitive App
SanctuaryMultiple Security Domains
EL0
EL1
EL3
Normal World Secure World
Trusted Firmware
App
OS
VendorCode
Sensitive App
Sensitive App
• Trusted OS still large attack surface
• High costs to protect apps with TrustZone
• Main problem: Single security domain
• Sensitive apps can remain untrusted
• Make TrustZone protection available to third parties
Sensitive App
Sensitive App
Trusted OS
Sensitive App
Challenges
• No new hardware components• No replacement of existing code bases (e.g. Trusted OS)• Only minor impact on commodity OS
Adversary Model
• Adversary can
• compromise normal-world software at all privilege levels
• run malicious sensitive apps
• Adversary cannot
• compromise TrustZone (trust anchor)
• perform physical attacks
Related Work
Existing Research Proposals
Normal World Secure World
Software ApproachesUtilizing TrustZone
AppApp
App
Sensitive App
Existing Research Proposals
Normal World Secure World
Software ApproachesUtilizing TrustZone
among others,
[Ferraiuolo et al., SOSP 2017]
[Sun et al., DSN 2015]
Improve isolation of sensitive apps without add. HW features
AppApp
App
Sensitive App
Existing Research Proposals
Normal World Secure World
Software ApproachesUtilizing TrustZone
among others,
[Ferraiuolo et al., SOSP 2017]
[Sun et al., DSN 2015]
among others,
[Hua et al., USENIX 2017]
[Cho et al., USENIX 2016]
Improve isolation of sensitive apps without add. HW features
Use virtualization to protect sensitive apps.Use TrustZone as trust anchor
AppApp
App
Sensitive App
Hypervisor
Hypervisor-based IsolationUtilizing TrustZone
AppApp
App
Sensitive App
Existing Research Proposals
Normal World Secure World
Software ApproachesUtilizing TrustZone
Cache
Memory
Architectural Modifications
among others,
[Ferraiuolo et al., SOSP 2017]
[Sun et al., DSN 2015]
among others,
[Hua et al., USENIX 2017]
[Cho et al., USENIX 2016]
among others,
[Costan et al., USENIX 2016]
[Evtyushkin et al., MICRO 2014]
Improve isolation of sensitive apps without add. HW features
Use virtualization to protect sensitive apps.Use TrustZone as trust anchor
Overcome TrustZone’sshortcomings with own HW
AppApp
App
Sensitive App
Hypervisor
Hypervisor-based IsolationUtilizing TrustZone
AppApp
App
Sensitive App
App Sensitive App
Existing Research Proposals - Problems
Replaces existing code base Hypervisor blocked New hardware design
Normal World Secure World
Software ApproachesUtilizing TrustZone
Cache
Memory
Architectural Modifications
AppApp
App
Sensitive App
App Sensitive App
Hypervisor
Hypervisor-based IsolationUtilizing TrustZone
AppApp
App
Sensitive App
Existing Research Proposals - Problems
Replaces existing code base Hypervisor blocked New hardware design
Slows down commodity OS
Additional HW for DMA access control
No support for multi-core environments
OS needs to be suspended
Additional TCB component
Normal World Secure World
Software ApproachesUtilizing TrustZone
Cache
Memory
Architectural Modifications
AppApp
App
Sensitive App
App Sensitive App
Hypervisor
Hypervisor-based IsolationUtilizing TrustZone
AppApp
App
Sensitive App
Low adoption by industry
High deployment costs
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SW
AppApp
App
Security Primitives
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SW
AppApp
App
Security Primitives
Secure world forms our trust anchor
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SW
AppApp
App
Security Primitives
Contains security primitives provided by
the device vendor
Secure world forms our trust anchor
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SW
AppApp
App
Security Primitives
Core B
NW SW
SecurityPrimitives
Core C
NW SW
Security Primitives
Every core can access same security
primitives
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SWNW SW Sanctuary I (Core B)
AppApp
App
Security Primitives
Core B
NW SW
SecurityPrimitives
Core C
NW SW
Security Primitives
Isolate core using TrustZone features
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SWNW SW Sanctuary I (Core B)
AppApp
App
Security Primitives
Core B
NW SW
SecurityPrimitives
Core C
NW SW
Security Primitives
Sensitive App I
Isolate core using TrustZone features
Sanctuary provides Multi-Domain Isolation
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SWNW SW Sanctuary I (Core B)NW SW Sanctuary I (Core B) Sanctuary II (Core C)
AppApp
App
Security Primitives
Core B
NW SW
SecurityPrimitives
Core C
NW SW
Security Primitives
Sensitive App I
Sensitive App II
Sanctuary provides Multi-Domain Isolation
• Only using TrustZone features.No new HW design
• Vendor can keep existing code in SW
• No heavy influence on commodity OS
NW SW
Memory
Core A
NW = Normal WorldSW = Secure World
NW SWNW SW Sanctuary I (Core B)NW SW Sanctuary I (Core B) Sanctuary II (Core C)
AppApp
App
Security Primitives
Core B
NW SW
SecurityPrimitives
Core C
NW SW
Security Primitives
Sensitive App I
Sensitive App II
Challenges revisited
Technical Details of Sanctuary
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM
Normal World Secure World
NM SM
Memory Controller
Soft
war
eCore A Core B
SM = Secure Mode
NM = Normal Mode
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM
Normal World Secure World
NM SM
NS = 0/1NS = 0/1
Memory Controller
NS = Non-Secure
Soft
war
eCore A Core B
SM = Secure Mode
NM = Normal Mode
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM
Normal World Secure World
NM SM
NS = 0/1NS = 0/1
Memory Controller
NS = Non-Secure
Soft
war
eSW
OS
NW
Trusted Firmware
App
TOS
SA
SW
OS
NW
Trusted Firmware
App
TOS
SA
Core A Core B
SM = Secure Mode
NM = Normal Mode
TOS = Trusted OS
SA = Sensitive App
SW = Secure World
NW = Normal World
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM
Normal World Secure World
NM SM
NS = 0/1NS = 0/1 NSAID = BNSAID = A
Memory Controller
NS = Non-Secure
NSAID = Non-Secure Access ID
Soft
war
eSW
OS
NW
Trusted Firmware
App
TOS
SA
SW
OS
NW
Trusted Firmware
App
TOS
SA
Core A Core B
SM = Secure Mode
NM = Normal Mode
TOS = Trusted OS
SA = Sensitive App
SW = Secure World
NW = Normal World
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM NM SM
NS = 0/1NS = 0/1 NSAID = BNSAID = A
Memory Controller
NW – Core A NW – Core B Secure World
NS = Non-Secure
NSAID = Non-Secure Access ID
Soft
war
eSW
OS
NW
Trusted Firmware
App
TOS
SA
SW
OS
NW
Trusted Firmware
App
TOS
SA
Core A Core B
SM = Secure Mode
NM = Normal Mode
TOS = Trusted OS
SA = Sensitive App
SW = Secure World
NW = Normal World
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM NM SM
NS = 0/1NS = 0/1 NSAID = BNSAID = A
Memory Controller
NW – Core A NW – Core B Secure World
NS = Non-Secure
NSAID = Non-Secure Access ID
Soft
war
eSW
OS
NW
Trusted Firmware
App
SW
OS
NW
Trusted Firmware
App
Core A Core B
SM = Secure Mode
NM = Normal Mode
TOS = Trusted OS
SA = Sensitive App
SW = Secure World
NW = Normal World
Going Beyond TrustZone …
Har
dw
are
RAM
NM SM NM SM
NS = 0/1NS = 0/1 NSAID = BNSAID = A
Memory Controller
NW – Core A NW – Core B Secure World
NS = Non-Secure
NSAID = Non-Secure Access ID
Soft
war
eSW
OS
NW
Trusted Firmware
App
SW
OS
NW
Trusted Firmware
App
Core A Core B
SM = Secure Mode
NM = Normal Mode
TOS = Trusted OS
SA = Sensitive App
SW = Secure World
NW = Normal World
SPSP = Security Primitives
SP
OS
Trusted Firmware
App
OS
Trusted Firmware
App
Sanctuary (Core C)
NM SM NM SM
Memory Controller
NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A
Normal World Sanctuary Secure World
Soft
war
eCore A
NW SWNW SW
Core BH
ard
war
e
Going Beyond TrustZone …
RAM
SP SP
NM SM
OS
Trusted Firmware
App
OS
Trusted Firmware
App
Sanctuary (Core C)
NM SM NM SM
Memory Controller
NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A
Normal World Sanctuary Secure World
Soft
war
eCore A
NW SWNW SW
Core BH
ard
war
e
Going Beyond TrustZone …
RAM
SP SP
Trusted Firmware
NW
Sanct. Library
Sensitive App
SW
SP
NM SM
OS
Trusted Firmware
App
OS
Trusted Firmware
App
Sanctuary (Core C)
NM SM NM SM
Memory Controller
NS = 0/1 NSAID = CNS = 0/1 NSAID = BNS = 0/1 NSAID = A
Normal World Sanctuary Secure World
Soft
war
eCore A
NW SWNW SW
Core BH
ard
war
e
Going Beyond TrustZone …
RAM
SP SP
Trusted Firmware
NW
Sanct. Library
Sensitive App
SW
SP
NM SM
Provides mgmt. functionalities. Not part of system TCB
Evaluation of Sanctuary PoC
Security Considerations
✔ Protection from compromised OSbefore, after and during runtime of sensitive app
✔ Protection from malicious sensitive appsensitive app isolated from OS and other sensitive apps
✔ Protection from cache-side channel attacksflush exclusive caches, exclude sensitive apps from shared caches
Performance Evaluation
Performance Evaluation
Sanctuary Life Cycle
Performance Evaluation
Sanctuary Life Cycle
OSExecution
Performance Evaluation
Sanctuary Life Cycle
OSExecution
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
SanctuarySetup
OSExecution
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
OSExecution
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
OSExecution
OS still runs in parallel on other cores
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
SanctuaryTeardown
OSExecution
OS still runs in parallel on other cores
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
SanctuaryTeardown
OSExecution
OSExecution
OS still runs in parallel on other cores
Sensitive app execution triggered
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
SanctuaryTeardown
OSExecution
OSExecution
OS still runs in parallel on other cores
Sensitive app execution triggered
Return core to OS
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
SanctuaryTeardown
OSExecution
OSExecution
OS still runs in parallel on other cores
Sensitive app execution triggered
440 msw/o
shared cache
110 msw/o
shared cache
Return core to OS
Performance Evaluation
Sanctuary Life Cycle
Sensitive App Execution
SanctuarySetup
SanctuaryTeardown
OSExecution
OSExecution
Sensitive app execution triggered
Return core to OS
Provision OTP Key:1.2 s (w/o shared cache)
Display OTP:600 ms (w/o shared cache)
Trusted Firmware
Normal World
Sanctuary Library
Sensitive App
SecureWorld
SecurityPrimitives
Code Modifications
Trusted Firmware
Normal World
Sanctuary Library
Sensitive App
SecureWorld
SecurityPrimitives
Reused OP-TEEModified 530 LOC
Code Modifications
Trusted Firmware
Normal World
Sanctuary Library
Sensitive App
SecureWorld
SecurityPrimitives
Reused OP-TEEModified 530 LOC
Reused ARM-TFmodified 92 LOC
Code Modifications
Trusted Firmware
Normal World
Sanctuary Library
Sensitive App
SecureWorld
SecurityPrimitives
Reused OP-TEEModified 530 LOC
Reused ARM-TFmodified 92 LOC
Used Zircon micro kernel
modified 211 LOC
Code Modifications
Conclusion
• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices
Conclusion
• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices
✔ Sanctuary does not introduce new HW designs
Conclusion
• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices
✔ Sanctuary does not introduce new HW designs
✔ Sanctuary does not replace existing code bases
Conclusion
• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices
✔ Sanctuary does not introduce new HW designs
✔ Sanctuary does not replace existing code bases
✔ Sanctuary does not impact the commodity OS heavily
Conclusion
• Sanctuary provides an ecosystem of mutually distrusted enclaves on ARM devices
✔ Sanctuary does not introduce new HW designs
✔ Sanctuary does not replace existing code bases
✔ Sanctuary does not impact the commodity OS heavily
• Current Work
➢ Implement further use cases (IP protection of ML algorithms, digital car key)
➢ Sanctuary for RISC-V
