TreVisor OS-Independent Software-Based Full Disk Encryption Secure Against Main Memory Attacks June 26 - 29 • ACNS 2012 • Singapore Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Department of Computer Science Friedrich-Alexander University of Erlangen-Nuremberg Contents I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design • TRESOR Runs Encryption Securely Outside RAM • TreVisor: The TRESOR Hypervisor • BitVisor: A Thin Hypervisor for Enforcing I/O Device Security III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part I Motivation I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion Disk Encryption ● Full disk encryption (FDE) protects data against physical loss and theft of the hard drive. ● It does generally not protect against remote attacks. Source: http://bvinews.com/bvi/wp-content/uploads//2011/07/laptop-theft-in-action.jpg June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption But current (software-based) FDE solutions do not protect data effectively if an adversary gains physical access! Why? June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Software Disk Encryption RAM HDD (unencrypted) CPU (encrypted) en/decrypt ● Software-based disk encryption stores necessary keys in RAM ● Including BitLocker, FileVault, dm-crypt, and TrueCrypt June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory Problem: main memory is no secure storage for cryptographic keys. 1) DMA Attacks via Firewire, Thunderbolt, PCIe, etc. 2) Cold Boot Attacks on Encryption Keys June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling DMA Attacks Direct Memory Access is exploitable: 2004: Firewire 0wned by an iPod from Maximilian Dornseif -- All Your Memory Are Belong To Us ... PC Card / ExpressCard / PCIe / more Firewire ... 2012: Thunderbolt Adventures with Daisy in Thunderbolt -DMA-land: Hacking Macs through the Thunderbolt interface June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Cold Boot Attacks ● Remanence effect of DRAM: ● 2008: Lest We Remember: Cold Boot Attacks on Encryption Keys Source: https://citp.princeton.edu/research/memory/media/ June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory Memory attacks require target systems to be running or in suspended mode ● Lost and theft of suspended laptops at public places ● Confiscation of running servers by law enforcement authorities Source: http://i.dailymail.co.uk Source: http://gottabemobile.wpengine.netdna-cdn.com June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Attacks on Main Memory Basically all memory contents can be read out. We focus on the security of disk encryption keys June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption Solutions Software FDE Hardware FDE TRESOR/TreVisor RAM RAM RAM HDD HDD HDD CPU CPU CPU June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part II Background & Design I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion TRESOR TRESOR Runs Encryption Securely Outside RAM ● Published at USENIX 2011 ● Keys are stored in CPU registers (dr0-dr3) rather than in RAM ● All intermediate states / runtime variables are stored only in CPU registers as well ● Challenges: ● No use of stack and heap ● Scheduling, hardware interrupts, and context switches ● Userland access to debug registers (dr0-dr3) ● Swapping and Suspend-to-Disk / RAM ● ... ● Linux kernel patch (originally for 2.6.36); dm-crypt support ● AES-128, -192, and -256 accelerated by Intel's AES-NI June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TRESOR Problems ● TRESOR effectively defeats cold boot attacks, but is still vulnerable to: ● write-able DMA attacks on running machines (code infiltration) ● local privilege escalations (loadable kernel modules and /dev/kmem) ● buggy drivers can lead to data corruption ● full disk encryption (FDE) is tricky to set up ● works for Linux only; no other OS supported June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TreVisor The TRESOR HyperVisor ● TreVisor is a ``thin hypervisor`` that encrypts hard disks transparently for the guest OS. ● one unmodified guest, including Linux and Windows. ● Most devices are just passed through, except ● hard disk: hook into file access in order to en-/decrypt data transparently with TRESOR technology. ● DMA devices: filter memory transfers by means of the IOMMU ; access to hyperspace is disallowed. June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling TRESOR vs. TreVisor (a) TRESOR (b) TreVisor App App App App ring 3 App App App App unused ring 1+2 unused TRESOR patched Linux ring 0 Any Operating System unused ring -1 TreVisor HDD Other Hardware HDD Other Hardware June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling BitVisor A Secure and Lightweight Hypervisor ● University of Tsukuba ; published at VEE '09 ● Thin hypervisor that implements various security features: FDE, VPN, VT-d/IOMMU, TCG, etc. ● Parapass-through architecture no drivers required for most devices June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Tresor + BitVisor = TreVisor We use BitVisor as a basis for TreVisor June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part III Implementation Details I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion Registers Debug registers: SSE Registers: General Purpose: dr0 (64-bit) xmm0 (128-bit) rax (64-bit) dr1 (64-bit) xmm1 (128-bit) rbx (64-bit) dr2 (64-bit) ... rcx (64-bit) dr3 (64-bit) xmm15 (128-bit) rdx (64-bit) ● dr0 to dr3 are exclusively reserved as key storage ; hardware breakpoints cannot be set by userland applications anymore ● xmm0 to xmm15 and GPRs are used only temporarily inside atomic sections June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Key Storage Registers ● Usually, debug registers (dr0 - dr7) can be accessed with ring 0 privileges from guest OS ● Now we need exclusive access from ring -1 (VMM) ● We must protect the debug registers from guest OS: ● Throw VMEXIT exception when the guest tries to access debug registers (virtualization control: "MOV-DR exiting") ● Exception handler: ignore instruction (increment IP), don't throw exception to guest, mirror guest debug regs in RAM Changes privilege level of debug regs from ring 0 to -1 June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Key Management ● Every CPU core should be able to do encryption Key has to be present in every single core Use Inter-Processor Interrupts (IPIs) to distribute the key (For key distribution, RAM is used briefly but cleared thoroughly afterwards) June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Disk Encryption ● BitVisor already knows about FDE ● drivers for ATA and USB disks ● routines for hooking disk accesses ● So what is missing? ● the "TRESOR" crypto module ● e.g.: implement crypto_tresor_init(), crypto_tresor_encrypt(), and crypto_tresor_decrypt() ● most of the routines implemented in assembly (AES-NI) ● Important: TRESOR code must run atomically and zero-fill used registers (SSE + GPRs) before exiting June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Availability http://www1.cs.fau.de/trevisor ● In active development by Benjamin Taubmann ● Latest patch from mid of June ● 3.800 lines of code, mixture of C and assembly June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Part IV Evaluation I. Motivation: Memory Attacks on Full Disk Encryption II. Background & Design: TRESOR, TreVisor, BitVisor III. Implementation Details: The BitVisor Patch IV. Evaluation: Performance, Compatibility, Security V. Conclusion TreVisor Performance 10 20 30 40 50 60 MB/s 59.3 MB/s Linux (write) 54.4 MB/s 56.0 MB/s 38.8 MB/s Linux (read) 36.3 MB/s 32.5 MB/s 43.3 MB/s Windows 39.4 MB/s 35.3 MB/s AES-128 AES-192 AES-256 June 26 - 29, 2012 · ACNS '12 Singapore · TreVisor · Tilo Müller, Benjamin Taubmann, and Felix C. Freiling Linux Performance 10 20 30 40 50 60 MB/s No 60.7 MB/s VMM 63.7 MB/s No