TEE² – Combining Trusted Hardware to Enhance the Security of TEEs Master-Thesis of Fritz Alder In cooperation with Aalto University, Finland Supervisor: Prof. Katzenbeisser Supervisor at Aalto University: Dr. Andrew Paverd and Prof. Asokan Fachbereich Informatik | Security Engineering Group | Prof. Katzenbeisser | 1
Motivation • Trusted Execution Environments (TEEs) provide isolated execution of security sensitive pieces of code that can be attested by remote parties. ➢ TEEs have the potential to ensure security in cloud computing environments • Real-world TEEs and their implementations are prone to attacks and bugs ➢ Trust in real-world TEEs is difficult to achieve, possibly slowing down adoption ➢ Can we combine multiple TEEs to achieve security even if all but one TEE is compromised? 2
Trusted Execution Environment (TEE) • Physical host Separated from TEE Rich Execution REE TA1 Environment (REE) execute TA1 • Executes Trusted Applications (TAs) • • Provides: Code integrity verified by TEE (e.g. with certificates) • No direct access to TAs from REE • Code integrity • Access only through predefined call-gates • Isolated execution • Sealed data • TEE attestation 3
Trusted Execution Environment (TEE) • Physical host Separated from TEE Rich Execution No access TA2 REE 2 TA1 Environment (REE) from other TAs • Executes Trusted No access Applications (TAs) from REE • Provides: 1 • Code integrity Sealed storage • Isolated execution • Sealed data Remote • TEE attestation attestation 4
System model – Ideal TEE • Similar to Honest but Curious cloud provider model: Host Secure Access • User communicates with TEE channel to host TEE • Adversary has full control of host User Adversary • Adversary has no interest in DoS • Code integrity • Adversary goal: Undermine any • Isolated execution • Sealed data of the four TEE properties • TEE attestation 5
Real-world TEE adversaries Weak attacker Strong attacker S W • • Compromises TEE confidentiality Compromises TEE confidentiality and integrity ➢ Can read run-time secrets and • sealed data Has access to architectural secrets or can influence TEE integrity ➢ But: Can not fake attestations or ➢ Can fully impersonate the TEE impact TEE integrity 6
Combined TEE – Design • User communicates with two Host unique TEEs Access to • Adversary has full control over TEE all hosts both untrusted hosts • Adversary can choose to Host Adversary User compromise any TEE Secure channel TEE Can compromise • User stays unware of choice to both TEEs one TEE by • Combined TEE remains secure choice as long as at least one TEE is uncompromised Combined TEE 7
Random Number Generation TEE TEE Goal: request 1. Generate a random string.. 2. ...that is unknown by an attacker response + attestation 3. ...and can be attested by remote parties as being actually randomly combine generated responses + attestations 8
Random Number Generation – weak adversary TEE TEE Goal: W request 1. Generate a random string.. 2. ...that is unknown by an attacker response + attestation 3. ...and can be attested by remote parties as being actually randomly combine generated responses + attestations 9
Random Number Generation – weak adversary TEE TEE Goal: W request 1. Generate a random string.. 2. ...that is unknown by an attacker response + attestation 3. ...and can be attested by remote parties as being actually randomly combine generated responses + attestations 10
Random Number Generation – strong adversary TEE TEE Goal: S request 1. Generate a random string.. 2. ...that is unknown by an attacker response + attestation 3. ...and can be attested by remote parties as being actually randomly combine generated responses + attestations 11
Random Number Generation – strong adversary TEE TEE Goal: S request request 1. Generate a random string.. true random 2. ...that is unknown by an attacker response + attestation 3. ...and can be attested by remote request parties as being actually randomly combine calculated generated response responses + attestations 12
Random Number Generation – strong adversary TEE TEE Goal: request 1. Generate a random string.. commitment 2. ...that is unknown by an attacker bind to 3. ...and can be attested by remote commitment parties as being actually randomly reveal generated combine responses + attestations Check commitments 13
Random Number Generation – strong adversary TEE TEE TEE TEE request commitment bind to commitment chain reveal combine 14
Random Number Generation – strong adversary TEE TEE TEE TEE TEE S S S request commitment bind to commitment chain reveal combine 15
Protocol Design • Combined TEE protocols differ from Ideal TEE protocols • No TEE can have knowledge of or control over any part of a secret TEE • Instead, protocols need to protect against S compromised TEEs • Defined a range of utility, one-party, and two- party protocols • TEE ElGamal operations • Key Exchange • Signing • Messaging • Store-and-forward • • Random Number Generation Oblivious Transfer 16
ElGamal operations – key generation TEE TEE Goal: 1. Operate on private keys held by request key generation the TEEs... 2. ...that are attestable 3. ...and can not be learned during return decryption public keys 4. ...but can be used for confidential combine private key private key public keys messages to the user responses + attestations 17
ElGamal operations – decryption TEE TEE Goal: 1. Operate on private keys held by Ciphertext C private key private key the TEEs... request decryption 2. ...that are attestable 3. ...and can not be learned during decryption return decryption 4. ...but can be used for confidential combine shares messages to the user shares 18
ElGamal operations – decryption TEE S TEE Goal: 1. Operate on private keys held by Ciphertext C private key private key the TEEs... request decryption 2. ...that are attestable 3. ...and can not be learned during decryption return decryption 4. ...but can be used for confidential combine shares messages to the user shares 19
ElGamal operations – decryption TEE S TEE Goal: 1. Operate on private keys held by Ciphertext C private key private key the TEEs... request decryption 2. ...that are attestable 3. ...and can not be learned during decryption return decryption 4. ...but can be used for confidential combine shares messages to the user shares y1 = x1 * G ; y2 = x2 * G ; Y = y1 + y2 ; C1 = k*G ; C2 = M + k*x1*G + k*x2*G C = (C1,C2); d1 = -x1 * C1 ; d2 = -x2 * C1 ; M = C2 + d1 + d2 20
Two-party protocols • Both parties can try to cheat and can compromise N-1 TEEs • ..but do not collaborate • Protocols require active participation from both users • More than a simple attestation verification A B TEE TEE 21
Policy based store-and-forward A B TEE TEE Goal: 1. Secretly share data with Split secret user B (XOR) 2. Only B can reveal the store secret secret request 3. B can not reveal the secret secret if a policy is not matched check check policy policy reveal secret Jump to implementation 22
Oblivious transfer – ideal version A B TEE A has a list L of n items send L Goals: choose m 1. B can select up to m items items 2. B should not learn more than m items A should not learn B‘s choices 3. (except the value of m ) 4. No third party should learn any items or choices 23
Oblivious transfer – Combined TEE A B TEE TEE A has a list L of n items establish n keys Goals: 1. B can select up to m items encrypt L send 2. B should not learn more with keys encrypted L than m items A should not learn B‘s 3. choices (except the value request m keys of m ) 4. No third party should learn check check reveal m any items or choices policy policy keys 24
Oblivious transfer – Combined TEE A B TEE TEE A has a list L of n items establish n keys Goals: 1. B can select up to m items encrypt L send 2. B should not learn more with keys encrypted L than m items A should not learn B‘s 3. choices (except the value request m keys of m ) 4. No third party should learn check check reveal m any items or choices policy policy keys 25
Oblivious transfer – Combined TEE A B TEE TEE A has a list L of n items establish n ? keys Goals: 1. B can select up to m items encrypt L send 2. B should not learn more with keys encrypted L than m items A should not learn B‘s 3. choices (except the value request m keys of m ) 4. No third party should learn check check reveal m any items or choices policy policy keys 26
Oblivious transfer – Combined TEE A B TEE TEE A has a list L of n items establish n 1. Involve B keys Goals: 2. Shuffle keys 1. B can select up to m items encrypt L send 2. B should not learn more with keys encrypted L than m items A should not learn B‘s 3. choices (except the value request m keys of m ) 4. No third party should learn check check reveal m any items or choices policy policy keys 27
Recommend
More recommend