Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, - - PowerPoint PPT Presentation

Formal Abstractions for Attested Execution Secure Processors

Eurocrypt May 1st, 2017 Rafael Pass, Elaine Shi, Florian Tramèr

Trusted hardware:

Different communities, different world views

2

Trusted hardware:

Different communities, different world views

Crypto

Architecture Systems & Security

2

Trusted hardware:

Different communities, different world views

Crypto

Architecture Systems & Security

• “Minimal” trusted

hardware to circumvent theoretical impossibilities

• Little concern about

practical performance

2

Trusted hardware:

Different communities, different world views

Crypto

Architecture Systems & Security

• “Minimal” trusted

hardware to circumvent theoretical impossibilities

• Little concern about

practical performance

• Trusted execution of

“general-purpose” user- defined progs

• Cost-effectiveness,

reusability, expressivity

2

3

TPM Bastion Sanctum Ascend XOM Aegis Iso-X Phantom GhostRider

Academia Industry

Architecture community converged on “attested execution”

4

Architecture community converged on “attested execution”

Attested Execution

5

Client Server

Compute prog on inp

Attested Execution

5

Client Server Enclave

Compute prog on inp

Attested Execution

5

Client Server

Verify

Enclave Manufacturer

Sign

Compute prog on inp

Attested Execution

5

Client Server

Verify

Enclave Manufacturer

Sign

Compute prog on inp

• utp, σ

Attestation that outp is correctly computed from prog and inp

Why Ideal Abstractions?

6

• Formal security proofs for implementations

from precise abstractions and security models

Why Ideal Abstractions?

6

• Formal security proofs for implementations

from precise abstractions and security models

• Ultimate Goal: Formally verified processor

implementing this formal abstraction

Why Ideal Abstractions?

6

Formal Model

7

𝓗att[Σ, reg]

Signature scheme Registry of all platforms with trusted hardware

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

Signature scheme Registry of all platforms with trusted hardware

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: Signature scheme Registry of all platforms with trusted hardware

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: Signature scheme Registry of all platforms with trusted hardware (eid, P) ( sid, prog, M ) enclave id (nonce) enclave memory … …

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: resume(eid, inp) from P ∊ reg: Signature scheme Registry of all platforms with trusted hardware (eid, P) ( sid, prog, M ) enclave id (nonce) enclave memory … …

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: resume(eid, inp) from P ∊ reg: (out, M’) = prog(inp, M) Signature scheme Registry of all platforms with trusted hardware (eid, P) ( sid, prog, M ) enclave id (nonce) enclave memory … …

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: resume(eid, inp) from P ∊ reg: (out, M’) = prog(inp, M) Signature scheme Registry of all platforms with trusted hardware (eid, P) ( sid, prog, M ) enclave id (nonce) enclave memory … …

’

Formal Model

7

𝓗att[Σ, reg]

init():

, ⟵ Σ.KeyGen(1λ)

getpk() from P: send

to P

install(prog, sid) from P ∊ reg: resume(eid, inp) from P ∊ reg: (out, M’) = prog(inp, M) σ = Σ.Sign( , eid, sid, prog, out) send (out, σ) to P Signature scheme Registry of all platforms with trusted hardware (eid, P) ( sid, prog, M ) enclave id (nonce) enclave memory … …

’

Composability with Global State

8

Composability with Global State

8

Model 𝓗att as global ideal functionality [CDPW’07]

Composability with Global State

8

Model 𝓗att as global ideal functionality [CDPW’07]

𝓗att[Σ, reg]

Attestation key is shared across protocols

Composability with Global State

Model 𝓗att as global ideal functionality [CDPW’07]

σ

𝓗att[Σ, reg]

9

Composability with Global State

Model 𝓗att as global ideal functionality [CDPW’07]

σ

𝓗att[Σ, reg]

Example of concrete security issue:

Non-deniability for parties in reg

9

10

The more interesting question

The good

11

Powerful Abstraction!

The good

11

Powerful Abstraction!

𝓗att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic

• bfuscation

The good The surprise

11

Powerful Abstraction!

𝓗att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic

• bfuscation

UC-Secure MPC?

The good The surprise

11

Powerful Abstraction!

𝓗att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic

• bfuscation

UC-Secure MPC?

The surprise

12

UC-Secure MPC?

Consider 2PC

13

14

UC-secure 2PC possible if both parties have trusted hardware

Consider 2PC

14

UC-secure 2PC possible if both parties have trusted hardware Impossible if only one party has trusted hardware!

Consider 2PC

15

Impossible if only one party has trusted hardware!

Consider 2PC

This is counter-intuitive.

Issue: non-deniability

16

under global pk

Issue: non-deniability

16

under global pk

Convinced that some honest party in the registry participated in the protocol

17

under global pk

Convinced that some honest party in the registry participated in the protocol

Non-issue if all nodes have trusted hardware

• r if pk isn’t global

What if we really really want to use a single trusted processor?

18

What if we really really want to use a single trusted processor?

18

Extra setup assumption: Augmented CRS

What if we really really want to use a single trusted processor?

18

Extra setup assumption: Augmented CRS

UC-Secure MPC with O(1) crypto operations

What if we really really want to use a single trusted processor?

18

Extra setup assumption: Augmented CRS Backdoor enclave program: allow simulator to extract inputs and program the outputs for corrupt parties

UC-Secure MPC with O(1) crypto operations

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

𝒬i

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 1. Generate pki,ski

𝒬i

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 1. Generate pki,ski

𝒬i pki, σ Full protocol replaces σ by a WI-Proof

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 1. Generate pki,ski

Key-exchange 𝒬i pki, σ Full protocol replaces σ by a WI-Proof

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 1. Generate pki,ski
• 1. Collect all inpi

Key-exchange 𝒬i pki, σ Encrypted inpi Full protocol replaces σ by a WI-Proof

Server

What if we really really want to use a single trusted processor?

19

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 1. Generate pki,ski
• 1. Collect all inpi
• 2. Compute outp*

Key-exchange 𝒬i pki, σ Encrypted inpi Encrypted outpi Full protocol replaces σ by a WI-Proof

Server

What if we really really want to use a single trusted processor?

20

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 3. Trapdoors

Sim

Server

What if we really really want to use a single trusted processor?

20

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 3. Trapdoors

check(𝒣acrs, 𝒬i, idi)

Sim extract(idi)

Server

What if we really really want to use a single trusted processor?

20

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 3. Trapdoors

check(𝒣acrs, 𝒬i, idi)

Sim extract(idi) ski Sim can recover inpi

Server

What if we really really want to use a single trusted processor?

20

prog[f,𝓗acrs,𝒬1 … 𝒬n]

• 3. Trapdoors

check(𝒣acrs, 𝒬i, idi) set outpi = v

Sim equivocate(idi, v)

21

Fair 2PC?

21

Fair 2PC?

• Fairness impossible for general

functionalities in plain model [Cleve86]

21

Fair 2PC?

• Fairness impossible for general

functionalities in plain model [Cleve86]

Can trusted hardware help with fairness?

22

UC-Secure Fair 2PC

Enhanced model: Clock-aware secure processor

22

UC-Secure Fair 2PC

Enhanced model: Clock-aware secure processor

• Fair 2PC possible if both parties have clock-

aware secure processors

22

UC-Secure Fair 2PC

Enhanced model: Clock-aware secure processor

• Fair 2PC possible if both parties have clock-

aware secure processors

• Fair coin-tossing possible if one party has clock-

aware secure processors (+ ACRS)

22

UC-Secure Fair 2PC

Enhanced model: Clock-aware secure processor

• Fair 2PC possible if both parties have clock-

aware secure processors

23

Enclaves establish secure channel

23

Enclaves establish secure channel Enclaves exchange inputs and compute outputs

23

Enclaves establish secure channel Enclaves exchange inputs and compute outputs “Will release to Alice in 2λ time” “Will release to Bob in 2λ time”

23

Enclaves establish secure channel Enclaves exchange inputs and compute outputs “Will release to Alice in 2λ time” “Will release to Bob in 2λ time” “Will release to Alice in 2λ-1 time” “Will release to Bob in 2λ-1 time”

…

24

Enclaves establish secure channel “Will release to Alice in 2λ-1 time” “Will release to Bob in 2λ-1 time” …

If Alice learns result at time t < 2λ, Bob will learn it at the latest by time 2t + no ‘’wasted’’ computation!

What next?

Formal abstractions

• f trusted hw

What next?

Attested execution is a powerful assumption

⟹ Stateful Obfuscation, Efficient MPC, Fair 2PC

Formal abstractions

• f trusted hw

What next?

Attested execution is a powerful assumption

⟹ Stateful Obfuscation, Efficient MPC, Fair 2PC

Subtle issues unless all parties have trusted hardware

⟹ Non-deniability, Extra setup assumptions

Formal abstractions

• f trusted hw

What next?

Attested execution is a powerful assumption

⟹ Stateful Obfuscation, Efficient MPC, Fair 2PC

Subtle issues unless all parties have trusted hardware

⟹ Non-deniability, Extra setup assumptions

Formal abstractions

• f trusted hw

Formally verified secure processor design

What next?

Attested execution is a powerful assumption

⟹ Stateful Obfuscation, Efficient MPC, Fair 2PC

Subtle issues unless all parties have trusted hardware

⟹ Non-deniability, Extra setup assumptions

Formal abstractions

• f trusted hw

Formally verified secure processor design Secure implementations from formally secure abstractions

Thank You

Formal abstractions

• f trusted hw

Formally verified secure processor design Secure implementations from formally secure abstractions