a first step towards leveraging commodity trusted execution environments for network applications...
TRANSCRIPT
1
A First Step Towards Leveraging Commodity Trusted Execution
Environments for Network Applications
Seongmin Kim Youjung Shin Jaehyung Ha Taesoo Kim* Dongsu Han
KAIST * Georgia Tech
2
Trend 1: Security and PrivacyCritical Factors in Technology Adoption
• Demands for “security” and “privacy” are increasing– Widespread use of Transport Layer Security (TLS)– Popularity of anonymity networks (e.g., Tor)– Use of strong authentication/encryption in WiFi
• Expectation on security and privacy impacts design decisions:– Operating system (iOS, Android)– Apps/services (e.g., messenger, adblocker)– Network infrastructure (inter-domain SDN)
3
• Demands for “security” and “privacy” are increasing– Widespread use of Transport Layer Security (TLS)– Popularity of anonymity networks (e.g., Tor)– Use of strong authentication/encryption in WiFi
• Expectation on security and privacy impacts design decisions:– Operating system (iOS, Android)– Apps/services (e.g., messenger, adblocker)– Network infrastructure (inter-domain SDN)
Trend 1: Security and PrivacyCritical Factors in Technology Adoption
4
Trend 2: Commoditization of Trusted Execution Environment
• Trusted Execution Environment (TEE)– Isolated execution: integrity of code, confidentiality – Remote attestation
• Commoditization of TEE– Trusted Platform Module (TPM) : Slow performance– ARM TrustZone : Only available for embedded devices– Intel Software Guard Extension (SGX) 1. Native performance 2. Compatibility with x86
The commoditization of TEE brings new
opportunities for network applications.
5
Network Applications + TEE = ?
• What impact does TEE have on networking?
• Previous efforts: Adopting TEE to cloud platform– Haven [OSDI’14] : Protects applications from an untrusted cloud– VC3 [S&P’15] : Trustworthy data analytics in the cloud
NetworkApplications
TEE
Intel SGX
Enhanced security
New design space
New functionality
6
SGX : Isolated Execution
• Application keeps its data/code inside the “enclave”– Smallest attack surface by reducing TCB (App + processor)– Protect app’s secret from untrusted privilege software (e.g.,
OS, VMM)
CPU Package
System Memory
Enclave
MemoryEncryptionEngine (MEE)
Snooping
Access from OS/VMMEncrypted
code/data
7
SGX : Remote Attestation
• Attest an application on remote platform• Check the identity of enclave (hash of code/data
pages)• Can establish a “secure channel” between enclaves
Target Enclave
Quoting Enclave
Challenger Enclave
SGX CPU
Host platformRemote platform
SGX CPU
1. Request2. Calculate MAC
3. Send MAC
6. Send signature
CMAC
Hash
4. Verify
5. Sign with group key [EPID]
8
Case Studies: Three Applications
1. Network infrastructure: Software-defined inter-domain routing
2. Peer-to-peer systems: Tor anonymity network3. Middlebox: TLS and “secure” middleboxes
NetworkApplications
TEE
Intel SGX
Enhanced security
New design space
New functionality
SDN-based Inter-domain Routing
• Offers new properties – Fast convergence, application-specific peering, flexibility,
what-if analysis [hotnets2011]• Reveals private information: topology and policy
AS A
AS C
AS D
AS B
9
Inter-domainController
1) Topology2) Policies (e.g., export policy)
AS A
SDN-based Inter-domain Routing
AS C
AS D
AS B
Inter-domainControllers
10
Prior work [hotnets2011] uses Secure Multi-Party Computation (SMPC) to solve this, but the computational complexity is prohibitive.
11
SDN-based Inter-domain RoutingInter-domain
Controller
AS A
AS-localController
Router
SDNSwitch
AS B
AS-localController
EnclaveEnclave
Enclave
• Enclose private information inside the enclave• Communication through a secure channel after
attestation
12
SDN-based Inter-domain RoutingInter-domain
Controller
AS A
AS-localController
Router
SDNSwitch
AS B
AS-localController
ASes agree upon a common code base.Makes sure that it does not leak private information [Moat].It becomes the TCB of the inter-domain routing infrastructure.
EnclaveEnclave
Enclave
13
SDN-based Inter-domain RoutingInter-domain
Controller
AS A
AS-localController
Router
SDNSwitch
AS B
AS-localController
1. Mutually attest/authenticate using remote attestation
2. Collect policy and topology through a secure channel
3. Main controller computes routing path
4. Sends routes for each AS through a secure channel
Agreed upon code
EnclaveEnclave
Enclave
Attestation
Collect infoSend routes
Extending Features: Policy verification
• Enabling verification on routing decisions – Want to verify whether the promise is being kept [SPIDeR]
AS A
AS C
AS D
AS B
14
I will give you my shortest route to Google!
[SPIDeR]
Inter-domainController
Extending Features: Policy verification
• Enabling verification on routing decisions – Want to verify whether the promise is being kept [SPIDeR]
AS A
AS C
AS D
AS B
Inter-domainController
15
I will give you my shortest route to Google!
[SPIDeR]
Predicate Predicate
Enclave
• Verify only the predicates agreed upon by A and B
Among all routes to Google from B, is the one B advertising to A the shortest?
16
Tor: Anonymity Network• Tor network : uses 3-hop onion routing
– Directory servers : Advertise available onion routers (ORs), vote for bad exit nodes
– Relies on volunteer provided hosts
EntryRelay
Exit
When exit node is compromised,(unless end-to-end encryption is used)1. Snooping or tampering of the plain-text2. Break of anonymity : Bad apple attack
Directory servers
Tor clientDestination
Tor network
17
Tor: Anonymity Network• Tor network : uses 3-hop onion routing
– Directory servers : Advertise available onion routers, vote for bad exit nodes
– Relies on volunteer provided hosts
Directory servers
Tor clientDestination
EntryRelay
Exit
When directory servers are compromised,1. Tie-breaking attacks while voting2. Admission of malicious ORs
Tor network
18
Tor network
Application of TEE to Tor
1) SGX-enabled directory servers2) SGX-enabled directory servers & ORs
Directory servers
Tor clientDestination
EntryRelay
Exit
Enclave
Enclave Remote attestation
- Detect problematic exit nodes through integrity check
- Keep sensitive data in enclave1) Authority keys2) List of available ORs
- Integrity check each other- Automatic admission of new ORs
19
Application of TEE to Tor
1) SGX-enabled directory servers2) SGX-enabled directory servers & ORs3) Fully SGX-enabled setting
Remote attestation
Tor clientDestination
EntryRelay
Exit
Enclave
Enclave
Enclave Enclave
Enclave Enclave
Eliminate directory servers altogether
Tor networkEach Tor components can check the integrity of target program (Tor binary)
20
Implementation• OpenSGX [NDSS’16] : Open source SGX emulator
– Fully functional, instruction-compatible emulator of SGX build on top of QEMU
– Emulates system software and provide SGX libraries
SGX OS Emulation
QEMU SGX
CodeDataStack
Enclave Program
User process (single address space)
SGX System call
SGX instruction
Enclave mode switch
Package Info(Key, Entry point)
SGX LibrariesTrampoline
21
Preliminary Evaluation: Overhead
• Estimate the overhead in terms of additional CPU cycles– Each SGX instruction = 10 k cycles [Haven]
<Cost of remote attestation>
Target Quoting Challenger0
2000000000400000000060000000008000000000
10000000000without DHwith DH
CPU Cyc
les (B)
Cost of remote attestation:
3% of 1024-bit Diffie-Hellman
For each I/O operations, 2 Mode switches + SGX library calls
<Cost of packet transmission>
SGX libraryEnclave
…send()...
User space OS
Trampoline
22
SDN-based inter-domain routing
– 30 ASes with the centralized inter-domain controller– Inter-domain controller : 90% more CPU cycles– AS-local controllers : 70% more CPU cycles
<# of CPU cycles consumed in the inter-domain controller>
Without SGX
With SGX
0 100000000 200000000 300000000CPU Cycles
Number of participating ASes : 30
23
Conclusion
• Commoditization of TEE brings new opportunities for network applications
• Cases studies show wide range of impact:– Policy privacy of SDN-based inter-domain routing– New design space of Tor anonymity network– Secure in-network functions
• SDN-based inter-domain routing:– Characterize and measure the overhead of using SGX– Consumes 70-90% more CPU cycles
24
25
SDN-based inter-domain routing
– 30 ASes with the centralized inter-domain controller– Inter-domain controller : 90% more CPU cycles– AS-local controllers : 70% more CPU cycles
<# of CPU cycles consumed in the inter-domain controller>
CPU Cyc
les
Number of participating ASes2 5 10 15 20 25 300
50000000100000000150000000200000000250000000300000000
without SGX with SGX
26
Secure Multi-party Execution• SGX Program owner can remotely verify the integrity of code• Publicly available programs (e.g., git) can validate the integrity
of project by sharing the private key for the attestation• Creates signature of program through shared private key
Publicrepo
attestation
Example) 1. Tor binary for OR 2. SDN-based controller program
27
Enclave
In-network Functions (Middleboxes)
• Use of TLS protocol disrupts in-network processing Only endpoints of communication can access the plain-text• SGX enables opportunity for secure in-network functions
Middlebox
Proxy
Firewall
IDS
2. Gives session keys through a secure channel
1. Authenticate middlebox through remote attestaion
ServerCan be done unilaterally or bilaterally.
Enclave
Enclave
28
Trend 2: Commoditization of Trusted Execution Environment
• Trusted Execution Environment (TEE)– Isolated execution: integrity of code, confidentiality – Remote attestation
• Commoditization of TEE– Trusted Platform Module (TPM) : Slow performance– ARM TrustZone : Only available for embedded devices– Intel Software Guard Extension (SGX) 1. Native performance 2. Compatibility with x86
The commoditization of TEE brings new
opportunities for network applications.