Lecture Embedded System Security
Dynamic Root of Trust and
Trusted Execution
Prof. Dr.-Ing. Ahmad-Reza Sadeghi
System Security Lab
Technische Universität Darmstadt (CASED)
Germany
Summer Term 2014
Dynamic Root of Trust
Problem of legacy
Incompatible or sloppy BIOS
Chain of trust is too long, too static
AMD/Intel introduce Dynamic RTM (DRTM)
CPU resets into clean state to load OS/App
Essentially starting a new Chain of Trust
SYSTEM SECURITY LAB
Dynamic Root of Trust
Reset Chain of Trust, cut out BIOS and boot loader
Boots clean OS out of compromised system (!)
[Figure: two chains of trust. Static chain: CRTM, BIOS, Boot Loader, Operating System, App X, App Y, rooted in CPU, Chipset, TPM. Dynamic chain: Authenticated Code (AC) followed by a fresh Operating System, rooted in the CPU reset.]
The SENTER CPU instruction initiates the process
Resets CPU and Chipset
Resets TPM PCRs 17-23
CPU executes Authenticated Code module (AC mod)
AC mod is signed by vendor (Intel)
AC mod is measured into PCR 17
AC mod reinitializes CPU and Chipset
Payload is measured by AC mod
Payload measurement stored in PCR 18
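The SENTER sequence above, traced through a small TPM model. This is an added example, not code from the slides or from Intel. It assumes a TPM 1.2 with 20-byte SHA-1 PCRs, a constructed AC module and payload, and an HMAC keyed with a constructed vendor key standing in for Intel's RSA signature over the AC module. The point it shows: a verifier can recompute PCR 17 and 18 from the known-good AC module and payload alone, and a bad BIOS measurement in the static PCRs leaves the dynamic chain unchanged.

```python
import hashlib
import hmac

PCR_LEN = 20                    # TPM 1.2 PCRs are 20-byte SHA-1 registers
DYNAMIC_PCRS = range(17, 24)    # the PCRs SENTER resets (17-23)

# Constructed stand-in for the vendor's code-signing key that the CPU trusts.
# Real TXT verifies an RSA signature over the AC module; an HMAC is used here
# only so the example runs without a public-key library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def vendor_sign(ac_mod: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, ac_mod, hashlib.sha1).digest()


def measure(blob: bytes) -> bytes:
    return hashlib.sha1(blob).digest()


def pcr_extend(old: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(old + measurement).digest()


class TpmSim:
    """Minimal TPM model: 24 PCRs that can only be extended (or reset by SENTER)."""

    def __init__(self) -> None:
        self.pcr = {i: b"\x00" * PCR_LEN for i in range(24)}

    def extend(self, idx: int, measurement: bytes) -> None:
        self.pcr[idx] = pcr_extend(self.pcr[idx], measurement)


def senter(tpm: TpmSim, ac_mod: bytes, ac_sig: bytes, payload: bytes) -> None:
    """Model of the SENTER launch sequence from the slide."""
    # CPU and chipset reset are not modelled; the static PCRs 0-16 are deliberately
    # left untouched, so a compromised BIOS measurement stays visible afterwards.
    for i in DYNAMIC_PCRS:                       # resets TPM PCRs 17-23
        tpm.pcr[i] = b"\x00" * PCR_LEN
    if not hmac.compare_digest(vendor_sign(ac_mod), ac_sig):
        raise ValueError("AC module signature invalid: launch aborted")
    tpm.extend(17, measure(ac_mod))               # AC mod is measured into PCR 17
    tpm.extend(18, measure(payload))              # payload measurement goes to PCR 18


def expected_pcrs(ac_mod: bytes, payload: bytes) -> dict:
    """What a verifier recomputes from the known-good AC module and payload."""
    zero = b"\x00" * PCR_LEN
    return {17: pcr_extend(zero, measure(ac_mod)),
            18: pcr_extend(zero, measure(payload))}


def launch_and_report(ac_mod: bytes, payload: bytes, bios_compromised: bool) -> dict:
    """Boot through the static chain, then late-launch; return PCR 0, 17 and 18."""
    tpm = TpmSim()
    # Static chain (CRTM -> BIOS -> ...) measured before SENTER; constructed images.
    bios = b"evil BIOS image" if bios_compromised else b"good BIOS image"
    tpm.extend(0, measure(bios))
    senter(tpm, ac_mod, vendor_sign(ac_mod), payload)
    return {i: tpm.pcr[i] for i in (0, 17, 18)}


if __name__ == "__main__":
    ac = b"SINIT AC module (constructed)"
    os_img = b"clean OS/MLE image (constructed)"
    clean = launch_and_report(ac, os_img, bios_compromised=False)
    dirty = launch_and_report(ac, os_img, bios_compromised=True)
    # The dynamic chain is identical regardless of the BIOS state
    print(clean[17] == dirty[17] and clean[18] == dirty[18])
```

Run it to confirm that PCR 17 and 18 agree between the clean and the compromised boot while PCR 0 differs. What SENTER does not do is also visible: nothing in this model looks at SMM or AMT, which the next slides pick up.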
DRTM Security (1)
System Management Mode (SMM, “Ring -2”)
Runtime, low-level hardware management
Arbitrary code execution while OS is suspended
BIOS is expected to initialize SMM and then lock access
Active Management Technology (AMT, “Ring -3”)
RISC CPU inside the mainboard chipset
Dedicated link to your RAM and network card
Arbitrary code execution while OS is running
DRTM Security (2)
SMM and AMT are not validated/supervised by TXT
BIOS is supposed to secure access and lock registers
• Compromised SMM or AMT can manipulate AC or TXT payload
• As of 2006, BIOS locks access to SM-RAM
• TXT needs secure BIOS!
• DRTM needs SRTM!?
[Figure: the static stack of CPU, Chipset, TPM, BIOS, Boot Loader and Operating System (App X, App Y) next to the dynamic stack of Authenticated Code (AC) and Operating System (App A, App B); System Management Mode (SMM) and AMT sit below both.]
Trusted GRUB
Root of Trust is the CPU reset to TXT mode
Chain of Trust:
CPU
GRUB boot loader
(Hypervisor)
Operating System
...
Similar problems as with Static Root of Trust
Long chain of trust
TXT Example: TrustedGRUB
Trusted Execution Environment (TEE) at runtime
Run only a small part in the TEE
Leads to small TCB
Must be isolated from other software
Flicker
Suspend operating system
Switch to TXT mode
Measure and execute code
Resume operating system
Transaction Security (Flicker)
Use TXT only for small critical functions like signature
Output can be signed or otherwise bound to TPM
• Strong isolation for legacy OS without virtualization overhead
• Simple and stable apps
Integrity = Security
[Figure: PC-Hardware (CPU & Chipset) with CRTM, BIOS, Boot Loader and Operating System forming the static chain of trust, running App X and App Y; the Authenticated Code launched on top runs only the Secure App, computing ret = func(input).]
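A Flicker session modelled end to end, as an added example (not the Flicker framework's own code, which is C and uses SKINIT/SENTER on real hardware). Assumptions: the AMD SVM variant Flicker was first built on, where the PAL is measured straight into PCR 17; a constructed AIK secret with HMAC standing in for the TPM's RSA quote; a constructed order-confirmation function as the "small critical function". It shows how the output gets bound to the measured code, and why PCR 17 is extended with a well-known cap value before the OS resumes (modelled here as all zeros).

```python
import hashlib
import hmac
from typing import Callable, Tuple

PCR_LEN = 20
ZERO = b"\x00" * PCR_LEN          # PCR 17 right after the late-launch reset


def sha1(b: bytes) -> bytes:
    return hashlib.sha1(b).digest()


def pcr_extend(old: bytes, m: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || m)."""
    return sha1(old + m)


# Constructed stand-in for the TPM's Attestation Identity Key: a real quote is an
# RSA signature checked with the public AIK; HMAC keeps the example self-contained.
AIK = b"constructed-aik-secret"


def tpm_quote(pcr17: bytes, nonce: bytes) -> bytes:
    return hmac.new(AIK, pcr17 + nonce, hashlib.sha1).digest()


# Well-known value extended into PCR 17 when the session ends (assumption)
CAP = b"\x00" * PCR_LEN


class FlickerSession:
    """One Flicker session: suspend OS, late launch, run the PAL, cap, resume."""

    def __init__(self) -> None:
        self.pcr17 = sha1(b"whatever the OS left here")   # state before the session

    def run(self, pal: bytes, func: Callable[[bytes], bytes],
            inp: bytes, nonce: bytes) -> Tuple[bytes, bytes]:
        # 1) OS suspended; late launch resets PCR 17 and measures the PAL into it
        self.pcr17 = pcr_extend(ZERO, sha1(pal))
        # 2) PAL runs with interrupts disabled: ret = func(input)
        out = func(inp)
        # 3) bind input and output to the measured PAL
        self.pcr17 = pcr_extend(self.pcr17, sha1(inp))
        self.pcr17 = pcr_extend(self.pcr17, sha1(out))
        quote = tpm_quote(self.pcr17, nonce)
        # 4) cap PCR 17: code running after the OS resumes can still extend the
        #    register, but can never bring it back to a state a PAL produced
        self.pcr17 = pcr_extend(self.pcr17, CAP)
        return out, quote


def verify_transaction(pal: bytes, inp: bytes, out: bytes, nonce: bytes, quote: bytes) -> bool:
    """Verifier replays the extends for the PAL it trusts and checks the quote."""
    expected = pcr_extend(ZERO, sha1(pal))
    expected = pcr_extend(expected, sha1(inp))
    expected = pcr_extend(expected, sha1(out))
    return hmac.compare_digest(tpm_quote(expected, nonce), quote)


# Constructed "small critical function": confirm an online-shopping order
PAL_IMAGE = b"order-confirmation PAL (constructed)"
SPENDING_LIMIT = 500


def confirm_order(order: bytes) -> bytes:
    """Input looks like b'order=1234;amount=120' (constructed format)."""
    fields = dict(kv.split(b"=", 1) for kv in order.split(b";"))
    amount = int(fields[b"amount"])
    verdict = b"APPROVED" if amount <= SPENDING_LIMIT else b"DENIED"
    return verdict + b":" + fields[b"order"]


def transaction(order: bytes, nonce: bytes):
    """Run one confirmation inside a session; also return PCR 17 after the cap."""
    session = FlickerSession()
    out, quote = session.run(PAL_IMAGE, confirm_order, order, nonce)
    return out, quote, session.pcr17
```

The verifier never trusts the OS that carried the quote: it only trusts the PAL image it recomputes the PCR for, so a changed output, a replayed nonce, or a quote taken after the cap all fail the check.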
Transaction Security (Flicker)
Flicker framework is available for Intel TXT, AMD
SVM, Windows, Linux
First prototype apps:
Transaction confirmation, e.g., in online shopping
Software-Smartcard
Cryptographic operations executed in “TXT-mode”
PKCS#11 Interface
Usable with legacy software
DRTM with TXT/SVM still contains a huge software stack
How to verify measurements
Multiple open problems in cloud scenario
Provider doesn't want to reveal software configuration
Host machine identification through TPM keys
Isolating only the security critical part is desirable
Flicker never evolved to a practical solution
Substantial modification of the OS required
Switch to and from TXT/SVM is time consuming
Execution stalls entire system (interrupts disabled)
Intel® Software Guard Extensions (SGX)
Security critical code isolated in enclave
Only CPU is trusted
Transparent memory encryption
17 new instructions
Enclaves cannot harm the system
Only unprivileged code (CPU ring3)
Memory protection
Designed for Multi-Core systems
Multi-threaded execution of enclaves
Parallel execution of enclaves and untrusted code
Enclaves are interruptible
Programming Reference available
[Figure: APP1 (containing an Enclave), APP2 and a Security Service on top of the Operating System; the Hardware layer is the CPU with SGX. Only the enclave and the SGX CPU are marked trusted, everything else untrusted.]
SGX – Create Enclave
1. Create App
2. Create app certificate (includes HASH(App) and Client PK)
3. Upload App to Loader
4. Create enclave
5. Allocate enclave pages
6. Load & Measure App
7. Validate certificate and enclave integrity
8. Generate enclave key K
9. Protect enclave
[Figure: Client (SK/PK) in user space next to the Loader, which holds the Enclave; SGX driver in the operating system; SGX hardware below. Steps 1-3 run between client and loader, steps 4-9 between loader, SGX driver and hardware, with K ending up in the enclave. Enclave and SGX hardware are marked trusted, loader, driver and OS untrusted.]
Enclave Creation – Details
1a. Request Enclave Pages
1b. Allocate EP to App
2a. ECREATE(SECS)
2b. Init SECS
3a. EADD(*src, *dest)
3b. copy
4a. EEXTEND(*src)
4b. Hardware measures
5a. EINIT
5b. Update HASH
[Figure: Application (with its Enclave) and OS (holding the EPC list) in software; CPU with MMU and MEE; RAM holding the EPC (pages n, n+1, ...) and the EPCM (page #, Key, ID). The SECS and the enclave code pages are copied into the EPC. Enclave and CPU are marked trusted, application and OS untrusted.]
EPC: Enclave Page Cache
EPCM: EPC Map
MEE: Memory Encryption Engine
MMU: Memory Management Unit
SECS: SGX Enclave Control Structure
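Steps 2 and 4 through 8 of the Create Enclave slides and the ECREATE/EADD/EEXTEND/EINIT sequence of the details slide, modelled in an added example that is not Intel's or any SDK's code. Assumptions: a simplified record format fed to SHA-256 (real SGX hashes fixed 64-byte records), 256-byte EEXTEND chunks as in real SGX, the client certificate reduced to a dict with HASH(App) and the client PK (the signature over it is not modelled), and a constructed CPU secret from which the enclave key K is derived. It shows that the loader can predict the measurement offline, that EINIT refuses a mismatched certificate, and that K depends on the measurement.

```python
import hashlib
import hmac

PAGE = 4096
CHUNK = 256  # EEXTEND measures 256 bytes per record, as real SGX does


def to_pages(app: bytes) -> list:
    """Split an application image into zero-padded 4 KiB pages (constructed helper)."""
    return [app[i:i + PAGE].ljust(PAGE, b"\0") for i in range(0, len(app), PAGE)]


class Secs:
    """Simplified SGX Enclave Control Structure."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.mr = hashlib.sha256()   # running measurement (becomes MRENCLAVE)
        self.mrenclave = None        # fixed at EINIT
        self.client_pk = None
        self.pages = {}              # offset -> content: the EPC pages owned by this SECS


class SgxCpu:
    """Models the four enclave-building instructions plus key derivation."""

    def __init__(self) -> None:
        self._root_secret = b"constructed-fused-cpu-secret"  # never leaves the CPU

    def ecreate(self, size: int) -> Secs:                          # 2a/2b
        secs = Secs(size)
        secs.mr.update(b"ECREATE" + size.to_bytes(8, "little"))
        return secs

    def eadd(self, secs: Secs, src: bytes, offset: int) -> None:   # 3a/3b
        if secs.mrenclave is not None or offset + PAGE > secs.size:
            raise ValueError("EADD refused")
        secs.pages[offset] = bytes(src)                            # copy into the EPC
        secs.mr.update(b"EADD" + offset.to_bytes(8, "little") + b"RWX")  # metadata only

    def eextend(self, secs: Secs, offset: int) -> None:            # 4a/4b
        page = secs.pages[offset]
        for c in range(0, PAGE, CHUNK):
            secs.mr.update(b"EEXTEND" + (offset + c).to_bytes(8, "little") + page[c:c + CHUNK])

    def einit(self, secs: Secs, cert: dict) -> None:               # 5a/5b and step 7
        mrenclave = secs.mr.digest()
        if not hmac.compare_digest(mrenclave, cert["hash_app"]):
            raise ValueError("EINIT: certificate hash does not match measured enclave")
        secs.mrenclave = mrenclave
        secs.client_pk = cert["client_pk"]

    def egetkey(self, secs: Secs) -> bytes:                         # step 8
        """Enclave key K: derived from the CPU secret and the final measurement."""
        if secs.mrenclave is None:
            raise ValueError("enclave not initialized")
        return hmac.new(self._root_secret, b"SEAL" + secs.mrenclave, hashlib.sha256).digest()


def expected_hash_app(app: bytes) -> bytes:
    """Step 2, loader side: replay the record sequence the CPU will hash."""
    pages = to_pages(app)
    h = hashlib.sha256()
    h.update(b"ECREATE" + (len(pages) * PAGE).to_bytes(8, "little"))
    for i, page in enumerate(pages):
        off = i * PAGE
        h.update(b"EADD" + off.to_bytes(8, "little") + b"RWX")
        for c in range(0, PAGE, CHUNK):
            h.update(b"EEXTEND" + (off + c).to_bytes(8, "little") + page[c:c + CHUNK])
    return h.digest()


def build_enclave(cpu: SgxCpu, app: bytes, cert: dict) -> Secs:
    """Steps 4-9: create, add and measure every page, then initialize."""
    pages = to_pages(app)
    secs = cpu.ecreate(len(pages) * PAGE)
    for i, page in enumerate(pages):
        cpu.eadd(secs, page, i * PAGE)
        cpu.eextend(secs, i * PAGE)
    cpu.einit(secs, cert)
    return secs
```

Because the loader and the OS are untrusted, the certificate's HASH(App) is the only thing that ties what the client built to what the hardware measured; a single byte changed while the app sat in the loader makes EINIT fail, and a different measurement yields a different K, so data sealed under one build cannot be read by another.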
Enclave Entry and Exit – Details
Entry:
1. EENTER(TCS, AEP)
2. Lock TCS, start Enclave
Synchronous exit:
1. EEXIT
Asynchronous exit and resume:
1. Interrupt
2. Save context in Enclave
3. ERESUME
4. Resume Enclave
[Figure: Application with its Enclave (TCS, Stack, AEP) and the OS (EPC list, ISR) in software; CPU with MMU and MEE; RAM with EPC and EPCM. On an interrupt control leaves the enclave to the ISR and comes back through the AEP with ERESUME. Enclave and CPU are marked trusted, application and OS untrusted.]
AEP: Async Exit Point
EPC: Enclave Page Cache
EPCM: EPC Map
ISR: Interrupt Service Routine
MEE: Memory Encryption Engine
TCS: Thread Control Structure
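The entry, exit and asynchronous-exit path, as an added simulation (not Intel's code). Its assumptions: a register file of two registers, a TCS with a busy flag and a state save area, and a constructed three-instruction enclave program. It shows that an interrupt leaves the OS a synthetic register state while the real context stays in enclave memory, that the TCS remains locked until EEXIT, and that a second EENTER on a busy TCS is refused.

```python
class Tcs:
    """Thread Control Structure: one per enclave thread. The busy flag is the
    lock taken by EENTER; the SSA (state save area) lives in enclave memory."""

    def __init__(self, program) -> None:
        self.program = program   # list of (op, arg) tuples: the enclave's code (constructed)
        self.busy = False
        self.ssa = None


class SgxThreadSim:
    """One logical processor running enclave code with EENTER, EEXIT,
    asynchronous exit (AEX) on interrupt and ERESUME."""

    def __init__(self) -> None:
        self.regs = {"rax": 0, "rip": 0}
        self.in_enclave = False
        self.tcs = None
        self.aep = None
        self.seen_by_os = []   # register values the ISR / OS could observe

    def eenter(self, tcs: Tcs, aep: int) -> None:          # 1. EENTER(TCS, AEP)
        if tcs.busy:
            raise RuntimeError("TCS is locked: an enclave thread is already using it")
        tcs.busy = True                                     # 2. Lock TCS, start Enclave
        self.tcs, self.aep, self.in_enclave = tcs, aep, True
        self.regs = {"rax": 0, "rip": 0}

    def step(self) -> bool:
        """Execute one enclave instruction; False once the enclave has done EEXIT."""
        op, arg = self.tcs.program[self.regs["rip"]]
        if op == "set":
            self.regs["rax"] = arg
        elif op == "add":
            self.regs["rax"] += arg
        elif op == "eexit":                                 # 1. EEXIT: TCS released
            self.tcs.busy = False
            self.in_enclave = False
            return False
        self.regs["rip"] += 1
        return True

    def interrupt(self) -> None:                            # 1. Interrupt -> AEX
        if not self.in_enclave:
            raise RuntimeError("interrupt outside the enclave needs no AEX")
        self.tcs.ssa = dict(self.regs)                      # 2. Save context in Enclave
        self.regs = {"rax": 0, "rip": self.aep}             # synthetic state, control at AEP
        self.in_enclave = False
        self.seen_by_os.append(dict(self.regs))             # ISR runs here; TCS stays busy

    def eresume(self, tcs: Tcs) -> None:                    # 3. ERESUME from the AEP
        if tcs.ssa is None or not tcs.busy:
            raise RuntimeError("nothing to resume")
        self.regs, tcs.ssa = tcs.ssa, None                  # 4. Resume Enclave
        self.tcs, self.in_enclave = tcs, True


def run_with_interrupt(program, interrupt_after: int):
    """Run the program, injecting one interrupt after `interrupt_after` steps.
    Returns (final rax, what the OS saw, whether the TCS stayed busy during the ISR)."""
    cpu = SgxThreadSim()
    tcs = Tcs(program)
    cpu.eenter(tcs, aep=0x1000)
    busy_during_isr = None
    steps = 0
    running = True
    while running:
        if steps == interrupt_after:
            cpu.interrupt()
            busy_during_isr = tcs.busy
            cpu.eresume(tcs)
        running = cpu.step()
        steps += 1
    return cpu.regs["rax"], cpu.seen_by_os, busy_during_isr


if __name__ == "__main__":
    prog = [("set", 41), ("add", 1), ("eexit", None)]
    print(run_with_interrupt(prog, interrupt_after=1))
```

The interrupt lands between the two arithmetic steps, so the enclave's intermediate value is in the SSA when the ISR runs; the OS sees rax = 0 and an instruction pointer at the AEP, and the computation still finishes with the right result after ERESUME.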
SGX – Create Enclave Secure Channel
1. Generate DH params
2. Request Report
3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params)
4. Authenticate Report using MAC with target enclave’s shared key
5. Pass Report (shared memory)
6. Get enclave’s shared key
7. Validate report
8. Repeat for other direction
[Figure: Enclave1 and Enclave2 in user space, exchanging the report through shared memory; operating system and SGX hardware below. The enclaves and SGX are marked trusted, shared memory and OS untrusted.]
SGX – Remote Attestation
1. Verifier sends nonce
2. Generate Report = (HASH(Enclave1), ID-QuotingEnclave, nonce)
3. Pass Report to Quoting Enclave
4. Quoting Enclave verifies Report
5. Signs Report with “Platform Key”
6. Signed Report is sent to verifier
[Figure: Enclave1 and the Quoting Enclave in user space; operating system and SGX hardware below; the nonce comes in from the verifier. The enclaves and SGX are marked trusted, the rest untrusted.]
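Both attestation flows, local (the secure channel slides) and remote, in one added example that is not Intel's code. Assumptions: report keys derived from a constructed CPU root secret with HMAC-SHA256 (real SGX uses AES-CMAC with keys obtained through EGETKEY), a toy Diffie-Hellman group with a 127-bit prime, and a constructed symmetric platform key that the verifier also holds, standing in for the asymmetric attestation key. It shows why a report MACed for Enclave2 convinces Enclave2 and nobody else, how the DH shares carried in the report data yield one channel key on both sides, and how the verifier's nonce ties the quote to this session.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed, far too small for real use)
P = (1 << 127) - 1   # the Mersenne prime 2^127 - 1
G = 5


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class SgxCpu:
    """Holds the CPU secrets; enclaves only reach them through EREPORT/EGETKEY."""

    def __init__(self) -> None:
        self._root = b"constructed-cpu-root-secret"
        # Stand-in for the asymmetric platform/attestation key: here a shared
        # secret the remote verifier also knows (constructed simplification).
        self.platform_key = b"constructed-platform-key"

    def _report_key(self, target_mr: bytes) -> bytes:
        return hmac.new(self._root, b"REPORT" + target_mr, hashlib.sha256).digest()

    def ereport(self, self_mr: bytes, target_mr: bytes, data: bytes) -> dict:
        """Report = (HASH(caller), ID-target, data), MACed with the target's report key."""
        mac = hmac.new(self._report_key(target_mr), h(self_mr, target_mr, data), hashlib.sha256).digest()
        return {"mr": self_mr, "target": target_mr, "data": data, "mac": mac}

    def egetkey(self, caller_mr: bytes) -> bytes:
        """An enclave can only obtain the report key bound to its own measurement."""
        return self._report_key(caller_mr)


def verify_report(cpu: SgxCpu, my_mr: bytes, report: dict) -> bool:
    """Steps 6-7: recompute the MAC with my own report key; only reports targeted at me verify."""
    if report["target"] != my_mr:
        return False
    key = cpu.egetkey(my_mr)
    expected = hmac.new(key, h(report["mr"], report["target"], report["data"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["mac"])


class Enclave:
    def __init__(self, cpu: SgxCpu, code: bytes) -> None:
        self.cpu, self.mr = cpu, h(code)          # MRENCLAVE of this enclave
        self._x = secrets.randbelow(P - 2) + 1    # step 1: DH private value
        self.dh_pub = pow(G, self._x, P)

    def report_for(self, target_mr: bytes, data: bytes) -> dict:   # steps 2-4
        return self.cpu.ereport(self.mr, target_mr, data)

    def accept(self, report: dict, expected_peer_mr: bytes) -> bytes:
        """Step 7: validate the report, then derive the channel key from the peer's DH share."""
        if not verify_report(self.cpu, self.mr, report) or report["mr"] != expected_peer_mr:
            raise ValueError("report rejected")
        peer_pub = int.from_bytes(report["data"], "big")
        return h(pow(peer_pub, self._x, P).to_bytes(16, "big"))


def local_attestation(e1: Enclave, e2: Enclave):
    """Both directions of the secure-channel setup; reports travel via untrusted memory."""
    r1 = e1.report_for(e2.mr, e1.dh_pub.to_bytes(16, "big"))   # steps 1-5
    k2 = e2.accept(r1, e1.mr)                                    # steps 6-7
    r2 = e2.report_for(e1.mr, e2.dh_pub.to_bytes(16, "big"))   # step 8: other direction
    k1 = e1.accept(r2, e2.mr)
    return k1, k2


class QuotingEnclave(Enclave):
    def quote(self, report: dict) -> dict:
        if not verify_report(self.cpu, self.mr, report):          # 4. verifies Report
            raise ValueError("report rejected by quoting enclave")
        sig = hmac.new(self.cpu.platform_key, h(report["mr"], report["data"]), hashlib.sha256).digest()
        return {"mr": report["mr"], "data": report["data"], "sig": sig}   # 5. sign


def remote_attestation(verifier_nonce: bytes, e1: Enclave, qe: QuotingEnclave) -> dict:
    report = e1.report_for(qe.mr, verifier_nonce)   # 2. report targeted at the QE, nonce as data
    return qe.quote(report)                          # 3-6


def verifier_check(quote: dict, nonce: bytes, expected_mr: bytes, platform_key: bytes) -> bool:
    """Verifier side: platform signature, fresh nonce, and the enclave it expects."""
    expected_sig = hmac.new(platform_key, h(quote["mr"], quote["data"]), hashlib.sha256).digest()
    ok_sig = hmac.compare_digest(expected_sig, quote["sig"])
    return ok_sig and quote["data"] == nonce and quote["mr"] == expected_mr
```

Two things carry over from the model to real SGX: the report MAC never leaves the CPU's key hierarchy, so the untrusted shared memory in between can only drop or corrupt a report, not forge one; and the quoting enclave trusts a report for exactly the same reason Enclave2 does, which is why remote attestation is local attestation plus one signature.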
Embedded Trusted Computing
TC appears very suitable for embedded systems
Fewer problems with legacy platforms
No SMM and AMT, less complex BIOS
Fewer bugs in Root of Trust
Reduced code complexity and flexibility
Special-purpose devices and use-cases
Well-known code-base, longer release cycles