
TRUSTED CODE EXECUTION ON UNTRUSTED PLATFORMS USING INTEL SGX

Guevara Noubir & Amirali Sanatinia
Northeastern University, USA
Email {noubir, amirali}@ccs.neu.edu

VIRUS BULLETIN CONFERENCE OCTOBER 2016

ABSTRACT

Today, isolated trusted computation and code execution is of paramount importance to protect sensitive information and workflows from other malicious privileged or unprivileged software. Intel Software Guard Extensions (SGX) is a set of security architecture extensions first introduced in the Skylake microarchitecture that enables a Trusted Execution Environment (TEE). It provides an ‘inverse sandbox’ for sensitive programs, and guarantees the integrity and confidentiality of secure computations, even from the most privileged malicious software (e.g. OS, hypervisor).

SGX-capable CPUs only became available in production systems in Q3 2015, and they are not yet fully supported and adopted in systems. Besides the capability in the CPU, the BIOS also needs to provide support for the enclaves, and not many vendors have released the required updates for the system support. This has led to many wrong assumptions being made about the capabilities, features, and ultimately dangers of secure enclaves. By having access to resources and publications such as white papers, patents and the actual SGX-capable hardware and software development environment, we are in a privileged position to be able to investigate and demystify SGX.

In this paper, we first review the previous trusted execution technologies, such as ARM TrustZone and Intel TXT, to better understand and appreciate the new innovations of SGX. Then, we look at the details of SGX technology, cryptographic primitives and the underlying concepts that power it, namely the sealing, attestation, and the Memory Encryption Engine (MEE). We also consider use cases such as trusted and secure code execution on an untrusted cloud platform, and digital rights management (DRM). This is followed by an overview of the software development environment and the available libraries.

1. INTRODUCTION

Today, cloud platforms are becoming more widely used, both by end-users and enterprises. However, the notion of trusting a third party with your secrets is not very desirable for many entities. The status quo not only forces users to put their faith in the honesty and trustworthiness of the cloud providers but also forces them to trust in the lack of malware and compromise of the cloud platforms. Intel SGX is a new technology that guarantees the confidentiality of users’ data on a remote node, against other unprivileged or even privileged software such as the operating system and hypervisor. Without adequate support from the hardware to provide a secure execution environment, previous work relied on trusted hypervisors to protect applications against malicious OSs [1–3]. An alternative approach that mobilized the research community is to compute over encrypted data [4], for example using Fully Homomorphic Encryption (FHE) schemes [5] that can perform general operations on encrypted data. However, current FHE techniques are still several orders of magnitude slower than necessary for practical applications. Earlier attempts such as Intel TXT, formerly known as LaGrande Technology, did not succeed in becoming widely adopted and deployed. Intel TXT is a platform-level enhancement and set of extensions to attest the authenticity of the hardware and operating system by enabling the measurement and verification of the environment [6]. Currently, ARM TrustZone is one of the most successful and widely deployed TEEs both for clients and enterprises.

Previous works have looked at Intel SGX and discussed its potentials and shortcomings [7–9]. However, they were based on the information available prior to the official release of the SGX hardware (processors and supporting motherboards) and its specifications. In this work, by having access to resources and publications such as white papers, patents and the actual SGX-capable hardware and software development environment, we are in a privileged position to be able to report on our experience with SGX. We first look at ARM TrustZone, the other competing TEE technology that is widely used. Then we overview the SGX internals and the underlying concepts that power it, followed by a discussion of its use cases. Finally, we review the software development model and libraries available in SGX.

2. ARM TRUSTZONE

ARM TrustZone is a set of security enhancement extensions to the ARM architecture that appears in ARMv6 and later versions. It introduces two security modes, which divide the CPU into two isolated worlds, the secure mode and the normal mode. A third mode, called the monitor mode, is in charge of the switch between the secure and normal worlds. The Secure Monitor Call (SMC) instruction is invoked to switch between the two worlds.

In TrustZone, the two worlds have their own separate address spaces and different privileges. The memory is partitioned into two sections, one of which is reserved exclusively for the secure mode. Furthermore, individual peripherals can be assigned to different worlds. Both worlds can run any software, ranging from unprivileged user-level applications to the OS.

To guarantee the integrity of the secure world’s components and software, upon powering the device, it boots into the secure world, and after executing the secure boot and verifying the signature of the boot image, it can attest that the software has not been modified.

To determine the state of the CPU, an extra bit is added to the Secure Configuration Register (SCR), called the non-secure (NS) bit, which indicates the security context of the CPU. When the NS bit is zero, the CPU is in the secure world mode, and when the NS bit is set to 1, the CPU is in the normal mode.

Previous work has looked at the use and application of TrustZone for a wide range of domains, for example to regulate devices in restricted spaces [10], for cache-assisted secure execution [11], and for enabling a Samsung mobile security solution called KNOX.

As noted in ARM TrustZone, the TCB is much larger than in SGX. The larger size of the TCB can lead to errors and ultimately vulnerabilities. Furthermore, a trusted system stack, including OS, firmware, and libraries, needs to be implemented and trusted by all the users.

3. INTEL SOFTWARE GUARD EXTENSIONS (SGX)

Intel SGX allows the creation of secure enclaves that can keep and be trusted with a secret. In the context of SGX, enclaves are isolated execution units, with encrypted code and data. At the beginning, enclaves have no secret, since they can be disassembled and viewed like any other normal program. After their launch, the enclaves need to be provisioned to retrieve the secret data. The following is an overview of SGX [12] (Figure 1 provides a diagram of the procedure and lifecycle of an SGX enclave):

Figure 1: Diagram of the SGX enclave lifecycle.

• Step 1 (Launch): the untrusted application loads the enclave code and instantiates it. During this process a log is created, called the enclave’s measurement. This measurement is used in the verification by the remote party (service provider).

• Step 2 (Attestation): the enclave contacts the service provider for provisioning and retrieving the secrets. As mentioned earlier, the enclave does not contain any secret information before provisioning. The enclave presents its attested measurement to the service provider, which identifies the hardware environment and the enclave.

• Step 3 (Provisioning): after verifying the attestation provided by the enclave in step 2, the service provider

3.1 New instructions and data structures

The two main challenges to enable the functionalities of SGX are memory access semantics and protection of the address mappings [13]. To address this, new instructions, data structures, and a new mode of execution have been introduced. The 18 new instructions can be categorized into five groups: five instructions to build and destroy enclaves, four instructions to enter and exit enclaves, five instructions to move enclave pages to and from memory, two instructions to debug enclaves, and two instructions for the security operation of enclaves, including key generation and the measurement of the enclaves.

Six new data structures have been introduced to hold the enclave’s data and metadata:

• The Enclave Page Cache (EPC) is a protected memory region used to hold the protected code and data, in 4k pages. The EPC is encrypted through the Memory Encryption Engine (MEE), and is managed by the OS/VMM.

• The Enclave Page Cache Map (EPCM) contains the metadata of the enclave pages, and is used by the CPU to keep track of the content of EPC pages. The EPCM is controlled by the CPU and is not directly accessible by the software or devices.

• The SGX Enclave Control Store (SECS) and Thread Control Structure (TCS) hold the metadata for each enclave and each thread, respectively.

• The Version Array (VA) of evicted pages.

• The SIGSTRUCT record, which is responsible for the signature and sealing identity of the enclave.

The new mode (enclave mode) is activated when a process moves into an enclave. In this mode, extra memory access checks are performed to ensure the confidentiality and protection of the enclave’s memory from other processes.

3.2 Types of enclaves

Enclaves are the secure computation units that run in ring level 3 (user level). They have no privileged access, yet they are protected against the higher-level, privileged programs, including the OS, VMM and hypervisor. Since enclaves run in ring 3, and do not have direct access to peripheral and I/O devices, they cannot harm systems [7]. The enclaves are designed to work on multi-core platforms, since multiple enclaves can run at the same time. Furthermore, the enclave and the untrusted application can run in simultaneous threads.
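The three-step enclave lifecycle above (launch with measurement, attestation of that measurement to a service provider, provisioning of the secret only after verification) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the paper or from Intel's SDK: the measurement is a SHA-256 hash chain over the pages added at launch (a constructed stand-in for the real measurement log, not the MRENCLAVE encoding), and an HMAC under a key that only the platform and the service provider hold stands in for the CPU's attestation key and the quoting infrastructure. Class names, the page contents and the secret are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PAGE_SIZE = 4096  # the paper: EPC holds protected code and data in 4k pages


def measure_enclave(pages):
    """Step 1 (Launch): build the measurement as a hash chain over the pages
    in the order they are added. Constructed entry format, not SGX's own."""
    chain = hashlib.sha256()
    for index, page in enumerate(pages):
        assert len(page) == PAGE_SIZE, "enclave pages are 4 KiB"
        chain.update(b"ADD_PAGE" + index.to_bytes(4, "little"))
        chain.update(hashlib.sha256(page).digest())
    return chain.digest()


class Platform:
    """Stands in for the CPU: it alone can authenticate reports with the
    report key. Sharing that key with the provider is this model's assumption."""

    def __init__(self, report_key):
        self._report_key = report_key
        self.enclaves = {}

    def launch(self, name, pages):
        measurement = measure_enclave(pages)
        self.enclaves[name] = measurement
        return measurement

    def get_report(self, name, nonce):
        # Step 2 (Attestation): report body = measurement || nonce, MACed by the platform
        body = self.enclaves[name] + nonce
        tag = hmac.new(self._report_key, body, hashlib.sha256).digest()
        return body, tag


class ServiceProvider:
    """Remote party that releases the secret only to an enclave whose
    measurement it expects, on a platform that holds the report key."""

    def __init__(self, report_key, expected_measurement, secret):
        self._report_key = report_key
        self._expected = expected_measurement
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def provision(self, body, tag):
        # Step 3 (Provisioning): check authenticity, freshness, then identity
        expected_tag = hmac.new(self._report_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return None  # report was not produced by the platform key
        measurement, nonce = body[:32], body[32:]
        if nonce not in self._outstanding:
            return None  # replayed or unsolicited report
        self._outstanding.discard(nonce)
        if not hmac.compare_digest(measurement, self._expected):
            return None  # enclave code differs from what the provider trusts
        return self._secret


def run_lifecycle(enclave_pages, expected_pages):
    """Run launch -> attestation -> provisioning; returns the secret or None."""
    report_key = secrets.token_bytes(32)
    platform = Platform(report_key)
    provider = ServiceProvider(report_key, measure_enclave(expected_pages), b"db-password")
    platform.launch("worker", enclave_pages)
    nonce = provider.challenge()
    body, tag = platform.get_report("worker", nonce)
    return provider.provision(body, tag)


# Constructed enclave images: the tampered one differs in a single byte.
GOOD_PAGES = [b"\x90" * PAGE_SIZE, b"\x00" * PAGE_SIZE]
TAMPERED_PAGES = [b"\x90" * PAGE_SIZE, b"\x00" * (PAGE_SIZE - 1) + b"\x01"]

if __name__ == "__main__":
    print(run_lifecycle(GOOD_PAGES, GOOD_PAGES))      # secret is released
    print(run_lifecycle(TAMPERED_PAGES, GOOD_PAGES))  # None: measurement mismatch
```

The point the model makes concrete is the ordering the paper describes: the enclave holds nothing worth stealing until step 3, and the provider's decision rests solely on a measurement it can verify, so a one-byte change to the loaded code, a forged report tag, or a replayed report all end with no secret leaving the provider.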