haven
play

Haven Shielding applications from an untrusted cloud Andrew - PowerPoint PPT Presentation

Oct 12, 2022 •280 likes •631 views

Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research In the old days Application Operating system 2 In the old days Application Operating system 2 In the old days

  1. Haven Shielding applications from an untrusted cloud Andrew Baumann Marcus Peinado Galen Hunt Microsoft Research

  2. In the old days… Application Operating system 2

  3. In the old days… Application Operating system 2

  4. In the old days… Application Operating system 2

  5. In the cloud Application Operating system Cloud platform Trust…? 3

  6. In the cloud Application Operating system Cloud platform Trust…? 3

  7. In the cloud Application Operating system Cloud platform Trust…? 3

  8. In the cloud Application Operating system Cloud platform Trust…? 3

  9. Our goals for Haven Secure, private execution of unmodified applications (bugs and all) in an untrusted cloud on commodity hardware (Intel SGX) 4

  10. Can you trust the cloud? • Huge trusted computing base Application • Privileged software Operating system Hypervisor, firmware, ... • Management stack Trust Hypervisor • Staff Sysadmins, cleaners, security, … Firmware/bootloader • Law enforcement • Hierarchical security model Management tools • Observe or modify any data • Even if encrypted on disk / net People … 5

  11. Current approaches 6

  12. Hardware Security Modules • Dedicated crypto hardware • Expensive • Limited set of APIs • Key storage • Crypto operations • Protects the “crown jewels”, not general -purpose 7

  13. Trusted hypervisors • Use a small, secure, hypervisor • Ensures basic security, such as strong isolation Problem #1: system administrators Problem #2: physical attacks (e.g. memory snooping) Problem #3: tampering with hypervisor ✓ 8

  14. Remote attestation • Trusted hardware: TPM chip • Basic idea: • Signed measurement (hash) of privileged software • Remote user checks measurement • Incorrect attestation → compromised software • Problem: what is the expected measurement? • Cloud provider applies patches and updates • Must trust provider for current hash value 9

  15. What do we really want? 10

  16. Secure colo provides: • Power and cooling • Network access 11

  17. Secure colo provides: • Power and cooling Raw resources • Network access Untrusted I/O 11

  18. Shielded execution • Protection of specific program from rest of system • cf. protection, isolation, sandboxing, etc. • New term (older concept) • Program unmodified, naïve to threats • Confidentiality and integrity of: • The program • Its intermediate state, control flow, etc. → Input and output may be encrypted • Host may deny service, cannot alter behaviour 12

  19. Threat model • We assume a malicious cloud provider • Convenient proxy for real threats • All the provider’s software is malicious • Hypervisor, firmware, management stack, etc. • All hardware besides the CPU is untrusted • DMA attacks, DRAM snooping, cold boot • We do not prevent: • Denial-of- service (don’t pay!) • Side-channel attacks 13

  20. Intel SGX Enclave Application (untrusted) Operating system (untrusted) 14

  21. Intel SGX • Hardware isolation for an enclave Secret EnclaveEntry: mov fs:[Tcs],rbx mov fs:[CSSA],eax Data cmp eax, 0 • New instructions to jne ExceptionEntry mov r10,fs:[ResAdr] cmp r10,0 je @F establish, protect jmp r10 @@:mov rcx, r8 mov rdx, r9 Enclave mov r8, rbx • Call gate to enter Application (untrusted) • Remote attestation Operating system (untrusted) 14

  22. SGX at the hardware level Virtual address space Physical memory RAM Enclave EPC Code/data Page table Encrypted & mappings integrity-protected checked 15

  23. SGX at the hardware level Virtual address space Physical memory RAM Enclave EPC Code/data Page table Encrypted & mappings integrity-protected checked Also: • Protected register file • Secure control transfer 15

  24. Design challenge: Iago attacks System calls Application Enclave Operating system 16

  25. Iago attacks • malloc() returns pointer to user’s stack • Scheduler allows two threads to race in a mutex • System has 379,283 cores and -42MB of RAM • read() fails with EROFS • … Our approach: • Don’t try to check them all • Admit OS into trusted computing base 17

  26. Haven Picoprocess (protects host from guest) Enclave (protects guest from host) • Unmodified binaries Application • Subset of Windows, Windows 8 API enlightened to run in-process Library OS (Drawbridge) Drawbridge ABI Shield module Mutual • Shields LibOS from Iago attacks distrust Untrusted interface Untrusted runtime • Includes typical kernel functionality Drawbridge ABI & SGX priv ops • Scheduling, VM, file system Drawbridge host SGX driver • Untrusted interface with host Windows kernel 18

  27. Untrusted interface Picoprocess • Host/guest mutual distrust Enclave • Policy/mechanism with a twist • Virtual resource policy in guest Application Windows 8 API Virtual address allocation, threads • Physical resource policy in host Library OS Physical pages, VCPUs Drawbridge ABI Shield module • ~20 calls, restricted semantics Untrusted interface Untrusted runtime Drawbridge ABI & SGX priv ops Drawbridge host SGX driver Windows kernel 19

  28. Shield module Picoprocess • Memory allocator, region manager Enclave • Host commits/protects specific pages • No address allocation • Private file system Application • Encrypted, integrity-protected VHD Windows 8 API • Scheduler Library OS Don’t trust host to schedule threads Drawbridge ABI • Exception handler Shield module • Emulation of some instructions Untrusted interface • Sanity-check of untrusted inputs Untrusted runtime • Anything wrong → panic! Drawbridge ABI & SGX priv ops • 23 KLoC (half in file system) Drawbridge host SGX driver Windows kernel 20

  29. SGX limitations 1. Dynamic memory allocation and protection • New instructions needed 2. Exception handling • SGX doesn’t report page faults or GPFs to the enclave 3. Permitted instructions • RDTSC/RDTSCP needed, for practicality and performance 1. Thread-local storage • Can’t reliably switch FS and GS 21

  30. SGX limitations 1. Dynamic memory allocation and protection • New instructions needed 2. Exception handling • SGX doesn’t report page faults or GPFs to the enclave Good news! 3. Permitted instructions These are fixed in SGX v2 • RDTSC/RDTSCP needed, for practicality and performance 1. Thread-local storage • Can’t reliably switch FS and GS 21

  31. Performance evaluation • Implemented and tested using SGX emulator • Thanks, Intel! • Problem: no SGX implementation yet • Solution: model for SGX performance 1. TLB flush on Enclave crossings 2. Variable spin-delay for critical SGX instructions • Enclave crossings • Dynamic memory allocation, protection 1.Penalty for access to encrypted memory • Slow overall system DRAM clock 22

  32. Performance summary • Depends on model parameters, details in paper • 35% (Apache) – 65% (SQL Server) slowdown vs. VM • Assumes 10k+ cycles SGX instructions, 30% slower RAM • … and you don’t have to trust the cloud! 23

  33. What’s next? • Rollback of persistent storage • Requires more hardware or communication • Untrusted time • Network time sync, RDTSC • Cloud management • Suspend / resume / migrate applications • Encrypted VLANs 24

  34. Conclusion • Closer to a true “utility computing” model • Utility provides raw resources • Doesn’t care what you do with them • Why trust the cloud when you don’t have to ? Thanks! baumann@microsoft.com 25

Recommend

Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable

Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable

Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable opportunities and conditions synonyms: sanctuary, oasis, retreat Our Haven Your Peace of Mind havenresortsacademy.com havenresorts.com

645 views • 36 slides
Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable

Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable

Haven is Back October 1st haven Noun: haven ; plural noun: havens a place offering favorable opportunities and conditions synonyms: sanctuary, oasis, retreat Our Haven Your Peace of Mind weddings@havenresorts.com havenresorts.com

742 views • 32 slides
Understanding the Tennessee Safe Haven Law & How to Comply as a Safe Haven Facility What

Understanding the Tennessee Safe Haven Law & How to Comply as a Safe Haven Facility What

Understanding the Tennessee Safe Haven Law & How to Comply as a Safe Haven Facility What is a Safe Haven? It's a place where a new mom desperate to hide an unwanted baby can bring her newborn instead of abandoning the infant in an unsafe

394 views • 20 slides
The Haven Staff The Haven is led by Mrs Sharon Robertson, headteacher. Miss Sophie Bennison

The Haven Staff The Haven is led by Mrs Sharon Robertson, headteacher. Miss Sophie Bennison

The Haven Staff The Haven is led by Mrs Sharon Robertson, headteacher. Miss Sophie Bennison is the teacher Mrs Lisa Hubbard is the teaching assistant What is The Haven? Errington is now an enhanced mainstream school (EMS) This

718 views • 16 slides
haven Noun: haven ; plural noun: havens a place offering favorable opportunities and

haven Noun: haven ; plural noun: havens a place offering favorable opportunities and

haven Noun: haven ; plural noun: havens a place offering favorable opportunities and conditions synonyms: sanctuary, oasis, retreat Your haven for romance, life, and enjoyment Hipotels fully owns and operates 29 hotels with 12,652 guest

819 views • 27 slides
haven Noun: haven ; plural noun: havens a place offering favorable opportunities and

haven Noun: haven ; plural noun: havens a place offering favorable opportunities and

haven Noun: haven ; plural noun: havens a place offering favorable opportunities and conditions synonyms: sanctuary, oasis, retreat Your haven for romance, life, and enjoyment Hipotels fully owns and operates 29 hotels with 12,652 guest

747 views • 30 slides
NHS GGC Safe Haven A local Safe Haven Roma Armstrong Senior R&D Manager Governance of NHS

NHS GGC Safe Haven A local Safe Haven Roma Armstrong Senior R&D Manager Governance of NHS

NHS GGC Safe Haven A local Safe Haven Roma Armstrong Senior R&D Manager Governance of NHS GGC safe haven Concept Approval from Board Corporate Security Management Team High level + One-off Approval from Board Caldicott CG

564 views • 8 slides
FAIR HAVEN PUBLIC SCHOOLS 2019-2020 PUBLIC HEARING ON THE BUDGET May 1, 2019 Fair Haven BOE

FAIR HAVEN PUBLIC SCHOOLS 2019-2020 PUBLIC HEARING ON THE BUDGET May 1, 2019 Fair Haven BOE

FAIR HAVEN PUBLIC SCHOOLS 2019-2020 PUBLIC HEARING ON THE BUDGET May 1, 2019 Fair Haven BOE Mission Statement The mission of the Fair Haven School District is to provide a strong academic foundation and to educate, challenge, and inspire

659 views • 21 slides
Transport Hartford Presentation Multi-Modal Transit Summit November 19, 2018 New Haven

Transport Hartford Presentation Multi-Modal Transit Summit November 19, 2018 New Haven

Transport Hartford Presentation Multi-Modal Transit Summit November 19, 2018 New Haven Alternatives Analysis Study Project Partners Greater New Haven Transit District New ew Haven en Divis visio ion Fas Fast Fac Facts : 24 ROUTES TOTAL

449 views • 7 slides
Introducing Perfect Haven Luxury Rooms and Residences & Smart Haven Corporate Rooms and

Introducing Perfect Haven Luxury Rooms and Residences & Smart Haven Corporate Rooms and

Introducing Perfect Haven Luxury Rooms and Residences & Smart Haven Corporate Rooms and Residences Creating memorable home -away-from- home experiences for our guests through our truly unique properties and warm service Our

629 views • 8 slides
HAVEN GREEN OVERVIEW - DECEMBER 5th, 2018 Community Board 2 Working Group Presentation HAVEN

HAVEN GREEN OVERVIEW - DECEMBER 5th, 2018 Community Board 2 Working Group Presentation HAVEN

HAVEN GREEN OVERVIEW - DECEMBER 5th, 2018 Community Board 2 Working Group Presentation HAVEN GREEN: AGENDA HPD Introduction (5 Minutes) Review purpose of presentation Provide brief description of Land Use Actions Provide brief

315 views • 28 slides
A Safe Haven for Miners ON 2 Mine Refuge Systems where miners Safety comes FIRST A Safe Haven

A Safe Haven for Miners ON 2 Mine Refuge Systems where miners Safety comes FIRST A Safe Haven

A Safe Haven for Miners ON 2 Mine Refuge Systems where miners Safety comes FIRST A Safe Haven for Miners ON 2 Mine Refuge Systems Our History 1994: RANA Manufacturing creates the TommyKnocker and Refuge One Air Centre Refuge One

818 views • 32 slides
LifeMoves - New Haven Inn Karissa Kim: Program Director (Pronouns: She/Her) Quinn Phan: Case

LifeMoves - New Haven Inn Karissa Kim: Program Director (Pronouns: She/Her) Quinn Phan: Case

LifeMoves - New Haven Inn Karissa Kim: Program Director (Pronouns: She/Her) Quinn Phan: Case Manager (Pronouns: They/Them) Contents are confidential and proprietary New Haven Inn (NHI) Program Overview Second LGBTQ+ specific homeless

72 views • 6 slides
New Haven Unified School District Budget and Finance Committee by Isom Advisors, a Division of

New Haven Unified School District Budget and Finance Committee by Isom Advisors, a Division of

New Haven Unified School District Budget and Finance Committee by Isom Advisors, a Division of Urban Futures, Inc. April 13, 2020 1470 Maria Lane, Ste. 315 | Walnut Creek, CA 94596 Review from Last Meeting March 4, 2020 New Haven Unified

413 views • 10 slides
Village of New Haven Audit Results March 31, 2020 Presented by Michael Rolka, CPA, CGFM &

Village of New Haven Audit Results March 31, 2020 Presented by Michael Rolka, CPA, CGFM &

Village of New Haven Audit Results March 31, 2020 Presented by Michael Rolka, CPA, CGFM & Christina Dey Presented on August 11, 2020 Village of New Haven Audit Opinion CAN ONLY BE ISSUED BY A LICENSED CPA FIRM HIGHEST LEVEL OF ASSURANCE

129 views • 12 slides
New Haven Free Public Library FY2020 Budget Presentation April 29, 2019 Board of Alders, Finance

New Haven Free Public Library FY2020 Budget Presentation April 29, 2019 Board of Alders, Finance

New Haven Free Public Library FY2020 Budget Presentation April 29, 2019 Board of Alders, Finance Committee Table of Contents PAGE 1. New Haven Free Public Library At a Glance 2 2. Strategic Initiatives and Annual Operational Plan 3 3. NHFPL General

329 views • 10 slides
A Safe Haven for Miners ON 2 Mine Refuge Systems Providing a source of breathable air during

A Safe Haven for Miners ON 2 Mine Refuge Systems Providing a source of breathable air during

A Safe Haven for Miners ON 2 Mine Refuge Systems Providing a source of breathable air during underground emergencies A Safe Haven for Miners ON 2 Mine Refuge Systems Our History 1996: RANA Manufacturing creates the TommyKnocker and

545 views • 30 slides
Prioritizing Sleep Strath Haven High School Brad Wolgast, PhD, CBSM University of Delaware

Prioritizing Sleep Strath Haven High School Brad Wolgast, PhD, CBSM University of Delaware

Strath Haven Faculty Prioritizing Sleep Strath Haven High School Brad Wolgast, PhD, CBSM University of Delaware Welcome! Who are you? Faculty? Here from other schools/communities? How many of you remember falling asleep in class during

684 views • 49 slides
Destination Weddings & Romance Packages Your personal Haven to celebrate an all-exclusive

Destination Weddings & Romance Packages Your personal Haven to celebrate an all-exclusive

Destination Weddings & Romance Packages Your personal Haven to celebrate an all-exclusive romantic experience Your All Exclusive Romantic Experience Haven Riviera Cancun Resort & Spa is one of the most romantic, tranquil and

209 views • 18 slides
NEW HAVEN UNIFIED SCHOOL DISTRICT BOARD PRESENTATION ENROLLMENT PROJECTIONS & SUBDIVISION

NEW HAVEN UNIFIED SCHOOL DISTRICT BOARD PRESENTATION ENROLLMENT PROJECTIONS & SUBDIVISION

NEW HAVEN UNIFIED SCHOOL DISTRICT BOARD PRESENTATION ENROLLMENT PROJECTIONS & SUBDIVISION ANALYSIS MAY 5, 2020 NEW HAVEN UNIFIED SCHOOL DISTRICT ENROLLMENT PROJECTIONS BY BOUNDARY SUBDIVISION ANALYSIS QUESTIONS NEW HAVEN UNIFIED SCHOOL

355 views • 19 slides
Sampling Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc Mehlman Marc

Sampling Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc Mehlman Marc

Sampling Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc Mehlman Marc Mehlman (University of New Haven) Sampling 1 / 20 Table of Contents Sampling Distributions 1 Central Limit Theorem 2 Binomial Distribution 3 Marc

308 views • 20 slides
Descriptive Statistics Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc

Descriptive Statistics Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc

Descriptive Statistics Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Marc Mehlman Marc Mehlman (University of New Haven) Descriptive Statistics 1 / 44 Table of Contents Data Distributions 1 Graphical Representation of

466 views • 44 slides
Know Before You Owe with New Haven Middlesex Association of REALTORS July 16, 2015 Jeremy

Know Before You Owe with New Haven Middlesex Association of REALTORS July 16, 2015 Jeremy

TILA-RESPA Integrated Disclosure (TRID) Rule a.k.a. Know Before You Owe with New Haven Middlesex Association of REALTORS July 16, 2015 Jeremy Potter, General Counsel and Chief Compliance Officer, Norcom Mortgage 1 What Well Cover:

498 views • 20 slides
Inference for Proportions Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Based on

Inference for Proportions Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Based on

Inference for Proportions Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Based on Rare Event Rule: rare events happen but not to me. Marc Mehlman (University of New Haven) Inference for Proportions 1 / 20 Table of

373 views • 23 slides

More recommend