A Formal Foundation for Secure Remote Execution of Enclaves

Subramanyan, Pramod; Sinha, Raj; Lebedev, Ilya; Devadas, Srinivas; Seshia, Sanjit A.

doi:10.1145/3133956.3134098

Cited by 87 publications

(67 citation statements)

References 63 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the adversary is actually user-level software, our threat model is strictly conservative. 2 In the case of a supervisor-level adversary, we assume the victim is running within a virtual shielding system, such as an SGX enclave [43], [44], to prevent direct inspection/tampering on victim data. The OISA is orthogonal to which virtual shielding system is used, in the sense that shielded programs can execute oblivious instructions regardless of the exact shielding system implementation.…”

Section: B Threat Modelmentioning

confidence: 99%

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Hsiung²,

El'Hajj³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Blocking microarchitectural (digital) side channels is one of the most pressing challenges in hardware security today. Recently, there has been a surge of effort that attempts to block these leakages by writing programs data obliviously. In this model, programs are written to avoid placing sensitive data-dependent pressure on shared resources. Despite recent efforts, however, running data oblivious programs on modern machines today is insecure and low performance. First, writing programs obliviously assumes certain instructions in today's ISAs will not leak privacy, whereas today's ISAs and hardware provide no such guarantees. Second, writing programs to avoid data-dependent behavior is inherently high performance overhead. This paper tackles both the security and performance aspects of this problem by proposing a Data Oblivious ISA extension (OISA). On the security side, we present ISA design principles to block microarchitectural side channels, and embody these ideas in a concrete ISA capable of safely executing existing data oblivious programs. On the performance side, we design the OISA with support for efficient memory oblivious computation, and with safety features that allow modern hardware optimizations, e.g., out-of-order speculative execution, to remain enabled in the common case. We provide a complete hardware prototype of our ideas, built on top of the RISC-V out-of-order, speculative BOOM processor, and prove that the OISA can provide the advertised security through a formal analysis of an abstract BOOM-style machine. We evaluate area overhead of hardware mechanisms needed to support our prototype, and provide performance experiments showing how the OISA speeds up a variety of existing data oblivious codes (including "constant time" cryptography and memory oblivious data structures), in addition to improving their security and portability.

show abstract

Section: B Threat Modelmentioning

confidence: 99%

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Hsiung²,

El'Hajj³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Subramanyan et al [39] provide a formal foundation for the remote execution of enclaves and use it to prove that two remote enclave executions emit observationally equivalent traces if the attacker provides the same inputs in both executions. DFLATE uses the high-level guarantees of TEEs and proves end-to-end semantic guarantees (noninterference) of distributed applications using enclaves.…”

Section: A Enclaves and Information Flowmentioning

confidence: 99%

Information Flow Control for Distributed Trusted Execution Environments

Gollamudi

Chong

Arden

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Distributed applications cannot assume that their security policies will be enforced on untrusted hosts. Trusted execution environments (TEEs) combined with cryptographic mechanisms enable execution of known code on an untrusted host and the exchange of confidential and authenticated messages with it. TEEs do not, however, establish the trustworthiness of code executing in a TEE. Thus, developing secure applications using TEEs requires specialized expertise and careful auditing. This paper presents DFLATE, a core security calculus for distributed applications with TEEs. DFLATE offers high-level abstractions that reflect both the guarantees and limitations of the underlying security mechanisms they are based on. The accuracy of these abstractions is exhibited by asymmetry between confidentiality and integrity in our formal results: DFLATE enforces a strong form of noninterference for confidentiality, but only a weak form for integrity. This reflects the asymmetry of the security guarantees of a TEE: a malicious host cannot access secrets in the TEE or modify its contents, but they can suppress or manipulate the sequence of its inputs and outputs. Therefore DFLATE cannot protect against the suppression of high-integrity messages, but when these messages are delivered, their contents cannot have been influenced by an attacker.

show abstract

“…SeL4 [6] does not provide enclave-like guarantees in terms of isolation, but it does demonstrate an example of large, formally verified software implemented with security as a primary goal. While Sanctorum itself is not formally verified, its design is based on a formally verified specification for enclaves as described in [11]. c) Side Channel and Hardware Adversaries: Komodo [4] supports protection against physical attacks on memory while Bastion [4] provides defense against physical attacks on memory, busses, and disks.…”

Section: Related Workmentioning

confidence: 99%

Sanctorum: A lightweight security monitor for secure enclaves

Lebedev¹,

Hogan²,

Drean³

et al. 2019

2019 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

Self Cite

View full text Add to dashboard Cite

Enclaves have emerged as a particularly compelling primitive to implement trusted execution environments: strongly isolated sensitive user-mode processes in a largely untrusted software environment. While the threat models employed by various enclave systems differ, the high-level guarantees they offer are essentially the same: attestation of an enclave's initial state, as well as a guarantee of enclave integrity and privacy in the presence of an adversary.This work describes Sanctorum, a small trusted code base (TCB), consisting of a generic enclave-capable system, which is sufficient to implement secure enclaves akin to the primitive offered by Intel's SGX. While enclaves may be implemented via unconditionally trusted hardware and microcode, as it is the case in SGX, we employ a smaller TCB principally consisting of authenticated, privileged software, which may be replaced or patched as needed. Sanctorum implements a formally verified specification for generic enclaves on an in-order multiprocessor system meeting baseline security requirements, e.g., the MIT Sanctum processor and the Keystone enclave framework. Sanctorum requires trustworthy hardware including a random number generator, a private cryptographic key pair derived via a secure bootstrapping protocol, and a robust isolation primitive to safeguard sensitive information. Sanctorum's threat model is informed by the threat model of the isolation primitive, and is suitable for adding enclaves to a variety of processor systems.

show abstract

A Formal Foundation for Secure Remote Execution of Enclaves

Cited by 87 publications

References 63 publications

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Information Flow Control for Distributed Trusted Execution Environments

Sanctorum: A lightweight security monitor for secure enclaves

Contact Info

Product

Resources

About