Principles of Secure Processor Architecture Design

Slide 1: Principles of Secure Processor Architecture Design
Slides and information available at: http://caslab.csl.yale.edu/tutorials/
Tutorial on Principles of Secure Processor Architecture Design © Jakub Szefer (ver. HOST 2018)

Slide 2: Principles of Secure Processor Architecture Design
Jakub Szefer, Assistant Professor, Dept. of Electrical Engineering, Yale University
HOST 2018 -- April 30th, 2018

Slide 3: Tutorial Outline
9:30 – 9:50 Secure Processor Architectures
9:50 – 10:10 Trusted Execution Environments
10:10 – 10:30 Hardware Roots of Trust
10:30 – 10:50 Memory Protection
10:50 – 11:00 Multiprocessor and Many-core Protections
11:00 – 11:30 Side-Channels Threats and Protections
11:30 – 12:00 Principles of Secure Processor Architecture Design

Slide 4: Upcoming Book
Jakub Szefer, "Principles of Secure Processor Architecture Design," in Synthesis Lectures on Computer Architecture, Morgan & Claypool Publishers. Coming Summer 2018.

Slide 5: Secure Processor Architectures (section divider)
Tutorial sections: Secure Processor Architectures; Trusted Execution Environments; Hardware Roots of Trust; Memory Protection; Multiprocessor and Many-core Protections; Side-Channels Threats and Protections; Principles of Secure Processor Architecture Design.

Slide 6: Typical Processor Architecture
A simplified view of a processor and the software stack in a general-purpose computer:
[Diagram: processor chip containing cores with caches ($) and the uncore; on it run Apps, Guest OSes and the Hypervisor (VMM); Memory and I/O Devices are separate hardware outside the chip.]

Slide 7: Typical Trust Hierarchy (Software)
Typical ring-based protection scheme gives most privileges (and most trust) to the lowest levels of the system:
[Diagram: Ring 3 Apps, Ring 0 Guest OSes, Ring -1 Hypervisor (VMM), Hardware.]
• Compromised or malicious OS can attack all the applications in the system.
• Compromised or malicious Hypervisor can attack all the OSes in the system.
Image: https://commons.wikimedia.org/wiki/File:Priv_rings.svg

Slide 8: Typical Trust Hierarchy (Hardware)
Typically a computer system (predating architectures such as Intel SGX or AMD SEV) considers all the components as trusted:
[Diagram: processor chip (cores, caches, uncore), Memory, I/O Devices.]
• Information can be extracted from memory or memory contents can be modified.
• Snooping on the system bus is possible to extract information.
• Compromised or malicious devices can attack other components of the system.

Slide 9: Potential Attack Threats
Hardware and software that implements the Trusted Computing Base (TCB) can be attacked through numerous attack vectors:
[Diagram: attack vectors (Software on Software, Software on Hardware, Hardware on Hardware, Hardware on Software; each either Local or Remote) against attack targets (TCB Hardware, TCB Software, Protected Software).]
Most attacks today are software on software, but the importance of the others is growing.

Slide 10: Hardware Attacks without Physical Access
Possibilities for hardware attacks with dedicated tools and lots of money are infinite. However, many non-software attacks that require no physical access are possible today:
• Rowhammer – Repeated accesses to DRAM rows can cause bits to flip in adjacent DRAM rows, e.g. to change protection bits in a page table.
• Meltdown – Out-of-order execution and incorrect checking of protection bits + cache side channel attacks can leak information about protected memory contents.
• Spectre – Speculative execution + cache side channel attacks can be used to extract data from an application.
• ClkScrew – Abusing Dynamic Voltage and Frequency Scaling (DVFS) features can allow an attacker to introduce faults into a system.
• …

Slide 11: Protecting from Software and Hardware Attacks
Secure Processor Architectures add new hardware and software features to provide Trusted Execution Environments (TEEs) wherein software executes protected from some of the software and hardware threats.
• Enhance general-purpose processor with new protection features
• Provide new or alternate privilege levels
• Utilize software and hardware changes
• Facilitate attestation of the protected software

Slide 12: New Privilege Levels
Modern computer systems define protections in terms of privilege level or protection rings; new privilege levels are defined to provide added protections.
• Ring 3 – Application code, least privileged.
• Rings 2 and 1 – Device drivers and other semi-privileged code, although rarely used.
• Ring 0 – Operating system kernel.
• Ring -1 – Hypervisor or virtual machine monitor (VMM), most privileged mode that a typical system administrator has access to.
• Ring -2 – System management mode (SMM), typically locked down by the processor manufacturer.
• Ring -3 – Platform management engine, retroactively named "ring -3"; actually runs on a separate management processor.
Image: https://commons.wikimedia.org/wiki/File:Priv_rings.svg

Slide 13: Extend Linear Trust with New Protection Levels
The hardware is most privileged as it is the lowest level in the system.
• There is a linear relationship between protection ring and privilege (lower ring is more privileged)
• Each component trusts all the software "below" it
[Diagram: Ring 3 Apps, Ring 0 Guest OSes, Ring -1 Hypervisor (VMM), Ring -2 SMM, Ring -3 SecE, Hardware.]
Security Engine (SecE) can be something like Intel's ME or AMD's PSP.

Slide 14: Add Horizontal Privilege Separation
New privileges can be made orthogonal to existing protection rings.
• E.g. ARM's "normal" and "secure" worlds
• Need privilege level (ring number) and normal / secure privilege
Security levels form a lattice (Normal Operation vs. Privileged Operation at each ring): Ring -1 Privileged, Ring -1 Normal, Ring 0 Privileged, Ring 0 Normal, Ring 3 Privileged, Ring 3 Normal.
Image: https://commons.wikimedia.org/wiki/File:Priv_rings.svg

Slide 15: Breaking Linear Hierarchy of Protection Rings
Examples of architectures that do and don't have a linear relationship between privileges and protection ring level:
[Diagram: four ring stacks (Ring 3 App, Ring 0 OS, Ring -1 HV, Ring -2 SMM, Ring -3 SecE, Hardware): a Normal Computer; e.g. Bastion (with a TSM inside the Ring 3 App); e.g. SGX (with an Enclave inside the Ring 3 App); e.g. SEV.]
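As an added example (not part of the tutorial slides or the author's material), the two-axis security-level lattice from the "Add Horizontal Privilege Separation" slide modelled in Python, together with the "each component trusts all software below it" rule from the linear-ring slides. The code assumes the usual product order on (ring, world): one level dominates another only when it is at least as privileged on both axes; the names Level, dominates, join, meet, is_lattice and exposed_to are my own, and the "Privileged"/"Normal" world labels follow the slide.

```python
"""Two-axis security levels: (protection ring, normal/privileged world).

Models the lattice sketched on the horizontal-privilege-separation slide and
contrasts it with the purely linear ring hierarchy. Assumption: levels are
ordered by the product order (ring number not higher AND world not lower).
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set

# Rings used on the slide; a lower ring number is more privileged.
RINGS = (-1, 0, 3)
# Orthogonal axis (ARM's normal/secure worlds are the slide's example).
NORMAL, PRIVILEGED = 0, 1
WORLDS = (NORMAL, PRIVILEGED)


@dataclass(frozen=True, order=True)
class Level:
    ring: int
    world: int

    def dominates(self, other: "Level") -> bool:
        """Assumed product order: at least as privileged on both axes."""
        return self.ring <= other.ring and self.world >= other.world

    def __str__(self) -> str:
        return f"Ring {self.ring} {'Privileged' if self.world else 'Normal'}"


ALL_LEVELS: FrozenSet[Level] = frozenset(
    Level(r, w) for r, w in product(RINGS, WORLDS))


def comparable(a: Level, b: Level) -> bool:
    """False when neither level dominates the other (the non-linear case)."""
    return a.dominates(b) or b.dominates(a)


def join(a: Level, b: Level) -> Level:
    """Least upper bound: the more privileged ring and world of the two."""
    return Level(min(a.ring, b.ring), max(a.world, b.world))


def meet(a: Level, b: Level) -> Level:
    """Greatest lower bound: the less privileged ring and world of the two."""
    return Level(max(a.ring, b.ring), min(a.world, b.world))


def is_lattice(levels: FrozenSet[Level]) -> bool:
    """Verify that join/meet are the least upper / greatest lower bounds
    within `levels` for every pair, i.e. the set really is a lattice."""
    for a, b in product(levels, repeat=2):
        j, m = join(a, b), meet(a, b)
        if j not in levels or m not in levels:
            return False
        if not (j.dominates(a) and j.dominates(b)
                and a.dominates(m) and b.dominates(m)):
            return False
        for c in levels:
            if c.dominates(a) and c.dominates(b) and not c.dominates(j):
                return False
            if a.dominates(c) and b.dominates(c) and not m.dominates(c):
                return False
    return True


def exposed_to(compromised: Level, levels: FrozenSet[Level] = ALL_LEVELS) -> Set[Level]:
    """Levels a compromised component can reach: everything it strictly
    dominates (a component trusts all software 'below' it)."""
    return {lv for lv in levels if compromised.dominates(lv) and lv != compromised}


def exposed_to_linear(compromised_ring: int, rings=RINGS) -> Set[int]:
    """The same question under the purely linear ring hierarchy."""
    return {r for r in rings if r > compromised_ring}


if __name__ == "__main__":
    os_normal = Level(0, NORMAL)
    print("Linear model, compromised ring 0 reaches rings:",
          sorted(exposed_to_linear(0)))
    print(f"Two-axis model, compromised {os_normal} reaches:",
          [str(lv) for lv in sorted(exposed_to(os_normal))])
    a, b = Level(-1, NORMAL), Level(0, PRIVILEGED)
    print(f"{a} vs {b}: comparable={comparable(a, b)}, "
          f"join={join(a, b)}, meet={meet(a, b)}")
    print("Levels form a lattice:", is_lattice(ALL_LEVELS))
```

The interesting outputs are the incomparable pair (a Ring -1 Normal hypervisor neither dominates nor is dominated by Ring 0 Privileged) and the fact that a compromised Ring 0 Normal OS reaches only Ring 3 Normal applications in the two-axis model, whereas in the linear model ring 0 reaches every application.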
Slide 16: Example Secure Architecture: Intel SGX
Simplified schematic of Intel SGX architecture and the protected Enclave.
[Diagram: the typical processor architecture with an Enclave inside one Ring 3 App; the ME serves as the SecE alongside SMM; Memory and I/O Devices are outside the chip.]
Emoji Image: https://www.emojione.com/emoji/1f479

Slide 17: Example Secure Architecture: AMD SEV
Simplified schematic of AMD SEV architecture and the protected Virtual Machines.
[Diagram: the typical processor architecture with the Guest OSes (virtual machines) as the protected entities; the PSP serves as the SecE alongside SMM; Memory and I/O Devices are outside the chip.]
Emoji Image: https://www.emojione.com/emoji/1f479

Slide 18: Trusted Processor Chip Assumption
Key to most secure processor architecture designs is the trusted processor chip assumption.
• Whole processor chip is trusted.
• Memory is untrusted.
• System bus is untrusted.
• Devices are untrusted.

Slide 19: Trusted Computing Base
Trusted Computing Base, or TCB, is the sum total of all the hardware and software which work together to realize the protections offered by the system.
• TCB is trusted
• TCB may not be trustworthy, if it is not verified or is not bug free
TCB contains:
• All trusted hardware – typically the processor chip
• All trusted software – some software levels may be untrusted (e.g. OS in SGX)

Slide 20: TCB Example: Intel SGX
TCB of the Intel SGX contains the processor chip, and privileged software controlling the protection mechanisms.
[Diagram: processor chip with cores and caches; an Enclave inside one Ring 3 App.]
Protections are not guaranteed if there is hardware or
