TreVisor OS-Independent Software-Based Full Disk Secure Against Main Memory Attacks

June 26 - 29 • ACNS 2012 • Singapore

Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Department of Computer Science Friedrich-Alexander University of Erlangen-Nuremberg Contents

I. Motivation: Memory Attacks on Full Disk Encryption

II. Background & Design

• TRESOR Runs Encryption Securely Outside RAM

• TreVisor: The TRESOR Hypervisor

• BitVisor: A Thin Hypervisor for Enforcing I/O Device Security

III. Implementation Details: The BitVisor Patch

IV. Evaluation: Performance, Compatibility, Security

V. Conclusion

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part I Motivation

I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion

Disk Encryption

● Full disk encryption (FDE) protects data against physical loss and theft of the hard drive.

● It does generally not protect against remote attacks.

Source: http://bvinews.com/bvi/wp-content/uploads//2011/07/laptop-theft-in-action.jpg

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption

But current (software-based) FDE solutions do not protect data effectively if an adversary gains physical access!

Why?

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Software Disk Encryption

RAM HDD (unencrypted) CPU (encrypted) en/decrypt

● Software-based disk encryption stores necessary keys in RAM

● Including BitLocker, FileVault, dm-crypt, and TrueCrypt

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory

Problem: main memory is no secure storage for cryptographic keys.

1) DMA Attacks via Firewire, Thunderbolt, PCIe, etc.

2) Cold Boot Attacks on Encryption Keys

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling DMA Attacks Direct Memory Access is exploitable:

2004: Firewire 0wned by an iPod from Maximilian Dornseif -- All Your Memory Are Belong To Us

... PC Card / ExpressCard / PCIe / more Firewire ...

2012: Thunderbolt Adventures with Daisy in Thunderbolt -DMA-land: Hacking Macs through the Thunderbolt interface

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Cold Boot Attacks

● Remanence effect of DRAM:

● 2008: Lest We Remember: Cold Boot Attacks on Encryption Keys

Source: https://citp.princeton.edu/research/memory/media/ June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory

Memory attacks require target systems to be running or in suspended mode

● Lost and theft of suspended laptops at public places

● Confiscation of running servers by law enforcement authorities

Source: http://i.dailymail.co.uk Source: http://gottabemobile.wpengine.netdna-cdn.com

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory

Basically all memory contents can be read out. We focus on the security of disk encryption keys

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption Solutions

Software FDE Hardware FDE TRESOR/TreVisor

RAM RAM RAM

HDD HDD HDD

CPU CPU CPU

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part II Background & Design

I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion

TRESOR TRESOR Runs Encryption Securely Outside RAM

● Published at USENIX 2011

● Keys are stored in CPU registers (dr0-dr3) rather than in RAM

● All intermediate states / runtime variables are stored only in CPU registers as well

● Challenges:

● No use of stack and heap

● Scheduling, hardware interrupts, and context switches

● Userland access to debug registers (dr0-dr3)

● Swapping and Suspend-to-Disk / RAM

● ...

● Linux kernel patch (originally for 2.6.36); dm-crypt support

● AES-128, -192, and -256 accelerated by 's AES-NI

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TRESOR Problems

● TRESOR effectively defeats cold boot attacks, but is still vulnerable to:

● write-able DMA attacks on running machines (code infiltration)

● local privilege escalations (loadable kernel modules and /dev/kmem)

● buggy drivers can lead to data corruption

● full disk encryption (FDE) is tricky to set up

● works for Linux only; no other OS supported

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TreVisor The TRESOR HyperVisor

● TreVisor is a ``thin hypervisor`` that encrypts hard disks transparently for the guest OS.

● one unmodified guest, including Linux and Windows.

● Most devices are just passed through, except

● hard disk: hook into file access in order to en-/decrypt data transparently with TRESOR technology.

● DMA devices: filter memory transfers by means of the IOMMU ; access to hyperspace is disallowed.

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TRESOR vs. TreVisor

(a) TRESOR (b) TreVisor

App App App App ring 3 App App App App

unused ring 1+2 unused

TRESOR patched Linux ring 0 Any Operating System

unused ring -1 TreVisor

HDD Other Hardware HDD Other Hardware

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling BitVisor A Secure and Lightweight Hypervisor

● University of Tsukuba ; published at VEE '09

● Thin hypervisor that implements various security features: FDE, VPN, VT-d/IOMMU, TCG, etc.

● Parapass-through architecture  no drivers required for most devices

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling

Tresor + BitVisor = TreVisor We use BitVisor as a basis for TreVisor

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part III Implementation Details

I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion

Registers

Debug registers: SSE Registers: General Purpose:

dr0 (64-bit) xmm0 (128-bit) rax (64-bit)

dr1 (64-bit) xmm1 (128-bit) rbx (64-bit)

dr2 (64-bit) ... rcx (64-bit)

dr3 (64-bit) xmm15 (128-bit) rdx (64-bit)

● dr0 to dr3 are exclusively reserved as key storage ; hardware breakpoints cannot be set by userland applications anymore

● xmm0 to xmm15 and GPRs are used only temporarily inside atomic sections

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Key Storage Registers

● Usually, debug registers (dr0 - dr7) can be accessed with ring 0 privileges from guest OS

● Now we need exclusive access from ring -1 (VMM)

● We must protect the debug registers from guest OS:

● Throw VMEXIT exception when the guest tries to access debug registers (virtualization control: "MOV-DR exiting")

● Exception handler: ignore instruction (increment IP), don't throw exception to guest, mirror guest debug regs in RAM

 Changes privilege level of debug regs from ring 0 to -1

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Key Management

● Every CPU core should be able to do encryption

 Key has to be present in every single core

 Use Inter-Processor Interrupts (IPIs) to distribute the key (For key distribution, RAM is used briefly but cleared thoroughly afterwards)

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption

● BitVisor already knows about FDE

● drivers for ATA and USB disks

● routines for hooking disk accesses

● So what is missing?

● the "TRESOR" crypto module

● e.g.: implement crypto_tresor_init(), crypto_tresor_encrypt(), and crypto_tresor_decrypt()

● most of the routines implemented in assembly (AES-NI)

● Important: TRESOR code must run atomically and zero-fill used registers (SSE + GPRs) before exiting

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Availability

http://www1.cs.fau.de/trevisor

● In active development by Benjamin Taubmann

● Latest patch from mid of June

● 3.800 lines of code, mixture of C and assembly

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part IV Evaluation

I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion

TreVisor Performance

10 20 30 40 50 60 MB/s

59.3 MB/s Linux (write) 54.4 MB/s 56.0 MB/s

38.8 MB/s Linux (read) 36.3 MB/s 32.5 MB/s

43.3 MB/s Windows 39.4 MB/s 35.3 MB/s AES-128 AES-192 AES-256

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Linux Performance

10 20 30 40 50 60 MB/s

No 60.7 MB/s VMM 63.7 MB/s

No 59.9 MB/s Crypto 63.2 MB/s

AES-NI 59.2 MB/s 256 62.9 MB/s

StdAES 57.6 MB/s 256 37.8 MB/s

TRESOR 56.0 MB/s 256 32.5 MB/s write read

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Compatibility: Hardware

● CPU requirements:

-64

● Multimedia Extensions (SSE / AVX / ...)

● Virtualization (VT-x)

● VT-d/IOMMU

● Hardware Encryption (AES-NI)

● Those are currently:

● Intel Core-i5

● Intel Core-i7

● Many upcoming CPUs, also from AMD

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Compatibility: Software

● Operating systems: basically all x86 OSs. Most noteworthy:

● LINUX

● WINDOWS

● Userland

● Debuggers: Yes, but without hardware breakpoints.

● Virtualization: Yes, but without hardware acceleration.

● Everything else: w/o restrictions

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Security Overview

Threat Model Hard Disk Encryption Memory System BitLocker TRESOR BitVisor TreVisor Attack State / dmcrypt off cold boot running suspend off DMA * running suspend OS independent

*) running on a CPU with VT-d/IOMMU support

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Security Analysis

● We spent considerable effort to ensure that no key data enters RAM

● Methods we used to dump RAM

● cold boot attacks

● BitVisor debugging shell

● virtualization

● DMA attacks (Firewire; IOMMU switched off)

● We were not able to recover any keybits

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part V Conclusion

I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion

Conclusion

We solved the main drawbacks of TRESOR

● secure against local privilege escalations

● secure against data corruption through buggy drivers

● secure against write-able DMA attacks

● easy to set up full disk encryption

● Windows support (and many other OSs)

June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling

The End Thank you for your attention!