Intel Software Guard Extensions(Intel SGX) Carlos Rozas Intel Labs November 6, 2013

Similar documents
Intel Media SDK Library Distribution and Dispatching Process

Intel Data Direct I/O Technology (Intel DDIO): A Primer >

Intel Software Guard Extensions. Developer Guide

Intel Identity Protection Technology Enabling improved user-friendly strong authentication in VASCO's latest generation solutions

Intel Identity Protection Technology (IPT)

Intel Service Assurance Administrator. Product Overview

Specification Update. January 2014

Intel Identity Protection Technology with PKI (Intel IPT with PKI)

Intel vpro Technology. How To Purchase and Install Symantec* Certificates for Intel AMT Remote Setup and Configuration

How to Configure Intel Ethernet Converged Network Adapter-Enabled Virtual Functions on VMware* ESXi* 5.1

Software Solutions for Multi-Display Setups

Creating Overlay Networks Using Intel Ethernet Converged Network Adapters

Intel Ethernet and Configuring Single Root I/O Virtualization (SR-IOV) on Microsoft* Windows* Server 2012 Hyper-V. Technical Brief v1.

Intel HTML5 Development Environment. Tutorial Test & Submit a Microsoft Windows Phone 8* App (BETA)

iscsi Quick-Connect Guide for Red Hat Linux

Intel vpro Technology. How To Purchase and Install Go Daddy* Certificates for Intel AMT Remote Setup and Configuration

Power Benefits Using Intel Quick Sync Video H.264 Codec With Sorenson Squeeze

with PKI Use Case Guide

Intel Technical Advisory

Intel Media Server Studio - Metrics Monitor (v1.1.0) Reference Manual

Intel Cloud Builder Guide: Cloud Design and Deployment on Intel Platforms

VNF & Performance: A practical approach

Intel Internet of Things (IoT) Developer Kit

Intel Core TM i3 Processor Series Embedded Application Power Guideline Addendum

The Case for Rack Scale Architecture

Intel Data Migration Software

Intel Retail Client Manager

Lecture Embedded System Security Dynamic Root of Trust and Trusted Execution

Intel: a Thought Leader Helping IoT Scale Out

User Experience Reference Design

CLOUD SECURITY: Secure Your Infrastructure

Intel SSD 520 Series Specification Update

Fast, Low-Overhead Encryption for Apache Hadoop*

Intel Network Builders: Lanner and Intel Building the Best Network Security Platforms

Intel HTML5 Development Environment. Article - Native Application Facebook* Integration

Intel HTML5 Development Environment. Tutorial Building an Apple ios* Application Binary

Haswell Cryptographic Performance

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

Vendor Update Intel 49 th IDC HPC User Forum. Mike Lafferty HPC Marketing Intel Americas Corp.

Cloud based Holdfast Electronic Sports Game Platform

Intel and Qihoo 360 Internet Portal Datacenter - Big Data Storage Optimization Case Study

2013 Intel Corporation

Intel Core i5 processor 520E CPU Embedded Application Power Guideline Addendum January 2011

Intel Virtualization Technology (VT) in Converged Application Platforms

Intel Retail Client Manager Audience Analytics

Douglas Fisher Vice President General Manager, Software and Services Group Intel Corporation

Intel Media Server Studio Professional Edition for Windows* Server

Intel HTML5 Development Environment Article Using the App Dev Center

Intel Active Management Technology Embedded Host-based Configuration in Intelligent Systems

Intel Simple Network Management Protocol (SNMP) Subagent v6.0

RAID and Storage Options Available on Intel Server Boards and Systems

COSBench: A benchmark Tool for Cloud Object Storage Services. Jiangang.Duan@intel.com

Intel Small Business Advantage (Intel SBA) Release Notes for OEMs

Intel Retail Client Manager

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Intel Atom Processor E3800 Product Family

Intel Cloud Builder Guide to Cloud Design and Deployment on Intel Platforms

MCA Enhancements in Future Intel Xeon Processors June 2013

System Event Log (SEL) Viewer User Guide

Intel Solid-State Drive Pro 2500 Series Opal* Compatibility Guide

Customizing Boot Media for Linux* Direct Boot

Intel Trusted Platforms Overview

How To Secure An Rsa Authentication Agent

How to Configure Intel X520 Ethernet Server Adapter Based Virtual Functions on Citrix* XenServer 6.0*

Intel Virtualization Technology FlexMigration Application Note

Security Analysis of the Computer Architecture *OR* What a so9ware researcher can teach you about *YOUR* computer

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

* * * Intel RealSense SDK Architecture

Configuring RAID for Optimal Performance

Partition Alignment of Intel SSDs for Achieving Maximum Performance and Endurance Technical Brief February 2014

Intel Desktop Board DP55WB

Hetero Streams Library 1.0

Enhancing McAfee Endpoint Encryption * Software With Intel AES-NI Hardware- Based Acceleration

Intel Virtualization Technology FlexMigration Application Note

Security Policy for FIPS Validation

Intel RAID Controllers

RAID and Storage Options Available on Intel Server Boards and Systems based on Intel 5500/5520 and 3420 PCH Chipset

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide

Secure Network Communications FIPS Non Proprietary Security Policy

Implementation and Performance of AES-NI in CyaSSL. Embedded SSL

Developing High-Performance, Flexible SDN & NFV Solutions with Intel Open Network Platform Server Reference Architecture

Intel Integrated Native Developer Experience (INDE): IDE Integration for Android*

Intel Cloud Builder Guide to Cloud Design and Deployment on Intel Xeon Processor-based Platforms

How To Reduce Pci Dss Scope

Accomplish Optimal I/O Performance on SAS 9.3 with

Intel Platform Controller Hub EG20T

Intel Network Builders

Creating Full Screen Applications Across Multiple Displays in Extended Mode

Intel RAID Volume Recovery Procedures

Upgrading Intel AMT 5.0 drivers to Linux kernel v2.6.31

Intel Storage System SSR212CC Enclosure Management Software Installation Guide For Red Hat* Enterprise Linux

USB 3.0* Radio Frequency Interference Impact on 2.4 GHz Wireless Devices

Intel Desktop Board DG43RK

Intel Remote Configuration Certificate Utility Frequently Asked Questions

Intel X38 Express Chipset Memory Technology and Configuration Guide

The ROI from Optimizing Software Performance with Intel Parallel Studio XE

Windows Embedded Security and Surveillance Solutions

Accelerating Business Intelligence with Large-Scale System Memory

System Image Recovery* Training Foils

Transcription:

Intel Software Guard Extensions(Intel SGX) Carlos Rozas Intel Labs November 6, 2013

Legal Disclaimers INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm No computer system can provide absolute security under all conditions. Built-in security features available on select Intel processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. Intel, the Intel Logo, Intel Inside, Intel Core, Intel Atom, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Intel compilers, associated libraries and associated development tools may or may not optimize to the same degree for non- Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include Intel Streaming SIMD Extensions 2 (Intel SSE2), Intel Streaming SIMD Extensions 3 (Intel SSE3), and Supplemental Streaming SIMD Extensions 3 (Intel SSSE3) instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Copyright 2013 Intel Corporation 2

Outline Problem Statement Attack Surface and Overview Programming environment System programming view Day in the life of an enclave SGX Access Control & Off Chip protections Attestation and Sealing Developing with SGX Summary 3

The Basic Issue: Why Aren t Compute Devices Trustworthy? Protected Mode (rings) protects OS from apps App X OK X X Malicious App App Bad Code Privileged Code attack and apps from each other UNTIL a malicious app exploits a flaw to gain full privileges and then tampers with the OS or other apps Apps not protected from privileged code attacks 4

Reduced attack surface with SGX Application gains ability to defend its own secrets Smallest attack surface (App + processor) Malware that subverts OS/VMM, BIOS, Drivers etc. cannot steal app secrets Familiar development/debug Single application environment Build on existing ecosystem expertise Familiar deployment model Platform integration not a bottleneck to deployment of trusted apps Attack Attack surface surface with today s App App App Proxy Proxy Proxy OS VMM Hardware X X Attack Surface Scalable security within mainstream environment 5

SGX Programming Environment Trusted execution environment embedded in a process OS App Data App Code Code Data TCS (*n) With its own code and data Provide Confidentiality Provide integrity With controlled entry points Supporting multiple threads With full access to app memory User Process 6

SGX High-level HW/SW Picture Application Environment SGX User Runtime SGX User Runtime Instructions EEXIT EGETKEY EREPORT EENTER ERESUME Privileged Environment Page tables SGX Module Instructions ECREATE ETRACK EADD EWB EEXTEND ELD EINIT EPA EBLOCK EREMOVE Exposed Hardware EPC Platform EPCM Hdw Data Structure Hardware Runtime Application OS Data structure 7

Life Cycle of An Virtual Addr Space Physical Addr Space Build Code/Data Code/Data Load Code/Data Plaintext Code/Data Plaintext Code/Data System Memory MRENCLAVE Update PTE ECREATE (Range) EADD (Copy Page) EEXTEND EINIT EENTER EEXIT EREMOVE Page Cache Plaintext Code/Data Plaintext Code/Data SECS EPCM Invalid Valid,ID, InvalidLA Valid,ID, InvalidLA Valid,SECS Invalid 8

SGX Access Control Linear Address Traditional IA Page Table Checks Physical Address Access? No Non- Access Address in EPC? Access Signal Fault No Yes Address in EPC? Check EPCM Yes Yes Replace Address With Abort Page No No Checks Pass? Yes Allow Memory Access 9

Protection vs. Memory Snooping Attacks CPU Package Cores Cache AMEX: 3234-134584- 26864 System Memory Jco3lks937weu0cwejpoi9987v80we Non- Access 1. Security perimeter is the CPU package boundary 2. Data and code unencrypted inside CPU package 3. Data and code outside CPU package is encrypted and/or integrity checked 4. External memory reads and bus snoops see only encrypted data Snoop Snoop 10

Outline Problem Statement Attack Surface and Overview Programming environment System programming view Day in the life of an enclave SGX Access Control & Off Chip protections Attestation and Sealing Developing with SGX Summary 11

The Challenge Provisioning Secrets to the An enclave is in the clear before instantiation Sections of code and data could be encrypted, but their decryption key can t be pre-installed Secrets come from outside the enclave Keys Passwords Sensitive data The enclave must be able to convince a 3 rd party that it s trustworthy and can be provisioned with the secrets Subsequent runs should be able to use the secrets that have already been provisioned 12

Trustworthiness A service provider should vet the enclave s Trusted Computing Base (TCB) before it should trust it and provide secrets to it The enclave s software The CPU s hardware & firmware Intel SGX provides the means for an enclave to securely prove to a 3 rd party: What software is running inside the enclave Which execution environment the enclave is running at Which Sealing Identity will be used by the enclave What s the CPU s security level 13

Attestation Software TCB When building an enclave, Intel SGX generates a cryptographic log of all the build activities Content: Code, Data, Stack, Heap Location of each page within the enclave Security flags being used MRENCLAVE ( Identity ) is a 256-bit digest of the log Represents the enclave s software TCB A software TCB verifier should: Securely obtain the enclave s software TCB Securely obtain the expected enclave s software TCB Compare the two values 14

Local Attestation Local attestation : The process by which one enclave attests its TCB to another enclave on the same platform Using Intel SGX s EREPORT and EGETKEY instructions EREPORT generates a cryptographic REPORT that binds MRENCLAVE to the target enclave s REPORT KEY EGETKEY provides the REPORT KEY to verify the REPORT TCB component Attestation CPU Firmware & hardware Symmetric - CPU REPORT KEY Software MRENCLAVE 15

Remote Attestation Remote attestation : The process by which one enclave attests its TCB to another entity outside of the platform Intel SGX Extends Local attestation by allowing a Quoting (QE) to use Intel EPID to create a QUOTE out of a REPORT Intel EPID is a group signature scheme TCB component CPU Firmware & hardware Software Attestation Asymmetric - Intel EPID MRENCLAVE 16

Local Attestation - Flow Client Application EREPORT REPORT MRENCLAVE MAC Processor Client Application EGETKEY MRENCLAVE 1. Verifying enclave sends its MRENCLAVE to reporting enclave 2. Reporting enclave creates a cryptographic REPORT that includes its MRENCLAVE 3. Verifying enclave obtains its REPORT key and verifies the authenticity of the REPORT 17

Remote Attestation - Flow Platform REPORT QUOTE QE Remote Platform Verifying Application MRENCLAVE EPID MAC 1. Verifying enclave becomes the Quoting. 2. After verifying the REPORT the, QE signs the REPORT with the EPID private key and converts it into a QUOTE 3. Remote platform verifies the QUOTE with the EPID public key and verifies MRENCLAVE against the expected value 18

Sealing Authority Every enclave has an Certificate (SIGSTRUCT) which is signed by a Sealing Authority Typically the enclave writer SIGSTRUCT includes: s Identity (represented by MRENCLAVE) Sealing Authority s public key (represented by MRSIGNER) EINIT verifies the signature over SIGSTRUCT prior to enclave initialization 19

Sealing Sealing : Cryptographically protecting data when it leaves the enclave. s use EGETKEY to retrieve an enclave, platform persistent key and encrypts the data EGETKEY uses a combination of enclave attributes and platform unique key to generate keys Sealing Authority Product ID Product Security Version Number (SVN) 20

Example: Secure Transaction Client Application Remote Platform 1 QE EPID 2 3 4 1. built & measured against ISV s signed certificate 2. calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) 3. REPORT & user data sent to Quoting who signs the REPORT with an EPID private key 4. QUOTE sent to server & verified 5. Ephemeral key used to create a trusted channel between enclave and remote server 6. Secret provisioned to enclave 7. calls EGETKEY to obtain the SEAL KEY 8. Secret is encrypted using SEAL KEY & stored for future use 21

Example: Secure Transaction Client Application 1 QE Authenticated Channel Remote Platform EPID 2 4 3 1. built & measured against ISV s signed certificate 2. calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) 3. REPORT & user data sent to Quoting who signs the REPORT with an EPID private key 4. QUOTE sent to server & verified 5. Ephemeral key used to create a trusted channel between enclave and remote server 6. Secret provisioned to enclave 7. calls EGETKEY to obtain the SEAL KEY 8. Secret is encrypted using SEAL KEY & stored for future use 5 22

Example: Secure Transaction Client Application 2 5 1 Authenticated Channel 3 Remote Platform 1. built & measured against ISV s signed certificate 2. calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) 3. REPORT & user data sent to Quoting who signs the REPORT with an EPID private key 4. QUOTE sent to server & verified 5. Ephemeral key used to create a trusted channel between enclave and remote server 6. Secret provisioned to enclave 7. calls EGETKEY to obtain the SEAL KEY 8. Secret is encrypted using SEAL KEY & stored for future use 5 6 4 23

Example: Secure Transaction Client Application Remote Platform 8 2 1 5 7 Authenticated Channel 3 1. built & measured against ISV s signed certificate 2. calls EREPORT to obtain a REPORT that includes enclave specific data (ephemeral key) 3. REPORT & user data sent to Quoting who signs the REPORT with an EPID private key 4. QUOTE sent to server & verified 5. Ephemeral key used to create a trusted channel between enclave and remote server 6. Secret provisioned to enclave 7. calls EGETKEY to obtain the SEAL KEY 8. Secret is encrypted using SEAL KEY & stored for future use 5 6 4 24

Intel SGX Software Development SGX SDK Libraries Windows DLL / Trusted Glue Code Architectural s Architectural s Architectural s SGX SDK Tools Application App Code Processing Component SGX SDK Glue Code Libraries Processing Component Software Developer decides which components should execute within an enclave Development Environment allows the Developer to quickly develop enclave enabled binaries Including support for common software libraries, exporting interfaces, and support for provisioning Intel SGX enabled CPU 25

SGX Technical Summary Provides any application the ability to keep a secret Provide capability using new processor instructions Application can support multiple enclaves Provides integrity and confidentiality Resists hardware attacks Prevent software access, including privileged software and SMM Applications run within OS environment Low learning curve for application developers Open to all developers Resources managed by system software 26

Links Joint research poster session: http://sigops.org/sosp/sosp13/ Programming Reference: http://www.intel.com/software/isa HASP Workshop: https://sites.google.com/site/haspworkshop2013/wo rkshop-program 27

Intel Labs: Security and Privacy Research Looking for researchers with the following skills: Cloud Computing Operating Systems Virtualization BIOS and Firmware Mobile Security Machine Learning Algorithms Contact Jennifer.M.Muir@intel.com 28

29 Thank You

30 Backup

SGX Paging Introduction Requirement: Remove an EPC page and place into unprotected memory. Later restore it. Page must maintain same security properties (confidentiality, anti-replay, and integrity) when restored Instructions: EWB: Evict EPC page to main memory with cryptographic protections ELDB/ELDU: Load page from main memory to EPC with cryptographic protections EPA: Allocate an EPC page for holding versions EBLOCK: Declare an EPC page ready for eviction ETRACK: Ensure address translations have been cleared 31

Page-out Example EPC SECS Page VER VA Page Page Page EWB System Memory Encrypted Page PCMD EWB Parameters: Pointer to EPC page that needs to be paged out Pointer to empty version slot Pointers outside EPC location EWB Operation Remove page from the EPC Populate version slot Write encrypted version to outside Write meta-data, PCMD BUILD All pages, including SECS and Version Array can be paged out 32

Page-in Example EPC SECS Page ELD System Memory ELD Parameters: Encrypted page Free EPC page SECS (for an enclave page) Populated version slot BUILD VER VA Page Free Page Page Encrypted Page MD ELD Operation Verify and decrypt the page using version Populate the EPC slot Make back-pointer connection (if applicable) Free-up version slot 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information