Execution integrity without implicit trust of system software

When trusted application code in a TEE computes over results produced by an untrusted kernel and hypervisor [1, 2], it is difficult at best to reason about the secrecy and integrity properties achieved by the overall ensemble: given the breadth of the Linux system call interface, establishing that in-enclave code is immune to Iago attacks [3] is hard. In this paper, we argue that an attractive use case for TEEs is tamper-proof audit: the TEE executes a trusted observer (TO) that allows efficient offline validation that application code running outside the TEE has executed as expected. We describe a TO design that inherently does not require any trust of system call results (and thus of the kernel or hypervisor), and DOG, a prototype TO implementation for Intel SGX that upholds application execution integrity, even for applications that do not fit within today's SGX virtual memory limits, and incurs modest execution overhead.
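To make the abstract's separation concrete, the following added example (not code from the paper or from DOG) sketches the general shape of a tamper-proof audit: an observer holding a key inside the TEE records the system call results an application consumed and the state it reported, as a MAC chain, and an offline validator re-executes the deterministic application logic over those logged inputs. Nothing here decides whether the kernel answered honestly; the validator only checks that the application computed correctly over whatever it was given. The application step, the chain layout and the key are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the deterministic application logic being audited.
# The syscall result may be attacker-controlled; that is fine, the audit only
# asks whether the app computed correctly over it.
def app_step(state: int, syscall_result: bytes) -> int:
    word = int.from_bytes(syscall_result[:4].ljust(4, b"\0"), "little")
    return (state * 31 + word) & 0xFFFFFFFF

def _link(key: bytes, chain: bytes, syscall_result: bytes, state: int) -> bytes:
    # One MAC-chain link: binds this entry to everything recorded before it.
    entry = syscall_result + state.to_bytes(4, "little")
    return hmac.new(key, chain + entry, hashlib.sha256).digest()

class TrustedObserver:
    """Runs inside the TEE with a key the untrusted kernel never sees.
    Records (syscall result, resulting app state) pairs as a MAC chain."""
    def __init__(self, key: bytes):
        self.key, self.chain, self.log = key, b"\0" * 32, []

    def record(self, syscall_result: bytes, app_state: int) -> None:
        self.chain = _link(self.key, self.chain, syscall_result, app_state)
        self.log.append((syscall_result, app_state))

    def seal(self):
        return self.log, self.chain   # log travels in the clear, tag proves it

def validate(key: bytes, log, tag: bytes, initial_state: int = 0) -> bool:
    """Offline validator: replays app_step over the logged inputs and accepts
    only if every reported state is reproduced and the chain tag matches."""
    chain, state = b"\0" * 32, initial_state
    for syscall_result, logged_state in log:
        state = app_step(state, syscall_result)
        if state != logged_state:          # app deviated from expected execution
            return False
        chain = _link(key, chain, syscall_result, logged_state)
    return hmac.compare_digest(chain, tag)  # log edited after the fact

def run_audited(key: bytes, syscall_results, tamper_at=None):
    """Drive the (untrusted-side) app and have the TO observe each step.
    tamper_at models a compromised app reporting a state it did not compute."""
    to, state = TrustedObserver(key), 0
    for i, result in enumerate(syscall_results):
        state = app_step(state, result)
        if tamper_at == i:
            state ^= 1
        to.record(result, state)
    return to.seal()
```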

[1] Michael Stumm et al. FlexSC: Flexible System Call Scheduling with Exception-Less System Calls. OSDI, 2010.

[2] Marcus Peinado et al. T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs. NDSS, 2017.

[3] Srdjan Capkun et al. ROTE: Rollback Protection for Trusted Execution. USENIX Security Symposium, 2017.

[4] Daniel Gruss et al. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. USENIX Security Symposium, 2017.

[5] Marc Feeley et al. A Taxonomy of Distributed Debuggers Based on Execution Replay. PDPTA, 1996.

[6] Srinivas Devadas et al. Authenticated storage using small trusted hardware. CCSW, 2013.

[7] David M. Eyers et al. SCONE: Secure Linux Containers with Intel SGX. OSDI, 2016.

[8] Lingfan Yu et al. The Efficient Server Audit Problem, Deduplicated Re-execution, and the Web. SOSP, 2017.

[9] Samuel T. King et al. ReVirt: enabling intrusion analysis through virtual-machine logging and replay. OPSR, 2002.

[10] Carl A. Gunter et al. Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX. CCS, 2017.

[11] Galen C. Hunt et al. Shielding Applications from an Untrusted Cloud with Haven. OSDI, 2014.

[12] Peter M. Chen et al. Execution replay of multiprocessor virtual machines. VEE, 2008.

[13] Hovav Shacham et al. Iago attacks: why the system call API is a bad untrusted RPC interface. ASPLOS, 2013.

[14] Benjamin Livshits et al. Ripley: automatically securing web 2.0 applications through replicated execution. CCS, 2009.

[15] Srinivas Devadas et al. Intel SGX Explained. IACR Cryptology ePrint Archive, 2016.

[16] Eric Rescorla et al. SSL and TLS: Designing and Building Secure Systems. 2000.

[17] Srinivas Devadas et al. Sanctum: Minimal Hardware Extensions for Strong Software Isolation. USENIX Security Symposium, 2016.

[18] Andreas Haeberlen et al. Accountable Virtual Machines. OSDI, 2010.

[19] Guillaume Pierre et al. Wikipedia workload analysis for decentralized hosting. Computer Networks, 2009.