partitioning system software for hardware enclaves
play

Partitioning System Software for Hardware Enclaves Chia-Che Tsai - PowerPoint PPT Presentation

May 20, 2023 •190 likes •330 views

Partitioning System Software for Hardware Enclaves Chia-Che Tsai Texas A&M University / Graphene Project / Anjuna Why Partition System Software? Target of Application enclave 1. Where is the partition boundary? Data Flow protection

  1. Partitioning System Software for Hardware Enclaves Chia-Che Tsai Texas A&M University / Graphene Project / Anjuna

  2. Why Partition System Software? Target of Application enclave 1. Where is the partition boundary? Data Flow protection (in both data & 2. How to declassify data? control planes) Language Runtime Libraries IO Devices (less trustworthy) Operating System

  3. Attack Surface vs TCB? Large attack surface Small attack surface Small TCB Large TCB System API System API Redirection Layer Guest OS Hypervisor interface Untrusted Host OS Untrusted Host OS Library OS / Unikernel Shim Layer (Graphene, SGX-LKL) (SCONE)

  4. Danger in A Partition Interface Iago attacks [ASPLOS 2013] Enclave Untrusted OS exploits semantic vulnerabilities misplaced in legacy applications Ex: Assuming PID and time are reliable source of entropy Legacy Application Pervasive threats in libraries, runtimes, even hypervisor. gettimeofday() getpid() Integral to design of systems Untrusted OS

  5. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  6. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) fork Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  7. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) IPC fork (Message Queue, Semaphore, Signals, File locks) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  8. Partition for A Secure Interface Legacy System API (e.g., Linux System Calls) Async IPC fork IO (Message Queue, Semaphore, Signals, File locks) Secure Host Interface Potential DoS Secure Secure Secure Secure Secure Secure Boot Clock VM IO RPC Scheduling Files FIFOs Start proc Stack Yield Monotonic time Sockets Start thread Heap Poll Date / clock Signal/wait

  9. Graphene Open-Source Project h t t p s : / / g r a p h e n e p r o j e c t . i o / I N V I SI BLE T HI N G S LA B

  10. The Graphene Architecture 140 / 318 fork exec Virtual File System Signal SYS V IPC system calls Threading ELF Proc Chroot Pipe (core features) loader FS Socket Migration (Passthru) FS Namespace 63 KLOC Remote Procedure Call Virtual Memory Graphene LibOS Source code Graphene Host ABI (40 Calls ) With portable & secure semantics 1.4 MB Library size Container Port Non-Linux Platform Ports SGX Port + Shield Not just for enclaves

  11. Partition for Manage Languages Java App Target Partitioning across Sensitive system stack and components Execution is difficult Ideally you want to Example: Hadoop isolate out Language Runtime a minimum partition 6.3 MLoC Libraries 2.3 MLoC Operating System 0.9 MLoC

  12. Civet: Partitioned Java Software Stack Joint work with Raluca Ada Popa, Jeongseok Son (Berkeley), Don Porter, Bhushan Jan (UNC) Trusted JAR Partitioned Enclave (Contains only needed classes) JVM Mapper Partition Mapper Reducer Tool Reducer Load & Verify Defense RPC RPC Hadoop library Interface (6.3 MLoC) Mapper Reducer classes Untrusted JAR (Synthesized RPC interfaces) Job Job

  13. Conclusion System partitioning is a critical challenge: OS-level: Graphene library OS Emulating legacy system API on minimal secure abstractions Runtime-level: Civet framework for Java Static cross-stack partitioning + language defense & optimization h t t p s : / / g r a p h e n e p r o j e c t . i o s u p p o r t @ g r a p h e n e - p r o j e c t . i o

Recommend

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System

Partitioning Introduction to Partitioning Mahapatra-Texas A&M-Spring02 1 System partitioning System level partitioning problem Assignment of operations to hardware or software Assignment of an operation to HW or SW determines

445 views • 18 slides
Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 4. System Partitioning Lothar Thiele Swiss Federal Computer Engineering 4 - 1 Institute of Technology and Networks Laboratory System Design specification system synthesis estimation SW-compilation instruction

1.35k views • 40 slides
Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and

Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and

Hardware / Software / Analog System Partitioning with SysML and SystemC-AMS Daniela Genius and Ludovic Apvrille daniela.genius@lip6.fr Paris Sorbonne University ERTS 2020 Context and Problematic Basic Concepts Contribution Case Study

507 views • 25 slides
Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for

Hardware Enclaves & In Intel SGX CS261 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms 2 Hardware Enclaves HW abstractions for distributing trusted execution to untrusted platforms

1.06k views • 18 slides
The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen University of Amsterdam 29th June 2016 Introduction 2/18 What is Intel SGX? Intel Software Guard Extension (SGX) A vault (enclave) to

353 views • 19 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Whats new? Calibration Hardware IAEA Acquisition software Hardware and Software Upgrade for

Hardware and Software Upgrade for the Solution Measurement and Monitor System at Rokkasho Reprocessing Plant R.Plenteda, A.Alessandrello, M.Frankl, W.Deringer, M.Lang, M.Cronholm, K.Baird, D.Breban, C.Creusot International Atomic Energy Agency

705 views • 17 slides
Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing

Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing

Massachusetts State Lottery Commission Meeting Gaming System Software and Hardware January 13, 2016 Background Existing host system was installed in 1997 Integrated system that requires specific terminal hardware Existing hardware

308 views • 19 slides
Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

1.41k views • 58 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter

Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter

Reconfigurable Computing Reconfigurable Computing Partitioning Partitioning Chapter 5 Chapter 5 Prof. Dr.- -Ing. Jrgen Teich Ing. Jrgen Teich Prof. Dr. Lehrstuhl fr Hardware- -Software Software- -Co Co- -Design Design

527 views • 51 slides
Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada

Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada

Oblivious Coopetitive Analytics Using Hardware Enclaves Ankur Dave , Chester Leung, Raluca Ada Popa, Joseph E. Gonzalez, Ion Stoica (UC Berkeley) EuroSys 2020 April 28, 2020 The need for coopetitive analytics Analytics can extract value

733 views • 20 slides
Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages

Introduction to Computers and Programming Hardware Software Computer languages Compiling and running 1 Computer Basics A computer system consists of both hardware and software . Hardware - the physical components.

471 views • 17 slides
BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex

BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex

BACKEND DESIGN Circuit Partitioning Partitioning System Design Decomposition of a complex system into smaller subsystems. Each subsystem can be designed independently. Decomposition scheme has to minimize the interconnections

643 views • 10 slides
Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning

Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning

Nian Ke David R . Cheriton School of Computer Science University of Waterloo Background MapReduce Model SCOPE Language and Cosmos system Advanced partitioning techniques Partial Partitioning Hash-Based Partitioning

543 views • 26 slides
Embedded systems: Nios II Software development Nios II system development flow Hardware

Embedded systems: Nios II Software development Nios II system development flow Hardware

Embedded systems: Nios II Software development Nios II system development flow Hardware generation process Platform designer to configure and generate a NIOS II system Software creation process NIOS II software build tools for

360 views • 20 slides
Hardware-Software Codesign 6. System Simulation Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 6. System Simulation Lothar Thiele Swiss Federal Computer

Hardware-Software Codesign 6. System Simulation Lothar Thiele Swiss Federal Computer Engineering 6 - 1 Institute of Technology and Networks Laboratory System Design (worst-case) system simulation perf. analysis specification (this

743 views • 50 slides
A Hardware Evaluation of Cache Partitioning to Improve Utilization and Energy-Efficiency while

A Hardware Evaluation of Cache Partitioning to Improve Utilization and Energy-Efficiency while

A Hardware Evaluation of Cache Partitioning to Improve Utilization and Energy-Efficiency while Preserving Responsiveness Henry Cook, Miquel Moreto, Sarah Bird, Kanh Dao, David Patterson, Krste Asanovic University of California, Berkeley

540 views • 40 slides
Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1

Overhead-free I/O from enclaves SysTEX'16 Trento, Italy Meni Orenbach Prof. Mark Silberstein 1 Research Statement: Enclaves are accelerators for secured execution Accelerator system services and Abstractions can be retrofitted Inspire

297 views • 28 slides
Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with

Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with

Virtualization SecDev - Fall 2019 Operating System -Software -Controls communication with hardware -Launches and manages applications -Handles I/O Peripherals Hardware -Underlying physical components -Directed by software -Easy to swap out

851 views • 47 slides
Position: Synergetic Effects of Software and Hardware Parameters on the LSM System Authors:

Position: Synergetic Effects of Software and Hardware Parameters on the LSM System Authors:

Position: Synergetic Effects of Software and Hardware Parameters on the LSM System Authors: Jinghuan Yu, Heejin Yoon* Sam H. Noh*, Young-ri Choi*, Chun Jason Xue * Log Structured Merge-tree (LSM) Specific designs for HDD and write-intensive

632 views • 11 slides
Mining and Understanding Software Enclaves (MUSE) Suresh Jagannathan Information Innovation

Mining and Understanding Software Enclaves (MUSE) Suresh Jagannathan Information Innovation

Mining and Understanding Software Enclaves (MUSE) Suresh Jagannathan Information Innovation Office DARPA http://www.darpa.mil/Our_Work/I2O/Programs/Mining_and_Understanding_Software_Enclaves_(MUSE).aspx 1 Distribution Statement A - Approved

473 views • 22 slides
Hardware/Software Hardware/Software Codesign Environments Codesign Environments Gert Jervan

Hardware/Software Hardware/Software Codesign Environments Codesign Environments Gert Jervan

12/12/01 Hardware/Software Hardware/Software Codesign Environments Codesign Environments Gert Jervan Gert Jervan IDA/SaS SaS/ESLAB /ESLAB IDA/ Overview Overview Embedded system design process Traditional Codesign The COSYMA

580 views • 30 slides
Popcorn Linux: System Software for Heterogeneous Hardware Sang-Hoon Kim Postdoctoral Associate

Popcorn Linux: System Software for Heterogeneous Hardware Sang-Hoon Kim Postdoctoral Associate

Popcorn Linux: System Software for Heterogeneous Hardware Sang-Hoon Kim Postdoctoral Associate Systems Software Research Group May 25, 2018 Trend towards heterogeneous systems Clear that microprocessor trends have shifted since 2005

712 views • 49 slides

More recommend