DelegaTEE: Brokered Delegation Using Trusted Execution Environments

We introduce a new concept called brokered delegation. Brokered delegation allows users to flexibly delegate credentials and rights for a range of service providers to other users and third parties. We explore how brokered delegation can be implemented using novel trusted execution environments (TEEs). We introduce a system called DELEGATEE that enables users (Delegatees) to log into different online services using the credentials of other users (Owners). Credentials in DELEGATEE are never revealed to Delegatees, and Owners can restrict access to their accounts using a range of rich, contextually dependent delegation policies. DELEGATEE fundamentally shifts existing access control models for centralized online services. It does so by using TEEs to permit access delegation at the user's discretion. DELEGATEE thus effectively reduces mandatory access control (MAC) in this context to discretionary access control (DAC). The system demonstrates the significant potential for TEEs to create new forms of resource sharing around online services without direct support from those services. We present a full implementation of DELEGATEE using Intel SGX and demonstrate its use in four real-world applications: email access (SMTP/IMAP), restricted website access using an HTTPS proxy, e-banking/credit card, and a third-party payment system (PayPal).
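As an added illustration, not code from the paper or the DELEGATEE implementation, the following toy broker stands in for the enclave: it holds Owner credentials, enforces a contextual delegation policy (allowed services, expiry, a spending cap for payment services), and acts on the Delegatee's behalf so that only a request-bound authenticator derived from the credential ever leaves the broker. The `Policy`/`Broker` names, the policy fields and the HMAC-based "login" are assumptions made for this example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Hypothetical contextual delegation policy set by the Owner."""
    services: frozenset      # services the Delegatee may use with this Owner's account
    expires_at: float        # unix time after which the delegation is void
    max_amount: float = 0.0  # cumulative spending cap for payments (0 = no cap)


class Broker:
    """Simulates the enclave: credentials are stored here and never returned."""

    def __init__(self):
        self._creds = {}   # (owner, service) -> secret bytes, never leaves this object
        self._grants = {}  # (owner, delegatee) -> Policy
        self._spent = {}   # (owner, delegatee) -> running total of delegated payments

    def register_credential(self, owner, service, secret):
        self._creds[(owner, service)] = secret

    def grant(self, owner, delegatee, policy):
        self._grants[(owner, delegatee)] = policy

    def act(self, delegatee, owner, service, action, amount=0.0, now=None):
        """Perform `action` on the Owner's account if the policy allows it.
        Returns ("ok", tag) or ("denied", None); the secret is never exposed."""
        now = time.time() if now is None else now
        pol = self._grants.get((owner, delegatee))
        secret = self._creds.get((owner, service))
        if pol is None or secret is None:
            return ("denied", None)
        if now > pol.expires_at or service not in pol.services:
            return ("denied", None)
        if amount > 0:
            spent = self._spent.get((owner, delegatee), 0.0)
            if pol.max_amount and spent + amount > pol.max_amount:
                return ("denied", None)
            self._spent[(owner, delegatee)] = spent + amount
        # Stand-in for the real service login: a MAC bound to this request,
        # computed from the credential inside the broker.
        msg = f"{service}:{action}:{amount}".encode()
        return ("ok", hmac.new(secret, msg, hashlib.sha256).hexdigest())
```

A Delegatee holding the returned tag can prove the broker authorised this one request but cannot reuse the Owner's credential for anything the policy does not cover.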
