Catching the Cuckoo: Verifying TPM Proximity Using a Quote Timing Side-Channel

Fink, Russell A.; Sherman, Alan T.; Mitchell, Alexander O.; Challener, David

doi:10.1007/978-3-642-21599-5_22

Cited by 10 publications

(7 citation statements)

References 6 publications

(9 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The attestation of the HETEE box is implemented on SC, which is included in our TCB and protected from physical attacks for controlling the box (see Sec.VII). Also, solutions have been proposed for mitigating the threat of the Cuckoo attack [119], [120], which could be incorporated into our attestation protocol.…”

Section: Trust Establishmentmentioning

confidence: 99%

Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment

Zhu

Hou

Wang

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

With its huge real-world demands, large-scale confidential computing still cannot be supported by today's Trusted Execution Environment (TEE), due to the lack of scalable and effective protection of high-throughput accelerators like GPUs, FPGAs, and TPUs etc. Although attempts have been made recently to extend the CPU-like enclave to GPUs, these solutions require change to the CPU or GPU chips, may introduce new security risks due to the side-channel leaks in CPU-GPU communication and are still under the resource constraint of today's CPU TEE.To address these problems, we present the first Heterogeneous TEE design that can truly support large-scale compute or data intensive (CDI) computing, without any chip-level change. Our approach, called HETEE, is a device for centralized management of all computing units (e.g., GPUs and other accelerators) of a server rack. It is uniquely designed to work with today's data centres and clouds, leveraging modern resource pooling technologies to dynamically compartmentalize computing tasks, and enforce strong isolation and reduce TCB through hardware support. More specifically, HETEE utilizes the PCIe ExpressFabric to allocate its accelerators to the server node on the same rack for a non-sensitive CDI task, and move them back into a secure enclave in response to the demand for confidential computing. Our design runs a thin TCB stack for security management on a security controller (SC), while leaving a large set of software (e.g., AI runtime, GPU driver, etc.) to the integrated microservers that operate enclaves. An enclaves is physically isolated from others through hardware and verified by the SC at its inception. Its microserver and computing units are restored to a secure state upon termination.We implemented HETEE on a real hardware system, and evaluated it with popular neural network inference and training tasks. Our evaluations show that HETEE can easily support the CDI tasks on the real-world scale and incurred a maximal throughput overhead of 2.17% for inference and 0.95% for training on ResNet152.Recent years have seen attempts to support the heterogeneous TEE. Examples include Graviton [15] and HIX [16]. However, all these approaches require changes to CPU and (or) GPU chips, which prevents the use of existing hardware, and also incurs a long and expensive development cycle to chip manufacturers and therefore may not happen in the near 1450 2020 IEEE Symposium on Security and Privacy

show abstract

Section: Trust Establishmentmentioning

confidence: 99%

Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment

Zhu

Hou

Wang

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…Fink at al. [21] suggest measuring the round trip times of requests to the trusted device to detect if it is in the proximity of the verifier. Zhang et al [46] also investigate the problem of a human user distinguishing genuine secure hardware from adversarial devices.…”

Section: Trusted Computing and Cuckoo Attackmentioning

confidence: 99%

Misbinding Attacks on Secure Device Pairing and Bootstrapping

Sethi

Peltonen

Aura

2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

In identity misbinding attacks against authenticated key-exchange protocols, a legitimate but compromised participant manipulates the honest parties so that the victim becomes unknowingly associated with a third party. These attacks are well known, and resistance to misbinding is considered a critical requirement for security protocols on the Internet. In the context of device pairing, on the other hand, the attack has received little attention outside the trusted-computing community. This paper points out that most device pairing protocols are vulnerable to misbinding. Device pairing protocols are characterized by lack of a-priory information, such as identifiers and cryptographic roots of trust, about the other endpoint. Therefore, the devices in pairing protocols need to be identified by the user's physical access to them. As case studies for demonstrating the misbinding vulnerability, we use Bluetooth and a protocol that registers new IoT devices to authentication servers on wireless networks. We have implemented the attacks. We also show how the attacks can be found in formal models of the protocols with carefully formulated correspondence assertions. The formal analysis yields a new type of double misbinding attack. While pairing protocols have been extensively modelled and analyzed, misbinding seems to be an aspect that has not previously received sufficient attention. Finally, we discuss potential ways to mitigate the threat and its significance to security of pairing protocols. CCS CONCEPTS• Security and privacy → Systems security; Network security; Formal methods and theory of security; • Networks → Network protocol design.

show abstract

“…We argue that regarding now, any potential threats from Intel ME (Management Engine) which is referred to as Ring minus 3 and has a dedicated processor, in the consideration that all rely on ad-hoc vulnerabilities and this topic is still under open discussion [13]. TPM relay attack [14]. A man-in-the-middle (MitM) attack specifically targeting TPM-like devices impersonates and forwards requests to a (remote) legitimate device, pretending its proximity or co-location on the same machine, to either learn the secrets or forge authentication/attestation results.…”

Section: H Porting Effortmentioning

confidence: 99%

One-Time Programs Made Practical

Zhao

Choi

Demirag

et al. 2019

Financial Cryptography and Data Security

View full text Add to dashboard Cite

A one-time program (OTP) works as follows: Alice provides Bob with the implementation of some function. Bob can have the function evaluated exclusively on a single input of his choosing. Once executed, the program will fail to evaluate on any other input. State-of-the-art one-time programs have remained theoretical, requiring custom hardware that is cost-ineffective/unavailable, or confined to adhoc/unrealistic assumptions. To bridge this gap, we explore how the Trusted Execution Environment (TEE) of modern CPUs can realize the OTP functionality. Specifically, we build two flavours of such a system: in the first, the TEE directly enforces the one-timeness of the program; in the second, the program is represented with a garbled circuit and the TEE ensures Bob's input can only be wired into the circuit once, equivalent to a smaller cryptographic primitive called one-time memory. These have different performance profiles: the first is best when Alice's input is small and Bob's is large, and the second for the converse. 5 Hazay and Lindell [24] give a thorough treatment of interactive two-party protocols. 6 Further explanation is provided in Appendix A.2. arXiv:1907.00935v1 [cs.CR] 1 Jul 2019 7 As an example, Intel STK2mv64CC, a Compute Stick that supports both TXT and TPM, was priced at $499.95 USD on Amazon.com (as of September 2018). 8 A state-bound cryptographic operation performed by the TPM chip, like encryption.

show abstract

Catching the Cuckoo: Verifying TPM Proximity Using a Quote Timing Side-Channel

Cited by 10 publications

References 6 publications

Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment

Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment

Misbinding Attacks on Secure Device Pairing and Bootstrapping

One-Time Programs Made Practical

Contact Info

Product

Resources

About