Automatic enforcement of expressive security policies using enclaves

GollamudiAnitha,; ChongStephen,

doi:10.1145/3022671.2984002

Cited by 10 publications

(12 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, downgrading in DFLATE is carefully controlled and restricted: well-typed assume terms can only execute in contexts with sufficient integrity, and endorsement of TEEs reflect measurement and verification of code executing in a TEE. We thus expect that well-typed DFLATE programs satisfy a variety of expressive noninterference-based security guarantees, based on controlled downgrading (e.g., [12,25,8,9,13,3]), suitably adapted to be consistent with our threat model IV.…”

Section: Security Guaranteesmentioning

confidence: 99%

See 1 more Smart Citation

Information Flow Control for Distributed Trusted Execution Environments

Gollamudi

Chong

Arden

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Distributed applications cannot assume that their security policies will be enforced on untrusted hosts. Trusted execution environments (TEEs) combined with cryptographic mechanisms enable execution of known code on an untrusted host and the exchange of confidential and authenticated messages with it. TEEs do not, however, establish the trustworthiness of code executing in a TEE. Thus, developing secure applications using TEEs requires specialized expertise and careful auditing. This paper presents DFLATE, a core security calculus for distributed applications with TEEs. DFLATE offers high-level abstractions that reflect both the guarantees and limitations of the underlying security mechanisms they are based on. The accuracy of these abstractions is exhibited by asymmetry between confidentiality and integrity in our formal results: DFLATE enforces a strong form of noninterference for confidentiality, but only a weak form for integrity. This reflects the asymmetry of the security guarantees of a TEE: a malicious host cannot access secrets in the TEE or modify its contents, but they can suppress or manipulate the sequence of its inputs and outputs. Therefore DFLATE cannot protect against the suppression of high-integrity messages, but when these messages are delivered, their contents cannot have been influenced by an attacker.

show abstract

Section: Security Guaranteesmentioning

confidence: 99%

“…Gollamudi and Chong [25] use enclaves to enforce information flow policies against low-level attackers that can inject arbitrary code into non-enclave parts of a program. DFLATE uses enclaves to enforce confidentiality and integrity against low-level attackers in a distributed setting.…”

Section: A Enclaves and Information Flowmentioning

confidence: 99%

Information Flow Control for Distributed Trusted Execution Environments

Gollamudi

Chong

Arden

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Sinha et al [30,29] verify the security of programs which use SGX enclaves to ensure that hardware security features are used correctly. Gollamudi et al [13] use information flow in software to partition programs into TrustZone worlds or SGX enclaves. This work is complementary to ours, which verifies the hardware security features.…”

Section: Related Workmentioning

confidence: 99%

Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis

et al. 2017

View full text Add to dashboard Cite

Hardware-based mechanisms for software isolation are becoming increasingly popular, but implementing these mechanisms correctly has proved difficult, undermining the root of security. This work introduces an effective way to formally verify important properties of such hardware security mechanisms. In our approach, hardware is developed using a lightweight security-typed hardware description language (HDL) that performs static information flow analysis. We show the practicality of our approach by implementing and verifying a simplified but realistic multi-core prototype of the ARM TrustZone architecture. To make the security-typed HDL expressive enough to verify a realistic processor, we develop new type system features. Our experiments suggest that information flow analysis is efficient, and programmer effort is modest. We also show that information flow constraints are an effective way to detect hardware vulnerabilities, including several found in commercial processors. Recent hardware security architectures such as ARM Trust-Zone [21], Intel SGX [2], and IBM SecureBlue [1] aim to protect software even when the operating system is malicious or compromised The complexity of modern processors inevitably leads to bugs and security vulnerabilities. Processor errata often include security bugs [14].

show abstract

“…An active attacker may force the enclave program to violate the security policy by compromising the integrity of inputs at the interface or by controlling the execution order of interface components, e.g., to trigger execution paths and side effects that were not possible in the original program. Current research adopts Information Flow Control (IFC) to ensure that the code within an enclave does not leak sensitive information to the non-enclave environment [15], [16], [17]. This research, however, either takes a limited view of a passive attacker that only observes the data leaving the enclave, or it incorporates the effects of an active attacker into the execution semantics and the security condition, thus requiring additional verification effort to secure enclave programs.…”

Section: Introductionmentioning

confidence: 99%

Language Support for Secure Software Development with Enclaves

Oak

Ahmadian

Balliu

et al. 2021

2021 IEEE 34th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Confidential computing is a promising technology for securing code and data-in-use on untrusted host machines, e.g., the cloud. Many hardware vendors offer different implementations of Trusted Execution Environments (TEEs). A TEE is a hardware protected execution environment that allows performing confidential computations over sensitive data on untrusted hosts. Despite the appeal of achieving strong security guarantees against low-level attackers, two challenges hinder the adoption of TEEs. First, developing software in high-level managed languages, e.g., Java or Scala, taking advantage of existing TEEs is complex and error-prone. Second, partitioning an application into components that run inside and outside a TEE may break application-level security policies, resulting in an insecure application when facing a realistic attacker.In this work, we study both these challenges. We present JE, a programming model that seamlessly integrates a TEE, abstracting away low-level programming details such as initialization and loading of data into the TEE. JE only requires developers to add annotations to their programs to enable the execution within the TEE. Drawing on information flow control, we develop a security type system that checks confidentiality and integrity policies against realistic attackers with full control over the code running outside the TEE. We formalize the security type system for the JE core and prove it sound for a semantic characterization of security. We implement JE and the security type system, enable Java programs to run on Intel SGX with strong security guarantees. We evaluate our approach on use cases from the literature, including a battleship game, a secure event processing system, and a popular processing framework for big data, showing that we correctly handle complex cases of partitioning, information flow, declassification, and trust.

show abstract

Automatic enforcement of expressive security policies using enclaves

Cited by 10 publications

References 25 publications

Information Flow Control for Distributed Trusted Execution Environments

Information Flow Control for Distributed Trusted Execution Environments

Verification of a Practical Hardware Security Architecture Through Static Information Flow Analysis

Language Support for Secure Software Development with Enclaves

Contact Info

Product

Resources

About