Notary: A Device for Secure Transaction Approval. Anish Athalye, Adam Belay, Frans Kaashoek, Robert Morris, Nickolai Zeldovich. MIT CSAIL 1
How to securely approve transactions? • Users perform sensitive transactional operations • Bank transfers • Cryptocurrency transactions • Deleting backups • Modifying DNS records 2
Common solution: smartphone apps • Suffers from isolation bugs (e.g. jailbreaks) [Figure: approval agent on smartphone] 3
Hardware wallets for transaction approval [Figure: Ledger wallet; labels: Display, Buttons, TX, Sign(TX)] 4
Challenge: wallets need to isolate agents Ledger app store: 50+ third-party agents 5
Problems with existing hardware wallets • OS bugs • Over 10 found in Ledger and Trezor wallets • Potential hardware bugs • Shared hardware state could leak secrets (e.g. Spectre) 6
Contribution: Notary • Agent separation architecture • Reset-based switching • Verified deterministic start • Physical hardware wallet prototype 7
Threat model • Some agents are malicious • Physical attacks out of scope • Could be addressed by tamper-proof hardware 8
Separation architecture provides isolation [Figure: Notary separation architecture. Two SoCs: the Agent SoC runs third-party code (no OS, full access to hardware); the Kernel SoC manages storage and agent switching. Other labels: User I/O, Reset button, USB, Storage, uart, rst.] • Connected only by UART (and reset wire) • Kernel resets Agent SoC • launch(): load agent code + data • Agent runs on Agent SoC, independently of Kernel SoC • exit(state): save state and terminate 9
Desired property: noninterference [Timeline: Agent A runs, switch, Agent B runs] 10
Desired property: noninterference [Timeline: Agent A runs, switch, Agent B runs; annotation on Agent B: steal A's secrets?] 10
Deterministic start ensures noninterference • Run before starting any agent • Clears state in SoC (puts chip in deterministic state) 11
Deterministic start ensures noninterference World 0 (secret = 0) World 1 (secret = 1) 11
Deterministic start ensures noninterference World 0 (secret = 0) World 1 (secret = 1) Agent A runs 11
Deterministic start ensures noninterference World 0 (secret = 0) World 1 (secret = 1) Agent A runs Deterministic start 11
Deterministic start ensures noninterference World 0 (secret = 0) World 1 (secret = 1) Agent A runs Deterministic start Agent B runs 11
Deterministic start ensures noninterference Deterministic start 11
Challenge: completeness • Lots of state • Registers • Microarchitectural state: CPU caches, ... • RAM • SoC peripherals: UART, SPI, ... • Must work for all states 12
Simple approaches fail • Reset pin • Clears minimal state necessary to restart • Power cycling • State takes minutes to decay (cold boot attacks) 13
Notary’s approach: use software • Reset returns control • Software in boot ROM can clear internal state • How to write this code? • Must clear every single bit of internal state [Figure: SoC block diagram with clk and rst inputs; ROM (1 KB) holding start code (clears state), CPU (PicoRV32), RAM (128 KB), UART, UART, GPIO, SPI] 14
Gate-level description captures all internal state • RTL (e.g. Verilog): all digital state is explicit • ⇒ SMT-compatible format (for symbolic circuit simulation) 15
Verifying deterministic start for Notary’s SoC 16
Verifying deterministic start for Notary’s SoC /* no reset code */ 16
Verifying deterministic start for Notary’s SoC /* no reset code */ [error, state not cleared: soc.cpu.latched_rd] 16
Verifying deterministic start for Notary’s SoC nop nop nop 16
Verifying deterministic start for Notary’s SoC nop nop nop [error, state not cleared: soc.cpu.cpuregs[1]] 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 [error, state not cleared: soc.cpu.mem_wdata] 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) [error, state not cleared: soc.ram.data[0]] 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) /* clear ram */ la t0, _sram_start la t1, _sram_end loop: sw zero, 0(t0) addi t0, t0, 4 bne t0, t1, loop 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) /* clear ram */ la t0, _sram_start la t1, _sram_end loop: sw zero, 0(t0) addi t0, t0, 4 bne t0, t1, loop [error, state not cleared: soc.uart.cr0] 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) /* clear ram */ la t0, _sram_start la t1, _sram_end loop: sw zero, 0(t0) addi t0, t0, 4 bne t0, t1, loop /* clear uart control register */ la t0, _uart0 sw zero, 0(t0) 16
Verifying deterministic start for Notary’s SoC nop nop nop /* clear registers */ li x1, 0 /* ... */ li x31, 0 /* clear buffer */ sw zero, 0(zero) /* clear ram */ la t0, _sram_start la t1, _sram_end loop: sw zero, 0(t0) addi t0, t0, 4 bne t0, t1, loop /* clear uart control register */ la t0, _uart0 sw zero, 0(t0) [deterministic start verified! n = 180342 cycles, < 10 ms (mostly spent clearing RAM)] 16
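The fix-and-recheck loop on the slide above can be mimicked with a toy three-valued model (an added example, not code from the talk or from Notary): every state element starts as an unknown `X`, each reset step overwrites elements with known values, and the checker lists whatever is still `X`. The memory map (`SRAM_BASE`, `UART0`), the Python function names, and the assumption that address 0 lies outside RAM are constructed for illustration; the talk's check is symbolic simulation of the gate-level SoC, and `soc.cpu.latched_rd` is not modeled here.

```python
# Added illustration: a toy three-valued model, not Notary's SoC or verifier.
X = "X"                              # unknown value left behind by the previous agent
SRAM_BASE, RAM_WORDS = 0x100, 8      # constructed memory map (assumption)
UART0 = 0x200                        # constructed UART control register address

def fresh_soc():
    """State after an arbitrary agent ran: every element is unknown."""
    return {"regs": [0] + [X] * 31,  # x0 is hard-wired to zero on RISC-V
            "mem_wdata": X,          # store-data buffer inside the CPU
            "ram": [X] * RAM_WORDS,
            "uart_cr0": X}

def sw(soc, value, addr):
    """Model a store: the data passes through mem_wdata on its way out."""
    soc["mem_wdata"] = value
    if SRAM_BASE <= addr < SRAM_BASE + 4 * RAM_WORDS:
        soc["ram"][(addr - SRAM_BASE) // 4] = value
    elif addr == UART0:
        soc["uart_cr0"] = value      # any other address (e.g. 0) is not RAM here

def clear_registers(soc):
    soc["regs"][1:] = [0] * 31       # li x1, 0 ... li x31, 0

def clear_buffer(soc):
    sw(soc, 0, 0)                    # sw zero, 0(zero)

def clear_ram(soc):
    end = SRAM_BASE + 4 * RAM_WORDS
    for addr in range(SRAM_BASE, end, 4):
        sw(soc, 0, addr)
    soc["regs"][5], soc["regs"][6] = end, end   # t0, t1: nonzero but known

def clear_uart(soc):
    sw(soc, 0, UART0)
    soc["regs"][5] = UART0           # t0 holds a known address afterwards

def uncleared(steps):
    """Run the reset steps from the all-unknown state; list what is still X."""
    soc = fresh_soc()
    for step in steps:
        step(soc)
    bad = [f"cpu.cpuregs[{i}]" for i, v in enumerate(soc["regs"]) if v is X]
    bad += ["cpu.mem_wdata"] if soc["mem_wdata"] is X else []
    bad += [f"ram.data[{i}]" for i, v in enumerate(soc["ram"]) if v is X]
    bad += ["uart.cr0"] if soc["uart_cr0"] is X else []
    return bad

if __name__ == "__main__":
    steps = [clear_registers, clear_buffer, clear_ram, clear_uart]
    for n in range(len(steps) + 1):
        left = uncleared(steps[:n])
        print(n, "steps:", left[0] if left else "deterministic start verified")
```

The pass condition is that no element is unknown, not that every element is zero: `t0` and `t1` end up holding addresses, which is fine because those values are the same in every world.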
Notary hardware and system software • Additional hardware: $8 (extra chips) • TCB: 4000 LOC (mostly drivers) [Figure: Notary prototype] 17
Notary agent: Bitcoin [Figure: Bitcoin app (left) and agent (right)] 18
Notary agent: web-app approval [Figure: Web app (left) and agent (right)] 19
Evaluation summary: Notary is practical Notary’s design prevents bugs while preserving developer and user experience. (see paper) 20
Related work • Non-wallet security devices [iOS enclave, Yubikey] • Verified kernels [seL4, Hyperkernel, Nickel, CertiKOS] • Verified hardware [Kami, Hyperflow] (see paper) 21
Conclusion • Notary separation architecture • Reset-based switching: clearing state between switching agents • Verified deterministic start: ensuring state clearing is correct • Notary prototype • RISC-V-based prototype • 2 agents: Bitcoin, web-app approval anish.io/notary 22