ABSTRACT
Recent proposals for trusted hardware platforms, such as Intel SGX and the MIT Sanctum processor, offer compelling security features but lack formal guarantees. We introduce a verification methodology based on a trusted abstract platform (TAP), a formalization of idealized enclave platforms along with a parameterized adversary. We also formalize the notion of secure remote execution and present machine-checked proofs showing that the TAP satisfies the three key security properties that entail secure remote execution: integrity, confidentiality and secure measurement. We then present machine-checked proofs showing that SGX and Sanctum are refinements of the TAP under certain parameterizations of the adversary, demonstrating that these systems implement secure enclaves for the stated adversary models.
Index Terms
- A Formal Foundation for Secure Remote Execution of Enclaves