
Trusted Execution Environments Chester Rebeiro IIT Madras Some of - PowerPoint PPT Presentation



  1. Trusted Execution Environments
     Chester Rebeiro, IIT Madras
     Some of the slides borrowed from Intel; CDACH; ARM

  2. Previously in SSE …
     • We looked at techniques to run untrusted code safely (confinement)
     [Figure: System: run program here; if it misbehaves, kill it.]

  3. Today in SSE …
     • We now look at how to run sensitive code in an untrusted environment
       – Besides other applications, the OS can also be untrusted.
       – Attackers can probe hardware
     • What to worry about:
       – Code / data of the sensitive app gets read / modified by the system
     [Figure: Untrusted system: run sensitive program here, in a Trusted Execution Environment.]

  4. Basic Problem (Ring Architecture)

  5. Basic Problem (Ring Architecture)

  6. Invasive Attacks

  7. Trusted Execution Environments
     Achieve confidentiality and integrity even when the OS is compromised!
     • ARM: TrustZone (trusted execution environments)
     • Intel: SGX (enclaves)

  8. ARM TrustZone
     TrustZone Security Whitepaper, ARM
     http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29GENC-009492C_trustzone_security_whitepaper.pdf

  9. ARM System on Chips
     [Figure: block diagram of an example ARM SoC: processors (ARM1156, Cortex-R4, Cortex-A8), DSPs, Mali200, caches, DMA and interrupt controllers, memory controllers, boot ROM, SRAM, debug/trace ports and peripherals, connected over AXI and APB buses.]

  10. ARM TrustZone (Main Idea)
      • Hardware and software partitioned into two: Normal and Secure worlds
      • A single hardware processor timesliced between secure and normal worlds
      • Secure world provides an environment that supports confidentiality and integrity.
        – Can prevent software attacks
        – Cannot prevent invasive attacks
      [Figure: Normal world (user mode, privileged modes) and Secure world (user mode, privileged modes), joined by Monitor mode.]

  11. A Typical TrustZone Application

  12. Switching Worlds
      • Execution in time-sliced manner (Secure <-> Normal)
      • New mode (monitor mode) that is invoked during switching modes
      • Mode switching
        – triggered by the Secure Monitor Call (SMC) instruction
        – certain hardware exceptions (interrupts, aborts)
      • Monitor mode: saves state of the current world and restores the state of the world being switched to. Restoration by return-from-exception.
      • NS bit: in configuration register, indicates secure / normal operating mode. NS = 1 -> indicates non-secure (normal) mode

  13. NS Bit extends beyond the chip
      [Figure: the same SoC block diagram as slide 9.]

  14. NS Bit extends beyond the chip
      [Figure: the same SoC block diagram as slide 9.]

  15. Memory Management
      • Virtual addresses (VA) have an extra bit (33rd bit), the Non Secure Table Identifier (NSTID): the current state of the processor (0 if secure world / 1 if normal world)
      • If NSTID = 1 then force NS bit to 1
      [Figure: CPU core sends VA + NSTID to the MMU; the MMU uses the page tables in memory (RAM) to produce the physical address.]

  16. Memory Management
      • TLB stores NSTID and NS bit per entry
      [Figure: as slide 15, with a TLB whose entries hold (VA, NSTID, PA, NS). Page walk only on TLB miss.]

  17. Memory Management
      • Secure world page tables can map to normal world memory
      [Figure: as slide 16.]

  18. Memory Management
      [Figure: as slide 16, with a cache memory whose lines hold (Tag, NS, cache line). Access RAM only on cache miss; page walk only on TLB miss.]

  19. Memory Management Units
      • Two virtual MMUs (one for each mode)
        – Two page-tables active simultaneously
      • A single TLB present
        – A tag in each TLB entry determines the mode (Normal and Secure TLB entries may co-exist; this allows for quicker switching of modes)
        – alternatively the monitor may flush the TLB whenever switching mode
      • A single cache is present
        – Tags (again) in each line used to store state
        – Any non-locked down cache line can be evicted to make space for new data
        – A secure line load can evict a non-secure line load (and vice-versa)
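
The NSTID and NS-bit rules from the memory-management slides above, modelled as an added example (not code from the slides or from ARM). The class and function names, the page numbers, and the bus-side check that rejects NS = 1 accesses to secure pages are assumptions made for illustration.

```python
from dataclasses import dataclass

SECURE, NORMAL = 0, 1            # NSTID: 0 = secure world, 1 = normal world

@dataclass(frozen=True)
class PTE:
    pa: int                      # physical page number
    ns: int                      # NS bit written in the page-table entry

class MMU:
    def __init__(self, secure_pt, normal_pt):
        self.page_tables = {SECURE: secure_pt, NORMAL: normal_pt}
        self.tlb = {}            # (VA, NSTID) -> (PA, NS); both worlds coexist
        self.walks = 0

    def translate(self, va, nstid):
        key = (va, nstid)
        if key not in self.tlb:                  # page walk only on TLB miss
            self.walks += 1
            pte = self.page_tables[nstid][va]
            ns = 1 if nstid == NORMAL else pte.ns    # NSTID = 1 forces NS = 1
            self.tlb[key] = (pte.pa, ns)
        return self.tlb[key]

def access(mmu, secure_pages, va, nstid):
    """Translate, then apply the assumed bus-side check on the NS bit."""
    pa, ns = mmu.translate(va, nstid)
    if ns == 1 and pa in secure_pages:
        raise PermissionError(f"non-secure access to secure page {pa:#x}")
    return pa, ns

# Constructed sample layout: page 0x80 is secure-only, page 0x10 is normal memory.
SECURE_PAGES = {0x80}
secure_pt = {0x1: PTE(0x80, ns=0), 0x2: PTE(0x10, ns=1)}
# A compromised normal-world OS maps the secret page and clears NS in its own PTE.
normal_pt = {0x1: PTE(0x80, ns=0), 0x2: PTE(0x10, ns=1)}

def build_mmu():
    return MMU(dict(secure_pt), dict(normal_pt))

if __name__ == "__main__":
    mmu = build_mmu()
    print(access(mmu, SECURE_PAGES, 0x1, SECURE))    # secure world reads its own page
    print(access(mmu, SECURE_PAGES, 0x2, SECURE))    # secure world maps normal memory
    try:
        access(mmu, SECURE_PAGES, 0x1, NORMAL)       # NS is forced to 1, so this fails
    except PermissionError as e:
        print("blocked:", e)
```

The normal-world page table entry asks for NS = 0, but because the NS bit is forced from NSTID the access still leaves the MMU marked non-secure.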

  20. Secure and Normal Devices
      [Figure: the same SoC block diagram as slide 9.]

  21. Interrupts
      • All interrupts routed to monitor first.
      • Interrupts can be configured to go either to the normal world or secure world.
      [Figure: Normal world and Secure world, each with user code and privileged code; an IRQ enters the Monitor and is passed on to one of the two worlds.]

  22. Interrupts
      • All interrupts routed to monitor first.
      • Interrupts can be configured to go either to the normal world or secure world.
      [Figure: as slide 21, with three interrupt vector tables: Normal World, Secure World and Monitor.]
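
A simplified model of the monitor described under Switching Worlds and Interrupts: it is the only code that changes the NS bit, it saves and restores each world's state, and every interrupt passes through it. This is an added example rather than code from the slides; the `Monitor` class, register names and values, and IRQ numbers are hypothetical.

```python
SECURE, NORMAL = "secure", "normal"

class Monitor:
    """Simplified monitor mode: the only code here that changes the NS bit."""

    def __init__(self, irq_routing):
        self.irq_routing = irq_routing            # IRQ number -> world (configurable)
        self.ns = 1                               # NS = 1: normal world is running
        # Saved register state per world (register names/values are hypothetical).
        self.saved = {SECURE: {"r0": 0, "pc": 0x1000},
                      NORMAL: {"r0": 0, "pc": 0x8000}}
        self.cpu = dict(self.saved[NORMAL])       # live register file

    @property
    def world(self):
        return NORMAL if self.ns == 1 else SECURE

    def _switch(self, target):
        if target == self.world:
            return
        self.saved[self.world] = dict(self.cpu)   # save state of the current world
        self.ns = 1 if target == NORMAL else 0
        self.cpu = dict(self.saved[target])       # restore, as return-from-exception

    def smc(self):
        """SMC instruction: trap to the monitor and switch to the other world."""
        self._switch(SECURE if self.world == NORMAL else NORMAL)
        return self.world

    def irq(self, number):
        """Every interrupt enters the monitor first, then goes to its configured world."""
        self._switch(self.irq_routing[number])
        return self.world

def run_scenario():
    mon = Monitor({5: SECURE, 9: NORMAL})         # constructed routing table
    trace = []
    mon.cpu["r0"] = 0x1111                        # normal-world working value
    mon.smc()                                     # normal -> secure
    trace.append((mon.world, mon.ns, mon.cpu["r0"]))
    mon.cpu["r0"] = 0x5EC2E7                      # secret held in a secure register
    mon.irq(9)                                    # normal-world IRQ arrives
    trace.append((mon.world, mon.ns, mon.cpu["r0"]))
    mon.irq(5)                                    # secure-world IRQ arrives
    trace.append((mon.world, mon.ns, mon.cpu["r0"]))
    return trace

if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The second trace entry is the one to look at: after the switch back to the normal world, the live registers hold the normal world's own saved values and not the secret the secure world left in `r0`.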

  23. Software Architecture
      • The minimal secure world can just have implementations of synchronous code libraries
      • Typically has an entire operating system
        – Qualcomm's QSEE; Trustonic's Kinibi; Samsung Knox; Genode
        – The secure OS could be tightly coupled to the rich OS so that the priority of a task in the rich OS gets mapped accordingly in the secure OS
        – Advantage of having a full OS is that we will have complete MMU support
      • Intermediate options

  24. Secure Boot
      • Why? Attackers may replace the flash software with a malicious version, compromising the entire system.
      • How? Secure chain of trust, starting from a root device (root of trust) that cannot be easily tampered with.

  25. Secure Boot Sequence
      • On-chip ROM based bootloader: may be internal to the CPU; initializes critical peripherals, memory controllers
      • Device bootloader: stored on flash device (typically); initializes critical peripherals
      • Secure operating system
      • Rich operating system

  26. Chain of Trust
      [Figure: a chain of "check signature" steps from the root of trust, an inherently secure component (PUF / TPM / on-chip ROM), up through the boot loader and the secure OS to the rich OS and the trustlets.]
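
The chain of trust as an added example (not from the slides): a linear root of trust → boot loader → secure OS → rich OS chain in which each stage verifies the next before handing over. As an assumption to stay within the Python standard library, a pinned SHA-256 digest stands in for the signature check, and the image contents are constructed.

```python
import hashlib
import hmac

DIGEST_LEN = 32

def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()

def build_chain(payloads):
    """Build images last to first: each image is its payload plus the pinned
    digest of the next image. Returns (images, digest held by the root of trust)."""
    images, next_digest = [], b""
    for name, payload in reversed(payloads):
        image = payload + next_digest
        images.append((name, image))
        next_digest = digest(image)
    images.reverse()
    return images, next_digest

def boot(images, root_digest):
    """Verify each stage before handing over; halt at the first failure.
    Returns (stages that ran, name of the stage that failed or None)."""
    expected, booted = root_digest, []
    for name, image in images:
        if not hmac.compare_digest(digest(image), expected):
            return booted, name
        booted.append(name)
        expected = image[-DIGEST_LEN:]    # what this stage pins for its successor
    return booted, None

def replace_stage(images, index, new_image):
    out = list(images)
    out[index] = (images[index][0], new_image)
    return out

# Constructed sample images (digest pinning is an assumed stand-in for signatures).
PAYLOADS = [("boot loader", b"BL v1"), ("secure OS", b"TEE v1"), ("rich OS", b"Linux v1")]
IMAGES, ROOT_DIGEST = build_chain(PAYLOADS)

def demo():
    evil_os = b"TEE backdoored" + IMAGES[1][1][-DIGEST_LEN:]
    swapped = replace_stage(IMAGES, 1, evil_os)
    # Re-pinning the boot loader to accept evil_os changes the boot loader itself.
    repinned = replace_stage(swapped, 0, IMAGES[0][1][:-DIGEST_LEN] + digest(evil_os))
    return boot(IMAGES, ROOT_DIGEST), boot(swapped, ROOT_DIGEST), boot(repinned, ROOT_DIGEST)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case shows why the root of trust has to be hard to tamper with: flash contents can be rewritten at every level, so the only check that cannot be re-pinned is the one anchored in the root.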

  27. Intel’s SGX
      Innovative Instructions and Software Model for Isolated Execution, HASP 2013 (F. McKeen et al.)

  28. Reduced Attack Surface with SGX
      • Normally: the attack surface is the apps, OS, VMM and hardware. Malware that can subvert any one of app, OS, VMM, or hardware can steal secrets.
      • With SGX enabled: small attack surface (App + Hardware). Malware cannot steal secrets in spite of subverting OS, BIOS, VMM, most parts of the App, etc.
      [Figure: two stacks of Apps / OS / VMM / Hardware, with the attack surface marked in each.]

  29. Enclaves (reverse sandbox)
      • Enclave has its own code and data areas
        – Provides confidentiality and integrity
        – With controlled entry points
      • However, enclave code and data cannot be accessed from outside the enclave, not even by the operating system.
      • TCS: Thread Control Structure (SGX supports multi-threading; one TCS for each thread supported)
      [Figure: enclave layout: entry table, enclave heap, enclave stack, enclave code, TCS.]

  30. Enclave Properties
      • Achieves confidentiality and integrity
        – Tampering of code / data is detected and access to tampered code / data is prevented.
      • Code outside enclave cannot access code/data inside the enclave
      • Even though OS is untrusted, it should still be able to manage page translation and page tables of the enclave
      • Enclave code and data
        – Enclave code and data is in the clear when in the CPU package (e.g. registers / caches), but unauthorized access is prevented
        – Enclave code and data is automatically encrypted when it leaves the CPU package
