SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security Fengwei Zhang Hongwei Zhang Department of Computer Science Department of Computer Science Wayne State University Wayne State University [email protected] [email protected] ABSTRACT are crucial to secure computer systems: The isolated exe- Hardware-assisted Isolated Execution Environments (HIEEs) cution concept provides a Trusted Execution Environment have been widely adopted to build effective and efficient de- (TEE) for running defensive tools on a compromised sys- fensive tools for securing systems. Hardware vendors have tem. Using hardware-assisted technologies excludes the hy- introduced a variety of HIEEs including system management pervisors from TCB, achieves a high level of privilege (i.e., mode, Intel management engine, ARM TrustZone, and Intel hardware-level privilege), and reduces performance overhead software guard extensions. This SoK paper presents a com- giving that context switches are performed faster in hard- prehensive study of existing HIEEs and compares their fea- ware. tures from the security perspective. Additionally, we explore In this SoK paper, we survey the state-of-the-art sys- both defensive and offensive use scenarios of HIEEs and dis- tems that leverage HIEEs for security. We first study six cuss the attacks against HIEE-based systems. Overall, this hardware-level computing environments (i.e., HIEEs) that paper aims to give an essential checkpoint of the state-of- have been used for building security tools. Based on the the-art systems that use HIEEs for trustworthy computing. timelines they introduced, we categorize them as follows. 1) Legacy HIEEs: System Management Mode (SMM) and Dy- namic Root of Trust for Measurements (DRTM); 2) recent Keywords HIEEs: Intel Management Engine (ME), AMD Platform Se- Isolated execution environments, hardware, security curity Processor (PSP), and ARM TrustZone; 3) the latest HIEE: Intel Software Guard Extensions (SGX). We discuss the security usage scenarios of HIEEs from both defensive 1. INTRODUCTION and offensive points of view, and further describe these us- Isolating code execution is one of the fundamental ap- age scenarios along with the existing HIEE-based systems. proaches to achieving security. Researchers use virtualiza- Additionally, we identify attacks and security concerns to tion technology to create an isolated execution environment HIEE-based systems from two aspects: 1) the isolated com- for running defensive tools. Moreover, Virtual machine in- puting environments (i.e., HIEEs themselves) and 2) the trospection [21] has been widely adopted for attacks detec- approach of using HIEEs for security. For each HIEE it- tion and malware analysis. However, existing virtualization- self, we enumerate potential attacks against it and describe based approaches have limitations including: 1) Dependence corresponding mitigations. In terms of the approach of us- on hypervisors that may have a large Trusted Computing ing HIEEs for security in general, we raise security con- Base (TCB). For instance, the latest Xen hypervisor has cerns such as ensuring trusted path and verifying trustwor- 532K lines of source code obtained from [11]. 2) Failure to thy hardware. Note that the concept of HIEE needs to be deal with hypervisor or firmware rootkits. Virtualization- distinguished from TEE. On one hand, a TEE may not be based approaches rely on hypervisors so they cannot analyze a HIEE such as software-based TEEs (e.g., virtualization the same or higher privilege-level rootkits. And 3) suffering technology); on the other hand, a HIEE does not have to be from system performance overhead (e.g., context switches a TEE (e.g., SMM is a HIEE but may not be a TEE because from a VM to a hypervisor). it is not designed for security). In light of these problems, researchers proposed to use The main contributions of this SoK paper are: Hardware-assisted Isolated Execution Environments (HIEEs) for securing systems. This approach combines the isolated • We present a thorough study of six HIEEs including execution concept with hardware-assisted technologies. Both SMM, Intel ME, AMD PSP, DRTM, Intel SGX, and ARM TrustZone, and compare their hardware features Permission to make digital or hard copies of all or part of this work for personal or for trustworthy computing. classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full cita- • We explore both the defensive and offensive use sce- tion on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- narios of HIEEs and describe them with the state-of- publish, to post on servers or to redistribute to lists, requires prior specific permission the-art HIEE-based systems. and/or a fee. Request permissions from [email protected]. HASP 2016, June 18 2016, , • We discuss all attacks against the computing environ- c 2016 ACM. ISBN 978-1-4503-4769-3/16/06. $15.00 ment of each HIEE (e.g., bypassing the isolation) and DOI: http://dx.doi.org/10.1145/2948618.2948621 some mitigations. • We raise the concerns about the approach of using Protected Mode System Management Mode HIEEs for security including ensuring the trusted switch- ing path and verifying trustworthiness of hardware tech- Highest privilege nologies. Trigger SMI Software SMM entry SMI or Isolated SMRAM The rest of the paper is organized as follows. Section 2 SMM exit Handler Hardware explains different HIEEs including SMM, Intel ME, AMD RSM Interrupts disabled PSP, DRTM, Intel SGX, and ARM TrustZone. Section 3 presents the security use cases of HIEEs. Section 4 presents all attacks against the HIEEs. Section 5 discusses the secu- Normal OS Isolated Execution Environment rity concerns of the HIEE-based approach. Lastly, Section 6 concludes the SoK paper with our expectations. Figure 1: SMI Triggering Process 2. HIEE tablets, and smart phones [36]. Intel introduced ME as an In this section, we first explain Hardware-assisted Isolated embedded processor in 2007. At that time, its main func- Execution Environments (HIEEs) including system manage- tion was to support Intel Active Management Technology ment mode, Intel management engine, AMD secure proces- (AMT), and Intel AMT is the first application running in sor, dynamic root of trust for measurement, Intel software the ME. Recently, Intel started to use ME as a Trusted Exe- guard extension, and ARM TrustZone. Then, we briefly cution Environmental (TEE) for executing security-sensitive compare these HIEEs. applications. According to the latest ME book [36] written by an Intel Architect working on ME, a few security appli- 2.1 System Management Mode cations have been or will be implemented in ME including System Management Mode (SMM) [24] is a mode of ex- enhanced privacy identification, protected audio video path, ecution similar to Real and Protected modes available on identity protection technology, and boot guard. x86 platforms (Intel started to use SMM in its Pentium Figure 2 shows the hardware architecture of ME. From processors since early 90s). It provides a hardware-assisted the figure we can see that ME is like a computer; it contains isolated execution environment for implementing platform- a processor, cryptography engine, Direct Memory Access specific system control functions such as power management. (DMA) engine, Host-Embedded Communication Interface It is initialized by the Basic Input/Output System (BIOS). (HECI) engine, Read-Only Memory (ROM), internal Static SMM is triggered by asserting the System Management Random-Access Memory (SRAM), a timer, and other I/O Interrupt (SMI) pin on the CPU. This pin can be asserted devices. ME executes the instructions on the processor, and in a variety of ways, which include writing to a hardware it has code and data caches to reduce the number of ac- port or generating Message Signaled Interrupts with a PCI cesses to the internal SRAM. The internal SRAM is used to device. Next, the CPU saves its state to a special region store the firmware code and runtime data. Besides the in- of memory called System Management RAM (SMRAM). ternal SRAM, ME also uses some Dynamic Random-Access Then, it atomically executes the SMI handler stored in SM- Memory (DRAM) from the main system's memory (i.e., host RAM. SMRAM cannot be addressed by the other modes of memory). This DRAM serves a role as the disk; the mem- execution. The requests for addresses in SMRAM are in- ory pages of code/data that are not currently used by ME stead forwarded to video memory by default. This caveat processor will be evicted from SRAM and swapped out to therefore allows SMRAM to be used as a secure storage. The DRAM in the host memory. The region of DRAM is re- SMI handler is loaded into SMRAM by the BIOS at boot served by the BIOS when system boots. This DRAM is time. The SMI handler has unrestricted access to the phys- dedicated for ME use and the operating system cannot ac- ical address space and can run privileged instructions (For cess it. However, the design of ME does not trust the BIOS this reason, SMM is often referred to as ring -2.) The RSM and it assumes the host can access the reserved DRAM re- instruction forces the CPU to exit from SMM and resume gion. execution in the previous mode. Since the embedded processor (i.e., ME processor) cannot In general, there are software- and hardware-based meth- address the host memory, two engines (i.e., DAM engine ods to trigger an SMI. In software, we can write to an ACPI and HECI engine) are introduced for the data transmission port to raise an SMI. For example, Intel chipsets use port between the ME memory and the main system's memory.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-