Meltdown
• Permission check for transient instructions is only done when committing them
• Suppose we are running a user-level program below
  - Fetching a kernel address: should not be allowed
  - Permission checks will be done later
  - The kernel's data value will be stored in the array, which can be retrieved using flush+reload

Mitigating Meltdown
• Kernel Page Table Isolation
• KAISER [ESSoS 17]

Side Channels in SGX
• Page fault
  - Controlled Channel Attack [S&P 15]
• Cache
  - Software Grand Exposure [WOOT 17]
• Branch prediction
  - Branch shadowing [Security 17]
• Transient out-of-order execution
  - Foreshadow [Security 18]
• Bus snooping
All of these are about memory access

SGX's Threat Model
[Diagram: SGX CPU, Cache, MEE]
• Only CPU is trusted
• All the rest are untrusted
• Any data leaving CPU is encrypted by Memory Encryption Engine (MEE)

Attacking SGX
[Diagram: SGX CPU, Cache, MEE]
• Bus snooping: Access patterns are still visible
• Monitor syscalls: Access patterns are still visible
• Cache side channels

Why Do Access Patterns Matter?
Server table (Key : Value)
  A : E_k(Blueberry)
  B : E_k(Tomato)
  C : E_k(Apple)
  D : E_k(Banana)
  E : E_k(Orange)
  F : E_k(Mango)
  G : E_k(Cherry)
Client to Server, Request: C
Server to Client, Response: E_k(Apple)
• Server learns client asked for "C"
• How to make client's query private?

Easy Solution: Ask Everything
Server table (Key : Value)
  A : E_k(Blueberry)
  B : E_k(Tomato)
  C : E_k(Apple)
  D : E_k(Banana)
  E : E_k(Orange)
  F : E_k(Mango)
  G : E_k(Cherry)
Client to Server, Request: A,B,C,D,…,G
Server to Client, Response: E_k(Blueberry), E_k(Tomato), …, E_k(Cherry)
• Secure but too much overhead

Better Solution: Ask k tuples [S&P 98]
Server table (Key : Value)
  A : E_k(Blueberry)
  B : E_k(Tomato)
  C : E_k(Apple)
  D : E_k(Banana)
  E : E_k(Orange)
  F : E_k(Mango)
  G : E_k(Cherry)
Client to Server, Request: A,C
Server to Client, Response: E_k(Blueberry), E_k(Apple)
• Provides k-1 ambiguity
  - So called k-anonymity [S&P 98]
• Limited security guarantees
  - See l-diversity [ICDE 06], t-closeness [ICDE 07]

Oblivious RAM (ORAM): Idea Sketch
Server table before the access (Key : Value)
  A : E_k(Blueberry)
  B : E_k(Tomato)
  C : E_k(Apple)
  D : E_k(Banana)
  E : E_k(Orange)
  F : E_k(Mango)
  G : E_k(Cherry)
Client to Server, Request: A,C,D
Server to Client, Response: E_k(Blueberry), E_k(Apple), E_k(Banana)
Client: Shuffle
Client to Server, Write-back: A: E_k(Apple), C: E_k(Banana), D: E_k(Blueberry)
Server table after the write-back (Key : Value)
  A : E_k(Apple)
  B : E_k(Tomato)
  C : E_k(Banana)
  D : E_k(Blueberry)
  E : E_k(Orange)
  F : E_k(Mango)
  G : E_k(Cherry)
• Key-Value mapping always changes

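The request / shuffle / write-back round of the idea sketch, as an added Python example (not code from the slides). The names `Client`, `Server`, `enc`, `dec` are hypothetical, the SHAKE-based XOR cipher is only a toy stand-in for E_k, and padding to 16 bytes with a fresh nonce per write is an assumption the slide does not spell out. It renders the sketch only and is not a secure ORAM construction.

```python
import hashlib
import secrets

KEY = secrets.token_bytes(16)   # client-only key k (constructed for this demo)
RNG = secrets.SystemRandom()
BLOCK = 16                      # values (<= 16 bytes) are padded to one length

def _stream(nonce, n):
    # Toy keystream standing in for E_k; real code would use an AEAD.
    return hashlib.shake_256(KEY + nonce).digest(n)

def enc(item):
    nonce = secrets.token_bytes(8)              # fresh nonce: fresh ciphertext
    pt = item.encode().ljust(BLOCK, b"\0")
    return nonce + bytes(a ^ b for a, b in zip(pt, _stream(nonce, BLOCK)))

def dec(ct):
    pt = bytes(a ^ b for a, b in zip(ct[8:], _stream(ct[:8], BLOCK)))
    return pt.rstrip(b"\0").decode()

class Server:
    """Untrusted store: sees only slot names and ciphertexts."""
    def __init__(self, table):
        self.table, self.log = dict(table), []
    def read(self, slots):
        self.log.append(sorted(slots))          # the server's whole view
        return {s: self.table[s] for s in slots}
    def write(self, updates):
        self.table.update(updates)

class Client:
    def __init__(self, items, k=3):
        self.k, self.pos = k, dict(items)       # private map: item -> slot
        self.server = Server({s: enc(i) for i, s in items.items()})

    def get(self, item):
        target = self.pos[item]
        others = [s for s in self.pos.values() if s != target]
        batch = self.server.read([target] + RNG.sample(others, self.k - 1))
        names = [dec(c) for c in batch.values()]
        found = dec(batch[target])
        RNG.shuffle(names)                      # new item -> slot assignment
        for slot, name in zip(batch, names):
            self.pos[name] = slot
        self.server.write({s: enc(n) for s, n in zip(batch, names)})
        return found
```

After repeated `get("Apple")` calls, `server.log` holds only sorted three-slot batches, and the slot that stores Apple can change after every call.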
Path ORAM [CCS 13]
[Diagram: ORAM Client (Position Map, Stash), ORAM Server]
• Tree-like data structures
  - Client: Position map, stash
  - Server: ORAM Tree with real/dummy nodes

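How the position map, stash and tree of real/dummy blocks work together in one access, as an added Python example (not code from the slides or the paper). The class and method names are hypothetical, and the tree lives in the same process with no encryption, so `trace` stands in for what an untrusted server would observe.

```python
import random

class PathORAM:
    """Client keeps pos + stash; self.tree stands in for the untrusted server."""
    def __init__(self, levels=4, bucket=4):
        self.Z, self.leaves = bucket, 2 ** levels
        self.rng = random.SystemRandom()
        # Heap layout: node 1 is the root, leaf i is node leaves + i.
        # Every bucket always holds Z slots; None marks a dummy block.
        self.tree = {n: [None] * bucket for n in range(1, 2 * self.leaves)}
        self.pos, self.stash = {}, {}     # position map, stash (client side)
        self.trace = []                   # leaves the server saw being read

    def path(self, leaf):
        node, nodes = self.leaves + leaf, []
        while node >= 1:
            nodes.append(node)            # ordered leaf -> root
            node //= 2
        return nodes

    def access(self, op, key, value=None):
        leaf = self.pos.get(key, self.rng.randrange(self.leaves))
        self.pos[key] = self.rng.randrange(self.leaves)   # remap first
        self.trace.append(leaf)
        nodes = self.path(leaf)
        for n in nodes:                   # pull the whole path into the stash
            self.stash.update(b for b in self.tree[n] if b is not None)
        old = self.stash.get(key)
        if op == "write":
            self.stash[key] = value
        for n in nodes:                   # evict greedily, deepest bucket first
            fit = [k for k in self.stash if n in self.path(self.pos[k])][:self.Z]
            real = [(k, self.stash.pop(k)) for k in fit]
            self.tree[n] = real + [None] * (self.Z - len(real))
        return old
```

Reading the same key repeatedly touches a freshly chosen random path each time, because the key is remapped before the path is written back.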
ORAM-based solutions for Memory Access
[Diagram: SGX CPU, Cache, MEE]
• Bus snooping: Access patterns are still visible
• Monitor syscalls: Access patterns are still visible
• Cache side channels

Mitigation: ORAM-based Memory Controller
[Diagram: SGX CPU, Cache, ORAM Client, ORAM Server]
• Patterns are secured using ORAM protocols
• ObfusMem [ISCA 17], SDIMM [HPCA 18]
  - ORAM-based Memory Controller

Mitigation: Place Trust in DRAM
[Diagram: SGX CPU, Cache, MEE, Bus snooping]
• InvisiMem [ISCA 17]
  - Place trust in DRAM
  - All address and data bus traffic is encrypted
    Note: SGX only encrypts values in data bus
  - Communication patterns are normalized