### APPLICATION-ORIENTED SECURITY: SECRETS MANAGEMENT AND SIDE-CHANNEL PROTECTION FOR TEES

Christof Fetzer TU Dresden





#### OUTLINE



### **OBJECTIVES**

#### **APPLICATION-ORIENTED SECURITY**



**Objective**: Ensure integrity and confidentiality of applications

#### **THREAT MODEL**



#### SYSTEM ADMINISTRATOR



https://sconedocs.github.io

#### **SERVICE PROVIDER ADMINISTRATOR**



https://sconedocs.github.io

#### **DEFENSE IN DEPTH!**



#### **OS-BASED ACCESS CONTROL INSUFFICIENT**



#### WE NEED A CRYPTOGRAPHIC APPROACH!



#### ENGINEERING IS ABOUT ...

… balancing multiple, often conflicting goals



#### SCONE: E2E ENCRYPTION WITHOUT SOURCE CODE CHANGES

Languages: C, C++, Go, Rust, Java, Python, R, ...



[SCONE] Sergei Arnautov, et al, "SCONE: Secure Linux Containers with Intel SGX", USENIX OSDI 2016

#### WHY NO SOURCE CODE CHANGES?

#### ► Considerations:

- reduce cost / time of improving security
- reduce the skills required to improve security
- ► no hardware / software lock-in

#### ≻ ..

► partitioning software for TEEs is quite difficult

# TOOL SUPPORT

Joshua Lind, etc: "Glamdring: Automatic Application Partitioning for Intel SGX", Usenix ATC 2017

...still hard to partition - should we really partition?



#### **EXAMPLE**

- ► Web Server (nginx)
- ➤ Configuration:
  - ► TLS certificate (private key)
  - ► config file
  - ≻ ...
- ► WWW files:
  - must only be visible to authorised clients





### **HOW TO PARTITION NGINX?**

- ► We need to protect certificate!
  - ► must not leak private key
  - ► TLS should be protected!

could impersonate original website if not protected



#### **SHOULD WE PARTITION NGINX?**

- ► We need to protect certificate!
  - ► must not leak
  - ► TLS should be protected!
- Attacker does not need cert:
  - establish connections via protected TLS stack
- ► how to protect against this?
  - how to automate the protection?



#### **SHOULD WE PARTITION NGINX?**

- ► We need to protect certificate!
  - ► must not leak
  - ► TLS should be protected!
- ► We need to encrypt www files
  - ► to ensure confidentiality
  - ► to ensure integrity



#### **SHOULD WE PARTITION NGINX?**

- ► We need to protect certificate!
  - ► must not leak
  - ► TLS should be protected!
- ► We need to encrypt www files
  - ► to ensure confidentiality
  - ► to ensure integrity
- ► We need to protect content
  - ► never as plain text
  - detect modifications

Side-Channel attack! https://sconedocs.github.io



#### SHIELDING

- Partitioning requires bespoke protection
  - need to ensure that TLS API calls are not malicious



- ► larger than TLS API
- but reusable across many applications



https://sconedocs.github.io



transparently encrypted files

#### FILESHIELD, TLS SHIELD,...

- Transparent encryption/ decryption of files
  - ► inside of enclaves

- In case app does not support TLS
  - can wrap TCP connections in TLS
  - ► e.g., memcache

(50)

#### **SCONE: FILE ENCRYPTION**



- Developer determines which files must be encrypted
- Encryption/authentication with source code changes <u>https://sconedocs.github.io</u>

# REALLY, NO PARTITIONING?

- focus on microservices -

#### **CLOUD NATIVE APPLICATIONS**



### **EACH MICROSERVICE RUNS IN A CONTAINER**



#### **MICROSERVICE-BASED PARTITIONING**



#### **CONTAINER-AS-A-SERVICE AND/OR IAAS**



https://sconedocs.github.io

#### METAL-AS-A-SERVICE



https://sconedocs.github.io

## PORTABILITY

- reduce cost / avoid lock in -

### SCONE PLATFORM: DESIGNED FOR MULTIPLE ARCHITECTURES

Languages: C, C++, Go, Rust, interpreted/JIT: Java, Python, R, ...



## **MEMORY SAFETY?**

- exploiting application bugs -

#### SGXBOUNDS FOR MEMORY SAFETY (C AND C++)





**Dmitrii Kuvaiskii**, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2017. SGXBOUNDS: Memory Safety for Shielded Execution. In *Proceedings of the Twelfth European Conference on Computer Systems* (EuroSys '17). ACM, New York, NY, USA, 205-221.

#### **SGXBOUNDS IN A NUTSHELL**



- Lower bound (LB): placed after allocated object
- Upper bound (UB): embedded into 64-bit pointer
  - "tagged pointer" as opposed to "fat pointer"
  - SGX enclaves address 32-bit space (max 36 bits)

 $\bigcirc$  Cache-friendly layout  $\rightarrow$  minimal memory overhead

#### PERFORMANCE



|         | ASan | МРХ   | SGXBounds |
|---------|------|-------|-----------|
| Phoenix | 1.41 | 2.27  | 1.13      |
| PARSEC  | 1.60 | 1.43* | 1.20      |
| SPEC    | 1.76 | 1.52* | 1.41      |

#### **SECRETS MANAGEMENT**



## DISTRIBUTED APPLICATIONS

- motivation -

#### **DISTRIBUTED APPLICATIONS – SPREAD ACROSS CLOUDS**



#### HOW DO WE KNOW THAT CORRECT CODE EXECUTES?



## TRANSPARENT ATTESTATION & CONFIGURATION

- problems? -

#### **PROBLEM: STARTUP LATENCY!**

Attestation via Intel Attention Service

 rate in which we can spawn containers limited/depends on Intel



#### **TRANSPARENT ATTESTATION**



#### **TRANSPARENT ATTESTATION**



#### **PROBLEM: STARTUP LATENCY!**

Attestation via Intel takes too long time

 rate in which we can spawn containers limited/depends on Intel



#### **NO SOURCE CODE CHANGES?**



- Problem: how can the application show that it runs inside an enclave and runs correct code?
- ► Approach: attest application and give it a certificate

#### Swarm Mode



#### **REST INTERFACES**

- Application is partitioned into microservices
- Microservices run on same or on different machines
- ►REST APIs protected by TLS
  - >could add transparently if
    needed ("SCONE TLS shield")

#### **TRANSPARENT P2P ATTESTATION VIA TLS**

We run our internal CA and only components belonging to the same application can talk to each other ...



#### **SECRETS MANAGEMENT**



## **SIDE CHANNELS**

- dealing various side channels -

#### SIDE CHANNEL ATTACK?



- An attacker steals a secret from a victim via a covert channel:
  - i.e., a channel that is not intended to communicate information
- ► Examples: timing, power, cache, ...

#### **SIDE CHANNEL ATTACK?**



- ► Side channel attack:
  - information gained from the implementation
    - ► not from the implemented algorithm

#### **SIDE CHANNEL ATTACK**



#### ► We need a

- transmitter code in the victim to send the secret, and a
- receiver to store the secret

#### **SIDE CHANNEL ATTACK**



- ► Finally, we need
  - ► access code to get the secret to the transmitter code

#### WHAT SIDE-CHANNELS?

- ► Spectre Variant 1
- ► Spectre Variant 2
- ► Meltdown
- ► Spectre NG
- ► Foreshadow

▶ ...

► Let's focus on Spectre Variant 1

#### **NON-SPECULATIVE EXECUTION**



*Note*: execution must wait until array1\_size is fetched from memory

Paul Kocher et al, "Spectre Attacks: Exploiting Speculative Execution", 40th IEEE Symposium on Security and Privacy (S&P'19)

#### **SPECULATIVE EXECUTION**



Approach: CPU predicts the outcome of the comparisons

Paul Kocher et al, "Spectre Attacks: Exploiting Speculative Execution", 40th IEEE Symposium on Security and Privacy (S&P'19)

#### **EXPLOITING CONDITIONAL BRANCH MISPREDICTION**

Branch prediction to speed up computations:





#### **MISPREDICTION**

- CPU might (mis)predict true:
  - accesses array1 out-of-bound
  - ► will speculatively access
    - ➤ array2[secret value\*4k]
- CPU will eventually detect this
  - ► rolls back updates



► Value array2[secret value\*4096] is read into cache





#### **ADDRESSING SIDE CHANNEL ATTACKS?**



#### ► Alternatives:

- ► disable access code
- ► disable transmitter code
- ► disable covert channel
- ► disable receiver code

## Varys

Protecting SGX Enclaves From Practical Side-Channel Attacks

#### Oleksii Oleksenko, Bohdan Trach

Robert Krahn, Andre Martin, Christof Fetzer



Mark Silberstein



#### **Existing solutions**





(no code changes required)

[1] Gruss, D., Lettner, J., Schuster, F., Ohrimenko, O., Haller, I., & Costa, M. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In *Usenix Security 2017*. [2] Zhang, Y., Reiter, M. K., Zhang, Y., & Reiter, M. K. Düppel: Retrofitting Commodity Operating Systems to Mitigate Cache Side Channels in the Cloud. *In CCS 2013*.

[3] Brasser, F., Capkun, S., Dmitrienko, A., Frassetto, T., Kostiainen, K., Müller, U., & Sadeghi, A.-R. DR.SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization. In arXiv 2017.

[4] Chen, S., Reiter, M. K., Zhang, X., & Zhang, Y. Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu. In ASIA CCS '17.

[5] Shih, M., Lee, S., & Kim, T. T-SGX: Eradicating controlled-channel attacks against enclave programs. In NDSS 2017.

#### **Existing solutions**





#### Rely but verify

#### Approach

#### Rely but verify

#### Request isolation from the untrusted OS

#### Approach

# Rely but verifyRequest isolationCfrom the untrustedthOS

Check within the enclave

#### **Complete description**

Varys implements a low-cost protection for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime. Varys implements a low-cost protection for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.

## Let's explains this sentence

Varys implements a low-cost protection for Intel SGX enclaves against **side-channel attacks** by creating an isolated environment and verifying it at runtime.

#### WHAT SIDE CHANNELS DO WE CONSIDER?



|          |   | ~ |   |   |     |   |
|----------|---|---|---|---|-----|---|
| platform | I |   | r | Ο | Jla | 9 |

#### L1 & L2 CACHE: SHARED BETWEEN HYPERTHREADS



#### Vulnerable shared resources

- CPU caches (L1, L2)
   Page tables
- Page tables
- FPU
- Memory bus

• • • •





\*slaps modern cpu\* You won't believe how many side channels this thing can hold 74 7:44 AM - 10 Jul 2018





if (secret == 0) read(addr1) else read(addr2)









#### Shared resource

| addr1 |       |
|-------|-------|
|       |       |
|       | addr2 |

























Varys implements a low-cost protection for Intel SGX enclaves against side-channel attacks by creating an **isolated environment** and verifying it at runtime.

#### Attack requirements

- High interrupt rate
- Predefined cache state
- Shared core

#### Attack requirements

- High interrupt rate
- Predefined cache state
- Shared core

Isolated environment Varys implements a low-cost protection for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.

# Design

- High preemption rate
- Predefined cache state
- Shared core

- Restrict and terminate
  - Cache eviction
- Trusted reservation

Design

- High preemption rate
- Predefined cache state *4*
- Shared core

Restrict and terminate Cache eviction Trusted reservation

#### Restricting preemption rate

• Attack exit rate: ~ 5000 exits/s.

# **Restricting preemption rate**

- Attack exit rate: ~ 5000 exits/s.
- Normal exit rate: ~ 30 exits/s.



# **Restricting preemption rate**

- Attack exit rate: ~ 5000 exits/s.
- Normal exit rate: ~ 30 exits/s.











*SSA* = *State Save Area* 















Design

- High preemption rate
- Predefined cache state
- Shared core

#### Restrict and terminate Cache eviction Trusted reservation

### Hiding cache traces



| Cac | he  |    |    |     |  |
|-----|-----|----|----|-----|--|
|     |     |    |    |     |  |
|     | add | r1 |    |     |  |
|     |     |    |    |     |  |
|     |     |    |    |     |  |
|     |     |    |    |     |  |
|     |     |    | ad | dr2 |  |
|     |     |    |    |     |  |































Design

- High preemption rate
- Predefined cache state *4*
- Shared core

Restrict and terminate Cache eviction

Trusted reservation

# Preventing core sharing

Occupy both hyperthreads



# Preventing core sharing

- Occupy both hyperthreads
  - Use process affinity



#### How do we ensure reservation?



#### How do we ensure reservation?

















Design

- High preemption rate
- Predefined cache state
- Shared core

- Restrict and terminate Cache eviction
  - **Trusted reservation**

Varys **implements** a low-cost protection for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.

#### Implementation



Varys implements a **low-cost** protection for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.













Handshake and eviction only at enclave exits

• 20-30 times per second





EPC paging  $\Rightarrow$  higher exit rate



Varys implements a low-cost **protection** for Intel SGX enclaves against side-channel attacks by creating an isolated environment and verifying it at runtime.

- Privileged cache SCA
  - Target: L1 cache
- No eviction



- Privileged cache SCA
  - Target: L2 cache
- No eviction



- Privileged cache SCA
  - Target: L2 cache
- No eviction



- Privileged cache SCA
  - Target: L2 cache
- Varys protection



- Privileged cache SCA
  - Target: L2 cache
- Varys protection



# Varys Summary

- Varys: side-channel protection for SGX enclaves
- "Rely but verify" approach
  - $\circ$   $\,$  Ask OS for
    - Lower interrupt rate
    - Paired thread allocation
  - Verify the request
- Loads cache on enclave entrance