
Partitioning System Software for Hardware Enclaves, Chia-Che Tsai (slide transcript of a PowerPoint presentation)



  1. Partitioning System Software for Hardware Enclaves
     Chia-Che Tsai, Texas A&M University / Graphene Project / Anjuna

  2. Why Partition System Software?
     Software stack (top to bottom): Application (enclave), Language Runtime, Libraries, Operating System, IO Devices (less trustworthy).
     The application is the target of protection; everything below it is outside the enclave.
     Two questions:
       1. Where is the partition boundary?
       2. How to declassify data? Data flow must be controlled in both the data and the control planes.

  3. Attack Surface vs TCB?
     Library OS / Unikernel (Graphene, SGX-LKL): small attack surface, large TCB.
       System API -> Guest OS -> Hypervisor interface -> Untrusted Host OS
     Shim Layer (SCONE): large attack surface, small TCB.
       System API -> Redirection Layer -> Untrusted Host OS

  4. Danger in a Partition Interface
     Iago attacks [ASPLOS 2013]: the untrusted OS exploits semantic vulnerabilities that legacy applications misplace in the OS interface.
       Ex: assuming PID and time are a reliable source of entropy (a legacy application inside the enclave calls gettimeofday() and getpid(), and the untrusted OS answers).
     Pervasive threats in libraries, runtimes, even the hypervisor.
     Integral to the design of systems.

  5. Partition for a Secure Interface
     Legacy System API (e.g., Linux system calls) is emulated on top of a Secure Host Interface (Potential DoS):
       Secure Boot:       Start proc, Start thread
       Secure Clock:      Monotonic time, Date / clock
       Secure VM:         Stack, Heap
       Secure IO:         Files, Sockets
       Secure RPC:        FIFOs
       Secure Scheduling: Yield, Poll, Signal/wait

  6. Partition for a Secure Interface (cont.)
     Same diagram, with fork added to the legacy system API being emulated.

  7. Partition for a Secure Interface (cont.)
     Same diagram, with IPC (Message Queue, Semaphore, Signals, File locks) added.

  8. Partition for a Secure Interface (cont.)
     Same diagram, with Async IO added.
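The "Secure Clock" abstraction of slide 5 exists because of the slide 4 example: a value such as gettimeofday() crosses the partition boundary from the untrusted host. The following is an added illustration, not Graphene's code, of one check a shim can apply at that boundary: host clock readings are accepted only if they never move backwards, and violations are counted so the enclave can log or abort. The starting value and the host reading sequence are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not Graphene's implementation): a monotonic-clock check at
 * the partition boundary.  The untrusted host can still stall the enclave
 * (the slide's "Potential DoS"), but it cannot rewind the clock the
 * application sees, and every rejected reading is recorded for detection. */

typedef struct {
    uint64_t last_us;    /* last value released to the application */
    uint64_t anomalies;  /* host readings that violated monotonicity */
} secure_clock_t;

typedef enum { CLK_OK = 0, CLK_REJECT_BACKWARDS = 1 } clk_status_t;

/* start_us is a hypothetical trusted starting point obtained at enclave
 * launch (for example from an attested time source, not modelled here). */
void secure_clock_init(secure_clock_t *c, uint64_t start_us) {
    c->last_us = start_us;
    c->anomalies = 0;
}

/* Sanitize one reading from the untrusted host.  *out_us always holds a
 * value >= every value previously released, even if the host lies. */
clk_status_t secure_clock_read(secure_clock_t *c, uint64_t host_us,
                               uint64_t *out_us) {
    if (host_us < c->last_us) {
        c->anomalies++;
        *out_us = c->last_us;          /* hold the clock; never go back */
        return CLK_REJECT_BACKWARDS;
    }
    c->last_us = host_us;
    *out_us = host_us;
    return CLK_OK;
}

/* Constructed host behaviour: gettimeofday()-style readings (microseconds)
 * in which the host twice reports an earlier time than it already reported.
 * Returns the number of readings the shim refused. */
uint64_t replay_host_sequence(void) {
    static const uint64_t host_readings[] = { 1000, 1005, 900, 1010, 1010, 500, 1020 };
    secure_clock_t clk;
    uint64_t released;
    secure_clock_init(&clk, 1000);
    for (size_t i = 0; i < sizeof host_readings / sizeof host_readings[0]; i++)
        secure_clock_read(&clk, host_readings[i], &released);
    return clk.anomalies;   /* 2 */
}
```

The same pattern (validate, then either accept or fall back to the last known-good state) applies to the other host-supplied values in the table, such as the addresses returned for Stack and Heap.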

  9. Graphene Open-Source Project
     https://grapheneproject.io/
     Invisible Things Lab

  10. The Graphene Architecture
      Graphene LibOS: 140 / 318 system calls (core features), 63 KLOC of source code, 1.4 MB library size.
        Components: fork, exec, Virtual File System (Proc FS, Chroot FS, Passthru FS), Signal, SYS V IPC, Threading, ELF loader, Pipe, Socket, Migration, Namespace, Remote Procedure Call, Virtual Memory.
      Graphene Host ABI: 40 calls with portable & secure semantics.
      Ports: Container port, Non-Linux platform ports, SGX port + Shield.
      Not just for enclaves.

  11. Partition for Managed Languages
      Java App stack: Application, Language Runtime, Libraries, Operating System.
      Target of partitioning: sensitive execution.
      Partitioning across the system stack and its components is difficult; ideally you want to isolate out a minimum partition.
      Example sizes: Hadoop 6.3 MLoC, Libraries 2.3 MLoC, Operating System 0.9 MLoC.

  12. Civet: Partitioned Java Software Stack
      Joint work with Raluca Ada Popa, Jeongseok Son (Berkeley), Don Porter, Bhushan Jain (UNC).
      Input: Hadoop library (6.3 MLoC) with the Mapper and Reducer classes.
      Partition Tool produces:
        Trusted JAR (contains only the needed classes: Mapper, Reducer), loaded into the Partitioned Enclave by the JVM with Load & Verify and Defense stages.
        Untrusted JAR (Job plus synthesized RPC interfaces to Mapper and Reducer).
      The two halves communicate over RPC.

  13. Conclusion
      System partitioning is a critical challenge:
        OS-level: Graphene library OS, emulating the legacy system API on minimal secure abstractions.
        Runtime-level: Civet framework for Java, static cross-stack partitioning + language defense & optimization.
      https://grapheneproject.io
      support@graphene-project.io
