Redesigning software-based defenses against privileged attackers on trusted computing

Abstract

For last decades, sophisticated and powerful cyber attacks have been emerging. Their targets are not only security-critical softwares such as the operating system but also hardware devices. These strong threats seriously tackles the traditional concept of Trusted Computing Base (TCB)

in the long history of computer systems, we deal with the kernel as a TCB and let it manage all security-critical components of the system, but this principle is broken. To address this problem, Trusted Computing Group (TCG) developed Trusted Computing to ensure that a program is executed as expected. Relying on assists from the special hardware called Trusted Execution Environment (TEE), Trusted Computing provides applications with confidentiality and integrity. Intel Software Guard eXtension (SGX) is a set of new instructions of Intel CPU that fully supports Trusted Computing. Intel SGX is a state-of-the-art secure processor, but we observe that traditional attacks such as code reuse attacks are still available in SGX. Moreover, it is not trivial to enable Address Space Layout Randomization (ASLR) for SGX, which is the most widely adopted countermeasure against code reuse attack. This is because the initialization and memory management must be incorporated with the untrusted kernel (i.e., a threat model of Intel SGX). Thus, the memory layout of a SGX program is completely visible to the untrusted kernel and this opens the possibility that the kernel launches code reuse attacks through the communication channel between the enclave and its outside. We also observe that SGX alone cannot guarantee the confidentiality of user’s data, especially if the user who provides input and the program owners are separate entities. In fact, SGX is not designed to cater to such an adversary model. More precisely, SGX only provides primitive security services on confidentiality and integrity of the program, and it does not restrict how the program handles data provided to it. Missing this security guarantee severely endangers a user’s privacy, because the program owner can easily write their program to collect user’s data. In this dissertation, we claim that we must redesign existing software-based defenses to hide critical information from untrusted privileged entities in SGX that are considered as trusted parties in the design of existing defenses. We found that this principle is applied to solutions for those two problems (i.e., code reuse attacks by untrusted kernel and data leakage by malicious service program). For the first problem, we design SGX-Shield that is a redesigned Address Space Layout Randomization (ASLR) to hide the memory layout of an enclave against the untrusted kernel. We also design SECUREBOOTH, a redesign Software Fault Isolation (SFI), to guarantee that a service provider cannot leak the user’s data in a malicious purpose. Because of the architectural features and security implications of SGX, there are several challenges to resist against those strong attackers. We overcome those challenges and thoroughly evaluate each system in term of both security and performance. SGX-Shield shows a high degree of randomness in memory layouts and stops memory corruption attacks with a high probability. It also shows 7.61% performance overhead in running common micro-benchmarks and 2.25% overhead in running a more realistic workload of an HTTPS server. SECUREBOOTH guarantees the confidentiality of user data against malicious service provider. Moreover, it is efficient compared to its baseline system because of its memory sharing mechanism in the multi-threading model, which results in ×1.13 - 38.73 performance improvement.