SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
Fengwei Zhang
Wayne State University, Detroit, Michigan, USA
Wayne State University CSC 6991

Overview of the Talk
• Introduction
• Hardware-assisted Isolated Execution Environments (HIEEs)
• Use Cases of HIEEs
• Attacks against HIEEs
• Discussions and Conclusions

Introduction
• Isolating code execution is one of the fundamental approaches for achieving security
• Isolated execution environments
  – Software-based: Virtual machines
    • A large trusted computing base (e.g., Xen has 532K SLOC)
    • Failure to deal with hypervisor or firmware rootkits
    • Suffering from system overhead
• Hardware-assisted isolated execution environments (HIEEs)
  – Isolated execution concept: Trusted execution environment (TEE)
  – Hardware-assisted technologies
    • Excluding the hypervisors from TCB
    • Achieving a high level of privilege (i.e., hardware-level privilege)
    • Reducing performance overhead (e.g., context switches)

HIEEs
• A list of hardware-assisted isolated execution environments (HIEEs) that have been used for building security tools
  – System management mode (SMM) [24]
  – Intel management engine (ME) [36]
  – AMD platform security processor (PSP) [4]
  – Dynamic root of trust for measurement (DRTM) [52]
  – Intel software guard extension (SGX) [5, 23, 34]
  – ARM TrustZone technology [6]

HIEE: System Management Mode
• A CPU mode similar to Real and Protected modes available on x86 architecture
• Initialized by the Basic Input/Output System (BIOS)
• Entering SMM by asserting the system management interrupt (SMI) pin
• System management RAM (SMRAM) that is inaccessible from the normal OS
[Figure: Protected Mode (normal OS) and System Management Mode (isolated execution environment: SMI handler, isolated SMRAM, highest privilege, interrupts disabled). SMM entry: software or hardware triggers an SMI. SMM exit: RSM.]

HIEE: Intel Management Engine
[Figure: Management Engine block diagram: ME processor, crypto engine, DMA engine, HECI engine, ROM, internal SRAM, interrupt controller, timer, and CLink I/O on an internal bus.]
Management Engine (ME) is a micro-computer embedded inside of all recent Intel processors; it is introduced as an embedded processor, and Intel AMT is the first application running in ME [36]

HIEE: AMD Embedded Processors
• AMD secure processor [4]
  – Also called platform security processor (PSP)
  – Embedded inside of the main AMD CPU to enable running third-party applications
  – Partnership with ARM TrustZone
• System management unit (SMU) [30]
  – An embedded processor at Northbridge
  – Northbridge has been integrated into CPU
  – Responsible for a variety of system and power management tasks during boot and runtime

HIEE: Dynamic Root of Trust for Measurement
• TCG introduced DRTM, also called “late launch”, in the TPM v1.2 specification in 2005 [51, 52]
• SRTM vs. DRTM
  – Static root of trust for measurement (SRTM) operates at boot time; DRTM allows the root of trust for measurement to be initialized at any point
• Intel and AMD implementations
  – Intel trusted execution technology (TXT) [25]
  – AMD secure virtual machine (SVM) [2]
  – Overhead for late launch: SENTER vs. SKINIT
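
The SRTM/DRTM distinction above, as an added example (not from the slides or the paper): a two-PCR model that assumes TPM 1.2 SHA-1 extend semantics and SKINIT-style measurement of the launched code into PCR 17. The class, function names and sample boot components are constructed for illustration.

```python
import hashlib

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

class Tpm:
    """Two-PCR model of a TPM 1.2 (a simplification: real SRTM uses PCRs 0-7)."""

    def __init__(self):
        # Platform reset: the static PCR starts at zero, dynamic PCR 17 at all ones.
        self.pcr = {0: bytes(20), 17: b"\xff" * 20}

    def extend(self, index: int, component: bytes) -> None:
        # TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component)).
        self.pcr[index] = sha1(self.pcr[index] + sha1(component))

    def late_launch(self, payload: bytes) -> None:
        # Late launch (SENTER / SKINIT): hardware resets PCR 17 to zero and
        # measures the launched code. Software alone cannot perform this reset.
        self.pcr[17] = bytes(20)
        self.extend(17, payload)

def boot(chain) -> Tpm:
    """SRTM: every boot stage is extended into PCR 0, in order, from power-on."""
    tpm = Tpm()
    for component in chain:
        tpm.extend(0, component)
    return tpm

def expected_pcr17(payload: bytes) -> bytes:
    """Value a DRTM verifier computes: it needs the payload only, not the boot chain."""
    return sha1(bytes(20) + sha1(payload))

# Constructed sample inputs.
CLEAN_CHAIN = [b"firmware", b"bootloader", b"kernel"]
TAMPERED_CHAIN = [b"firmware", b"bootloader+bootkit", b"kernel"]
PAYLOAD = b"measured-launch-payload"

if __name__ == "__main__":
    clean, tampered = boot(CLEAN_CHAIN), boot(TAMPERED_CHAIN)
    print("SRTM PCR 0 differs after tampering:", clean.pcr[0] != tampered.pcr[0])
    clean.late_launch(PAYLOAD)
    tampered.late_launch(PAYLOAD)
    print("DRTM PCR 17 same on both platforms:", clean.pcr[17] == tampered.pcr[17])
    forged = boot(TAMPERED_CHAIN)
    forged.extend(17, PAYLOAD)  # extend without the hardware reset
    print("Extend without late launch matches:", forged.pcr[17] == expected_pcr17(PAYLOAD))
```

The SRTM value changes whenever any boot stage changes, so a verifier must know the whole chain; the DRTM value depends only on the launched code, and an extend that skips the hardware reset starts from all ones and cannot reproduce it.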

HIEE: Intel Software Guard Extension
• Three introduction papers [5, 34, 23] about SGX presented at HASP 2013
• SGX is a set of instructions and mechanisms for memory accesses added to Intel architecture processors
• Allowing a user-level application to instantiate a protected container, called enclave
• Providing confidentiality and integrity even without trusting the BIOS, firmware, hypervisors, and OS
• OpenSGX [27]: An open-source platform that emulates Intel SGX at the instruction level by modifying QEMU

HIEE: ARM TrustZone
• ARM TrustZone technology is a hardware extension that creates a secure execution environment since ARMv6 [12]
• Two modes: Secure world and normal world
• Identified by the NS bit in the secure configuration register (SCR)
[Figure: Normal World (Rich OS in REE: normal world user mode, normal world privileged modes), Secure World (Secure OS in TEE: secure world user mode, secure world privileged modes), and Monitor mode.]
HIEEs

Use Cases of HIEEs
• System introspection
• Memory forensics
• Transparent malware analysis
• Executing sensitive workloads
• Rootkits and keyloggers

Use Case: System Introspection
• Running system introspection tools inside of HIEEs
  – Hypervisor/OS integrity checking
  – OS rootkit detection
  – Attack detection (e.g., heap spray and heap overflows)
• SMM-based
  – Hypercheck [65], HyperGuard [41], HyperSentry [8], IOCheck [64], and Spectre [62]
• TrustZone-based
  – SPROBES [22] and TZ-RKP [7]
• DRTM-based
  – Flicker [31]

Use Case: Memory Forensics
• Using HIEEs to perform acquisition of volatile memory of a target system, and then transmit the memory contents to a remote machine for analysis
• Examples of existing systems
  – SMMDump [35] implemented by using SMM
  – TrustDump [48] used ARM TrustZone

Use Case: Transparent Malware Analysis
• Malware uses anti-debugging, anti-virtualization, and anti-emulation techniques to evade traditional analysis using virtualization or emulation technology
• Analyzing malware using HIEEs so that advanced malware can be debugged on bare metal
• Exposing the real behavior of malware with anti-debugging, anti-VM, and anti-emulation techniques
• Examples of existing systems
  – MalT [61] using SMM
  – Other HIEEs like TrustZone and ME can be used for the same purpose

Use Case: Executing Sensitive Workloads
• Using HIEEs to run security sensitive operations
• DRTM-based
  – Flicker [31], TrustVisor [32], and Bumpy [33]
• TrustZone-based
  – TrustICE [49] and TrustOTP [47]
• SMM-based
  – SICE [9] and TrustLogin [63]
• SGX-based
  – Haven [10] and VC3 [43]

Use Case: Rootkits and Keyloggers
• Though researchers have used HIEEs for implementing defensive tools, attackers can also use them for malicious purposes due to their high privilege and stealthiness
• SMM rootkits
  – PS/2 [20] and USB [42] keyloggers
  – NSA: DEITYBOUNCE for Dell and IRONCHEF for HP Proliant servers [1]
• ME rootkits
  – Ring -3 rootkits [46, 50]
• DRTM, SGX, and TrustZone rootkits
  – We haven’t seen any publicly available examples but attackers have the motivation to implement them due to their stealthiness
• HIEEs create ideal environments or infrastructures that attract attackers to implement super-powerful rootkits.

HIEE Attacks
• HIEE attacks: Bypassing the hardware protection mechanisms of HIEE isolation; not using HIEEs for malicious purposes
• SMM attacks

HIEE Attacks (cont’d)
• ME attacks
  – In 2009, Tereshkin and Wojtczuk [50] demonstrated that they can implement ring -3 rootkits in ME by injecting the malicious code into the Intel AMT
  – DAGGER [46] bypasses the ME isolation using a technique similar to the one in [50]
• DRTM attacks
  – Wojtczuk and Rutkowska from Invisible Things Lab demonstrate several attacks [57, 56, 59] against Intel TXT
• TrustZone attacks
  – Di [44] found vulnerabilities that are able to execute arbitrary code in secure world using a user-level application in normal world on Huawei HiSilicon devices

HIEE Attacks (cont’d)
• SGX attacks
  – Cache timing attacks and software side-channel attacks, including using performance counters, from the study published by Costan and Devadas [15]
• Unclear if ME firmware is malicious
  – SGX for desktop environments needs to establish a secure channel between I/O devices (e.g., keyboard and video display) and an enclave to prevent sensitive data leakage [38, 27]
  – Protected Audio Video Path (PAVP) technology can securely display video frames and play audio to users; Identity Protection Technology (IPT) provides security features including Protected Transaction Display (e.g., entering a PIN by a user)
  – SGX needs Enhanced Privacy Identification (EPID) support for remote attestation [27]
  – PAVP, IPT, EPID are realized by ME [36]

Challenges of Using HIEEs for Security
• Ensuring trusted switching path
  – HIEE-based systems assume attackers have ring 0 privilege, so attackers can intercept the switching and create a fake one
  – Ad-hoc solutions using an external smartphone [33], keyboard LED lights [63], LED power lights [49]
  – Building a generic and user-friendly trusted path mechanism for HIEE-based systems is an open research problem
• Verifying the trustworthiness of hardware
  – HIEE-based systems depend on the trustworthiness of hardware
  – Assuming hardware features are bug-free (e.g., isolation is guaranteed)
  – Hardware vendors tend not to release implementation details
  – How to reliably evaluate the trustworthiness of these mysterious hardware security technologies (e.g., ME)

Conclusions
• Main contributions of this SoK paper are:
  – Presenting a thorough study of six HIEEs including SMM, Intel ME, AMD PSP, DRTM, Intel SGX, and ARM TrustZone
  – Exploring both the defensive and offensive use scenarios of HIEEs and describing them with the state-of-the-art systems
  – Discussing all attacks against the computing environment of each HIEE (e.g., bypassing the isolation) and some mitigations

References
The reference numbers in the slides are the ones shown in Section 8 of the paper.