hi, everyone! thank you very much for coming! myname is ......myname is victor costan, and i am here...
TRANSCRIPT
Hi,everyone!Thankyouverymuchforcoming!
My nameisVictorCostan,andIamheretotalkaboutSanctum.
ThisworkwasdoneatMIT’sComputerScienceandAILaboratory,incollaborationwithIliaLebedevandProf.SriniDevadas.
1
Sanctum’sgoalistrustedcomputing.Inthisrespect,ourworkbelongstothesamefamilyasTPM,TXT,SGX,andTrustZone.However,Sanctumgivesyouunprecedentedprotectionandunprecedentedcontroloveryourcomputer.
MostofSanctum’ssecuritylogicisinsoftware,notinhardwareormicrocode.Oursoftwarecanbeinspectedbythecomputer’sowner,andisamenabletoformalverification.Mostofthissoftwarecanevenbereplacedbythecomputer’sowner.Thisisanunprecedentedlevelofcontrol.
Sanctum’shardwareextensionscanbeappliedtoanyreasonablymodernRISCprocessorcore.IncombinationwithSanctum’ssoftware,thehardwareextensionsprotectagainstanypracticalsoftwareattacks,includingcachetimingattacks.Thisisanunprecedentedlevelofprotection.
OurprototypetargetstheRISC-Varchitecture,andshowsthatSanctumincursacceptableperformanceoverheads.
2
Togetthingsstarted,letmegiveyouaquickoverview oftrustedcomputing,whichistheproblemthatwe’retryingtosolve.
3
Sothere’sthisdream,calledsecureremotecomputation.Inthisdream,youcanpackageyourcodeanddataintoabundle,sendthatbundleovertoaremotecomputer,havethecomputerrunyoursoftware,andgettheresultsback.Thethingis,youdon’townthatremotecomputer,soyourelyonmagictoprotectyourcodeanddatafromthecomputer’sowner,andfromtheothersoftwarethatmightberunningonthatcomputer.
Unfortunately,thisisjustadream.Theclosestthingwe’vegotisfullyhomomorphicencryption,andthat’snowherenearlypractical.
4
Fortunately,wecanapproximatethatdream,ifwe’rewillingtotrustapieceofhardwareontheremote computer.Thetrusted hardwareestablishesasecurecontainerontheremotecomputer,whichprotectsourcomputationanddatafromuntrustedthirdparties.So,ourcomputationissafe,aslongasweonlysendittotrustedhardware.
5
So,wehaveto makesurethatweonlytalktotrustedhardware.We can usesoftwareattestationforthis.
6
Veryquickly,softwareattestationmeansthatthereisahardwaremanufacturerthatwetrust,andthemanufactureractsasacertificateauthorityinaPKI.
7
Eachpieceoftrustedhardwarehas anattestationkey,andthemanufacturerissuesanendorsementcertificateforthepublicattestationkey.Whenweseethatcertificate,weknowthatwecantrustsignaturesissuedbythedevice’sprivateattestationkey,whichisstoredinsecurehardware.
8
Now,whenwewanttosendourcodeovertotheremotecomputer,wewillfirstaskthe trustedhardwaretocreateasecurecontainerforus,andwewillsendachallengemessagetothatsecurecontainer.
9
Ourloader codeinthecontainerwillreceivethechallengemessageandcomputearesponsemessage,andthenitwillaskthetrustedhardwaretoproduceanattestationsignature.Theattestationsignaturecoversthemessageproducedbyourcontainer,aswellasameasurementofthesecurecontainer’sinitialstate.Whenwevalidatetheattestationsignature,weareassuredthatwearetalkingtoasecurecontainerthatisinitializedaccordingtoourinstructions,andhostedbyhardwarewetrust.
10
WhatI’vesaidso farappliestoalltrustedcomputingsolutions.Thesesolutionsdifferbytheamountofsoftwarethatgoesintoasecurecontainer,bythesecurityguaranteesofferedtothecontainer,bythetrustedhardwareandsoftwareneededtoenforcethesystem’ssecurity,andbythedetailsoftheirsoftwareattestationprocess.
TherestofthistalkwillhopefullyclarifywhereSanctumstandsonalltheseaspects.
11
12
Oursecurecontainersarecalledenclaves,andtheyare conceptuallyextensionsofapplicationprocesses.Enclavesrunatthelowestpossibleprivilegelevel -- thisisknownasring3inx86,orusermodeanywhereelse.Thismeansenclavescannotcompromisethehostcomputer’sOSorhypervisor.Sowedon’tneedtoworryaboutrestrictingenclaves–thesamemechanismsusedtopoliceuserprocesseswillworkforenclaves.
13
Enclavescanaccessthememoryspaceoftheirhostapplications,buttheycannotperformsyscalls directly.Thisisbecausewedon’ttrusttheOSkerneltonotdamagetheenclave’sexecutioncontextbeforereturningfromthesyscall.Toworkaroundthis,theenclavemustrelyonitshostapplicationtoproxysyscalls totheOS.Thesyscall proxying requirescodeintheenclave,andinthehostapplication.Weexpectthiscodetobecomeapartoftheruntimelibrary.Forexample,ifyourenclavesoftwareuseslibc,you’dsimplyuseanenclave-awarelibc thatproxiesallthesyscallsitmakes.
14
Ourenclavesaren’tnew.SGX’senclavesoperateinaverysimilarway.Somethingthat_is_new,andthatI’mreallyproudof– thevastmajorityoursecuritylogicisexpressedinsoftware.Thisisn’tfirmwareormicrocode.It’snormalsoftwarethatexecutesusingtheprocessor’sstandardexecutionfacilities.It’ssoftwarethatthecomputer’sownercaninspectandanalyze.
15
Thedownsideofnotrelyingonfirmwareormicrocodeisthatoursoftwareisnotautomaticallyisolatedfromrestofthecoderunningonthemachine,andwemayberunningalongsideamalicioushypervisororoperatingsystem.Inordertobeabletoprovideanysortofmeaningfulsecurityguarantees,weassumethatoursoftwarerunsatahigherprivilegelevelthananythingelse.TheRISC-Varchitectureconvenientlyincludesamachinelevel,andourprototypetakesadvantageoftheexistenceofthismachinelevel.
Weruntwopiecesofsoftwareatthemachinelevel.
16
Thecentralpieceofsoftwareisthesecuritymonitor,whichenforcesSanctum’ssecuritypolicies.Oursecuritymonitoristiny,soitcanbeamenabletoformalverification.Thekeytokeepingitsosmallisthatwedon’tmakeanyresourceallocationdecisionsinthemonitor.Theoperatingsystemgetstomakeallthedecisions,justliketoday.InSanctum,theOSmustsubmititsdecisionstothesecuritymonitorinordertohavethemapplied.Thisway,wecanverifytheOS’decisionsinthemonitor,andwecanrejectdecisionsthatwouldbreakSanctum’ssecurityguarantees.
17
Theotherpieceofsoftwarethatrunsinmachinemodeisthemeasurementroot.Thiscoderunsatboottime,andsetsupthesoftwareattestationchain.Itdoesnotplayanypartafterthebootprocesscompletes.
18
Let’sseehowSanctum givescomputerownersunprecedentedcontrolovertheirsystems.
19
Beforewegointoattestation,let’stalkalittlebitabout Sanctum’sbootprocess.OneofthethingsthatmakeSanctumspecialisthatthesecuritymonitor,whichismostofourlogic,isstoredinflashmemory,andcanbereplacedbythecomputer’sowner.
20
Inordertokeepthingssecure,werelyonthemeasurementrootcode,whichisstoredintheprocessor’sROM,andcannotbemodified.
21
Whenthecomputerpowersup,themeasurementrootreadsthesecuritymonitorandcomputesitscryptographichash.
22
ThishashisfedintosomecryptographicmachinerythateventuallygeneratesanRSAkeypair,whichbecomesthemonitor’sattestationkey.
23
Finally,themeasurementrootusestheprocessor’sattestationkeytoissueacertificatethatcontainsthemonitor’spublicattestationkeyanditsmeasurementhash.Afterthishappens,themeasurementroothandscontrolovertothesecuritymonitor. Thekeyfacttonotehereisthatthemonitor’scertificatecontainsthemonitor’smeasurement.Ifthecomputerownermodifiesthemonitor,thechangeswillbereflectedintheattestationcertificate.
24
Ifyou’rehorrifiedbytheprospectofhavingtogenerateanRSAkeyoneveryboot,restassured.Wehaveamechanismtosecurelycachethemonitor’sRSAkeyinflash.Thisway,weonlyneedtoregeneratetheRSAkeywhenthecomputerownerreplacesthesecuritymonitor,whichshouldn’thappenveryoften.
25
WeborrowedSGX’sgeneralapproachtoenclavemeasurement.Whenanenclaveiscreated,itisinaloadingstate, whereitcannotbeused.TheapplicationthatcreatedtheenclaveworkswiththeOStoallocateresourcestotheenclave,andtoloadtheinitialpagesofcodeanddataintotheenclave.Theparametersofeachloadingoperationarehashedandcontributetotheenclave’smeasurement.
Whentheloadingstageiscomplete,theenclaveisinitialized.Atthispoint,theenclave’smeasurementisfinalized,andthesecuritymonitorwillnotallowtheuseofanyloadingAPIontheenclave.So,anenclave’smeasurementisanaccuraterepresentationoftheenclave’sinitialmemorystate.
26
Nowthat youknowhowthebootprocessworks,you’llfindtherestoftheattestationtobeprettystandard.I’llgothroughitquickly,soyoucanseetheideasI’veoutlinedcometogether.
27
First,youtrust theSanctumprocessormanufacturer,whichhasarootkey.
28
EachSanctumprocessorhasa processorattestationkey,andanendorsementcertificatefromthemanufacturer.
29
Whenthecomputer powersup,themeasurementrootcreatesamonitorattestationkeypairandissuesanattestationcertificatetothemonitor.
30
Now,whenyouwanttosendyourcomputationover toaSanctumprocessor,yousendtheenclave’sinitialcontents,andachallengemessage.Theenclavestartsexecuting,readsthechallengemessage,andcomputestheresponsemessage.TheenclaveusesSanctum’ssecureinter-enclavecommunicationprimitivestosendahashofthechallengeresponsetotheSigningEnclave,whichisaspecialenclavethatthesecuritymonitortrusts.
31
InSanctum,thesecuritymonitordoesnotperformanyoperationsusingtheprivateattestationkey.Instead,thereisaspecialSigningEnclave,whosemeasurementhashishard-codedintothesecuritymonitor.Thisistheonlyenclavethatcanreceivethemonitor’sprivateattestationkey.
32
So,ourenclavemustuseSanctum’ssecureinter-enclavecommunicationprimitivestosendahashoftheresponsemessagetotheSigningEnclave.TheSigningEnclavecreatesanattestationsignaturethatcoversourenclave’smeasurementandtheresponsemessage.
33
Atthispoint,wecanexaminetheattestationsignature,andthemonitorandprocessor’sattestationcertificates,toconvinceourselvesthatwearecommunicatingwithanenclavebuiltaccordingtoourinstructions,hostedonaSanctumprocessorrunningasecuritymonitorthatwetrust.
34
Now,let’stalkabitaboutprotection.
35
Sanctumwasdesignedformulti-coreprocessorswithasharedlast-levelcache.Thismattersbecauseper-corecachescanbeprotectedprettyeasily– wheneveryouenterorexitanenclave,flushthecore’scaches.Thisisasimplestrategy,andwelikesimple,sothisisexactlywhatwedotoprotectper-corecaches.
ThesharedLLCismoreinteresting,becauseanattackerthreadcouldbeattemptingatimingattackatanytime.Sanctumusesaverysimplescheme,calledpagecoloring,whichIwilloutlinesoon.
36
Sanctum*almost*scalestoafull-fledgedInteldesktopsystem.Theoneaspectwedon’tsupportishyper-threading.Thisisbecausewithhyper-threading,there’sjustsimplytoomuchmicro-architectural resourcesharing.Wecouldn’tcomeupwithanysanewaytoprotectanenclavethreadfrombeingattackedbyathreadrunningonthesamecore.SoSanctumdoesn’tsupporthyper-threading.
37
Now,let’sturnontocachetimingattacks.Ataveryhigh level,theseattackstakeadvantageofthefactthatacachehitismuchfasterthanacachemiss.Virtuallyallcachetimingattacksrequiretheattackertoaccessthesamecacheasthevictim,sothememoryaccesstimingcanbeobserved.
Sanctumtargetsset-associativecaches,whicharethemostcommonlyusedcaches.Forthepurposeofthistalk,allthatmattersisthataset-associativecacheismadeupofmultiplesets,andamemorylocationcanonlybecachedinexactlyoneset,dependingonitsaddress.Conceptually,wecanpretendthateachsetinaset-associativecacheisaseparatecachememory.
38
This istheinsightbehindcachepartitioning.Ifwecanensurethatmemoryownedbyanenclavewillneverendupinthesamecachesetasmemoryownedbyanattacker,wecanconsiderthattheenclaveandtheattackerareusingdifferentcaches.Thisdefeatscachetimingattacks,becausetheyrequireasharedcache.
39
Set-associativecaches usephysicalmemoryaddressesforsetindexcomputation.
40
Thisisconvenientforus,becausesoftwareusesaddresstranslation,whichabstractsawayphysicaladdressesalmostcompletely.Wecanasktheoperating systemtostructureitspagetablesinanywaythathelpsusachieveoursecuritygoal.
41
PagecoloringessentiallycomesdowntothisobservationthatIjustmade.Therearesomephysical addressbitsthatbelongtothecachesetindex,andaresetbythepagetables.Thesebitscanbeusedtocontrolcacheplacement.
42
Theproblemis,bydefault,thepagecolorbitsareatthebottomofanaddress’physicalpagenumber.IfyoudrawyourDRAMandcoloreachpage,it’sgoingtolooklikethestackontheleft.
Thisisaproblembecause,inSanctum,we’dliketoassignsomecolorsexclusivelytoenclaves.Atthesametime,theoperatingsystemprobablyneedssomelargecontinuouschunksofDRAMforDMA.Forexample,ifyouhaveagraphicscardorahigh-performancenetworkcard,thesethingstendtolikelargeDMAbuffers.
43
Weuseabitofhardwaretomungethephysicaladdressesastheyenterthecacheunit,andobtainthecolormapontheright.
InSanctum,theDRAMiseffectivelysplitintoequally-sizedDRAMregions,andeachregionmapstodisjointLLCsets.
44
EachDRAMregioncanbeassignedtoexactlyoneenclave,ortotheoperatingsystemanditsuntrustedprocesses.Mostofeachenclave’svirtualaddressspaceismappedintothehostapplication’smemory,usingthepagetablespreparedbytheOSforthehostapplication.However,onecontinuousrangeisusedtomaptheenclave’sownDRAMregions,usingaseparatesetofpagetablesthatismanagedbytheenclave.
Thisgivesusisolationatalllevels.Thedatainanenclave’sDRAMregionsisnotaccessibletoanyothersoftware.Thepagetablesusedtomaptheenclave’sprivatememoryarealsoisolated,sotheydon’tleakmemoryaccesspatterns.
…andthiswrapsupmyhigh-leveloverview.Theexcitingdetailsareinthepaper!
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61