application-oriented security: secrets … · application-oriented security: secrets management and...
TRANSCRIPT
![Page 1: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/1.jpg)
APPLICATION-ORIENTED SECURITY: SECRETS MANAGEMENT AND SIDE-
CHANNEL PROTECTION FOR TEESChristof Fetzer
TU Dresden
![Page 2: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/2.jpg)
OUTLINE
Enclave / TEEApplication Code
1.
2.
Secrets
3.
Side-Channels
�2
![Page 3: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/3.jpg)
OBJECTIVES
�3
![Page 4: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/4.jpg)
APPLICATION-ORIENTED SECURITY
Application
Objective: Ensure integrity and confidentiality of applications
Data Computation Communication
attacker
client
https://sconedocs.github.io �4
![Page 5: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/5.jpg)
THREAT MODEL
Application attacker
system administrator
(root, hardware access)
client
https://sconedocs.github.io �5
![Page 6: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/6.jpg)
SYSTEM ADMINISTRATOR
Application attacker
system administrator
(root, hardware access)
client
https://sconedocs.github.io
attacker
credentialssocial engineering
IaaS
manages
�6
![Page 7: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/7.jpg)
SERVICE PROVIDER ADMINISTRATOR
Application attacker
system administrator
(root, hardware access)
client
https://sconedocs.github.io
IaaS
attacker
FaaS
FaaS administrator
(root, application rights)
manages
�7
![Page 8: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/8.jpg)
DEFENSE IN DEPTH!
Application attacker
client
https://sconedocs.github.io
IaaS
attacker
FaaS
�8
![Page 9: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/9.jpg)
OS-BASED ACCESS CONTROL INSUFFICIENT
Application
service provider administrator
(root, application rights)
client secret
dump memory
attacker
system administrator
(root, hardware access)
https://sconedocs.github.io �9
![Page 10: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/10.jpg)
WE NEED A CRYPTOGRAPHIC APPROACH!
Application
service provider administrator
(root, application rights)
clientcrypto
TLSattacker
system administrator
(root, hardware access)
https://sconedocs.github.io �10
![Page 11: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/11.jpg)
ENGINEERING IS ABOUT …➤ … balancing multiple, often conflicting goals
�11
availability, durability
securityusability
cost (engineering, operations, …)
time to market
portability
… security is for many service providers not the most important issue
![Page 12: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/12.jpg)
SCONE: E2E ENCRYPTION WITHOUT SOURCE CODE CHANGES
Application - protected by
SCONE -
service provider administrator
(root, application rights)
clientcrypto
TLSattacker
[SCONE] Sergei Arnautov, et al, „SCONE: Secure Linux Containers with Intel SGX“, USENIX OSDI 2016
system administrator
(root, hardware access)
Languages:C,C++,Go,Rust,Java,Python,R,…
�12
![Page 13: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/13.jpg)
WHY NO SOURCE CODE CHANGES?➤ Considerations:
➤ reduce cost / time of improving security
➤ reduce the skills required to improve security
➤ no hardware / software lock-in
➤ ..
�13
➤ partitioning software for TEEs is quite difficult
![Page 14: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/14.jpg)
TOOL SUPPORTJoshua Lind, etc: „Glamdring: Automatic Application Partitioning for Intel SGX“,
Usenix ATC 2017
�14
…still hard to partition - should we really partition?
![Page 15: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/15.jpg)
EXAMPLE➤ Web Server (nginx)
➤ Configuration:
➤ TLS certificate (private key)
➤ config file
➤ …
➤ WWW files:
➤ must only be visible to authorised clients
web server (nginx)
TLS
cert wwwfiles
process
https://sconedocs.github.io �15
![Page 16: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/16.jpg)
THREAT MODEL?➤ Attacker has root access
➤ controls OS
➤ controls Hypervisor
➤ Attacker can
➤ read/modify all files
➤ can read/modify memory of processes
➤ can see all network traffic
web server (nginx)
TLS
cert www
OS
dump memory
(root)
node
hypervisorhttps://sconedocs.github.io
�16
![Page 17: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/17.jpg)
HOW TO PARTITION NGINX?➤ We need to protect certificate!
➤ must not leak private key
➤ TLS should be protected!nginxTLS
cert www
T L S
could impersonate original website if not protected �17
![Page 18: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/18.jpg)
SHOULD WE PARTITION NGINX?
➤ We need to protect certificate!
➤ must not leak
➤ TLS should be protected!
➤ Attacker does not need cert:
➤ establish connections via protected TLS stack
➤ how to protect against this?
➤ how to automate the protection?
nginxTLS
cert www
T L S
https://sconedocs.github.io �18
![Page 19: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/19.jpg)
SHOULD WE PARTITION NGINX?
➤ We need to protect certificate!
➤ must not leak
➤ TLS should be protected!
➤ We need to encrypt www files
➤ to ensure confidentiality
➤ to ensure integrity
nginxTLS
cert www
T L S
read/ modify
https://sconedocs.github.io �19
![Page 20: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/20.jpg)
SHOULD WE PARTITION NGINX?
➤ We need to protect certificate!
➤ must not leak
➤ TLS should be protected!
➤ We need to encrypt www files
➤ to ensure confidentiality
➤ to ensure integrity
➤ We need to protect content
➤ never as plain text
➤ detect modifications
nginxTLS
cert www
T L S
? Side-Channel attack!�20https://sconedocs.github.io
![Page 21: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/21.jpg)
SHIELDING➤ Partitioning requires bespoke
protection
➤ need to ensure that TLS API calls are not malicious
➤ Protecting the OS Interface
➤ larger than TLS API
➤ but reusable across many applications
TLS T L S
TLSnginx
OS Interface
shielding
attacks
https://sconedocs.github.io
![Page 22: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/22.jpg)
FILESHIELD, TLS SHIELD,…➤ Transparent encryption/
decryption of files
➤ inside of enclaves
➤ In case app does not support TLS
➤ can wrap TCP connections in TLS
➤ e.g., memcache
TLSnginx
transparently encrypted files
shielding
attacks
cert www
https://sconedocs.github.io
![Page 23: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/23.jpg)
SCONE: FILE ENCRYPTION
➤ Developer determines which files must be encrypted
➤ Encryption/authentication with source code changes
rootroot
nomodifications
�23https://sconedocs.github.io
![Page 24: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/24.jpg)
REALLY, NO PARTITIONING?
- focus on microservices -
�24
![Page 25: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/25.jpg)
CLOUD NATIVE APPLICATIONS
untrusted
clou
d pr
ovid
erse
rvic
e pr
ovid
er
trusted
cloud-native application
cloud services
integrity & confidentiality (micro-)services deployed in containers
availability
https://sconedocs.github.io �25
![Page 26: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/26.jpg)
EACH MICROSERVICE RUNS IN A CONTAINER
untrusted
clou
d pr
ovid
erse
rvic
e pr
ovid
er
cloud-native application
availability
standard containers (untrusted)
µ-service … µ-service
cloud services
e.g., no protection needed for services accessing encrypted data only
https://sconedocs.github.io �26
![Page 27: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/27.jpg)
MICROSERVICE-BASED PARTITIONING
µ-service
SGX enclave
secure containers (trusted)
clou
d pr
ovid
erse
rvic
e pr
ovid
er
standard containers (untrusted)
… µ-service
SGX enclave
µ-service … µ-service
cloud-native application
untrusted
availability
cloud services
https://sconedocs.github.io �27
![Page 28: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/28.jpg)
CONTAINER-AS-A-SERVICE AND/OR IAAS
Operating system
µ-service
SGX enclave
secure containers (trusted)
Virtual Machine
Operating system
Virtual Machine
Operating system
Virtual Machine
…
…IaaS
FaaSContainer Engine Container Engine Container Engine…
Container Swarm
untrusted
clou
d pr
ovid
erse
rvic
e pr
ovid
er
untrusted
standard containers (untrusted)
… µ-service
SGX enclave
µ-service … µ-service
cloud-based applicationintegrity & confidentiality
https://sconedocs.github.io
CaaS
�28
![Page 29: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/29.jpg)
METAL-AS-A-SERVICE
Operating system
µ-service
SGX enclave
secure containers (trusted)
host
Operating system
host
Operating system
host
…
…MaaS
Container Engine Container Engine Container Engine…
Container Swarm
untrusted
clou
d pr
ovid
erse
rvic
e pr
ovid
er
untrusted
standard containers (untrusted)
… µ-service
SGX enclave
µ-service … µ-service
cloud-based applicationintegrity & confidentiality
https://sconedocs.github.io
FaaS
CaaS
�29
![Page 30: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/30.jpg)
PORTABILITY- reduce cost / avoid lock in -
![Page 31: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/31.jpg)
SCONE PLATFORM: DESIGNED FOR MULTIPLE ARCHITECTURES
portable code
Intel AMD arm
SGX main memory encryption
???
SCONE:
no source code changesSCONE:
gcc-based crosscompiler
SCONE crossc
ompiler
Portability through cross-compilation
https://sconedocs.github.io
Languages:C,C++,Go,Rust,interpreted/JIT:Java,Python,R,…
�31
![Page 32: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/32.jpg)
MEMORY SAFETY?- exploiting application bugs -
![Page 33: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/33.jpg)
SGXBOUNDS FOR MEMORY SAFETY (C AND C++)
SGXBounds(LLVM pass)
Operating System
Shielded app(e.g., SCONE)Source code
CPU RAM SGX
Advanced features: ➥ Tolerating errors with boundless memory ➥ Metadata management support ➥ Compile-time optimizations
See paper for details
Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2017. SGXBOUNDS: Memory Safety for Shielded Execution. In Proceedings of the Twelfth European Conference on Computer Systems (EuroSys '17). ACM, New York, NY, USA, 205-221.
![Page 34: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/34.jpg)
SGXBOUNDS IN A NUTSHELL
![Page 35: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/35.jpg)
PERFORMANCE
ASan MPX SGXBounds
Phoenix 1.41 2.27 1.13PARSEC 1.60 1.43* 1.20
SPEC 1.76 1.52* 1.41
![Page 36: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/36.jpg)
SECRETS MANAGEMENT
Enclave / TEEApplication Code
Secrets
Side-Channels
�36
![Page 37: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/37.jpg)
DISTRIBUTED APPLICATIONS
- motivation -
�37
![Page 38: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/38.jpg)
DISTRIBUTED APPLICATIONS - SPREAD ACROSS CLOUDS
App
service provider administrator
(root, application rights)
clientTLS
attacker
App
App
back
end
edge servicebackend cloud
regional cloud
system administrator
(root, hardware access)
https://sconedocs.github.io �38
![Page 39: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/39.jpg)
HOW DO WE KNOW THAT CORRECT CODE EXECUTES?
App
service provider administrator
(root, application rights)
clientTLS
attacker
App
App
back
end
controls
We need to attest that the
correct code is running!
system administrator
(root, hardware access)
https://sconedocs.github.io �39
![Page 40: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/40.jpg)
TRANSPARENT ATTESTATION & CONFIGURATION
- problems? -
�40
![Page 41: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/41.jpg)
PROBLEM: STARTUP LATENCY!➤ Attestation via Intel Attention Service
➤ rate in which we can spawn containers limited/depends on Intel
�41
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●●●●
0.001
0.010
0.100
1.000
10 100 1000Throughput (#starts/s)
Late
ncy
(s)
●
●
●
●
IAS
CAS
SGX w/o
Native
https://sconedocs.github.io
![Page 42: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/42.jpg)
TRANSPARENT ATTESTATION
CAS (Configuration &
Attestation Service)Service
Enclave
Enclave
LAS
Enclave
host
4) Quote
2) Public-key 3) Quote
1) KeyPair
5) Configuration
Policy
same cluster �42https://sconedocs.github.io
![Page 43: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/43.jpg)
TRANSPARENT ATTESTATION
CAS (Configuration &
Attestation Service)Service
Enclave
Enclave
LAS
Enclave
host
4) Quote
2) Public-key 3) Quote
1) KeyPair
5) Configuration
Policy
same cluster �43
attested once with IAS
attested once with parent CAS
https://sconedocs.github.io
![Page 44: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/44.jpg)
PROBLEM: STARTUP LATENCY!➤ Attestation via Intel takes too long time
➤ rate in which we can spawn containers limited/depends on Intel
�44
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●●●●
0.001
0.010
0.100
1.000
10 100 1000Throughput (#starts/s)
Late
ncy
(s)
●
●
●
●
IAS
CAS
SGX w/o
Native
https://sconedocs.github.io
![Page 45: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/45.jpg)
NO SOURCE CODE CHANGES?
➤ Problem: how can the application show that it runs inside an enclave and runs correct code?
➤ Approach: attest application and give it a certificate
�45https://sconedocs.github.io
![Page 46: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/46.jpg)
REST INTERFACES➤ Application is partitioned into
microservices
➤Microservices run on same or on different machines
➤REST APIs protected by TLS
➤could add transparently if needed („SCONE TLS shield“)
�46https://sconedocs.github.io
![Page 47: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/47.jpg)
TRANSPARENT P2P ATTESTATION VIA TLS
We run our internal CA and only components belonging to the same application can talk to each other …
CertificateAuthority(integratedinSCONECAS)
https://sconedocs.github.io �47
![Page 48: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/48.jpg)
SECRETS MANAGEMENT
Enclave / TEEApplication Code
1.
2.
Secrets
3.
Side-Channels
�48
![Page 49: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/49.jpg)
SIDE CHANNELS- dealing various side channels -
![Page 50: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/50.jpg)
SIDE CHANNEL ATTACK?
➤ An attacker steals a secret from a victim via a covert channel:
➤ i.e., a channel that is not intended to communicate information
➤ Examples: timing, power, cache, …
secret
victim
secret
attackercovert channel
�50
![Page 51: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/51.jpg)
SIDE CHANNEL ATTACK?
➤ Side channel attack:
➤ information gained from the implementation
➤ not from the implemented algorithm
secret
victim
secret
attackercovert channel
implementation
�51
![Page 52: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/52.jpg)
SIDE CHANNEL ATTACK
➤ We need a
➤ transmitter code in the victim to send the secret, and a
➤ receiver to store the secret
secret transmitter code
victim
receiver secret
attackercovert channel
�52
![Page 53: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/53.jpg)
SIDE CHANNEL ATTACK
➤ Finally, we need
➤ access code to get the secret to the transmitter code
secret access code
transmitter code
victim
receiver secret
attackercovert channel
�53
![Page 54: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/54.jpg)
WHAT SIDE-CHANNELS?➤ Spectre Variant 1
➤ Spectre Variant 2
➤ Meltdown
➤ Spectre NG
➤ Foreshadow
➤ …
➤ Let’s focus on Spectre Variant 1
�54
![Page 55: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/55.jpg)
NON-SPECULATIVE EXECUTION
if(x<array1_size)y=array2[array1[x]*4096];
uncached
Note: execution must wait until array1_size is fetched from memory
Paul Kocher et al, „Spectre Attacks: Exploiting Speculative Execution“, 40th IEEE Symposium on Security and Privacy (S&P’19)
�55
![Page 56: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/56.jpg)
SPECULATIVE EXECUTION
if(x<array1_size)y=array2[array1[x]*4096];
predict
Approach: CPU predicts the outcome of the comparisons
Paul Kocher et al, „Spectre Attacks: Exploiting Speculative Execution“, 40th IEEE Symposium on Security and Privacy (S&P’19)
�56
![Page 57: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/57.jpg)
EXPLOITING CONDITIONAL BRANCH MISPREDICTION
➤ Branch prediction to speed up computations:
if(x<array1_size)y=array2[array1[x]*4096];
�57
![Page 58: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/58.jpg)
MISPREDICTION➤ CPU might (mis)predict true:
➤ accesses array1 out-of-bound
➤ will speculatively access
➤ array2[secret value*4k]
➤ CPU will eventually detect this
➤ rolls back updates
if(x<array1_size)y=array2[array1[x]*4096];
secret valueaddr
array1
x = addr-array1
controls
in cache
uncached
�58
![Page 59: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/59.jpg)
LEARNING THE SECRET…if(x<array1_size)y=array2[array1[x]*4096];
secret valueaddr
array1
x = addr-array1
controls
uncached
array2
*4096shared cache
➤ Value array2[secret value*4096] is read into cache
�59
![Page 60: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/60.jpg)
LEARNING THE SECRET…if(x<array1_size)y=array2[array1[x]*4096];
secret valueaddr
array1
x = addr-array1
uncached
array2
*4096shared cache
➤ Value array2[secret value*4096] is read into cache
probes cache to detect
which index was accessed
ACCESS CODE
�60
![Page 61: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/61.jpg)
DECOMPOSING SPECTRE 1if(x<array1_size)y=array2[array1[x]*4096];
secret valueaddr
array1
x = addr-array1
array2
*4096shared cache
➤ Value array2[secret value*4096] is read into cache
probes cache to detect
which index was accessed
Access Code
Cache
(covert channel)
ReceiverTransmitter Code
secret access code
transmitter code receiver secret
covert channel
�61
![Page 62: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/62.jpg)
ADDRESSING SIDE CHANNEL ATTACKS?
➤ Alternatives:
➤ disable access code
➤ disable transmitter code
➤ disable covert channel
➤ disable receiver code
secret access code
transmitter code
victim
receiver secret
attackercovert channel
�62
![Page 63: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/63.jpg)
VarysProtecting SGX Enclaves From Practical Side-Channel Attacks
Oleksii Oleksenko, Bohdan TrachRobert Krahn, Andre Martin, Christof Fetzer
Mark Silberstein
�63
![Page 64: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/64.jpg)
Existing solutions
Low overhead Low effort(no code changes required)
Cloak [1]
Düppel [2]
[1] Gruss, D., Lettner, J., Schuster, F., Ohrimenko, O., Haller, I., & Costa, M. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In Usenix Security 2017.[2] Zhang, Y., Reiter, M. K., Zhang, Y., & Reiter, M. K. Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. In CCS 2013.[3] Brasser, F., Capkun, S., Dmitrienko, A., Frassetto, T., Kostiainen, K., Müller, U., & Sadeghi, A.-R. DR.SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization. In arXiv
2017.[4] Chen, S., Reiter, M. K., Zhang, X., & Zhang, Y. Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu. In ASIA CCS ’17.[5] Shih, M., Lee, S., & Kim, T. T-SGX: Eradicating controlled-channel attacks against enclave programs. In NDSS 2017.
Dr.SGX [3]
Déjà Vu [4]
T-SGX [5]
�64
![Page 65: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/65.jpg)
Existing solutions
Low overhead Low effort(no code changes required)
Varys● 15% average slowdown● No code changes
Düppel [2]
Dr.SGX [3]
Déjà Vu [4]
T-SGX [5]
Cloak [1]
�65
![Page 66: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/66.jpg)
Approach
Rely but verify
�66
![Page 67: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/67.jpg)
Approach
Rely but verify
Request isolation from the untrusted
OS�67
![Page 68: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/68.jpg)
Approach
Rely but verify
Request isolation from the untrusted
OS
Check within the enclave
�68
![Page 69: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/69.jpg)
Complete description
�69
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
![Page 70: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/70.jpg)
Let’s explains this sentence
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
�70
![Page 71: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/71.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
�71
![Page 72: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/72.jpg)
WHAT SIDE CHANNELS DO WE CONSIDER?
core core core core… …
processor processor
platform
HT HT
HT = hyperthread
HT HT HT HT HT HT
�72
![Page 73: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/73.jpg)
L1 & L2 CACHE: SHARED BETWEEN HYPERTHREADS
shared L1 cache
Hyperthread Hyperthread
core
L2 cache (skylake): - size = 256KB - 64 bytes/cacheline - 12 cycles latency
shared L2 cache
�73
L1 cache: - instruction cache, data cache - 32 KB data cache - 32 KB instruction cache - 4 cycles
(skylake)
![Page 74: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/74.jpg)
Vulnerable shared resources
● CPU caches (L1, L2)● Page tables● FPU● Memory bus● ...
Varys
�74
![Page 75: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/75.jpg)
Side-channel attacks
Enclavedprocess
�75
![Page 76: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/76.jpg)
Enclavedprocess
if (secret == 0) read(addr1)else read(addr2)
�76
Side-channel attacks
![Page 77: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/77.jpg)
Enclavedprocess
Shared resource
addr1
addr2
�77
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 78: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/78.jpg)
Enclavedprocess
Shared resource
addr1
addr2
Cleanup
�78
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 79: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/79.jpg)
Enclavedprocess
Shared resource
addr1
addr2
Running...
�79
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 80: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/80.jpg)
Enclavedprocess
Shared resource
addr1
addr2
Running...
�80
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 81: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/81.jpg)
Enclavedprocess
Shared resource
addr1
addr2
Running...
�81
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 82: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/82.jpg)
Enclavedprocess
Shared resource
addr1
addr2
�82
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 83: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/83.jpg)
Enclavedprocess
Shared resource
addr1
addr2
addr1 was accessed!
�83
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 84: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/84.jpg)
Enclavedprocess
Shared resource
addr1
addr2
addr2 was not accessed!
�84
Side-channel attacks
if (secret == 0) read(addr1)else read(addr2)
![Page 85: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/85.jpg)
if (secret == 0) read(addr1)else read(addr2)
Enclavedprocess
Shared resource
addr1
addr2
This line was executed
�85
Side-channel attacks
![Page 86: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/86.jpg)
if (secret == 0) read(addr1)else read(addr2)
Enclavedprocess
Shared resource
addr1
addr2
The secret is 0
�86
Side-channel attacks
![Page 87: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/87.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.
�87
![Page 88: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/88.jpg)
Attack requirements
● High interrupt rate● Predefined cache state● Shared core
�88
![Page 89: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/89.jpg)
Attack requirements
● High interrupt rate● Predefined cache state● Shared core
Isolated environment
�89
![Page 90: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/90.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.
�90
![Page 91: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/91.jpg)
Design
● High preemption rate Restrict and terminate● Predefined cache state Cache eviction● Shared core Trusted reservation
�91
![Page 92: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/92.jpg)
Design
● High preemption rate Restrict and terminate● Predefined cache state Cache eviction● Shared core Trusted reservation
�92
![Page 93: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/93.jpg)
Restricting preemption rate
● Attack exit rate: ~ 5000 exits/s.
�93
![Page 94: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/94.jpg)
Restricting preemption rate
● Attack exit rate: ~ 5000 exits/s.● Normal exit rate: ~ 30 exits/s.
�94
![Page 95: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/95.jpg)
Restricting preemption rate
● Attack exit rate: ~ 5000 exits/s.● Normal exit rate: ~ 30 exits/s.
�95
![Page 96: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/96.jpg)
Asynchronous Enclave Exit (AEX)
Enclavedprocess
Memory
SGX Enclave
SGX
RIP = 0x123RAX = 0x111RBX = 0x222
.
.
.
CPU state
�96
![Page 97: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/97.jpg)
Asynchronous Enclave Exit (AEX)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
Interrupt
RIP = 0x123RAX = 0x111RBX = 0x222
�97
![Page 98: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/98.jpg)
Asynchronous Enclave Exit (AEX)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
Interrupt
RIP = 0x123RAX = 0x111RBX = 0x222
�98
![Page 99: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/99.jpg)
Asynchronous Enclave Exit (AEX)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
Interrupt
RIP = 0x123RAX = 0x111RBX = 0x222
SSA
RIP = 0x100RAX = 0x000RBX = 0x000
�99
SSA = State Save Area
![Page 100: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/100.jpg)
Detecting interrupts
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
SSA
RIP = 0x123RAX = 0x111RBX = 0x222
�100
![Page 101: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/101.jpg)
Detecting interrupts
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
RIP = 0x000SSA
RIP = 0x123RAX = 0x111RBX = 0x222
�101
![Page 102: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/102.jpg)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
RIP = 0x000SSA
RIP = 0x123RAX = 0x111RBX = 0x222
Read SSA
�102
Detecting interrupts
![Page 103: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/103.jpg)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
RIP = 0x000SSA
RIP = 0x123RAX = 0x111RBX = 0x222
Still 0x000Continue..
�103
Detecting interrupts
![Page 104: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/104.jpg)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
SSA
RIP = 0x123RAX = 0x111RBX = 0x222
Interrupt
RIP = 0x123RAX = 0x111RBX = 0x222
�104
Detecting interrupts
![Page 105: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/105.jpg)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
SSA
RIP = 0x123RAX = 0x111RBX = 0x222 RIP = 0x123
RAX = 0x111RBX = 0x222
Read SSA
�105
Detecting interrupts
![Page 106: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/106.jpg)
Enclavedprocess
Memory
SGX Enclave
SGX...
CPU state
OS
SSA
RIP = 0x123RAX = 0x111RBX = 0x222 RIP = 0x123
RAX = 0x111RBX = 0x222
Not 0x000There was an interrupt!
�106
Detecting interrupts
![Page 107: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/107.jpg)
Design
● High preemption rate Restrict and terminate● Predefined cache state Cache eviction● Shared core Trusted reservation
�107
![Page 108: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/108.jpg)
Hiding cache traces
Enclavedprocess
Cache
addr1
addr2
�108
![Page 109: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/109.jpg)
addr1
addr2
Enclavedprocess
Cleanup
Hiding cache traces
Cache
�109
![Page 110: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/110.jpg)
addr1
addr2
Enclavedprocess
There was an interrupt!
Hiding cache traces
Cache
�110
![Page 111: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/111.jpg)
addr1
addr2
Enclavedprocess
Hiding cache traces
Cache
�111
![Page 112: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/112.jpg)
addr1
addr2
Enclavedprocess
Hiding cache traces
Cache
�112
![Page 113: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/113.jpg)
addr1
addr2
Enclavedprocess
Hiding cache traces
Cache
�113
![Page 114: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/114.jpg)
addr1
addr2
Enclavedprocess
Hiding cache traces
Access addr1
Cache
�114
![Page 115: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/115.jpg)
addr1
addr2
Enclavedprocess
Hiding cache traces
???Cache
�115
![Page 116: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/116.jpg)
Design
● High preemption rate Restrict and terminate● Predefined cache state Cache eviction● Shared core Trusted reservation
�116
![Page 117: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/117.jpg)
Preventing core sharing
● Occupy both hyperthreads
Core 1
Process Attacker
�117
![Page 118: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/118.jpg)
Preventing core sharing
● Occupy both hyperthreads○ Use process affinity
Core 1
Process Process
�118
![Page 119: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/119.jpg)
How do we ensure reservation?
Core 1
Process Process
Core 2
�119
![Page 120: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/120.jpg)
How do we ensure reservation?
Core 1
Process
Core 2
Attacker Process
�120
![Page 121: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/121.jpg)
Handshake
● Use shared access timing
L1/L2LLC
Core 2
FastSlow
Process Process
�121
Core 1
![Page 122: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/122.jpg)
Handshake
● Use shared access timing
L1/L2LLC
Core 1 Core 2
FastSlow
Process Process
Write to 0x123
�122
![Page 123: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/123.jpg)
Handshake
● Use shared access timing
L1/L2
LLC
Core 1 Core 2
FastSlow
Process ProcessRead from to 0x123
�123
![Page 124: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/124.jpg)
Handshake
● Use shared access timing
L1/L2
LLC
Core 1 Core 2
FastSlow
Process ProcessIt was fast!
�124
![Page 125: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/125.jpg)
Handshake
● Use shared access timing
L1/L2
LLC
Core 1 Core 2
FastSlow
Process Attacker Process
�125
![Page 126: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/126.jpg)
Handshake
● Use shared access timing
L1/L2
LLC
Core 1 Core 2
FastSlow
Process Attacker Process
Read from to 0x123
�126
![Page 127: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/127.jpg)
Handshake
● Use shared access timing
L1/L2
LLC
Core 1 Core 2
FastSlow
Process Attacker Process
It was slow! Something is wrong...
�127
![Page 128: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/128.jpg)
Design
● High preemption rate Restrict and terminate● Predefined cache state Cache eviction● Shared core Trusted reservation
�128
![Page 129: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/129.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
�129
![Page 130: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/130.jpg)
Implementation
Source code
LLVM pass(Exit detection)
Compiler(SCONE)
Hardened binary
Runtime library(Handshake &cache eviction)
�130
![Page 131: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/131.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
�131
![Page 132: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/132.jpg)
Evaluation: performance
Lower is
better
�132
![Page 133: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/133.jpg)
Evaluation: performance
Lower is
better
�133
![Page 134: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/134.jpg)
Lower is
better
�134
Evaluation: performance
![Page 135: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/135.jpg)
Lower is
better
�135
Evaluation: performance
![Page 136: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/136.jpg)
Lower is
better
�136
Evaluation: performance
![Page 137: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/137.jpg)
Handshake and eviction only at enclave exits● 20-30 times per second
Lower is
better
�137
Evaluation: performance
![Page 138: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/138.jpg)
Evaluation: multithreading
�138
![Page 139: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/139.jpg)
Evaluation: multithreading
Lower is
better
�139
![Page 140: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/140.jpg)
EPC paging ⇒ higher exit rate
Lower is
better
�140
Evaluation: multithreading
![Page 141: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/141.jpg)
EPC paging ⇒ higher exit rate
Lower is
better
False positives
�141
Evaluation: multithreading
![Page 142: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/142.jpg)
Varys implements a low-cost protection forIntel SGX enclaves against side-channel attacksby creating an isolated environment andverifying it at runtime.
�142
![Page 143: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/143.jpg)
Evaluation: security
● Privileged cache SCA○ Target: L1 cache
● No eviction
�143
![Page 144: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/144.jpg)
Evaluation: security
● Privileged cache SCA○ Target: L2 cache
● No eviction
�144
![Page 145: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/145.jpg)
Evaluation: security
● Privileged cache SCA○ Target: L2 cache
● No eviction
�145
![Page 146: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/146.jpg)
Evaluation: security
● Privileged cache SCA○ Target: L2 cache
● Varys protection
�146
![Page 147: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/147.jpg)
Evaluation: security
● Privileged cache SCA○ Target: L2 cache
● Varys protection
�147
![Page 148: APPLICATION-ORIENTED SECURITY: SECRETS … · application-oriented security: secrets management and side-channel protection for tees christof fetzer tu dresden](https://reader031.vdocuments.net/reader031/viewer/2022022703/5bc820dc09d3f22b288cef00/html5/thumbnails/148.jpg)
Varys Summary
● Varys: side-channel protection for SGX enclaves● "Rely but verify" approach○ Ask OS for
■ Lower interrupt rate■ Paired thread allocation
○ Verify the request● Loads cache on enclave entrance
�148