ABSTRACT
Security-critical applications constantly face threats from exploits in lower computing layers such as the operating system, virtual machine monitors, or even attacks from malicious administrators. To help protect application secrets from such attacks, there is increasing interest in hardware implementations of primitives for trusted computing, such as Intel's Software Guard Extensions (SGX) instructions. These primitives enable hardware protection of memory regions containing code and data, and provide a root of trust for measurement, remote attestation, and cryptographic sealing. However, vulnerabilities in the application itself, such as the incorrect use of SGX instructions or memory safety errors, can be exploited to divulge secrets. In this paper, we introduce a new approach to formally model these primitives and formally verify properties of so-called enclave programs that use them. More specifically, we create formal models of relevant aspects of SGX, develop several adversary models, and present a sound verification methodology (based on automated theorem proving and information flow analysis) for proving that an enclave program running on SGX does not contain a vulnerability that causes it to reveal secrets to the adversary. We introduce Moat, a tool which formally verifies confidentiality properties of applications running on SGX. We evaluate Moat on several applications, including a one time password scheme, off-the-record messaging, notary service, and secure query processing.
- Available at http://www.cryptopp.com/.Google Scholar
- https://devmoat.github.io.Google Scholar
- P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with wit. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, SP '08, pages 263--277, Washington, DC, USA, 2008. IEEE Computer Society. Google ScholarDigital Library
- ARM Security Technology - Building a Secure System using TrustZone Technology. ARM Technical White Paper.Google Scholar
- M. Balliu, M. Dam, and R. Guanciale. Automating information flow analysis of low level code. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 1080--1091, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- M. Barnett, B. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In FMCO '05, LNCS 4111, pages 364--387, 2005. Google ScholarDigital Library
- M. Barnett and K. R. M. Leino. Weakest-precondition of unstructured programs. In PASTE '05, pages 82--87, 2005. Google ScholarDigital Library
- C. Barrett, R. Sebastiani, S. A. Seshia, and C. Tinelli. Satisfiability modulo theories. In A. Biere, H. van Maaren, and T. Walsh, editors, Handbook of Satisfiability, volume 4, chapter 8. IOS Press, 2009.Google Scholar
- G. Barthe and L. P. Nieto. Secure information flow for a concurrent language with scheduling. In Journal of Computer Security, pages 647--689. IOS Press, 2007. Google ScholarDigital Library
- A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with Haven. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2014. Google ScholarDigital Library
- B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop, pages 82--96, Cape Breton, Canada, June 2001. Google ScholarDigital Library
- B. Blanchet. A computationally sound automatic prover for cryptographic protocols. In Workshop on the link between formal and computational models, Paris, France, June 2005.Google Scholar
- N. Borisov, I. Goldberg, and E. Brewer. Off-the-record communication, or, why not to use pgp. In Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES '04, pages 77--84, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
- D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. BAP: A binary analysis platform. In Proceedings of the 23rd International Conference on Computer Aided Verification, CAV'11, pages 463--469, 2011. Google ScholarDigital Library
- R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions. In Computer-Aided Verification (CAV'02), LNCS 2404, pages 78--92, July 2002. Google ScholarDigital Library
- M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18(6):1157--1210, Sept. 2010. Google ScholarDigital Library
- L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS '08, pages 337--340, 2008. Google ScholarDigital Library
- Z. Durumeric, J. Kasten, D. Adrian, J. A. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, and V. Paxson. The matter of heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference, pages 475--488, 2014. Google ScholarDigital Library
- C. Fournet and T. Rezk. Cryptographically sound implementations for typed information-flow security. In Proceedings 35th Symposium on Principles of Programming Languages. G. Smith, 2008. Google ScholarDigital Library
- V. Ganapathy, S. A. Seshia, S. Jha, T. W. Reps, and R. E. Bryant. Automatic discovery of API-level exploits. In Proceedings of the 27th International Conference on Software Engineering (ICSE), pages 312--321, May 2005. Google ScholarDigital Library
- C. Hawblitzel, J. Howell, J. R. Lorch, A. Narayan, B. Parno, D. Zhang, and B. Zill. Ironclad apps: end-to-end security via automated full-system verification. In Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, pages 165--181, 2014. Google ScholarDigital Library
- J. Heusser and P. Malacaria. Quantifying information leaks in software. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 261--269. ACM, 2010. Google ScholarDigital Library
- M. Hoekstra, R. Lal, P. Pappachan, C. Rozas, V. Phegade, and J. Cuvillo. Using innovative instructions to create trustworthy software solutions. In Workshop on Hardware and Architectural Support for Security and Privacy, 2013. Google ScholarDigital Library
- Intel Software Guard Extensions Programming Reference. Available at https://software.intel.com/sites/default/files/329298-001.pdf.Google Scholar
- G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. sel4: Formal verification of an os kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP '09, pages 207--220, New York, USA, 2009. Google ScholarDigital Library
- F. McKeen, I. Alexandrovich, A. Berenzon, C. V. Rozas, H. Shafi, V. Shanbhogue, and U. R. Savagaonkar. Innovative instructions and software model for isolated execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP '13, pages 10:1--10:1, New York, NY, USA, 2013. ACM. Google ScholarDigital Library
- J. Mclean. Proving noninterference and functional correctness using traces. Journal of Computer Security, 1:37--58, 1992. Google ScholarDigital Library
- A. C. Myers and B. Liskov. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, SOSP '97, pages 129--142, New York, USA, 1997. Google ScholarDigital Library
- J. Noorman, P. Agten, W. Daniels, R. Strackx, A. Van Herrewege, C. Huygens, B. Preneel, I. Verbauwhede, and F. Piessens. Sancus: Low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In Proceedings of the 22nd USENIX Conference on Security, pages 479--494, 2013. Google ScholarDigital Library
- A. Sabelfeld and A. C. Myers. Language-based information-flow security. Selected Areas in Communications, IEEE Journal on, 21(1):5--19, 2003. Google ScholarDigital Library
- A. Sabelfeld and A. C. Myers. A model for delimited information release. In In Proc. International Symp. on Software Security, pages 174--191. Springer-Verlag, 2004.Google ScholarCross Ref
- N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM TrustZone to build a trusted language runtime for mobile applications. In Proceedings of the 19th international conference on Architectural support for programming languages and operating systems (ASPLOS), pages 67--80. ACM, 2014. Google ScholarDigital Library
- F. Schuster, M. Costa, C. Fournet, C. Gkantsidis, M. Peinado, G. Mainar-Ruiz, and M. Russinovich. VC3: trustworthy data analytics in the cloud using SGX. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17--21, 2015, pages 38--54, 2015.Google ScholarDigital Library
- D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4(2--3):167--187, Jan. 1996. Google ScholarDigital Library
- J. Yang and C. Hawblitzel. Safe to the last instruction: Automated verification of a type-safe operating system. In Proceedings of the 31st Conference on Programming Language Design and Implementation, pages 99--110, 2010. Google ScholarDigital Library
Index Terms
- Moat: Verifying Confidentiality of Enclave Programs
Recommendations
A Formal Foundation for Secure Remote Execution of Enclaves
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications SecurityRecent proposals for trusted hardware platforms, such as Intel SGX and the MIT Sanctum processor, offer compelling security features but lack formal guarantees. We introduce a verification methodology based on a trusted abstract platform (TAP), a ...
A design and verification methodology for secure isolated regions
PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and ImplementationHardware support for isolated execution (such as Intel SGX) enables development of applications that keep their code and data confidential even while running in a hostile or compromised host. However, automatically verifying that such applications ...
A design and verification methodology for secure isolated regions
PLDI '16Hardware support for isolated execution (such as Intel SGX) enables development of applications that keep their code and data confidential even while running in a hostile or compromised host. However, automatically verifying that such applications ...
Comments