DOCSLIB.ORG

Encrypted Execution and You

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Encrypted Execution and You 1 Assured Information Security (@ainfosec) Encrypted Execution and You @JacobTorrey DayCon 9 { October 2015 @JacobTorrey | HARES Outline 2 Introduction Background HARES Details Results Implications Conclusions @JacobTorrey | HARES Amp Up! 3 I was pretty nervous presenting here in front of all of you, luckily one of my idols gave me the courage to stand up here in front of you all! @JacobTorrey | HARES Who am I? 4 I Advising Research Engineer at Assured Information Security (words are my own) I Site lead for Denver, CO office; provides InfoSec strategy consulting I Leads low-level Computer Architectures research group I Plays in Intel privilege rings ≤ 0 I Ultra-runner, ultra-cyclist & mountaineer @JacobTorrey | HARES Overview 5 I Encrypted (non-reversable) execution is coming I HARES provides the ability to execute fully-encrypted binaries with minimal performance impact (~2%) I Intel Software Guard Extensions (SGX) provides support for encrypted enclaves I How will this impact attackers vs. defenders? @JacobTorrey | HARES Impact 6 I Provides a secure execution capability for running sensitive applications in contested environments I Could integrate with cloud-computing offerings to minimize trust placed in cloud provider I Security of solution dependent on encryption, not security-through-obscurity I Provides technology, does not enforce usage based on \morals" @JacobTorrey | HARES Problem Statement 7 I Algorithms exposed to copying or theft I Application code can be used to develop attacks I Code can be reused for unintended purposes (ROP) I Malware RE can lead to attribution and C&C attack @JacobTorrey | HARES Current State-of-the-Art 8 I Obfuscation and packers | Analysis tools and live debugging can recover instructions I VM-based obfuscation | Can still be mapped to x86 and impacts performance I Encrypting entire OS with trusted boot | Only prevents against offline attacks @JacobTorrey | HARES Von Neumann versus Harvard Architectures 9 Von Neumann systems have a unified memory and buses for data and instructions: Harvard architectures have separate memories for data and instructions: @JacobTorrey | HARES AES-NI 10 I In response to software-based caching attacks on AES, Intel released instruction set to support AES I Hardware logic is faster, and more protected I Supports 128-bit and 256-bit AES I Provides primitives, still requires engineering to make a safe system on top of these @JacobTorrey | HARES TRESOR 11 I Uses AES-NI and CPU debug registers to provide accelerated, cold-RAM resistant AES on Linux I Key loaded early boot I Kernel patch to prevent applications reading debug registers @JacobTorrey | HARES TLB-Splitting 12 I Translation lookaside buffer (TLB) is a cache for virtual −! physical address translations I Used to improve paging performance I Logically treated as single entity, physically multiple components I Switches x86 platform from apparent Von Neumann to Harvard architecture: I Used by PaX/GRSecurity to emulate no-execute bit I Shadow Walker used for memory-hiding root-kit functionality @JacobTorrey | HARES TLB-Splitting (cont.) 13 Figure 1: TLB during normal operation Figure 2: Split TLB @JacobTorrey | HARES TLB-Splitting Impact 14 I TLB-splitting allows, through software, the apparent hardware architecture to be changed, per process I Most end-point protection capabilities (PatchGuard, AV, anti-root-kit tools, etc.) assume a Von Neumann system; TLB-splitting breaks that assumption and can bypass all of them (I bet your AV vendor forgot to mention that...) @JacobTorrey | HARES S-TLB 15 With Nehalem micro-architecture, an L2 cache was introduced, the S-TLB; breaks split-TLB assumptions Figure 3: S-TLB @JacobTorrey | HARES MoRE: Measurement of Running Executables 16 I DARPA Cyber Fast Track program I Explored using TLB-splitting for measurement/integrity verification of interleaved application I Immutable code page (can repeatably measure in real-time) I Mutable data page (for variable isolation) I Used EPT granular permissions to simulate a split-TLB on newer CPUs with S-TLB I Thin-VMM to simulate Harvard architecture on per-process basis @JacobTorrey | HARES Why HARES? 17 I HARES is an example of an encrypted capability (enclave), that allows exploration of the implications of encrypted execution I Intel SGX soon will provide similar capabilities, but through hardware modifications, providing stronger security guarantees I The following deep-dive will provide background of what the current state-of-the-art is @JacobTorrey | HARES VMX Thin-Hypervisor 18 I Loaded as Windows 7 kernel driver I Based on vmcpu root-kit example I No emulation of devices, OS retains direct access to HW I Minimal performance impact I Can use VMCS exit conditions to track certain architectural events @JacobTorrey | HARES On-CPU AES 19 I \Hoists" TRESOR on-CPU AES into VMM I AES-NI key stored in CPU debug registers to protect against cold-RAM attack I Adds VMCS exit condition for debug register accesses (return NULL or silently discard write) I Decrypts executable sections of program into execute-only memory @JacobTorrey | HARES TLB-Splitting 20 I All data-fetch requests, even from application itself, directed via EPT/TLB to encrypted page I All instruction fetches are directed to execute-only, decrypted, memory I Must track Windows application memory management events (COW) and ensure EPT structures correspond with OS-level structures @JacobTorrey | HARES EPT Fault Flowchart 21 @JacobTorrey | HARES Tested Applications 22 I Command-line synthetic test-suite I Microsoft Windows Notepad I Microsoft Windows Paint I Microsoft Windows Calculator Usability of HARES-protected applications was not noticeably impacted to end-user @JacobTorrey | HARES Test Results 23 Overall, average performance impact was ~2% Test Name Average Execution Time (s) Average HARES Execution Time (s) Performance Impact (%) Pi 28.173 28.600 1.515 Randomized Sort1 0.016 0.031 95.83 Coin Flip 1.778 1.809 1.762 Timers 15.013 15.023 0.069 Table 1: Performance Results for CLI Test-Suite 1The randomized sort runs for such a short period that the initialization routine of the Windows process creation monitor almost doubles the execution time. If the TLB-splitting and periodic measurement is disabled, the run-time is still almost double. For this test, it is reasonable to assume that there is a constant increase of ~.015s for each test case run under the VMX hypervisor, and due to this test case's short duration it skewed the percentage. @JacobTorrey | HARES Demonstration System 24 Specifications for the demonstration system to overcome some prototype limitations: I Intel Core-i series processor with AES-NI; Windows 7 32-bit OS I Single processor [numproc=1] (Our thin-VMM only supports single core currently) I 2GiB RAM [truncatememory=0x80000000] (Windows kernel memory layout changes > 2 GiB, and too lazy to update hard-coded values) I No PAE/DEP [nx=AlwaysOff and pae=ForceDisable] (Again, hard-coded memory layout code) @JacobTorrey | HARES Demonstration 25 [ALT-TAB] @JacobTorrey | HARES Major Challenge: Mixed Code & Data 26 Code and string "Statistics" sharing same section (.text): @JacobTorrey | HARES Security Benefits 27 Protects against: I Reverse-engineering and algorithmic IP theft I \Weaponization" of crash case into RCE I Mining application source for ROP gadgets I Harvard architecture resistant to code injection attacks & pivoting @JacobTorrey | HARES Weaknesses 28 I JTAG/ICE/XDM I Memory Dumping I DMA I SMM/AMT I Side-channels I Emulation/VMM I Syscall Inference @JacobTorrey | HARES Overcoming Weaknesses & Future Work 29 Intel SGX will solve many of these, but for HARES: I VT-d/IOMMU (DMA) I Cache-as-RAM (memory dumping) I DRTM launch (VMM) I Combining with unique compilation @JacobTorrey | HARES Offensive Use-Cases 30 I Offensive key management is challenging, needs further research into new models for a PKI-like system I Easier to use when all parties are aware and in agreement @JacobTorrey | HARES Physically Unclonable Functions 31 I Expose manufacturing variance across devices of same type I Return unique (unclonable without FIB) values to given input I Examples: I SRAM initializes to PUF pattern I Flash memory requires different amounts of charge to jump from 1 to 0 I FPGA gate fabric can exhibit PUFs when \racing" ring oscillators I Provides assurances device has not been modified or simulated @JacobTorrey | HARES S-DRTM 32 I Provides method to verify trustworthiness of platform without requiring hardware extensions such as Intel's Trusted Execution Technologies I Typically uses timing-based attestation against remote trusted entity to measure system and loaded code and prevent active RE or emulation/virtualization 2 @JacobTorrey2Martignoni, | HARES L et al. Conqueror: Tamper-Proof Code Execution on Legacy Systems Offensive Key Management 33 I Boot-kit for key loading I Conqueror for VMM/debugger detection I PUFs for machine-unique keys instead TPM (paired with multi-stage dropper) I With protected execution and device-specific keys we can bootstrap a soft-TPM! I Have trusted, opaque implants @JacobTorrey | HARES AV Heuristics 34 I However, notepad.exe (unencrypted) with a 1-bit change to remove from MS white-list also hits 4/57 @JacobTorrey | HARES Attackers vs. Defenders 35 I There is a track record of attackers evolving to take advantage of technology quicker and more effectively than the defenders it was designed and built for: I Blue Pill I SMM root-kits I ARM TrustZone root-kits I Encrypted malware? I Personal incentives are asymmetric between offense and
Load more

Recommended publications
  • A Complete Bibliography of ACM Transactions on Computer Systems
    A Complete Bibliography of ACM Transactions on Computer Systems Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 10 August 2021 Version 1.75 Title word cross-reference Accelerating [BJS01]. Accelerator [CZL+15]. Accelerators [LAB+13]. Accent [FR86]. Access [AT83, LZCZ86, LP93, Smi84b, GB01]. arc [GS93]. N [SHG95, Mae85]. Access/Execute [Smi84b]. Accesses [AJ19, HY92, Kel00]. accessing [ACM04]. -Body [SHG95]. accounting [EV03]. accuracy [Jim05]. Accurate [GVM+11, NTW09]. Ace [RR99]. 11/780 [Cla83, CE85]. 1988 [ACM88]. Achieve [LLL+16]. ACM [Jha20]. ACM/SIGOPS [ACM88]. Action [Sch84]. + 2.6 [PTS 14]. 2011 [Mow12]. 2019 [MT20]. Actions [Ree83]. Activations [ABLL92]. active [SJS+00]. Activity 36 [Jha20]. [IRH86, MSB+06]. Ad [BYFK08, FKA10]. Adaptable [AC92]. Adaptation 4 [Jha20]. 432 [CGJ88, CCLP83]. [BS91, AD03, FS04]. Adaptive [ALHH08, AS95, MLS97, CT01]. Address 780 [Cla83, CE85]. [CLFL94, SV99]. Adrenaline [HZL+17]. Affected [IRH86]. Aggregate [AB83]. Abstract [Her86, SS84]. abstraction aggregation [JMB05]. Aggressive [CRL03, Kel00]. Abstractions [SKH+16]. 1 2 [GWSU13]. AI [RDB+21]. Air [CDD96]. al [HKS+83]. Arrays [SHCG94]. Article [Jha20]. Algorithm [Jha20]. Asbestos [VEK+07]. [Bad86, DC85, HBAK86, Lam87, Mae85, Assignments [BGM86]. Assistant Ray89, SK85, Zha91]. Algorithms [HLZ+16]. Assisting [KMG16]. [CM86, GD87, GLM91, KS91, KH92, LA93, Associative [SA95]. Astrolabe [VBV03]. MCS91, San87, Sau83a, Sau83b, TS89, KY04]. Asymmetric [SFKP12]. At-Most-Once allergies [QTZS07]. Allocation [LSW91]. ATC [MT20].
    [Show full text]
  • Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token
    Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian Goldberg?1, Graeme Jenkinson2, and Frank Stajano2 1 University of Waterloo (Canada) 2 University of Cambridge (United Kingdom) Abstract. Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnera- ble to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryp- tographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.
    [Show full text]
  • Using Registers As Buffers to Resist Memory Disclosure Attacks Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, Ziqiang Ma
    RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, Ziqiang Ma To cite this version: Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, et al.. RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. pp.293-307, 10.1007/978-3-319-33630-5_20. hal-01369563 HAL Id: hal-01369563 https://hal.inria.fr/hal-01369563 Submitted on 21 Sep 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks Yuan Zhao1;2;3?, Jingqiang Lin1;2, Wuqiong Pan1;2??, Cong Xue1;2;3, Fangyu Zheng1;2;3, and Ziqiang Ma1;2;3 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China 2 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China 3 University of Chinese Academy of Sciences, China {yzhao,linjq,wqpan,cxue13,fyzheng,zqma13}@is.ac.cn Abstract.
    [Show full text]
  • Lest We Remember: Cold Boot Attacks on Encryption Keys
    Lest We Remember: Cold Boot Attacks on Encryption Keys J. Alex Halderman*, Seth D. Schoen†, Nadia Heninger*, William Clarkson, William Paul‡, Joseph A. Calandrino*, Ariel J. Feldman*, Jacob Appelbaum and Edward W. Felten* *Princeton University †Electronic Frontier Foundation ‡Wind River Systems USENIX Security Symposium, 2008 Presented by: Andra-Maria Ilieș Seminar in Computer Architecture 1 Executive summary ■ Problem: DRAMs lose their data gradually after the power is cut ■ Goal: Present a new type of attack which exploits remanence effect ■ Method: ■ Acquire usable full-system memory image ■ Extract cryptographic key ■ Gain access to secret data ■ Evaluation: succeeded on most popular disk encryption systems 2 Background, Problem & Goal 3 DRAM ■ A DRAM cell consists of a capacitor and an access transistor. ■ It stores data in terms of change in the capacitor. wordline access transistor bitline bitline storage bitline capacitor 4 DRAM refresh ■ DRAM capacitor charge leaks over time ■ Each DRAM row is refreshed periodically to restore charge ■ Period usually is 64 ms ■ Retention time: maximum time a cell can go without being refreshed while maintaining its stored data ■ Decay: bit flips caused by charge leak ■ Cell leak = cell decays to ground state ■ When powered off DRAM loses its data completely 5 Retention time and temperature ■ Contents survive at some extent even at room temperature ■ LINK, W., AND MAY, H. Eigenschaften von MOS - Ein Transistorspeicherzellen bei tiefen Temperaturen. Archiv fur Elekotronik und Ubertragungstechnik 33 (June 1979), 229–235 ■ DRAM showed no data loss for a full week without refresh when cooled with liquid nitrogen ■ Retention time can be increased by cooling 6 Retention time and booting ■ Chow, Jim & Pfaff, Ben & Garfinkel, Tal & Rosenblum, Mendel.
    [Show full text]
  • OS-Level Attacks and Defenses: from Software to Hardware-Based Exploits © December 2018 by David Gens Phd Referees: Prof
    OS-LEVELATTACKSANDDEFENSES: FROMSOFTWARETOHARDWARE-BASEDEXPLOITS Dissertation zur Erlangung des akademischen Grades Doktor der Ingenieurswissenschaften (Dr.-Ing.) genehmigt durch den Fachbereich Informatik (FB 20) der Technischen Universtität Darmstadt von D AV I D G E N S aus Wiesbaden, Deutschland Gutachter: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (Erstreferent) Prof. Dr. Thorsten Holz (Zweitreferent) Tag der Einreichung: 14. Dezember 2018 Tag der Disputation: 13. Februar 2019 CYSEC/System Security Lab Intel Collaborative Research Institute (ICRI-CARS) Fachbereich für Informatik Technische Universität Darmstadt Hochschulkennziffer: D17 OS-level Attacks and Defenses: from Software to Hardware-based Exploits © December 2018 by David Gens phd referees: Prof. Dr.-Ing. Ahmad-Reza Sadeghi (1st PhD Referee) Prof. Dr. Thorsten Holz (2nd PhD Referee) further phd commission members: Prof. Dr. Sebastian Faust Prof. Dr. Guido Salvaneschi Prof. Dr.-Ing. Thomas Schneider Darmstadt, Germany December 2018 Veröffentlichung unter CC-BY-SA 4.0 International https://creativecommons.org/licenses/ ABSTRACT Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming repre- senting the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed soft- ware, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and ef- fective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabil- ities to construct successful exploits.
    [Show full text]
  • Protecting Data In-Use from Firmware and Physical Attacks
    Protecting Data In-Use from Firmware and Physical Attacks Stephen Weis PrivateCore Palo Alto, CA ABSTRACT 2. PHYSICAL ATTACKS Defending computers from unauthorized physical access, ma- It is generally understood that physical access to an x86 licious hardware devices, or other low-level attacks has proven platform can completely compromise software security. His- extremely challenging. The risks from these attacks are torically, physical security controls such as cages, cameras, exacerbated in cloud-computing environments, where users and locks have been employed to prevent or detect physical lack physical control over servers executing their workloads. access. Yet with adoption of outsourced infrastructure and This paper reviews several firmware and physical attacks cloud computing, x86 platforms are increasingly run outside against x86 platforms, including bootkits, "cold booting", the physical control of the software owner. and malicious devices. We discuss several existing tools and This section briefly summarizes several well-known phys- technologies that can mitigate these risk such as Trusted ical attack vectors against x86 platforms, including DMA Execution Technology (TXT) and main memory encryption. and physical memory extraction. We will also discuss upcoming technologies that may help protect against firmware and physical threats. 2.1 Direct Memory Access By design, x86 architectures provide direct memory access (DMA) from hardware subsystems to main memory without 1. INTRODUCTION invoking the CPU. DMA is generally used to improve per- formance. For example, DMA allows disk, network, and In 2013, journalists revealed that the United States Na- graphics devices to read and write data directly to memory tional Security Agency's (NSA) Tailored Access Operations without incurring CPU cycles.
    [Show full text]
  • Protecting Private Keys Against Memory Disclosure Attacks Using Hardware Transactional Memory
    2015 IEEE Symposium on Security and Privacy Protecting Private Keys against Memory Disclosure Attacks using Hardware Transactional Memory Le Guan∗†§, Jingqiang Lin∗†,BoLuo‡, Jiwu Jing∗† and Jing Wang∗† ∗Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China †State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China ‡Department of Electrical Engineering and Computer Science, the University of Kansas, USA §University of Chinese Academy of Sciences, China Email: {guanle, linjingqiang}@iie.ac.cn, [email protected], {jingjiwu, wangjing}@iie.ac.cn Abstract—Cryptography plays an important role in comput- without any privileges to steal sensitive data in memory [58]. er and communication security. In practical implementations of Malicious unprivileged processes can exploit other different cryptosystems, the cryptographic keys are usually loaded into vulnerabilities [31, 50, 57, 59] to obtain unauthorized mem- the memory as plaintext, and then used in the cryptographic algorithms. Therefore, the private keys are subject to memory ory data. According to the statistics of Linux vulnerabilities disclosure attacks that read unauthorized data from RAM. [24], 16.2% of the vulnerabilities can be exploited to read Such attacks could be performed through software methods unauthorized data from the memory space of operating (e.g., OpenSSL Heartbleed) even when the integrity of the system (OS) kernel or user processes. These memory dis- victim system’s executable binaries is maintained. They could closure attacks can be launched successfully, even when also be performed through physical methods (e.g., cold-boot attacks on RAM chips) even when the system is free of the integrity of the victim system’s executable binaries is software vulnerabilities.
    [Show full text]
  • Analysing Android's Full Disk Encryption Feature
    Analysing Android’s Full Disk Encryption Feature Johannes Gotzfried¨ ∗ and Tilo Muller¨ Friedrich-Alexander-Universitat¨ Erlangen-Nurnberg,¨ Germany fjohannes.goetzfried, [email protected] Abstract Since Android 4.0, which was released in October 2011, users of Android smartphones are pro- vided with a built-in encryption feature to protect their home partitions. In the work at hand, we give a structured analysis of this software-based encryption solution. For example, software-based encryption always requires at least a small part of the disk to remain unencrypted; in Android this is the entire system partition. Unencrypted parts of a disk can be read out and are open to system manipulations. We present a tool named EvilDroid to show that with physical access to an encrypted smartphone only (i.e., without user level privileges), the Android system partition can be subverted with keylogging. Additionally, as it was exemplary shown by attacks against Galaxy Nexus devices in 2012, Android-driven ARM devices are vulnerable to cold boot attacks. Data recovery tools like FROST exploit the remanence effect of RAM to recover data from encrypted smartphones, at worst the disk encryption key. With a Linux kernel module named Armored, we demonstrate that Android’s software encryption can be improved to withstand cold boot attacks by performing AES entirely on the CPU without RAM. As a consequence, cold boot attacks on encryption keys can be defeated. We present both a detailed security and a performance analysis of Armored. Keywords: cold boot, evil maid, Android, cpu-bound encryption 1 Introduction Smartphones are long since part of the privacy sphere of their owners, and consequently, a missing smartphone that falls into the wrong hands has severe consequences for its owner.
    [Show full text]
  • OCRAM-Assisted Sensitive Data Protection on ARM-Based Platform
    OCRAM-assisted Sensitive Data Protection on ARM-based Platform Dawei Chu1;2;3, Yuewu Wang1;2;3, Lingguang Lei1;2;3 ?, Yanchu Li1;2;3, Jiwu Jing4, and Kun Sun5 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences 2 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences 3 School of Cyber Security, University of Chinese Academy of Sciences 4 School of Computer Science and Technology, University of Chinese Academy of Sciences 5 Center for Secure Information Systems, George Mason University Abstract. On mobile devices, security-sensitive tasks (e.g., mobile payment, one-time pass- word) involve not only sensitive data such as cryptographic keying material, but also sensitive I/O operations such as inputting PIN code via touchscreen and showing the authentication verification code on the display. Therefore, a comprehensive protection of these services should enforce a Trusted User Interface (TUI) to protect the sensitive user inputs and sys- tem outputs, in addition to preventing both software attacks and physical memory disclo- sure attacks. In this paper, we present an On-Chip RAM (OCRAM) assisted sensitive data protection mechanism named Oath on ARM-based platform to protect the sensitive data, particularly, sensitive I/O data, against both software attacks and physical memory disclo- sure attacks. The basic idea is to store and process the sensitive data in the OCRAM that is only accessible to the TrustZone secure world. After figuring out how to enable TrustZone protection for iRAM, we develop a trusted user interface with an OCRAM allocation mech- anism to efficiently share the OCRAM between the secure OS and the rich OS.
    [Show full text]
  • Protecting Data In-Use from Firmware and Physical Attacks
    Protecting Data In-Use from! Firmware and Physical Attacks Steve Weis! PrivateCore About Me • Cryptography & Information Security • Co-founder & CTO of PrivateCore • Ex-Google Security • PhD in crypto Steve Weis! saweis.net @sweis Today’s Talk Spot the implants 4 NSA ANT NSA Observer https://nsa-observer.laquadrature.net/ • Targets the BIOS firmware ! • BIOS exploits system management mode (SMM) ! • Infection through a USB stick System Management Mode (SMM) FigureSystem 11-1.SMRR Management Mapping Mode (SMM) with a Typical Memory Layout FigureSystem 11-1.SMRR Management Mapping Mode (SMM) with a Typical Memory LayoutTo p of M em o ry ( To M) System Management Mode (SMM) System ManagementHigh Mode (SMM) Memory SMRAM + IEDRAM is To p of M em o ry ( To M) mapped byFigure the CS11-1.SMRR Mapping with a Typical Memory Layout as TSEG and in the Figure 11-1.SMRR MappingHigh with aMemory Typical Memory Layout4 GB CPU with the SMRR Figure 11-1.SMRR Mapping with a Typical Memory Layout System Management Mode SMRAM + IEDRAM is PCI Memory Hole mapped by the CS To p of M em o ry ( To M) as TSEG and in the 4ToTo pGB p pof of Mof M em emL o ory o w( ry To M M)( To em M) o ry ( To L M) CPU with the SMRR High Memory PCIIEDRAM Memory Hole SMRAM + IEDRAM is HighHigh Memory Memory G R (4MB Minimum) • “Ring -2”: Highest levelE Rofmapped SMRAMprivilege by + theSMRAM IEDRAM CS + IEDRAM is is To p of L o w M em o ry ( To L M) mapped by the CS IEDBASE = SMRR_PHYSBASE + 4MB S Mas TSEG and in the T mapped byas TSEGthe CS and in the S 4 GBGB CPUas with TSEG
    [Show full text]
  • Trevisor OS-Independent Software-Based Full Disk Encryption Secure Against Main Memory Attacks
    TreVisor OS-Independent Software-Based Full Disk Encryption Secure against Main Memory Attacks Tilo M¨uller, Benjamin Taubmann, and Felix C. Freiling Department of Computer Science Friedrich-Alexander University of Erlangen-Nuremberg Abstract. Software-based disk encryption techniques store necessary keys in main memory and are therefore vulnerable to DMA and cold boot attacks which can acquire keys from RAM. Recent research results have shown operating system dependent ways to overcome these attacks. For example, the TRESOR project patches Linux to store AES keys solely on the microprocessor. We present TreVisor, the first software-based and OS-independent solution for full disk encryption that is resistant to main memory attacks. It builds upon BitVisor, a thin virtual machine monitor which implements various security features. Roughly speaking, TreVisor adds the encryption facilities of TRESOR to BitVisor, i. e., we move TRESOR one layer below the operating system into the hypervisor such that secure disk encryption runs transparently for the guest OS. We have tested its compatibility with both Linux and Windows and show positive security and performance results. 1 Introduction Why Disk Encryption Matters. Disk encryption is an increasingly popu- lar method to protect sensitive data against physical loss and theft of nomadic computer systems. According to a Ponemon survey from 2010 [24], the majority of U. S. enterprises has an overall strategy for data protection from which full disk encryption (FDE) is the fastest growing favorite (59 %). Also the U. S. govern- ment recommends agencies to encrypt all data on mobile devices to compensate the lack of physical security outside their agency location [15].
    [Show full text]
  • Trusted Systems in Untrusted Environments: Protecting Against Strong Attackers
    Trusted Systems in Untrusted Environments: Protecting against Strong Attackers Vertrauenswürdige Systeme in nicht vertrauenswürdigen Umgebungen: Schutz vor starken Angreifern Der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg zur Erlangung des Doktorgrades Dr.-Ing. vorgelegt von Johannes Götzfried aus Amberg Als Dissertation genehmigt von der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg Tag der mündlichen Prüfung: 7. Dezember 2017 Vorsitzender des Promotionsorgans: Prof. Dr.-Ing. Reinhard Lerch Gutachter: Prof. Dr.-Ing. Felix Freiling Prof. Dr. Ir. Ingrid Verbauwhede Abstract In this thesis, we investigate possibilities of operating trusted systems within untrusted environments in the presence of strong attackers. We consider attackers with physical access to a system as well as root-level attackers which are able to execute code on the target system at the highest privilege level possible. Our proposed defense mechanisms range from hardware-based trusted computing architectures over hardware-assisted software solutions to pure software-based encryption schemes. First, we design two hardware-based trusted computing architectures for embedded devices, called Soteria and Atlas, which both protect against root-level attackers and focus on code and data confidentiality. At its heart, Soteria is a lightweight program-counter based memory access control extension which provides integrity, authenticity, and confidentiality guarantees for software modules. To guarantee the confidentiality of code at any given point in time against all software attacks, we design a scheme consisting of initially encrypted software modules and loader modules. Mutual integrity checks between software modules and the loader ensure that a software module is only decrypted if the system behaves with integrity. Atlas protects software modules with the help of an encryption unit placed between the cache and main memory.
    [Show full text]