Using Intel SGX to Enforce Auditing of Running Software in Insecure Environments
Leonardo Winter Pereira, Luis Felipe Mazzuchetti Ortiz, Douglas Costa Rossi, M. Rosa, K. Fonseca, Charles B. Prado, L. D. C. Carmo, Andrey Elísio Monteiro-Brito, R. Riella
Proceedings. IEEE International Conference on Cloud Computing, pages 243-246. Publication date: 2018-12-01.
DOI: 10.1109/CloudCom2018.2018.00054 (https://doi.org/10.1109/CloudCom2018.2018.00054)
Citation count: 1
Abstract
In this work we propose a strategy using Intel SGX processors to guarantee the use of audited applications in insecure environments. A cloud-based toolchain allows auditors to assess if the user's application meets specifications and standards, to generate the final binaries, and to cryptographically sign them. It also generates a manifesto containing information to verify the authenticity of the audited software binaries. An SGX-based binary loader (inserted by the cloud-based toolchain during the application's building process) writes down auditing data that is encrypted and sealed by SGX functions to form reliable proofs that the original audited software is the one running. As a proof-of-concept, a Linux kernel was modified in order to cryptographically measure all processes being executed and send these results to an SGX application. An analysis was carried out to measure the performance of the altered system. On average, a system consistently running the audit increased the execution time of each process by 20 to 30%.