Operating System Support for Run-Time Security with a Trusted Execution Environment

Operating System Support for Run-Time Security with a Trusted Execution Environment

Operating System Support for Run-Time Security with a Trusted Execution Environment - Usage Control and Trusted Storage for Linux-based Systems - by Javier Gonz´alez Ph.D Thesis IT University of Copenhagen Advisor: Philippe Bonnet Submitted: January 31, 2015 Contents Preface2 1 Introduction4 1.1 Context.......................................4 1.2 Problem.......................................6 1.3 Approach......................................7 1.4 Contribution....................................9 1.5 Thesis Structure.................................. 10 I State of the Art 12 2 Trusted Execution Environments 14 2.1 Smart Cards.................................... 15 2.1.1 Secure Element............................... 17 2.2 Trusted Platform Module (TPM)......................... 17 2.3 Intel Security Extensions.............................. 20 2.3.1 Intel TXT.................................. 20 2.3.2 Intel SGX.................................. 21 2.4 ARM TrustZone.................................. 23 2.5 Other Techniques.................................. 26 2.5.1 Hardware Replication........................... 26 2.5.2 Hardware Virtualization.......................... 27 2.5.3 Only Software............................... 27 2.6 Discussion...................................... 27 3 Run-Time Security 30 3.1 Access and Usage Control............................. 30 3.2 Data Protection................................... 33 3.3 Reference Monitors................................. 36 3.3.1 Policy Enforcement............................. 36 3.3.2 Intrusion Detection............................. 36 3.3.3 Code Integrity Protection......................... 37 3.4 Conclusion..................................... 39 4 Boot Protection 40 4.1 Boot Protection Mechanisms........................... 40 4.2 Discussion...................................... 42 2 5 Discussion 44 II Contribution 46 6 Split Enforcement 48 6.1 Background..................................... 49 6.2 Hypothesis..................................... 50 6.2.1 Application State.............................. 51 6.2.2 Application Monitoring.......................... 52 6.3 Design Space.................................... 53 6.3.1 Secure Drivers............................... 54 6.3.2 Split Enforcement............................. 56 6.3.3 Approach.................................. 58 6.4 Target Devices................................... 59 6.5 Conclusion..................................... 61 7 TrustZone TEE Linux Support 63 7.1 TrustZone TEE Framework............................ 63 7.1.1 Open Virtualization Analysis....................... 65 7.1.2 Summary.................................. 69 7.2 Generic TrustZone Driver for Linux Kernel................... 70 7.2.1 Design Space................................ 70 7.2.2 Design and Implementation........................ 73 7.2.3 Open Virtualization Driver........................ 78 7.3 Driver Status.................................... 80 7.4 Conclusion..................................... 81 8 Trusted Cell 83 8.1 Architecture..................................... 84 8.1.1 REE Trusted Cell............................. 86 8.1.2 TEE Trusted Cell............................. 90 8.2 Trusted Services.................................. 96 8.2.1 Trusted Storage............................... 96 8.2.2 Reference Monitor............................. 101 8.3 Prototype...................................... 106 8.4 Conclusion..................................... 110 9 Certainty Boot 112 9.1 Context....................................... 112 9.1.1 Example Scenario............................. 114 9.2 Architecture..................................... 114 9.2.1 First Phase Verification.......................... 116 9.2.2 Second Phase Verification......................... 117 9.2.3 Exchange OS and Boot Loader...................... 118 9.3 Conclusion..................................... 119 3 III Evaluation 121 10 Analytical Evaluation 123 10.1 Security Analysis.................................. 123 10.1.1 Types of Attacks.............................. 123 10.1.2 Hardware Protection Baseline....................... 125 10.1.3 Attacks against TrustZone Driver..................... 126 10.1.4 Attacks against Trusted Cell....................... 128 10.1.5 Attacks against Certainty Boot...................... 136 10.2 Design Requirements Compliance......................... 137 10.2.1 State Machine and Reference Monitor Abstraction........... 137 10.2.2 Low TCB.................................. 138 10.2.3 Protection vs. Innovative Applications.................. 138 10.2.4 Untrusted Commodity OS......................... 138 10.2.5 TrustZone Driver Genericity........................ 139 10.3 Conclusion..................................... 139 11 Experimental Evaluation 140 11.1 Experimental Setup................................ 141 11.2 Performance Overhead............................... 143 11.2.1 Application Benchmarks.......................... 144 11.2.2 Microbenchmarks.............................. 146 11.2.3 Applicability of Split-Enforcement.................... 152 11.3 Discussion...................................... 154 12 Conclusion 156 12.1 Conclusion..................................... 156 12.2 Future Work.................................... 157 12.2.1 Linux TEE support and Trusted Modules................ 158 12.2.2 Current Trusted Services......................... 159 12.2.3 New Trusted Services........................... 160 Glossary 162 4 Abstract Software services have become an integral part of our daily life. Cyberattacks have thus become a problem of increasing importance not only for the IT industry, but for society at large. A way to contain cyberattacks is to guarantee the integrity of IT systems at run-time. Put differently, it is safe to assume that any complex software is compromised. The problem is then to monitor and contain it when it executes in order to protect sensitive data and other sensitive assets. To really have an impact, any solution to this problem should be integrated in commodity operating systems. In this thesis we introduce run-time security primitives that enable a number of trusted services in the context of Linux. These primitives mediate any action involving sensitive data or sensitive asset in order to guarantee their integrity and confidentiality. We introduce a general mechanism to protect sensitive assets at run-time that we denote split-enforcement, and provide an implementation for ARM-powered devices using ARM TrustZone security extensions. We design, build and evaluate a prototype Trusted Cell that provides trusted services. We also present the first generic TrustZone driver in the Linux operating system. We are in the process of making this driver part of the mainline Linux kernel. Preface The journey that has led to this writing has been long; at times exciting and at many others difficult. However, as in any other long term commitment, it is the process of walking the new path that is worth the effort. There are many people to thank for their time, knowledge, and above all support during these years. I can only hope that I have expressed my gratitude enough to them, before they can identify themselves here. Thanks to Philippe Bonnet, my advisor, for taking care of me during these years: Thanks for not babysitting. Thanks for letting me hit the wall hard enough to know the feeling without getting hurt. Thanks for sharing your knowledge. But above all, thanks for helping me find something that I love doing. Thanks to INTERACT for financing my Ph.D. Also, thanks to Inger Vibeke Dorph for handling it on the IT University side: Paperwork would have killed me long ago had it not been for you. Thanks to my Ph.D and office colleagues, who have helped in all possible ways. Matias Bjørlig, Jonathan F¨urst,Aslak Johansen, Joel Granados, Niv Dayan, Jesper Wendel De- vantier, Mohammed Aljarrah, and Michal Mouˇcka: Thanks for the coffees, the discussions, the comments, and the critics. But above all, thanks for taking the time for explaining what I could not understand alone. Thanks to the SMIS group for hosting my stay abroad at INRIA Rocquencourt, France. Special thanks to Luc Bouganim for making it possible: This stay has indeed been one of the most productive periods of my Ph.D, and it is all thanks to you. Also, thanks to Philippe, Henriette, Anna, Clara, and Oscar for opening a home for me during my stay in France: I did feel home, and I will never forget your kindness. Thanks to Xilinx for taking me on an internship. Special thanks to Dave Beal and Steve McNeil. Also, thanks to the rest of the security team at Albuquerque: Thanks for giving me the chance to learn and contribute on equal terms. Thanks to all the people collaborating in the publications that have made this thesis possi- ble. Michael H¨olzand Peter Riedl from the Upper Austria University of Applied Sciences: Thanks for the great work. Also, thanks to their advisor, Rene Mayrhofer, for endorsing this collaboration. Thanks to the IT University of Copenhagen for being such a fantastic place to work. To all 2 the people that make ITU what it is: Thanks. Special thanks to Freja Krab Koed Eriksen and Christina Rasmussen for supporting us, Ph.D students, in the best possible way: We all owe you, I hope you know it. Thanks to family and friends for all the rest. Naming all of you would require twice as many pages as the ones already written: You know who you are. Thanks for the phone calls, the music, the bars, the concerts, the smiles, the beers, the dinners,

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    194 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us