about imec distrinet enclave research
play

About imec-DistriNet enclave research - PowerPoint PPT Presentation

Aug 15, 2022 •174 likes •925 views

About imec-DistriNet enclave research https://distrinet.cs.kuleuven.be/ Trusted computing across the system stack: hardware, compiler, OS, application Integrated attack-defense perspective and open-source prototypes SGX-Step framework Sancus

  2. About imec-DistriNet enclave research https://distrinet.cs.kuleuven.be/ Trusted computing across the system stack: hardware, compiler, OS, application Integrated attack-defense perspective and open-source prototypes SGX-Step framework Sancus enclave processor CPU vulnerability research [VBMW + 18, SLM + 19, MOG + 20] [NVBM + 17] [VBPS17] 1 / 23

  4. Outline: How to besiege a fortress? Idea: security is weakest at the input/output interface(!) 2 / 23

  5. Outline: How to besiege a TEE enclave? OpenEnclave SGX-SDK Rust-EDP Graphene SGX-LKL Keystone Runtime Sancus Asylo Vulnerability #1 Entry status flags sanitization ⋆ ⋆ � � � � � � � � Tier1 #2 Entry stack pointer restore ⋆ ⋆ � � � � � � (ABI) #3 Exit register leakage ⋆ � � � � � � � #4 Missing pointer range check ⋆ ⋆ ⋆ ⋆ � � � � � ⋆ #5 Null-terminated string handling � � � � � � #6 Integer overflow in range check � � � � � � � � Tier2 #7 Incorrect pointer range check � � � � � � � � (API) #8 Double fetch untrusted pointer � � � � � � � � ⋆ ⋆ ⋆ ⋆ #9 Ocall return value not checked � � � � #10 Uninitialized padding leakage [LK17] ⋆ ⋆ ⋆ � � � � Summary: > 35 enclave interface sanitization vulnerabilities across 8 projects 2 / 23

  6. Outline: How to besiege a TEE enclave? OpenEnclave SGX-SDK Rust-EDP Graphene SGX-LKL Keystone Runtime Sancus Asylo Vulnerability #1 Entry status flags sanitization ⋆ ⋆ � � � � � � � � Tier1 #2 Entry stack pointer restore ⋆ ⋆ � � � � � � (ABI) #3 Exit register leakage ⋆ � � � � � � � #4 Missing pointer range check ⋆ ⋆ ⋆ ⋆ � � � � � ⋆ #5 Null-terminated string handling � � � � � � #6 Integer overflow in range check � � � � � � � � Tier2 #7 Incorrect pointer range check � � � � � � � � (API) #8 Double fetch untrusted pointer � � � � � � � � ⋆ ⋆ ⋆ ⋆ #9 Ocall return value not checked � � � � #10 Uninitialized padding leakage [LK17] ⋆ ⋆ ⋆ � � � � Impact: 5 CVEs . . . and lengthy embargo periods 2 / 23

  7. Why do we need enclave fortresses anyway?

  8. The big picture: Enclaved execution attack surface App App App App OS kernel Hypervisor TPM CPU Mem HDD Traditional layered designs: large trusted computing base 3 / 23

  9. The big picture: Enclaved execution attack surface App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Intel SGX promise: hardware-level isolation and attestation 3 / 23

  10. The big picture: Enclaved execution attack surface App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Previous attacks: exploit microarchitectural bugs or side-channels at the hardware level 3 / 23

  11. The big picture: Enclaved execution attack surface App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Idea: what about vulnerabilities in the trusted enclave software itself? 3 / 23

  13. What do these projects have in common?

  14. Why isolation is not enough: Enclave shielding runtimes untrusted world secure world "enclave" TEE processor TEE promise: enclave == “secure oasis” in a hostile environment 4 / 23

  15. Why isolation is not enough: Enclave shielding runtimes untrusted world secure world "enclave" TEE processor TEE promise: enclave == “secure oasis” in a hostile environment . . . but application writers and compilers are largely unaware of isolation boundaries 4 / 23

  16. Why isolation is not enough: Enclave shielding runtimes untrusted world secure world "enclave" TEE processor TEE promise: enclave == “secure oasis” in a hostile environment . . . but application writers and compilers are largely unaware of isolation boundaries Trusted shielding runtime transparently acts as a secure bridge on enclave entry/exit 4 / 23

  18. . . . but what if the bridge itself is flawed?

  19. Enclave shielding responsibilities Key questions: how to securely bootstrap from the untrusted world to the enclaved application binary (and back)? Which sanitizations to apply? EENTER enclave shielding runtime 5 / 23

  20. Enclave shielding responsibilities Key insight: split sanitization responsibilities across the ABI and API tiers: machine state vs. higher-level programming language interface Tier 1 Tier 2 Tier 3 EENTER ABI API APP enclave shielding runtime 5 / 23

  21. Tier1: Establishing a trustworthy enclave ABI Tier 1 Tier 2 Tier 3 ABI API APP 6 / 23

  22. Tier1: Establishing a trustworthy enclave ABI ↝ Attacker controls CPU register contents on enclave entry/exit ↔ Compiler expects well-behaved calling convention (e.g., stack) ⇒ Need to initialize CPU registers on entry and scrub before exit! 6 / 23

  23. Tier1: Establishing a trustworthy enclave ABI ↝ Attacker controls CPU register contents on enclave entry/exit ↔ Compiler expects well-behaved calling convention (e.g., stack) ⇒ Need to initialize CPU registers on entry and scrub before exit! ABI vulnerability analysis Relatively well-understood, but special care for stack pointer + status register 6 / 23

  24. Summary: ABI-level attack surface OpenEnclave SGX-SDK Rust-EDP Graphene SGX-LKL Keystone Runtime Sancus Asylo Vulnerability #1 Entry status flags sanitization ⋆ ⋆ � � � � � � � � Tier1 #2 Entry stack pointer restore ⋆ ⋆ � � � � � � (ABI) #3 Exit register leakage ⋆ � � � � � � � Read the paper for several exploitable ABI vulnerabilities! 7 / 23

  25. Summary: ABI-level attack surface OpenEnclave SGX-SDK Rust-EDP Graphene SGX-LKL Keystone Runtime Sancus Asylo Vulnerability #1 Entry status flags sanitization ⋆ ⋆ � � � � � � � � Tier1 #2 Entry stack pointer restore ⋆ ⋆ � � � � � � (ABI) #3 Exit register leakage ⋆ � � � � � � � x86 CISC (Intel SGX) RISC A lesson on complexity Attack surface complex x86 ABI (Intel SGX) >> simpler RISC designs 7 / 23

  26. x86 string instructions: Direction Flag (DF) operation Special x86 rep string instructions to speed up streamed memory operations l e a rdi , buf 1 2 mov al , 0x0 / ∗ memset ( buf , 0 x0 , 100) ∗ / 1 → 3 mov ecx , 100 f o r ( i n t i =0; i < 100; i++) 2 rep s t o s [ r d i ] , a l 4 buf [ i ] = 0x0 ; 3 8 / 23

  27. x86 string instructions: Direction Flag (DF) operation Special x86 rep string instructions to speed up streamed memory operations Default operate left-to-right l e a rdi , buf 1 2 mov al , 0x0 / ∗ memset ( buf , 0 x0 , 100) ∗ / 1 → 3 mov ecx , 100 f o r ( i n t i =0; i < 100; i++) 2 rep s t o s [ r d i ] , a l 4 buf [ i ] = 0x0 ; 3 00 0000000000000000000000000000 rdi 8 / 23

  28. x86 string instructions: Direction Flag (DF) operation Special x86 rep string instructions to speed up streamed memory operations Default operate left-to-right , unless software sets RFLAGS.DF=1 l e a rdi , buf+100 1 2 mov al , 0x0 / ∗ memset ( buf , 0 x0 , 100) ∗ / 1 → 3 mov ecx , 100 f o r ( i n t i =0; i < 100; i++) 2 std ; s e t d i r e c t i o n f l a g 4 buf [ i ] = 0x0 ; 3 rep s t o s [ r d i ] , a l 5 00 0000000000000000000000000000 rdi 8 / 23

  29. SGX-DF: Inverting enclaved string memory operations CVE-2019-14565 x86 System-V ABI 9 / 23

  30. SGX-DF: Inverting enclaved string memory operations CVE-2019-14565 Enter enclave with RFLAGS.DF=0 9 / 23

  31. SGX-DF: Inverting enclaved string memory operations CVE-2019-14565 Intended heap memory initialization: left-to-right 9 / 23

  32. SGX-DF: Inverting enclaved string memory operations CVE-2019-14565 Enter enclave with RFLAGS.DF=1 enclave_func: EENTER buf = malloc (100); memset (buf, 0x00, 100); 000000000 000000000 ... enclave_heap: RFLAGS.DF = 0 RFLAGS.DF = 1 000000000 9 / 23

  33. SGX-DF: Inverting enclaved string memory operations CVE-2019-14565 Enclave heap memory corruption: right-to-left. . . 9 / 23

  35. SGX-AC: Building an intra-cacheline side-channel There’s more! Alignment Check (AC) flag enables exceptions for unaligned data accesses → intra-cacheline side-channel � enclave_func: uint16_t d = lookup_table[secret]; enclave_data: A B C D 64B cacheline 10 / 23

  36. SGX-AC: Building an intra-cacheline side-channel Enter enclave with RFLAGS.AC=1 and secret index=0 → well-aligned data access: no exception enclave_func: EENTER uint16_t d = lookup_table[secret]; secret = 0 RFLAGS.AC = 1 enclave_data: A B C D 64B cacheline 10 / 23

  37. SGX-AC: Building an intra-cacheline side-channel Enter enclave with RFLAGS.AC=1 and secret index=1 → unaligned data access: alignment-check exception. . . 10 / 23

  38. Tier 2: Sanitizing the enclave API Tier 1 Tier 2 Tier 3 ABI API APP 11 / 23

  39. Validating pointer arguments: Confused deputy attacks 12 / 23

  40. Validating pointer arguments: Confused deputy attacks 12 / 23

  41. Validating pointer arguments: Confused deputy attacks 12 / 23

Recommend

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck OWASP BeNeLux-Days, November 30, 2018 A primer on software security Secure program: convert all input

1.27k views • 77 slides
Leaky Processors and the RISE of Hardware-Based Trusted Computing Jo Van Bulck imec-DistriNet,

Leaky Processors and the RISE of Hardware-Based Trusted Computing Jo Van Bulck imec-DistriNet,

Leaky Processors and the RISE of Hardware-Based Trusted Computing Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck 1st RISE Annual Conference, November 14, 2018 A primer on software security Secure program:

952 views • 79 slides
Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term

Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term

Sancus 2.0: A Security Architecture for Low-Cost Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term objective: Secure open software application platforms for distributed IT infrastructure

712 views • 40 slides
Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm Observation General Wi-Fi

Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm Observation General Wi-Fi

Predicting and Abusing WPA2/802.11 Group Keys Mathy Vanhoef - imec-DistriNet, KU Leuven @vanhoefm Observation General Wi-Fi crypto is widely studied Predictable pre-shared Recover pre-shared key &amp; dictionary attack key(s) protecting

534 views • 51 slides
Secure Resource Sharing for Embedded Protected Module Architectures Jo Van Bulck imec-DistriNet,

Secure Resource Sharing for Embedded Protected Module Architectures Jo Van Bulck imec-DistriNet,

Secure Resource Sharing for Embedded Protected Module Architectures Jo Van Bulck imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium MSc Thesis Presentation BELCLIV-CLUSIB, April 21, 2017 Jo Van Bulck Secure Resource Sharing for

515 views • 29 slides
IMEC.ICON INFORMATION SESSION JUNE 9, 2017 AGENDA imec imec.icon What is an imec.icon project?

IMEC.ICON INFORMATION SESSION JUNE 9, 2017 AGENDA imec imec.icon What is an imec.icon project?

THIS IS THE TITLE SLIDE IMEC.ICON INFORMATION SESSION JUNE 9, 2017 AGENDA imec imec.icon What is an imec.icon project? Expected outcome of an imec.icon Examples Application procedure VLAIO and Innoviris funding IPR and Contracts imec is

993 views • 95 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop (OSEW 2019) Berkeley, July 2019 https://mesatee.org Rust and Keystone Enclave Open-Source Enclave (RISC-V Hardware/Keystone Enclave) :

662 views • 32 slides
Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Open Source Enclave Workshop July 2019 Berkeley, CA Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, Xi Wang University of Washington, Columbia University, Microsoft Research 1

435 views • 14 slides
Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew

Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew

Autarky: Closing controlled channels with self-paging enclaves Meni Orenbach, Technion Andrew Baumann, Microsoft Research Mark Silberstein, Technion Public cloud computing Enclave Enclave Enclave Sensitive data 29-Apr-20 Meni Orenbach,

971 views • 29 slides
PHOTONICS IN THE MAGIC KINGDOM FAIRY TALES AND TALENT FAIRS BERT GYSELINCKX IMEC USA BERT

PHOTONICS IN THE MAGIC KINGDOM FAIRY TALES AND TALENT FAIRS BERT GYSELINCKX IMEC USA BERT

5/29/18 PHOTONICS IN THE MAGIC KINGDOM FAIRY TALES AND TALENT FAIRS BERT GYSELINCKX IMEC USA BERT GYSELINCKX 92 93 01 02 05 13 14 '16 Incorporate MSEE Imec Sabbatical Imec Imec Sabbatical Imec Imec

477 views • 23 slides
Solar Energy Research Enclave Outline Introduction World Scenario Indian Scenario

Solar Energy Research Enclave Outline Introduction World Scenario Indian Scenario

Solar Energy Research Enclave Outline Introduction World Scenario Indian Scenario SWOT Analysis Objectives Technology Demonstrator Summary Energy Source &amp; Utilization (US) SOURCE(%) USAGE Hydro (1)

525 views • 27 slides
A Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit Tobias Reinhard 1

A Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit Tobias Reinhard 1

A Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit Tobias Reinhard 1 , Amin Timany 2 , Bart Jacobs 1 1 KU Leuven, imec-DistriNet Research Group 2 Aarhus University, Logic and Semantics Group 23rd July 2020 Motivation

460 views • 23 slides
Solar Energy Research Enclave (SERE) R.S. Anand, M.K. Das, S.S.K. Iyer, S.K. Mishra, A.Singh,

Solar Energy Research Enclave (SERE) R.S. Anand, M.K. Das, S.S.K. Iyer, S.K. Mishra, A.Singh,

Solar Energy Research Enclave (SERE) R.S. Anand, M.K. Das, S.S.K. Iyer, S.K. Mishra, A.Singh, P.S. Sensarma, R. Pala, M. Katiyar I.I.T-Kanpur Outline Introduction SWOT Analysis of photovoltaic SWOT Analysis of photovoltaic (PV)

565 views • 23 slides
T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure users code and data in the cloud

1.07k views • 27 slides
FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman,

FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman,

FRP IoT Modules as a Scala DSL BenCalus, BobReynders , DominiqueDevriese, Job Noorman, FrankPiessens imec - DistriNet - KU Leuven FRP IoT Modules Maintainable sensor network applications High-level FRP-based API FRP-modules compile

865 views • 53 slides
Sancus 2.0: Open-Source Trusted Computing for the IoT Jan Tobias Mhlberg

Sancus 2.0: Open-Source Trusted Computing for the IoT Jan Tobias Mhlberg

Sancus 2.0: Open-Source Trusted Computing for the IoT Jan Tobias Mhlberg jantobias.muehlberg@cs.kuleuven.be imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium FOSDEM, Brussels, February 2018 Joint work with Job Noorman, Jo Van

815 views • 46 slides
Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing Mathy Vanhoef, Domien Schepers, Frank Piessens imec-DistriNet, KU Leuven Asia CCS 2017 Introduction More and more Wi-Fi network use encryption: 2010 Most

531 views • 19 slides
Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck ISSE Brussels, November 6, 2018 A primer on software security Secure

897 views • 58 slides
Authentic Execution of Distributed Event-Driven Applications with a Small TCB Job Noorman, Jan

Authentic Execution of Distributed Event-Driven Applications with a Small TCB Job Noorman, Jan

Authentic Execution of Distributed Event-Driven Applications with a Small TCB Job Noorman, Jan Tobias Mhlberg and Frank Piessens jantobias.muehlberg@cs.kuleuven.be imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium STM17, Oslo,

568 views • 29 slides
Developing Secure SGX Enclaves New Challenges on the Horizon Raoul Strackx Frank Piessens imec

Developing Secure SGX Enclaves New Challenges on the Horizon Raoul Strackx Frank Piessens imec

Developing Secure SGX Enclaves New Challenges on the Horizon Raoul Strackx Frank Piessens imec - Distrinet, KU Leuven December 12, 2016 Raoul Strackx , Frank Piessens (KU Leuven) Developing Secure SGX Enclaves December 12, 2016 1 / 17 A

667 views • 20 slides
VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks

VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks

VulCAN: Efficient Component Authentication and Software Isolation for Automotive Control Networks Jo Van Bulck, Jan Tobias Mhlberg and Frank Piessens jo.vanbulck|jantobias.muehlberg@cs.kuleuven.be imec-DistriNet, KU Leuven, Celestijnenlaan

654 views • 28 slides
Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris

Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon University* 1 Secure Remote

356 views • 21 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides

More recommend