A Formal Framework for State Continuity of Protected Modules

State-continuity solutions ensure that, across system crashes or power failures, the state of protected modules (e.g., Intel SGX enclaves) cannot be rolled back to a stale version. In this paper, we propose a general framework for formally modeling and verifying state-continuity solutions. The framework supports solutions that use different security strategies, such as strategies based on hash values or monotonic counters. We first propose a general model for state-continuity solutions. The general model contains an adversary that controls not only the OS but also the power of the system, together with the common actions that solutions take to ensure state continuity. Then, we propose a general refinement strategy for refining the general model into models of concrete solutions. If the model of a concrete solution can be refined from the general model by using the strategy, the solution ensures state continuity. We implement the framework in the Coq proof assistant and demonstrate that a solution called Memoir guarantees state continuity for protected modules.
