Towards Modular Trusted Execution Environments
C. Weinhold, N. Asmussen, Diana Göhringer, M. Roitzsch
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593037
State-of-the-art implementations of Trusted Execution Environments (TEEs) present system designers and users with several problems: First, it is not possible to choose a TEE implementation independently from the instruction set architecture. Second, the security-critical functionality of such TEEs is deeply integrated into the micro-architecture of complex processor cores, making programs running in such TEEs vulnerable to side-channel attacks. And third, the interface and execution model of certain types of TEEs make it hard to integrate these TEEs with the system software. To address these issues, we propose a modular TEE design. We apply this modular design to the M3 hardware/software co-design platform and demonstrate how TEE support can be made a first-class feature at the system-architecture level.

About Time: On the Challenges of Temporal Guarantees in Untrusted Environments
F. Alder, Gianluca Scopelliti, Jo Van Bulck, J. Mühlberg
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593038
Measuring the passage of time and taking actions based on such measurements is a common security-critical operation that developers often take for granted. When working with confidential computing, however, temporal guarantees become more challenging because trusted execution environments reside in effectively untrusted environments, which can often influence expectations on time and progress. In this work, we identify and categorize five different levels of tracking the passage of time that an enclave may be able to measure or receive from its environment. Focusing first on the popular Intel SGX architecture, we analyze what level of time is possible and how this is utilized in both academic and industry projects. We then broaden the scope to other popular trusted computing solutions and list common applications for each level of time, concluding that not every use case requires accurate access to real-world time.

What virtualization can do for maintenance: the HSM case
Adrian Leren, Uwe Hildebrand, Kai Lampka
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593035
In the automotive sector, one easily faces two decades of software maintenance at the vehicle level. During this time, the processor-specific version of the potentially complex operating system (OS) kernel in use has to be either patched or completely exchanged. To eliminate this maintenance effort, the presented work exploits device virtualization by using the Secure Monitor Call (SMC) interface of ARM [6] and the microkernel-based virtualization scheme of L4Re [2, 3] in its commercial variant EB corbos Hypervisor [1]. This is an alternative to the common approach based on Virtio [8].

Transparent Management of BFT Systems with TEE
Bijun Li, Pierre-Louis Aublin
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593041
Achieving distribution transparency is an important goal in distributed system development since it ensures a positive experience for end-users. In our previous research, we utilized the Intel SGX Trusted Execution Environment (TEE) to facilitate trusted execution of client-side Byzantine Fault-Tolerance (BFT) library functionality on the server-side, enabling legacy clients to access replicated services in a transparent manner. Nonetheless, improving distribution transparency increases the middleware layer's complexity, which hinders the transparent deployment and management of BFT protocols. To resolve this issue, we propose a configurable framework that can flexibly manage the middleware components of BFT systems, utilizing a Trusted Execution Environment (TEE) of the emerging RISC-V architecture. The framework offers large-size enclaves that securely execute BFT protocols and other middleware functions, such as network processing, permitting the transparent management of server-side BFT systems without imposing a significant overhead.

A RISC-V Extension to Minimize Privileges of Enclave Runtimes
Neelu S. Kalani, Edouard Bugnion
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593040
In confidential computing, the view of the system software is Manichean: the host operating system is untrusted and the TEE runtime system is fully trusted. However, the runtime system is often as complex as a full operating system, and thus is not free from bugs and exploitable vulnerabilities. Yet, it executes with complete system-level control over the enclave application, in violation of the least privilege principle. While the confidential computing research community has been striving to secure trusted software from its untrusted counterpart, efforts fall short when it comes to securing the enclave application from potentially bug-prone and vulnerable trusted runtime systems. This project describes the design of a simple RISC-V extension that prevents trusted runtime systems from accessing the enclave application's memory. We implement the hardware extension in the QEMU functional simulator and extend the Keystone TEE framework and its runtime system, Eyrie, to enforce the least privilege principle, support unmodified enclave applications, and prevent a class of Iago attacks that leverage the runtime system's unrestricted access to the enclave application's memory.

GRAMINER: Fuzz Testing Gramine LibOS to Harden the Trusted Computing Base
Jaewon Hur, Byoungyoung Lee
Proceedings of the 6th Workshop on System Software for Trusted Execution, 2023-05-08. DOI: https://doi.org/10.1145/3578359.3593036
Intel SGX [1] enables a variety of valuable use cases (e.g., secure data sharing [13]) by protecting an application from all other untrusted parties (e.g., the host kernel). However, incorporating Intel SGX into conventional software development introduces additional requirements. One of these requirements is a new interface between the application running in an SGX enclave and the host kernel (i.e., ecall and ocall [1]).

Proceedings of the 6th Workshop on System Software for Trusted Execution (front matter). DOI: https://doi.org/10.1145/3578359