SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
Fengwei Zhang
Wayne State University, Detroit, Michigan, USA
Wayne State University CSC6991 1
Overview Of The Talk
• Introduction
• Hardware-assisted Isolated Execution Environments (HIEEs)
• Use Cases of HIEEs
• Attacks against HIEEs
• Discussions and Conclusions
Introduction
• Isolating code execution is one of the fundamental approaches for achieving security
• Isolated execution environments
  – Software-based: Virtual machines
    • A large trusted computing base (e.g., Xen has 532K SLOC)
    • Failure to deal with hypervisor or firmware rootkits
    • Suffering from system overhead
• Hardware-assisted isolated execution environments (HIEEs)
  – Isolated execution concept: Trusted execution environment (TEE)
  – Hardware-assisted technologies
    • Excluding the hypervisors from the TCB
    • Achieving a high level of privilege (i.e., hardware-level privilege)
    • Reducing performance overhead (e.g., context switches)
HIEEs
• A list of hardware-assisted isolated execution environments (HIEEs) that have been used for building security tools
  – System management mode (SMM) [24]
  – Intel management engine (ME) [36]
  – AMD platform security processor (PSP) [4]
  – Dynamic root of trust for measurements (DRTM) [52]
  – Intel software guard extension (SGX) [5, 23, 34]
  – ARM TrustZone technology [6]
HIEE: System Management Mode
• A CPU mode similar to Real and Protected modes available on the x86 architecture
• Initialized by the Basic Input/Output System (BIOS)
• Entering SMM by asserting the system management interrupt (SMI) pin
• System management RAM (SMRAM) that is inaccessible from the normal OS
[Figure: SMM as an isolated execution environment. Protected Mode (Normal OS) enters System Management Mode (SMI handler in isolated SMRAM; highest privilege; interrupts disabled) on SMM entry when software or hardware triggers an SMI; SMM exit returns via RSM.]
HIEE: Intel Management Engine
[Figure: Management Engine block diagram: ME processor, crypto engine, DMA engine, HECI engine, ROM, internal SRAM, interrupt controller, timer, and CLink I/O, all attached to an internal bus.]
Management Engine (ME) is a micro-computer embedded inside of all recent Intel processors; it is introduced as an embedded processor, and Intel AMT is the first application running in ME [36]
HIEE: AMD Embedded Processors
• AMD secure processor [4]
  – Also called platform security processor (PSP)
  – Embedded inside of the main AMD CPU to enable running third-party applications
  – Partnership with ARM TrustZone
• System management unit (SMU) [30]
  – An embedded processor at the Northbridge
  – The Northbridge has been integrated into the CPU
  – Responsible for a variety of system and power management tasks during boot and runtime
HIEE: Dynamic Root of Trust for Measurement
• TCG introduced DRTM, also called "late launch", in the TPM v1.2 specification in 2005 [51, 52]
• SRTM vs. DRTM
  – Static root of trust for measurement (SRTM) operates at boot time; DRTM allows the root of trust for measurement to be initialized at any point
• Intel and AMD implementations
  – Intel trusted execution technology (TXT) [25]
  – AMD secure virtual machine (SVM) [2]
  – Overhead for late launch: SENTER vs. SKINIT
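The SRTM/DRTM contrast above, as an added simulation that is not part of the slides or of any cited system: PCR extend is modelled as PCR_new = SHA-1(PCR_old || measurement), boot-time PCRs start at zeros, and the DRTM PCR is assumed to hold all-ones after power-on and to be reset to zeros by the late launch (SENTER/SKINIT); all component blobs are constructed sample data.

```python
"""Added example (not from the slides): SRTM vs. DRTM measurement chains.
Assumed TPM 1.2 semantics: 20-byte SHA-1 PCRs, extend = SHA-1(old || m),
boot PCRs start at zeros, DRTM PCR is all-ones at power-on and reset to
zeros by the late launch. All blobs below are constructed sample data."""
import hashlib

PCR_LEN = 20
PCR_ZERO = b"\x00" * PCR_LEN
PCR_ONES = b"\xff" * PCR_LEN   # assumed power-on value of the DRTM-resettable PCR

def measure(blob: bytes) -> bytes:
    return hashlib.sha1(blob).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One-way, order-dependent accumulation: nothing measured can be undone."""
    return hashlib.sha1(pcr + measurement).digest()

def srtm_chain(boot_components: list) -> bytes:
    """SRTM: every boot-time stage extends the same PCR, starting from reset."""
    pcr = PCR_ZERO
    for blob in boot_components:
        pcr = extend(pcr, measure(blob))
    return pcr

def drtm_launch(pcr_before: bytes, launched_env: bytes) -> bytes:
    """DRTM: the late launch resets the PCR in hardware, so pcr_before is
    discarded whatever software extended into it; only the launched
    environment is measured afterwards."""
    pcr = PCR_ZERO  # hardware reset at SENTER/SKINIT (assumed semantics)
    return extend(pcr, measure(launched_env))

def expected_drtm_value(launched_env: bytes) -> bytes:
    """A verifier's expectation for the DRTM PCR: it depends on the launched
    environment alone, not on the whole boot history."""
    return extend(PCR_ZERO, measure(launched_env))

GOOD_BOOT = [b"bios-v1", b"bootloader-v2", b"kernel-v5"]               # constructed
TAMPERED_BOOT = [b"bios-v1", b"bootloader-v2-patched", b"kernel-v5"]   # constructed
PAL = b"flicker-style-piece-of-application-logic"                      # constructed

def compare() -> dict:
    srtm_good, srtm_bad = srtm_chain(GOOD_BOOT), srtm_chain(TAMPERED_BOOT)
    # Software pre-seeded the DRTM PCR before launch; the reset makes it irrelevant
    pre_seeded = extend(PCR_ONES, measure(b"software-chosen-value"))
    return {"srtm_detects_boot_change": srtm_good != srtm_bad,
            "drtm_independent_of_boot": drtm_launch(srtm_bad, PAL) == drtm_launch(srtm_good, PAL),
            "drtm_pre_seed_ignored": drtm_launch(pre_seeded, PAL) == expected_drtm_value(PAL)}
```

The SRTM chain changes whenever any boot stage changes, so a verifier must replay the full event log; the DRTM value is the same on both boots, which is why a late-launched environment can be attested without trusting what ran before it.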
HIEE: Intel Software Guard Extension
• Three introduction papers [5, 34, 23] about SGX presented at HASP 2013
• SGX is a set of instructions and mechanisms for memory accesses added to Intel architecture processors
• Allowing a user-level application to instantiate a protected container, called an enclave
• Providing confidentiality and integrity even without trusting the BIOS, firmware, hypervisors, and OS
• OpenSGX [27]: An open-source platform that emulates Intel SGX at the instruction level by modifying QEMU
HIEE: ARM TrustZone
• ARM TrustZone technology is a hardware extension that creates a secure execution environment, available since ARMv6 [12]
• Two modes: Secure world and normal world
• Identified by the NS bit in the secure configuration register (SCR)
[Figure: TrustZone worlds. Normal World runs a Rich OS in the REE (normal world user mode; normal world privileged modes); Secure World runs a Secure OS in the TEE (secure world user mode; secure world privileged modes); Monitor mode switches between the two worlds.]
Use Cases of HIEEs
• System introspection
• Memory forensics
• Transparent malware analysis
• Executing sensitive workloads
• Rootkits and keyloggers
Use Case: System Introspection
• Running system introspection tools inside of HIEEs
  – Hypervisor/OS integrity checking
  – OS rootkit detection
  – Attack detection (e.g., heap spray and heap overflows)
• SMM-based
  – HyperCheck [65], HyperGuard [41], HyperSentry [8], IOCheck [64], and Spectre [62]
• TrustZone-based
  – SPROBES [22] and TZ-RKP [7]
• DRTM-based
  – Flicker [31]
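Two of the checks listed above (OS integrity checking and rootkit detection), as an added example that is not code from the paper or from any of the systems it cites: an introspection pass of the kind an SMM- or TrustZone-resident checker runs over a snapshot of normal-world memory, page-hashing kernel text against a golden table and flagging syscall-table entries that point outside kernel text. The kernel base address, the memory contents and the table entries are all constructed sample data.

```python
"""Added example (not from the paper or the cited systems): a minimal
out-of-OS introspection pass over a memory snapshot. Assumed layout:
a 3-page kernel text region at KTEXT_BASE; contents are constructed."""
import hashlib

PAGE = 0x1000
KTEXT_BASE = 0xFFFFFFFF81000000   # assumed kernel text base (sample value)
KTEXT_PAGES = 3

def clean_kernel_text() -> bytes:
    """Deterministic stand-in for a known-good kernel text region."""
    return bytes((i * 7 + 3) & 0xFF for i in range(KTEXT_PAGES * PAGE))

def hash_pages(region: bytes, base: int) -> dict:
    """Map each page address to the SHA-256 of that page's contents."""
    return {base + off: hashlib.sha256(region[off:off + PAGE]).hexdigest()
            for off in range(0, len(region), PAGE)}

def check_code_integrity(snapshot: bytes, base: int, golden: dict) -> list:
    """Addresses of pages whose hash differs from the golden table
    (a missing page counts as modified)."""
    current = hash_pages(snapshot, base)
    return sorted(a for a, h in golden.items() if current.get(a) != h)

def check_syscall_table(entries: list, text_start: int, text_end: int) -> list:
    """(index, target) pairs whose target lies outside [text_start, text_end);
    an entry redirected out of kernel text is the classic hooking signature."""
    return [(i, t) for i, t in enumerate(entries) if not text_start <= t < text_end]

def run_checks() -> dict:
    """Stand-alone demo: record golden hashes, then inspect a tampered snapshot."""
    golden = hash_pages(clean_kernel_text(), KTEXT_BASE)
    snapshot = bytearray(clean_kernel_text())
    snapshot[0x1234] ^= 0xFF              # constructed one-byte patch in page 1
    text_end = KTEXT_BASE + KTEXT_PAGES * PAGE
    table = [KTEXT_BASE + 0x10, KTEXT_BASE + 0x2000, 0xFFFFFFFFC0001000]  # last is outside text
    return {"modified_pages": check_code_integrity(bytes(snapshot), KTEXT_BASE, golden),
            "hooked_entries": check_syscall_table(table, KTEXT_BASE, text_end)}

if __name__ == "__main__":
    print(run_checks())
```

A real checker reads the snapshot through the HIEE's own view of physical memory rather than trusting OS-provided pointers, which is the property that lets it survive a ring-0 compromise.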
Use Case: Memory Forensics
• Using HIEEs to perform acquisition of the volatile memory of a target system, and then transmit the memory contents to a remote machine for analysis
• Examples of existing systems
  – SMMDump [35] implemented by using SMM
  – TrustDump [48] used ARM TrustZone
Use Case: Transparent Malware Analysis
• Malware uses anti-debugging, anti-virtualization, and anti-emulation techniques to evade traditional analysis using virtualization or emulation technology
• Analyzing malware using HIEEs so that advanced malware can be debugged on bare metal
• Exposing the real behavior of malware with anti-debugging, anti-VM, and anti-emulation techniques
• Examples of existing systems
  – MalT [61] using SMM
  – Other HIEEs like TrustZone and ME can be used for the same purpose
Use Case: Executing Sensitive Workloads
• Using HIEEs to run security-sensitive operations
• DRTM-based
  – Flicker [31], TrustVisor [32], and Bumpy [33]
• TrustZone-based
  – TrustICE [49] and TrustOTP [47]
• SMM-based
  – SICE [9] and TrustLogin [63]
• SGX-based
  – Haven [10] and VC3 [43]
Use Case: Rootkits and Keyloggers
• Though researchers have used HIEEs for implementing defensive tools, attackers can also use them for malicious purposes due to their high privilege and stealthiness
• SMM rootkits
  – PS/2 [20] and USB [42] keyloggers
  – NSA: DEITYBOUNCE for Dell and IRONCHEF for HP Proliant servers [1]
• ME rootkits
  – Ring-3 rootkits [46, 50]
• DRTM, SGX, and TrustZone rootkits
  – We haven't seen any publicly available examples, but attackers have the motivation to implement them due to their stealthiness
• HIEEs create ideal environments or infrastructures that attract attackers to implement super-powerful rootkits.
HIEE Attacks
• HIEE attacks: Bypassing the hardware protection mechanisms of HIEE isolation; not using HIEEs for malicious purposes
• SMM attacks
HIEE Attacks (cont'd)
• ME attacks
  – In 2009, Tereshkin and Wojtczuk [50] demonstrated that they can implement ring-3 rootkits in ME by injecting the malicious code into the Intel AMT
  – DAGGER [46] bypasses the ME isolation using a technique similar to [50]
• DRTM attacks
  – Wojtczuk and Rutkowska from Invisible Things Lab demonstrate several attacks [57, 56, 59] against Intel TXT
• TrustZone attacks
  – Di [44] found vulnerabilities that are able to execute arbitrary code in the secure world using a user-level application in the normal world on Huawei HiSilicon devices
HIEE Attacks (cont'd)
• SGX attacks
  – Cache timing attacks and software side-channel attacks, including ones using performance counters, from the study published by Costan and Devadas [15]
• Unclear if ME firmware is malicious
  – SGX for desktop environments needs to establish a secure channel between I/O devices (e.g., keyboard and video display) and an enclave to prevent sensitive data leakage [38, 27]
  – Protected Audio Video Path (PAVP) technology can securely display video frames and play audio to users; Identity Protection Technology (IPT) provides security features including Protected Transaction Display (e.g., entering a PIN by a user)
  – SGX needs Enhanced Privacy Identification (EPID) support for remote attestation [27]
  – PAVP, IPT, and EPID are realized by ME [36]
Challenges of Using HIEEs for Security
• Ensuring a trusted switching path
  – HIEE-based systems assume attackers have ring 0 privilege, so attackers can intercept the switching and create a fake one
  – Ad-hoc solutions using an external smartphone [33], keyboard LED lights [63], LED power lights [49]
  – Building a generic and user-friendly trusted path mechanism for HIEE-based systems is an open research problem
• Verifying the trustworthiness of hardware
  – HIEE-based systems depend on the trustworthiness of hardware
  – Assuming hardware features are bug-free (e.g., isolation is guaranteed)
  – Hardware vendors tend not to release implementation details
  – How to reliably evaluate the trustworthiness of these mysterious hardware security technologies (e.g., ME)
Conclusions
• Main contributions of this SoK paper are:
  – Presenting a thorough study of six HIEEs including SMM, Intel ME, AMD PSP, DRTM, Intel SGX, and ARM TrustZone
  – Exploring both the defensive and offensive use scenarios of HIEEs and describing them with the state-of-the-art systems
  – Discussing all attacks against the computing environment of each HIEE (e.g., bypassing the isolation) and some mitigations
References
The reference numbers in the slides are the ones shown in Section 8 of the paper.