LEVEEFS: Securing Access to Untrusted Filesystems in Enclaved Execution

Enclaved execution techniques like Intel SGX guarantee secure execution of applications in the presence of a compromised operating system. However, these techniques still rely on the underlying OS for services such as filesystem management. In this paper, we present attacks, which we call syscall-abuse attacks, on applications such as OpenSSL and ClamAV in the presence of a compromised filesystem management service. To mitigate such attacks, we design and implement LEVEEFS, a filesystem abstraction that ensures secure access to untrusted storage in an enclaved execution environment. LEVEEFS simultaneously provides security, efficiency and expressiveness guarantees. Unlike existing solutions, its trusted computing base (TCB) is small, comprising approximately 3836 LOC, i.e., 7.62 % of the total filesystem size. To evaluate expressiveness, we execute various file benchmarks such as Bonnie++, Iozone and FileBench, along with application benchmarks such as CoreUtils, OpenSSL and ClamAV. LEVEEFS incurs an average overhead of 8.03 % on these benchmarks, which is acceptable for practical use.
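The abstract names the threat (an enclave that trusts file data and syscall results handed back by a compromised OS) but does not describe the LEVEEFS mechanism. The following added example, which is not code from the paper and is not LEVEEFS's design, illustrates the defender-side idea in miniature: an enclave-side file wrapper that keeps a per-file HMAC table inside the trusted boundary and validates both the length and the integrity of whatever the untrusted host returns, so that tampering, file swapping and rollback surface as errors instead of silently reaching the application. `UntrustedHostFS`, `ShieldedFS`, the key handling and the sample paths are all constructed for this illustration.

```python
import hmac
import os


class UntrustedHostFS:
    """Constructed stand-in for the OS filesystem service.

    In the paper's threat model the OS is compromised, so this object may
    hand back arbitrary bytes; tamper() and swap() simulate that behaviour.
    """

    def __init__(self):
        self.blobs = {}

    def write(self, path, data):
        self.blobs[path] = bytes(data)

    def read(self, path):
        return self.blobs.get(path)

    def tamper(self, path, data):
        # A compromised OS rewriting a file behind the enclave's back.
        self.blobs[path] = bytes(data)

    def swap(self, a, b):
        # A compromised OS serving file b's content under path a and vice versa.
        self.blobs[a], self.blobs[b] = self.blobs[b], self.blobs[a]


class ShieldedFS:
    """Enclave-side wrapper (hypothetical design, not LEVEEFS's).

    The HMAC key and the tag table live inside the enclave. The tag binds
    the path to the content, so a file served under the wrong name fails
    verification, and since only the latest tag is kept, replaying an
    older authenticated version (rollback) fails as well.
    """

    def __init__(self, host, key):
        self.host = host
        self.key = key
        self.tags = {}

    def _tag(self, path, data):
        return hmac.new(self.key, path.encode() + b"\0" + data, "sha256").digest()

    def write(self, path, data):
        data = bytes(data)
        self.host.write(path, data)
        self.tags[path] = self._tag(path, data)

    def read(self, path, max_len):
        raw = self.host.read(path)
        if raw is None:
            raise FileNotFoundError(path)
        # Iago-style check: never trust a returned length larger than the
        # caller's buffer, regardless of what the host claims.
        if len(raw) > max_len:
            raise ValueError("host returned more bytes than the caller's buffer")
        expected = self.tags.get(path)
        if expected is None:
            raise PermissionError("no integrity tag recorded for " + path)
        if not hmac.compare_digest(expected, self._tag(path, raw)):
            raise ValueError("integrity check failed for " + path)
        return raw


def demo():
    """Run the honest path and three host misbehaviours; report what was caught."""
    host = UntrustedHostFS()
    fs = ShieldedFS(host, os.urandom(32))
    fs.write("/cfg/policy.txt", b"allow=alice\n")
    fs.write("/cfg/other.txt", b"allow=bob\n")
    result = {"honest": fs.read("/cfg/policy.txt", 4096)}

    old = host.read("/cfg/policy.txt")
    host.tamper("/cfg/policy.txt", b"allow=mallory\n")
    result["tamper_detected"] = _fails(fs, "/cfg/policy.txt", 4096)

    host.tamper("/cfg/policy.txt", old)          # restore, then test swapping
    host.swap("/cfg/policy.txt", "/cfg/other.txt")
    result["swap_detected"] = _fails(fs, "/cfg/policy.txt", 4096)

    host.swap("/cfg/policy.txt", "/cfg/other.txt")  # restore, then test rollback
    fs.write("/cfg/policy.txt", b"allow=alice,carol\n")
    host.tamper("/cfg/policy.txt", old)          # serve the stale but once-valid version
    result["rollback_detected"] = _fails(fs, "/cfg/policy.txt", 4096)
    return result


def _fails(fs, path, max_len):
    try:
        fs.read(path, max_len)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

Persisting the tag table itself across enclave restarts (for example via sealed storage with a monotonic counter) is what a real design must also solve; this illustration keeps the table in memory only.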
