ROTE: Rollback Protection for Trusted Execution

Security architectures such as Intel SGX need protection against rollback attacks, where the adversary violates the integrity of a protected application state by replaying old persistently stored data or by starting multiple application instances. Successful rollback attacks have serious consequences on applications such as financial services. In this paper, we propose a new approach for rollback protection on SGX. The intuition behind our approach is simple. A single platform cannot efficiently prevent rollback, but in many practical scenarios, multiple processors can be enrolled to assist each other. We design and implement a rollback protection system called ROTE that realizes integrity protection as a distributed system. We construct a model that captures adversarial ability to schedule enclave execution and show that our solution achieves a strong security property: the only way to violate integrity is to reset all participating platforms to their initial state. We implement ROTE and demonstrate that distributed rollback protection can provide significantly better performance than previously known solutions based on local non-volatile memory.
