demystifying the secure enclave processor
play

Demystifying the Secure Enclave Processor Tarjei Mandt - PowerPoint PPT Presentation

Jul 30, 2023 •535 likes •1.51k views

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik) David Wang (@planetbeing) About Us Tarjei Mandt Senior Security Researcher, Azimuth Security tm@azimuthsecurity.com Mathew Solnik

  1. Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik) David Wang (@planetbeing)

  2. About Us • Tarjei Mandt ▫ Senior Security Researcher, Azimuth Security ▫ tm@azimuthsecurity.com • Mathew Solnik ▫ Director, OffCell Research ▫ ms@offcellresearch.com • David Wang ▫ Senior Security Researcher, Azimuth Security ▫ dw@azimuthsecurity.com

  3. Introduction • iPhone 5S was a technological milestone ▫ First 64-bit phone • Introduced several technological advancements ▫ Touch ID ▫ M7 motion coprocessor ▫ Security coprocessor (SEP) • Enabled sensitive data to be stored securely ▫ Fingerprint data, cryptographic keys, etc.

  4. Secure Enclave Processor • Security circuit designed to perform secure services for the rest of the SOC ▫ Prevents main processor from gaining direct access to sensitive data • Used to support a number of different services ▫ Most notably Touch ID • Runs its own operating system (SEPOS) ▫ Includes its own kernel, drivers, services, and applications

  5. Secure (?) Enclave Processor • Very little public information exists on the SEP ▫ Only information provided by Apple • SEP patent only provides a high level overview ▫ Doesn’t describe actual implementation details • Several open questions remain ▫ What services are exposed by the SEP? ▫ How are these services accessed? ▫ What privileges are needed? ▫ How resilient is SEP against attacks?

  6. Talk Outline • Part 1: Secure Enclave Processor ▫ Hardware Design ▫ Boot Process • Part 2: Communication ▫ Mailbox Mechanism ▫ Kernel-to-SEP Interfaces • Part 3: SEPOS ▫ Architecture / Internals • Part 4: Security Analysis ▫ Attack Surface and Robustness

  7. Demystifying the Secure Enclave Processor

  8. SEP’s ARM Core: Kingfisher • Dedicated ARMv7a “Kingfisher” core ▫ Even EL3 on AP’s core won’t doesn’t give you access to SEP • Appears to be running at 300-400mhz~ • One of multiple kingfisher cores in the SoC ▫ 2-4 Other KF cores - used for NAND/SmartIO/etc ▫ Other cores provide a wealth of arch knowledge • Changes between platforms (A7/A8/A9) ▫ Appears like anti-tamper on newer chips

  9. Dedicated Hardware Peripherals • SEP has its own set of peripherals accessible by memory-mapped IO ▫ Built into hardware that AP cannot access – Crypto Engine & Random Number Generator – Security Fuses – GID/UID Keys • Dedicated IO lines - ▫ Lines run directly to off-chip peripherals – GPIO – SPI – UART – I2C

  10. Shared Hardware Peripherals • SEP and AP share some peripherals • Power Manager (PMGR) ▫ Security fuse settings are located in the PMGR ▫ Lots of other interesting items • Memory Controller ▫ Can be poked at via iOS kernel • Phase-locked loop (PLL) clock generator ▫ Nothing to see here move along… • Secure Mailbox ▫ Used to tranfer data between cores • External Random Access Memory (RAM)

  11. Physical Memory • Dedicated BootROM (and some SRAM) ▫ BootROM physically located at 0x2_0da0_0000 • Uses inline AES to encrypt external RAM ▫ Most likely to prevent physical memory attacks against off SoC RAM chips (iPads) • Hardware “filter” to prevent AP to SEP memory access ▫ Only SEP’s KF core has this filter

  12. SEP KF Filter Diagram From SoC To SoC

  13. Demystifying the Secure Enclave Processor

  14. SEP Initialization – First Stage • AP comes out of reset. AP BootROM releases SEP from reset. ▫ This is irreversible. No hardware register to reset or stop SEP accessible by AP. • Initially uses 4096 bytes of static RAM for stack and variables. • Uses page tables in ROM. ▫ Needs Large Physical Address Extension. • Starts a message loop.

  15. SEP Initialization – Second Stage • Listens for messages in the mailbox. • 8-byte messages that have the same format SEPOS uses. • All messages use endpoint 255 (EP_BOOTSTRAP) Opcode Description 1, 2 “Status check” (Ping) 3 Generate nonce 4 Get nonce word 5 “BootTZ0” (Continue boot)

  16. Memory Protections • SEP needs more RAM than 4096 bytes of SRAM, so it needs external RAM. • RAM used by SEP must be protected against AP tampering. • Two regions configurable by AP are setup: ▫ TZ0 is for the SEP. ▫ TZ1 is for the AP’s TrustZone (Kernel Patch Protection). • SEP must wait for AP to setup TZ0 to continue boot.

  17. SEP Boot Flow AP SEP Configure TZ0 and TZ1 iBoot Kernel Send Ping Acknowledge Ping Send BootTZ0 Acknowledge BootTZ0 Send Ping Map in TZ0 Setup Memory Encryption Stage 2 Stage 3 Begin Stage 3

  18. SEP Memory Protection Bootstrap Configure TZ0 and • SEP doesn’t take AP’s word for TZ1 iBoot it that TZ0 is locked. Kernel Send Ping ▫ Checks hardware registers for lock. Acknowledge Ping Send BootTZ0 ▫ Then reads size and address of TZ0 from other hardware Acknowledge Send Ping registers. BootTZ0 • Impossible to change these Map in TZ0 hardware registers after TZ0 is Setup Memory Stage 2 Encryption locked. Stage 3 • Spin processor on failure. Begin Stage 3

  19. Memory Encryption Modes • Appears to support ECB, CBC, and XEX . • Capable of AES-128 or AES-256 . • Supports two channels. ▫ BootROM uses channel 1. ▫ SEPOS uses channel 0. • All access to certain ranges of physical addresses get encrypted/decrypted transparently. ▫ After boot, SEPOS has all page mappings into the encrypted range (except for hardware regs and memory shared with AP).

  20. Key Generation • Keys are generated by “tangling”: ▫ True Random Number Generator output ▫ Static ”type” value. • With protected (unreadable) registers: ▫ UID, GID, Seed A, Seed B. – Seed B tangled with UID == GenID_2B • Encrypt the following using GenID_2B to generate key: ▫ [4 byte magic = 0xFF XK1][4 bytes of 0s][192-bits of randomness]

  21. Beginning Stage 3 Configure TZ0 and • After memory encryption is TZ1 iBoot setup, SEP re-initializes to use Kernel encrypted memory: Send Ping ▫ Page tables Acknowledge Ping Send BootTZ0 ▫ Stack ▫ Data Acknowledge Send Ping BootTZ0 • Begins a new message loop Map in TZ0 with no shared code between it and the initial low-capability Setup Memory Stage 2 Encryption bootstrap. Stage 3 Begin Stage 3

  22. SEP Boot Flow: Stage 3 AP SEP Acknowledge Ping Send ART Copy in ART Acknowledge ART Send SEPOS Copy in SEPOS Validate SEPOS and ART Acknowledge SEPOS Send Shared Memory Addr Boot SEPOS

  23. Boot-loading: Img4 • SEP uses the “IMG4” bootloader format which is based on ASN.1 DER encoding ▫ Very similar to 64bit iBoot/AP Bootrom ▫ Can be parsed with ”openssl -asn1parse” • Three primary objects used by SEP ▫ Payload – – Contains the encrypted sep-firmware ▫ Restore – – Contains basic information when restoring SEP ▫ Manifest (aka the AP ticket) - – Effectively the Alpha and the Omega of bootROM configuration (and security)

  24. Img4 - Manifest • The manifest (APTicket) contains almost all the essential information used to authenticate and configure SEP(OS). • Contains multiple hardware identifier tags ▫ ECID ▫ ChipID ▫ Others • Is also used to change runtime settings in both software and hardware ▫ DPRO – Demote Production ▫ DSEC – Demote Security ▫ Others…

  25. Reversing SEP’s Img4 Parser: Stage 1 • How can you reverse something you cannot see? ▫ Look for potential code reuse! • Other locations that parse IMG4 ▫ AP BootROM – A bit of a pain to get at ▫ iBoot – Dump from phys memory - 0x8700xx000 – Not many symbols… – But sometimes it only takes 1… (iBoot from n51)

  26. Reversing SEP’s Img4 Parser: Stage 2 • Another file also contains the “Img4Decode” symbol ▫ /usr/libexec/seputil • Userland IMG4 parser with many more symbols ▫ May not be exact – but bindiff shows it is very close • From symbols found in seputil we can deduce: ▫ The ASN’1 decoder is based on libDER – Which Apple so kindly releases as OpenSource. ▫ The RSA portion is handled by CoreCrypto • LibDER + CoreCrypto = SEP’s IMG4 Parsing engine ▫ We now have a great base to work with

  27. Img4 Parsing Flow • SEP BootROM copies in the sep-firmware.img4 from AP • Initializes the DER Decoder ▫ Decodes Payload, Manifest, and Restore Info • Verifies digests and signing certificates ▫ Root of trust cert is hardcoded at the end of BootROM • Verifies all properties in manifest ▫ Checks against current hardware fusing • If all items pass – load and execute the payload

  28. Img4 Parsing Flow AP SEP SEP Sends SEP IMG4 Decode Payload & Manifest Fail Validate Certificates Validate Digest Validate Manifest Validate Properties Against Certificate Read Fuses Validate Properties Against Hardware Boot SEPOS

  29. Demystifying the Secure Enclave Processor

  30. Secure Mailbox • The secure mailbox allows the AP to communicate with the SEP ▫ Features both an inbox (request) and outbox (reply) • Implemented using the SEP device I/O registers ▫ Also known as the SEP configuration space

  31. Interrupt-based Message Passing • When sending a message, the AP writes to the inbox of the mailbox • This operation triggers an interrupt in the SEP ▫ Informs the SEP that a message has been received • When a reply is ready, the SEP writes a message back to the outbox ▫ Another interrupt is generated in order to let the AP know a message was received

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu Problem Definition Verifying hyperproperties about the Keystone Security monitor Secure Remote Execution (SRE) : a 2-safety hyperproperty

446 views • 10 slides
Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris

Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon University* 1 Secure Remote

356 views • 21 slides
Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I

Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I

Demystifying DNA Demystifying DNA What is it? How do I get it? What is it? How do I get it? How do I get rid of it? How do I get rid of it? Alissa Bjerkhoel Litigation Coordinator, California Innocence Project Panel Attorney,

1.61k views • 124 slides
A Secure Data Enclave and Analytics Platform For Social Scientists Yadu N. Babuji, Kyle Chard,

A Secure Data Enclave and Analytics Platform For Social Scientists Yadu N. Babuji, Kyle Chard,

A Secure Data Enclave and Analytics Platform For Social Scientists Yadu N. Babuji, Kyle Chard, Aaron Gerow, & Eamon Duede Computation Institute, The University of Chicago and Argonne National Laboratory

473 views • 24 slides
Demystifying Blockchains: Decentralized, Secure and Fault-tolerant Storage Amr El Abbadi

Demystifying Blockchains: Decentralized, Secure and Fault-tolerant Storage Amr El Abbadi

Demystifying Blockchains: Decentralized, Secure and Fault-tolerant Storage Amr El Abbadi University of California, Santa Barbara In Collaboration with: Mohammad Amiri, Sujaya Maiyya, Victor Zakhary, and Divyakant Agrawal. Brown 2019 1

458 views • 41 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you

Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you

Drupal GovCon 2018 Demystifying SEO for Government Agencies Demystifying SEO for Government Agencies Why should you listen me? Jason Hamrick Senior Strategist Phase2 jhamrick@phase2technology.com Demystifying SEO for Government Agencies 2

418 views • 26 slides
T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee

T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure users code and data in the cloud

1.07k views • 27 slides
Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop (OSEW 2019) Berkeley, July 2019 https://mesatee.org Rust and Keystone Enclave Open-Source Enclave (RISC-V Hardware/Keystone Enclave) :

662 views • 32 slides
MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big

Damian Barabonkov MI6 Secure Enclaves ... in a Speculative Out-of-Order Processor Overview Goals of MI6 Big Ideas Paper Feedback Motivation of MI6 Threat Model Implementation Performance Analysis

383 views • 24 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky

February 2, 2010 Deconstructing a Secure Processor Black Hat Washington D.C. Christopher Tarnovsky Flylogic, Inc. chris@flylogic.net http://www.flylogic.net Decapsulate Perform initial examination Identify device if

1.38k views • 6 slides
The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas,

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas,

The Ascend Secure Processor Christopher Fletcher MIT 1 Joint work with Srini Devadas, Marten van Dijk Ling Ren, Albert Kwon, Xiangyao Yu Elaine Shi & Emil Stefanov David Wentzlaff & Princeton Team (Mike, Tri, Jonathan,

923 views • 37 slides
Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. ODonnell, Ishan Sachdev, and Srinivas Devadas Massachusetts Institute of Technology 1 New Security Challenges

356 views • 31 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann,

Open Source Enclave Workshop July 2019 Berkeley, CA Verifying enclave systems with Serval Luke Nelson w/ James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, Xi Wang University of Washington, Columbia University, Microsoft Research 1

435 views • 14 slides
Engineering with UML: The Last Decade and Towards the Future Jan Jrjens http://jan.jurjens.de

Engineering with UML: The Last Decade and Towards the Future Jan Jrjens http://jan.jurjens.de

Model-based Security Engineering with UML: The Last Decade and Towards the Future Jan Jrjens http://jan.jurjens.de Secure IT-Systems Today IT-systems pervade almost all aspects of human life. At the same time, IT-systems become more open

496 views • 28 slides
Multibiometrics for Face Recognition 3D Face Project End User Meeting 2007-03-22 /

Multibiometrics for Face Recognition 3D Face Project End User Meeting 2007-03-22 /

Multibiometrics for Face Recognition 3D Face Project End User Meeting 2007-03-22 / Darmstadt Volker Kempert (Cognitec Systems GmbH) Agenda Multibiometrics in general Multibiometrics related to the face Biometric Face

499 views • 16 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John

Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John

IT 2 EC 2020 IT 2 EC Extended Abstract Template Presentation/Panel Flying the Unfriendly Skies: Overcoming Obstacles in Legacy Simulations to Improve Training John Williamson 1 , Jennifer Lewis 2 1 Game Development Specialist, SAIC, Seattle, USA

248 views • 3 slides
Teleperformance Group Overview Including Q3 2018 information DISCLAIMER All forward-looking

Teleperformance Group Overview Including Q3 2018 information DISCLAIMER All forward-looking

Teleperformance Group Overview Including Q3 2018 information DISCLAIMER All forward-looking statements reflect Teleperformance managements present expectations of future events and are subject to a number of factors and uncertainties that

861 views • 54 slides
APTA Human Resources Committee 2014 Webinar Series Developing Frontline Workers: The Transit

APTA Human Resources Committee 2014 Webinar Series Developing Frontline Workers: The Transit

APTA Human Resources Committee 2014 Webinar Series Developing Frontline Workers: The Transit Industrys Backbone Wednesday, November 19, 2014 2:00 3:30 p.m. Eastern Time Viewing the webinar: Your confirmation email from GoToWebinar

882 views • 64 slides
Mobile & Secure End-Point Computing with Managed Virtual Machines Monica Lam Stanford

Mobile & Secure End-Point Computing with Managed Virtual Machines Monica Lam Stanford

Mobile & Secure End-Point Computing with Managed Virtual Machines Monica Lam Stanford University Pressing Problems Consumerization of IT: Using home computers Viruses on home computers attacking the data center May test for

511 views • 20 slides

More recommend