trusted memory
play

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V - PowerPoint PPT Presentation

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code


  1. TRUSTED MEMORY Software-Based O�-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanović Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley

  2. TRUSTED MEMORY? Securing data/code against snooping/reverse-engineering Cryptographic keys Personally identifiable information Proprietary algorithms Code obscurity Biometric data (defense-in-depth)

  3. TRUSTED MEMORY? Two security domains of system memory: on-chip and ofg-chip . On-chip presumed secure , ofg-chip not quite

  4. TRUSTED MEMORY? Two security domains of system memory: on-chip and ofg-chip . On-chip presumed secure , O�-chip memory On-chip memory ofg-chip not quite a determined extremely di�cult hobbyist (!) could (expensive) to compromise compromise

  5. TRUSTED MEMORY? Two security domains of system memory: on-chip and ofg-chip . On-chip presumed secure , O�-chip memory ofg-chip not quite On-chip memory some gigabytes of some megabytes of storage storage

  6. TRUSTED MEMORY? (to scale) On-chip RAM Two security domains of system memory: on-chip and ofg-chip . Ofg-chip RAM On-chip presumed secure , ofg-chip not quite Hifive Unleashed

  7. also, who’s this Determined Hobbyist?

  8. also, who’s this Determined Hobbyist? the person trying to dump their game console RAM (“neimod” soldered FPGA I/O to this Nintendo 3DS’s memory bus)

  9. Problems Confidentiality Integrity “can an attacker “can an attacker secretly read my data?” change my data?” chonge

  10. Today Keystone Framework intro 1 Prior art in Intel SGX 2 Protected paging 3 Evaluation 4 Conclusion 5

  11. Our Toolset?

  12. an extensible, customizable Trusted Execution Environment framework for RISC-V

  13. Trusted Execution Other Apps Environments Ring 3 RAM OS / Hypervisor Ring 0 - 2 Trustworthy Hardware

  14. Trusted Execution Other Apps Environments Ring 3 RAM OS / Hypervisor Ring 0 - 2 Trustworthy Trusted Hardware Untrusted

  15. Trusted Sensitive Execution Other App Apps Enclave Environments Ring 3 RAM OS / Hypervisor Ring 0 - 2 Enclave Memory Trustworthy Trusted Hardware Untrusted

  16. Trusted Sensitive Execution Other App Apps Enclave Environments Ring 3 RAM OS / Hypervisor Ring 0 - 2 Integrity Enclave Memory Confidentiality Trustworthy Trusted Hardware Remote Attestation Untrusted

  17. Trusted ML Execution Training/ Competitor Inference Environments Ring 3 RAM Cloud provider Ring 0 - 2 Integrity Enclave Memory Confidentiality Trustworthy Trusted Hardware Remote Attestation Untrusted

  18. Perfect! but... Sensitive Other App Apps Enclave Ring 3 RAM On-chip memory OS / Hypervisor some megabytes of Ring 0 - 2 storage Enclave Memory Trusted Untrusted

  19. Perfect! but... Sensitive Other App Apps Enclave Ring 3 RAM On-chip memory OS / Hypervisor exhausted very Ring 0 - 2 quickly Enclave Memory Trusted Untrusted

  20. Perfect! but... Sensitive Other App Apps demand paging Enclave Ring 3 RAM On-chip memory OS / Hypervisor exhausted very Ring 0 - 2 quickly Enclave Memory Trusted Untrusted

  21. Problems Confidentiality Integrity “can an attacker “can an attacker secretly read my pages?” change my pages?” chonge

  22. Solutions Encryption Hashing any outbound pages any inbound pages have are encrypted their hashes checked

  23. Precedent Confidentiality Integrity Intel’s Secure Guard Extensions solve in hardware

  24. Precedent Confidentiality Integrity Modified Carter-Wegman AES-CTR, 128-bit MAC, 56-bit 512b block granularity Version counters Merkle tree for replay hash storage protection

  25. A Software Approach for commodity RISC-V hardware Confidentiality Integrity AES-CTR, 256-bit SHA256 page size granularity Version counters Merkle tree (multiple for replay hash storage of 4096b) protection

  26. The Scheme s_hash := sha(s)

  27. The Scheme s_hash := sha(s) s_enc := aes(s)

  28. The Scheme s_hash := sha(s) s_enc := aes(s) d_dec := aes(d)

  29. The Scheme s_hash := sha(s) s_enc := aes(s) d_dec := aes(d) d_hash := aes(d_dec)

  30. The Scheme s_hash := sha(s) s_enc := aes(s) d_dec := aes(d) d_hash := aes(d_dec) check_hash(d_hash)

  31. The Scheme s_hash := sha(s) s_enc := aes(s) d_dec := aes(d) d_hash := aes(d_dec) check_hash(d_hash) store_hash(s_hash)

  32. The Why a tree? Scheme Array of page hashes too big (wasteful) for s_hash := sha(s) s_enc := aes(s) on-chip memory d_dec := aes(d) d_hash := aes(d_dec) Move it o�-chip check_hash(d_hash) store_hash(s_hash)

  33. The Why a tree? Scheme O �-chip hashes s_hash := sha(s) s_enc := aes(s) Untrusted hashes? d_dec := aes(d) d_hash := aes(d_dec) check_hash(d_hash) store_hash(s_hash)

  34. Problems Confidentiality Integrity “can an attacker “can an attacker secretly read my hashes?” change my hashes?” chonge

  35. Solutions Don’t care! More hashing! cryptographic hash the hash hashes leak no store, keep the information root hash safe

  36. Hashing Resident pages Enclave memory the store Hash store sha(p1) sha(p1) sha(p2) sha(p3) sha(p4) sha(p5) sha(p6) sha(p7) Trusted world Original plan: Keep nonresident page hashes in Non-resident secure memory User OS pages Problem: On-chip memory too valuable! Untrusted world

  37. Hashing Resident pages Enclave memory the store Root hash sha(hash store) Trusted world Solution: Move store ofg-chip, check its Non-resident integrity during User OS pages page swaps Problem: Hash store Hashing the entire sha(p1) sha(p1) sha(p2) sha(p3) sha(p4) sha(p5) sha(p6) sha(p7) store wastes CPU Untrusted world cycles

  38. Hashing Resident pages Enclave memory the store Root hash sha(left block || right block) Trusted world Solution: - Split hash store - Hash left or right Non-resident side as needed User OS pages - Propagate to root Hash store Problem: Hashing half of sha(p1) sha(p1) sha(p2) sha(p3) sha(p4) sha(p5) sha(p6) sha(p7) store still too much Untrusted world for one page swap

  39. Hashing Resident pages Enclave memory the store Root hash sha(left node || right node) Trusted world Solution: - Recursive splits - Hash only the Non-resident relevant leaf User OS pages - Propagate to root Hash store sha(left block || right block) sha(left block || right block) This tree structure is called a Merkle Tree . sha(p1) sha(p1) sha(p2) sha(p3) sha(p4) sha(p5) sha(p6) sha(p7) Untrusted world

  40. Hashing Resident pages Enclave memory the store Root hash sha(left node || right node) Trusted world Merkle tree tradeofgs: - Very little secure memory usage Non-resident - Deeper tree needs Hash store User OS sha(left node || right node) sha(left node || right node) pages more insecure mem - Deeper tree hashes sha(left || right) sha(left || right) sha(left || right) sha(left || right) fewer bytes total - Deeper tree needs sha(p1) sha(p1) sha(p2) sha(p3) sha(p4) sha(p5) sha(p6) sha(p7) more hash passes Untrusted world

  41. Evaluation Software memory protection feasible, with appreciable overhead. Optimizations pending; current implementation conservative with security guarantees

  42. Evaluation With effjcient paging infrastructure, even unoptimized protection routines could be viable.

  43. Evaluation Unfortunately, paging currently accounts for huge runtime overheads

  44. Conclusion Protected paging appropriate for security-critical , speed-flexible operations Specifically, ones under secure memory pressure

  45. Conclusion Protected paging lays groundwork for other space optimizations - Free up L2 cache when enclave is idle - Balance on-chip memory among several enclaves

  46. A Flexible Approach

  47. Conclusion Software protections need no special IP blocks! Frees up die area for cost constrained hardware

  48. Conclusion Software protections are complemented by special IP blocks! One scheme parametrizable over many hardware configurations

Recommend


More recommend