execution secure processors
play

Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, - PowerPoint PPT Presentation

Apr 17, 2023 •201 likes •929 views

Formal Abstractions for Attested Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, Elaine Shi, Florian Tramr Trusted hardware: Different communities, different world views 2 Trusted hardware: Different communities,

  1. Formal Abstractions for Attested Execution Secure Processors Eurocrypt May 1 st , 2017 Rafael Pass, Elaine Shi, Florian Tramèr

  2. Trusted hardware: Different communities, different world views 2

  3. Trusted hardware: Different communities, different world views Systems Crypto Architecture & Security 2

  4. Trusted hardware: Different communities, different world views Systems Crypto Architecture & Security • “ Minimal ” trusted hardware to circumvent theoretical impossibilities • Little concern about practical performance 2

  5. Trusted hardware: Different communities, different world views Systems Crypto Architecture & Security • • “ Minimal ” trusted Trusted execution of hardware to circumvent “ general-purpose ” user- theoretical impossibilities defined progs • • Little concern about Cost-effectiveness, practical performance reusability, expressivity 2

  6. Architecture community converged on “attested execution” GhostRider Bastion TPM Iso-X Ascend Sanctum Aegis Phantom XOM Academia Industry 3

  7. Architecture community converged on “attested execution” 4

  8. Attested Execution Server Compute prog on inp Client 5

  9. Attested Execution Server Enclave Compute prog on inp Client 5

  10. Attested Execution Server Enclave Compute prog on inp Client Sign Verify Manufacturer 5

  11. Attested Execution Server Enclave Compute prog on inp Client outp, σ Sign Verify Attestation that outp is correctly computed from prog and inp Manufacturer 5

  12. Why Ideal Abstractions? 6

  13. Why Ideal Abstractions? • Formal security proofs for implementations from precise abstractions and security models 6

  14. Why Ideal Abstractions? • Formal security proofs for implementations from precise abstractions and security models • Ultimate Goal: Formally verified processor implementing this formal abstraction 6

  15. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] 7

  16. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , getpk () from P: send to P 7

  17. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , getpk () from P: send to P install (prog, sid) from P ∊ reg: 7

  18. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , enclave id enclave getpk () from P: send to P (nonce) memory install (prog, sid) from P ∊ reg: (eid, P) ( sid, prog, M ) … … 7

  19. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , enclave id enclave getpk () from P: send to P (nonce) memory install (prog, sid) from P ∊ reg: (eid, P) ( sid, prog, M ) … … resume (eid, inp) from P ∊ reg: 7

  20. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , enclave id enclave getpk () from P: send to P (nonce) memory install (prog, sid) from P ∊ reg: (eid, P) ( sid, prog, M ) … … resume (eid, inp) from P ∊ reg: (out, M’ ) = prog(inp, M) 7

  21. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , enclave id enclave getpk () from P: send to P (nonce) memory install (prog, sid) from P ∊ reg: (eid, P) ( sid, prog, M ) ’ … … resume (eid, inp) from P ∊ reg: (out, M’ ) = prog(inp, M) 7

  22. Formal Model Signature scheme Registry of all platforms with trusted hardware 𝓗 att [ Σ , reg] ⟵ Σ .KeyGen(1 λ ) init (): , enclave id enclave getpk () from P: send to P (nonce) memory install (prog, sid) from P ∊ reg: (eid, P) ( sid, prog, M ) ’ … … resume (eid, inp) from P ∊ reg: (out, M’ ) = prog(inp, M) σ = Σ .Sign( , eid, sid, prog, out) send (out, σ ) to P 7

  23. Composability with Global State 8

  24. Composability with Global State Model 𝓗 att as global ideal functionality [CDPW’07] 8

  25. Composability with Global State Model 𝓗 att as global ideal functionality [CDPW’07] Attestation key is shared across protocols 𝓗 att [ Σ , reg] 8

  26. Composability with Global State Model 𝓗 att as global ideal functionality [CDPW’07] 𝓗 att [ Σ , reg] σ 9

  27. Composability with Global State Model 𝓗 att as global ideal functionality [CDPW’07] Example of concrete security issue: Non-deniability for parties in reg 𝓗 att [ Σ , reg] σ 9

  28. The more interesting question 10

  29. The good Powerful Abstraction! 11

  30. The good Powerful Abstraction! 𝓗 att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic obfuscation 11

  31. The good The surprise Powerful UC-Secure MPC? Abstraction! 𝓗 att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic obfuscation 11

  32. The good The surprise Powerful UC-Secure MPC? Abstraction! 𝓗 att ➔ ‘’Stateful Obfuscation’’ Impossible even with stateless tokens and cryptographic obfuscation 11

  33. The surprise UC-Secure MPC? 12

  34. Consider 2PC 13

  35. Consider 2PC UC-secure 2PC possible if both parties have trusted hardware 14

  36. Consider 2PC UC-secure 2PC possible if both parties have trusted hardware Impossible if only one party has trusted hardware! 14

  37. Consider 2PC This is counter-intuitive. Impossible if only one party has trusted hardware! 15

  38. Issue: non-deniability under global pk 16

  39. Issue: non-deniability Convinced that some honest party in the registry participated in the protocol under global pk 16

  40. Non-issue if all nodes have trusted hardware or if pk isn’t global Convinced that some honest party in the registry participated in the protocol under global pk 17

  41. What if we really really want to use a single trusted processor? 18

  42. What if we really really want to use a single trusted processor? Extra setup assumption: Augmented CRS 18

  43. What if we really really want to use a single trusted processor? Extra setup assumption: Augmented CRS UC-Secure MPC with O(1) crypto operations 18

  44. What if we really really want to use a single trusted processor? Extra setup assumption: Augmented CRS UC-Secure MPC with O(1) crypto operations Backdoor enclave program: allow simulator to extract inputs and program the outputs for corrupt parties 18

  45. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] 𝒬 i 19

  46. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] 1. Generate pk i ,sk i 𝒬 i 19

  47. What if we really really want to use a single trusted processor? Server Full protocol replaces σ by a WI-Proof prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] pk i , σ 1. Generate pk i ,sk i 𝒬 i 19

  48. What if we really really want to use a single trusted processor? Server Full protocol replaces σ by a WI-Proof prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] pk i , σ 1. Generate pk i ,sk i Key-exchange 𝒬 i 19

  49. What if we really really want to use a single trusted processor? Server Full protocol replaces σ by a WI-Proof prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] pk i , σ 1. Generate pk i ,sk i Key-exchange 𝒬 i 1. Collect all inp i Encrypted inp i 19

  50. What if we really really want to use a single trusted processor? Server Full protocol replaces σ by a WI-Proof prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] pk i , σ 1. Generate pk i ,sk i Key-exchange 𝒬 i 1. Collect all inp i Encrypted inp i 2. Compute outp * Encrypted outp i 19

  51. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] 3. Trapdoors Sim 20

  52. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] 3. Trapdoors extract(id i ) check( 𝒣 acrs , 𝒬 i , id i ) Sim 20

  53. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] Sim can recover inp i 3. Trapdoors extract(id i ) check( 𝒣 acrs , 𝒬 i , id i ) sk i Sim 20

  54. What if we really really want to use a single trusted processor? Server prog[f, 𝓗 acrs , 𝒬 1 … 𝒬 n ] 3. Trapdoors Sim equivocate(id i , v) check( 𝒣 acrs , 𝒬 i , id i ) set outp i = v 20

  55. Fair 2PC? 21

  56. • Fairness impossible for general functionalities in plain model [Cleve86] Fair 2PC? 21

  57. Can trusted hardware help with fairness? • Fairness impossible for general functionalities in plain model [Cleve86] Fair 2PC? 21

  58. UC-Secure Fair 2PC Enhanced model: Clock-aware secure processor 22

  59. UC-Secure Fair 2PC Enhanced model: Clock-aware secure processor • Fair 2PC possible if both parties have clock- aware secure processors 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING LOU, TOM HOU Talk Outline Motivation and Background Why this work ? Threat Model What are we defending against ? CaSE:

248 views • 21 slides
Low-Latency Transaction Execution on Graphics Processors: Dream or Reality? Iya Arefyeva,

Low-Latency Transaction Execution on Graphics Processors: Dream or Reality? Iya Arefyeva,

Workgroup Databases and Software Engineering University of Magdeburg Low-Latency Transaction Execution on Graphics Processors: Dream or Reality? Iya Arefyeva, Gabriel Campero Durand, Marcus Pinnecke, David Broneske , Gunter Saake Motivation:

389 views • 35 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A: Neha Chachra and Bryan S. Kim Feb. 11, 2010 1 Historical perspective Pipeline RISC Superscalar Out-of-order VLIW SMT 1960 1970 1980 1990

1.01k views • 45 slides
21264 vs NetBurst Two Different Processors- Both Nonexistent CSE 240C - Rushi Chakrabarti - WI09

21264 vs NetBurst Two Different Processors- Both Nonexistent CSE 240C - Rushi Chakrabarti - WI09

21264 vs NetBurst Two Different Processors- Both Nonexistent CSE 240C - Rushi Chakrabarti - WI09 Common Boasts Out of Order Execution Speculative Execution High Performance Memory System Industry Leading Clock Rates Bit o

812 views • 56 slides
Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh,

Efficient Memory Integrity Verification and Encryption for Secure Processors G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology New Security Challenges Current computer

411 views • 26 slides
FluidCheck: A Redundant Threading based Approach for Reliable Execution in Manycore Processors

FluidCheck: A Redundant Threading based Approach for Reliable Execution in Manycore Processors

FluidCheck: A Redundant Threading based Approach for Reliable Execution in Manycore Processors Rajshekar Kalayappan, Sm ruti R. Sarangi Dept of Computer Science and Engineering Indian Institute of Technology Delhi New Delhi, India. S oft

899 views • 64 slides
Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi

Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi

Efficient Transient-Fault Tolerance for Multithreaded Processors Using Dual-Thread Execution Yi Ma Huiyang Zhou Computer Science Department University of Central Florida Introduction Introduction Modern microprocessors are increasingly

243 views • 21 slides
Lect. 4: Shared Memory Multiprocessors Obtained by connecting full processors together

Lect. 4: Shared Memory Multiprocessors Obtained by connecting full processors together

Lect. 4: Shared Memory Multiprocessors Obtained by connecting full processors together Processors have their own connection to memory Processors are capable of independent execution and control (Thus, by this definition, GPU is not

557 views • 26 slides
Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza,

Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza,

Efficient Execution of Dependent Tasks on Many-Core Processors Hamza Rihani, Claire Maiza, Matthieu Moy Univ. Grenoble Alpes Verimag RTSOPS 2016, July 5, 2016 Context PE PE PE PE High Level Language PE PE PE PE i 1 o 1 2 3

248 views • 22 slides
Approaching Overhead-Free Execution on FPGA Soft-Processors Charles Eric LaForest Jason Anderson

Approaching Overhead-Free Execution on FPGA Soft-Processors Charles Eric LaForest Jason Anderson

Approaching Overhead-Free Execution on FPGA Soft-Processors Charles Eric LaForest Jason Anderson J. Gregory Steffan University of Toronto ICFPT 2014, Shanghai Motivation Designing on FPGAs remains difficult Larger systems Longer

670 views • 44 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic Information Flow Tracking Tracking G. Edward Suh Suh, , Jae Jae W. Lee, David W. Lee, David G. Edward Zhang, Srinivas Srinivas Devadas Devadas

547 views • 26 slides
Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique Devriese, Frank Piessens (K.U.Leuven) Secure Multi-Execution May 14, 2010 1 / 24 Secure Multi-Execution Outline Secure Multi-Execution

622 views • 29 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

886 views • 36 slides
Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America

Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America

Terraform Colonise the cloud! Stefan Magnus Landr, BEKK Consulting AS ApacheCon North America 2017 - 17. May 2017 1 Terraform Commandline tool (go) (OS X, Windows, Linux, ) Developed by Hashicorp (Vagrant, Packer, Consul, Nomad)

1.07k views • 17 slides
Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Anna Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital What is a bastion (jumpbox) ? Outside world bastion server server server What do we mean by secure? How do we make a custom AMI?

231 views • 20 slides
BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee 1 , Hyunmin Seo 1 , Phillip Porras 2 , Vinod Yegneswaran 2 , and Seungwon Shin 1 KAIST 1 and SRI International 2 The state of Container Security

800 views • 24 slides
Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on

Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on

Introduction Ideal flow theory Vorticity of flow Basic aerodynamics Fundamentals of Fluid Dynamics: Ideal Flow Theory & Basic Aerodynamics Introductory Course on Multiphysics Modelling T OMASZ G. Z IELI NSKI (after: D.J. A CHESON s

918 views • 87 slides
CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks

CS 378: Autonomous Intelligent Robotics (FRI) Dr. Todd Hester Are there any questions? Talks Keith Sullivan Hierarchical Multiagent Learning from Demonstration Junaed Sattar A Multimodal Approach Towards Robust Human- machine

480 views • 24 slides
Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M

Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M

Introduction to Trusted Computing Pieter Maene , Johannes G otzfried, Ruan de Clercq, Tilo M uller, Felix Freiling, and Ingrid Verbauwhede 1 KU Leuven/COSIC, Belgium 2 FAU Erlangen-N urnberg, Germany January 31, 2017 Trusted Computing 2

723 views • 35 slides
New York University High Performance Computing High Performance Computing Information

New York University High Performance Computing High Performance Computing Information

New York University High Performance Computing High Performance Computing Information Techonology Services New York University hpc@nyu.edu September 20, 2011 (High Performance Computing Information Techonology Services New York University

226 views • 22 slides
Securing PostgreSQL Christophe Pettus PostgreSQL Experts, Inc. PGDay FOSDEM 2018 Greetings!

Securing PostgreSQL Christophe Pettus PostgreSQL Experts, Inc. PGDay FOSDEM 2018 Greetings!

Securing PostgreSQL Christophe Pettus PostgreSQL Experts, Inc. PGDay FOSDEM 2018 Greetings! Christophe Pettus CEO, PostgreSQL Experts, Inc. thebuild.com personal blog. pgexperts.com company website. Twitter @Xof

945 views • 70 slides

More recommend