SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
Fengwei Zhang
Wayne State University, Detroit, Michigan, USA
Wayne State University, CSC6991 Topics in Computer Security
Overview of the Talk
• Introduction
• Hardware-assisted Isolated Execution Environments (HIEEs)
• Use Cases of HIEEs
• Attacks against HIEEs
• Discussions and Conclusions
Introduction
• Isolating code execution is one of the fundamental approaches for achieving security
• Isolated execution environments
  – Software-based: Virtual machines
    • A large trusted computing base (e.g., Xen has 532K SLOC)
    • Failure to deal with hypervisor or firmware rootkits
    • Suffering from system overhead
• Hardware-assisted isolated execution environments (HIEEs)
  – Isolated execution concept: Trusted execution environment (TEE)
  – Hardware-assisted technologies
    • Excluding the hypervisors from the TCB
    • Achieving a high level of privilege (i.e., hardware-level privilege)
    • Reducing performance overhead (e.g., context switches)
HIEEs
• A list of hardware-assisted isolated execution environments (HIEEs) that have been used for building security tools
  – System management mode (SMM) [24]
  – Intel management engine (ME) [36]
  – AMD platform security processor (PSP) [4]
  – Dynamic root of trust for measurements (DRTM) [52]
  – Intel software guard extension (SGX) [5, 23, 34]
  – ARM TrustZone technology [6]
HIEE: System Management Mode
• A CPU mode similar to Real and Protected modes available on the x86 architecture
• Initialized by the Basic Input/Output System (BIOS)
• Entering SMM by asserting the system management interrupt (SMI) pin
• System management RAM (SMRAM) that is inaccessible from the normal OS
[Figure: Protected Mode (Normal OS) next to System Management Mode (Isolated Execution Environment). A software or hardware trigger asserts an SMI for SMM entry; the SMI handler runs in isolated SMRAM with the highest privilege and interrupts disabled; RSM performs the SMM exit.]
HIEE: Intel Management Engine
• Management Engine (ME) is a micro-computer embedded inside of all recent Intel processors; it is introduced as an embedded processor, and Intel AMT is the first application running in ME [36]
[Figure: Management Engine block diagram: ME processor, crypto engine, DMA engine, HECI engine, ROM, internal SRAM, interrupt controller, timer, and C-Link I/O connected over an internal bus.]
HIEE: AMD Embedded Processors
• AMD secure processor [4]
  – Also called platform security processor (PSP)
  – Embedded inside of the main AMD CPU to enable running third-party applications
  – Partnership with ARM TrustZone
• System management unit (SMU) [30]
  – An embedded processor at the Northbridge
  – The Northbridge has been integrated into the CPU
  – Responsible for a variety of system and power management tasks during boot and runtime
HIEE: Dynamic Root of Trust for Measurement
• TCG introduced DRTM, also called "late launch", in the TPM v1.2 specification in 2005 [51, 52]
• SRTM vs. DRTM
  – Static root of trust for measurement (SRTM) operates at boot time; DRTM allows the root of trust for measurement to be initialized at any point
• Intel and AMD implementations
  – Intel trusted execution technology (TXT) [25]
  – AMD secure virtual machine (SVM) [2]
  – Overhead for late launch: SENTER vs. SKINIT
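As an added example (not code from the paper or these slides), the SRTM/DRTM distinction above in a simplified Python model of TPM PCR measurement chains. The extend rule is the standard TPM one; the reset of the dynamic PCR to all zeros at late launch is a simplification, and the component images are constructed sample inputs.

```python
import hashlib

# Added illustration, not code from the paper or slides: a simplified model of
# TPM PCR "extend" chains for SRTM versus DRTM. Assumptions: SHA-1 digests as
# in TPM v1.2; the static PCR starts at all zeros at platform reset; the late
# launch (SENTER/SKINIT) resets the dynamic PCR to all zeros before the
# measured launch environment (MLE) is extended into it. The component "images"
# below are constructed byte strings standing in for real firmware and software.

PCR_RESET = b"\x00" * 20  # SHA-1 sized PCR (20 bytes)


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || SHA-1(image))."""
    return hashlib.sha1(pcr + hashlib.sha1(image).digest()).digest()


def srtm_pcr(boot_chain):
    """Static root of trust: every stage since reset is extended in order, so a
    change anywhere in the boot chain (or in its order) changes the result."""
    pcr = PCR_RESET
    for image in boot_chain:
        pcr = extend(pcr, image)
    return pcr


def drtm_pcr(mle_image: bytes) -> bytes:
    """Dynamic root of trust: late launch resets the dynamic PCR and extends only
    the MLE, so the value does not depend on what ran earlier in the boot."""
    return extend(PCR_RESET, mle_image)


def attest(boot_chain, mle_image):
    """Report both roots of trust as hex, the form a verifier would compare
    against known-good reference values."""
    return {"static": srtm_pcr(boot_chain).hex(),
            "dynamic": drtm_pcr(mle_image).hex()}


# Constructed sample inputs: a clean boot chain and one with a modified bootloader.
CLEAN_BOOT = [b"bios-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_BOOT = [b"bios-v1", b"bootloader-v1+rootkit", b"kernel-v1"]
MLE = b"measured-launch-environment-v1"

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN_BOOT), ("tampered", TAMPERED_BOOT)):
        print(name, attest(chain, MLE))
```

The static value differs between the two boot chains while the dynamic value is identical, which is why a late launch can be verified without trusting the earlier boot stages.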
HIEE: Intel Software Guard Extension
• Three introduction papers [5, 34, 23] about SGX presented at HASP 2013
• SGX is a set of instructions and mechanisms for memory accesses added to Intel architecture processors
• Allowing a user-level application to instantiate a protected container, called an enclave
• Providing confidentiality and integrity even without trusting the BIOS, firmware, hypervisors, and OS
• OpenSGX [27]: An open-source platform that emulates Intel SGX at the instruction level by modifying QEMU
HIEE: ARM TrustZone
• ARM TrustZone technology is a hardware extension that creates a secure execution environment since ARMv6 [12]
• Two modes: Secure world and normal world
• Identified by the NS bit in the secure configuration register (SCR)
[Figure: Normal World (Rich OS in REE: normal world user mode and normal world privileged modes) beside Secure World (Secure OS in TEE: secure world user mode and secure world privileged modes), with monitor mode mediating between the two worlds.]
Use Cases of HIEEs
• System introspection
• Memory forensics
• Transparent malware analysis
• Executing sensitive workloads
• Rootkits and keyloggers
Use Case: System Introspection
• Running system introspection tools inside of HIEEs
  – Hypervisor/OS integrity checking
  – OS rootkit detection
  – Attack detection (e.g., heap spray and heap overflows)
• SMM-based
  – HyperCheck [65], HyperGuard [41], HyperSentry [8], IOCheck [64], and Spectre [62]
• TrustZone-based
  – SPROBES [22] and TZ-RKP [7]
• DRTM-based
  – Flicker [31]
Use Case: Memory Forensics
• Using HIEEs to perform acquisition of the volatile memory of a target system, and then transmit the memory contents to a remote machine for analysis
• Examples of existing systems
  – SMMDump [35], implemented by using SMM
  – TrustDump [48], which used ARM TrustZone
Use Case: Transparent Malware Analysis
• Malware uses anti-debugging, anti-virtualization, and anti-emulation techniques to evade traditional analysis using virtualization or emulation technology
• Analyzing malware using HIEEs so that advanced malware can be debugged on bare metal
• Exposing the real behavior of malware with anti-debugging, anti-VM, and anti-emulation techniques
• Examples of existing systems
  – MalT [61], using SMM
  – Other HIEEs like TrustZone and ME can be used for the same purpose
Use Case: Executing Sensitive Workloads
• Using HIEEs to run security-sensitive operations
• DRTM-based
  – Flicker [31], TrustVisor [32], and Bumpy [33]
• TrustZone-based
  – TrustICE [49] and TrustOTP [47]
• SMM-based
  – SICE [9] and TrustLogin [63]
• SGX-based
  – Haven [10] and VC3 [43]
Use Case: Rootkits and Keyloggers
• Though researchers have used HIEEs for implementing defensive tools, attackers can also use them for malicious purposes due to their high privilege and stealthiness
• SMM rootkits
  – PS/2 [20] and USB [42] keyloggers
  – NSA: DEITYBOUNCE for Dell and IRONCHEF for HP Proliant servers [1]
• ME rootkits
  – Ring-3 rootkits [46, 50]
• DRTM, SGX, and TrustZone rootkits
  – We haven't seen any publicly available examples, but attackers have the motivation to implement them due to their stealthiness
• HIEEs create ideal environments or infrastructures that attract attackers to implement super-powerful rootkits.
HIEE Attacks
• HIEE attacks: Bypassing the hardware protection mechanisms of HIEE isolation; not using HIEEs for malicious purposes
• SMM attacks
HIEE Attacks (cont'd)
• ME attacks
  – In 2009, Tereshkin and Wojtczuk [50] demonstrated that they can implement ring-3 rootkits in ME by injecting the malicious code into the Intel AMT
  – DAGGER [46] bypasses the ME isolation using a technique similar to [50]
• DRTM attacks
  – Wojtczuk and Rutkowska from Invisible Things Lab demonstrated several attacks [57, 56, 59] against Intel TXT
• TrustZone attacks
  – Di [44] found vulnerabilities that are able to execute arbitrary code in the secure world using a user-level application in the normal world on Huawei HiSilicon devices
HIEE Attacks (cont'd)
• SGX attacks
  – Cache timing attacks and software side-channel attacks, including ones using performance counters, from the study published by Costan and Devadas [15]
• Unclear if ME firmware is malicious
  – SGX for desktop environments needs to establish a secure channel between I/O devices (e.g., keyboard and video display) and an enclave to prevent sensitive data leakage [38, 27]
  – Protected Audio Video Path (PAVP) technology can securely display video frames and play audio to users; Identity Protection Technology (IPT) provides security features including Protected Transaction Display (e.g., entering a PIN by a user)
  – SGX needs Enhanced Privacy Identification (EPID) support for remote attestation [27]
  – PAVP, IPT, and EPID are realized by ME [36]
Challenges of Using HIEEs for Security
• Ensuring a trusted switching path
  – HIEE-based systems assume attackers have ring 0 privilege, so attackers can intercept the switching and create a fake one
  – Ad-hoc solutions using an external smartphone [33], keyboard LED lights [63], or LED power lights [49]
  – Building a generic and user-friendly trusted path mechanism for HIEE-based systems is an open research problem
• Verifying the trustworthiness of hardware
  – HIEE-based systems depend on the trustworthiness of hardware
  – Assuming hardware features are bug-free (e.g., isolation is guaranteed)
  – Hardware vendors tend not to release implementation details
  – How to reliably evaluate the trustworthiness of these mysterious hardware security technologies (e.g., ME)
Conclusions
• Main contributions of this SoK paper are:
  – Presenting a thorough study of six HIEEs including SMM, Intel ME, AMD PSP, DRTM, Intel SGX, and ARM TrustZone
  – Exploring both the defensive and offensive use scenarios of HIEEs and describing them with the state-of-the-art systems
  – Discussing all attacks against the computing environment of each HIEE (e.g., bypassing the isolation) and some mitigations
References
The reference numbers in the slides are the ones shown in Section 8 of the paper.